问题描述
我有一个Azure DevOps管道,该管道(通过Powershell脚本)将证书添加到Azure Service Fabric应用程序的虚拟机规模集对象。
证书已正确安装,但服务结构应用程序尝试启动时出现错误,提示“ Internal.Cryptography.CryptoThrowHelper + WindowsCryptographicException:密钥集不存在”。
我进行了一次Google搜索,发现了以下页面:Service Fabric: Authenticating with Azure KeyVault via cert: "KeySet does not exist"
这使我能够通过移至服务结构节点并使用NETWORK SERVICE用户帐户授予已安装的证书读取权限来手动解决此问题。
是否可以通过DevOps Pipeline向安装的证书授予此权限?
解决方法
您可以将以下内容添加到Powershell脚本中
function Set-CertificateReadPermission
{
param
(
[Parameter(Position=1,Mandatory=$true)]
$cert,[Parameter(Position=2,Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string]$serviceAccount
)
# Specify the user,the permissions and the permission type
$permission = "$($serviceAccount)","Read","Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission;
# Location of the machine related keys
$keyPath = "$($env:ProgramData)\Microsoft\Crypto\RSA\MachineKeys\";
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName;
$keyFullPath = $keyPath + $keyName;
try
{
# Get the current acl of the private key
$acl = (Get-Acl $keyFullPath)
# Add the new ace to the acl of the private key
$acl.AddAccessRule($accessRule);
# Write back the new acl
Set-Acl -Path $keyFullPath -AclObject $acl;
}
catch
{
throw $_;
}
}
# Get the certificate,or use a previous variable:
$cert = Get-ChildItem -Path cert:\LocalMachine\My\EEDEF61D4FF6EDBAAD538BB08CCAADDC3EE28FF
#Call method to set permission on certificate
Set-CertificateReadPermission $cert "NT AUTHORITY\NETWORK SERVICE"