证书存储区中证书的私钥不可读

通过谷歌几乎所有的东西我得到了一个解决方案…据我了解有一些事情要做：

1. 生成X509Certificate2
2. 确保私钥容器是持久的（不是临时的）
3. 确保对经过身份validation的用户具有访问规则 ，以便他们可以看到私钥

所以最终的代码是：

 X509Certificate2 nonPersistentCert = CreateACertSomehow(); // this is only required since there's no constructor for X509Certificate2 that uses X509KeyStorageFlags but a password // so we create a tmp password, which is not reqired to be secure since it's only used in memory // and the private key will be included (plain) in the final cert anyway const string TMP_PFX_PASSWORD = "password"; // create a pfx in memory ... byte[] nonPersistentCertPfxBytes = nonPersistentCert.Export(X509ContentType.Pfx, TMP_PFX_PASSWORD); // ... to get an X509Certificate2 object with the X509KeyStorageFlags.PersistKeySet flag set X509Certificate2 serverCert = new X509Certificate2(nonPersistentCertPfxBytes, TMP_PFX_PASSWORD, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable); // use X509KeyStorageFlags.Exportable only if you want the private key to tbe exportable // get the private key, which currently only the SYSTEM-User has access to RSACryptoServiceProvider systemUserOnlyReadablePrivateKey = serverCert.PrivateKey as RSACryptoServiceProvider; // create cspParameters CspParameters cspParameters = new CspParameters(systemUserOnlyReadablePrivateKey.CspKeyContainerInfo.ProviderType, systemUserOnlyReadablePrivateKey.CspKeyContainerInfo.ProviderName, systemUserOnlyReadablePrivateKey.CspKeyContainerInfo.KeyContainerName) { // CspProviderFlags.UseArchivableKey means the key is exportable, if you don't want that use CspProviderFlags.UseExistingKey instead Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseArchivableKey, CryptoKeySecurity = systemUserOnlyReadablePrivateKey.CspKeyContainerInfo.CryptoKeySecurity }; // add the access rules cspParameters.CryptoKeySecurity.AddAccessRule(new CryptoKeyAccessRule(new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), CryptoKeyRights.GenericRead, AccessControlType.Allow)); // create a new RSACryptoServiceProvider from the cspParameters and assign that as the private key RSACryptoServiceProvider allUsersReadablePrivateKey = new RSACryptoServiceProvider(cspParameters); serverCert.PrivateKey = allUsersReadablePrivateKey; // finally place it into the cert store X509Store rootStore = new X509Store(StoreName.My, StoreLocation.LocalMachine); rootStore.Open(OpenFlags.ReadWrite); rootStore.Add(serverCert); rootStore.Close(); // :)