程序员经验分享-hwhale

在 .NET Core 中自动创建私钥、CSR 和最终签名证书的过程

2024-01-10

有人向我提供了中间证书(由根证书签名)及其密码。为了安全地连接到 SSL 端点,我需要提供签名证书。

这是我所做的:

  1. 创建私钥
  2. 使用该私钥创建 CSR
  3. 使用提供的中级证书对其进行签名

我使用 openssl 来完成这一切,它运行得非常完美:TLS 端点接受了我的连接请求。但在 C# 中它不起作用。知道缺少什么吗?

        var password = new SecureString();
        password.AppendChar('x');
        password.AppendChar('y');
        password.AppendChar('z');

        // Intermediate certificate with pw protection
        X509Certificate2 intermediateCert = new X509Certificate2("intermediate.pfx", password);
        X509Certificate2 certificate;

       using (RSA rsa = RSA.Create(2048))
        {

            //A client creates a certificate signing request.
            CertificateRequest req = new CertificateRequest(
                    new X500DistinguishedName("CN=myname"),
                    rsa,
                    HashAlgorithmName.SHA256,
                    RSASignaturePadding.Pkcs1);

            req.CertificateExtensions.Add(
                new X509BasicConstraintsExtension(false, false, 0, false));

            req.CertificateExtensions.Add(
                new X509KeyUsageExtension(
                    X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment,
                    false));

            req.CertificateExtensions.Add(
                new X509EnhancedKeyUsageExtension(
                    new OidCollection
                    {
                        new Oid("1.3.6.1.5.5.7.3.**1**")
                    },
                    true));

            req.CertificateExtensions.Add(
                new X509SubjectKeyIdentifierExtension(req.PublicKey, false));


            X500DistinguishedName dname = new X500DistinguishedName(intermediateCert.Subject);
            X509SignatureGenerator gen = X509SignatureGenerator.CreateForRSA((RSA)intermediateCert.PrivateKey, RSASignaturePadding.Pkcs1);

            certificate = req.Create(
                dname, gen,
                DateTimeOffset.UtcNow.AddDays(-1),
                DateTimeOffset.UtcNow.AddDays(10),
                new byte[] {1, 2, 3, 4});

          // Use certificate to connect to Azure IOT HUB
        }

edit:本例中的指定端点是 Azure IoT 中心。错误信息是:

Amqp异常: {“errorCode”:401002,“trackingId”:“e930cb7c-d1a5-4ad0-bb5d-e9b4ee97e8b2”,“消息”:“IotHubUnauthorizedAccess”,“timestampUtc”:“2018-10-12T18:08:23.2328669Z”}

edit:工作证明

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        9E:86:FF:19:70:DB:5D:56:2D:16:48:E3:81:76:66:FD:17:C8:82:9A
    X509v3 Authority Key Identifier:
        keyid:E0:31:C5:81:6F:75:6A:AC:9C:F1:B1:B8:72:B7:E3:C6:AB:4C:E9:89
        DirName:/CN=abuscert
        serial:01

    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication

用C#创建的:

X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Time Stamping
            X509v3 Subject Key Identifier:
                00:5E:F2:48:5C:E4:CA:B5:F3:5F:A6:0E:62:7C:FF:61:87:B1:D5:89

None

本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)

c

NET

SSL

NetCore

azureiothub

在 .NET Core 中自动创建私钥、CSR 和最终签名证书的过程 的相关文章

随机推荐

热门标签