如何以编程方式创建有效的自签名X509Certificate2，而不是从.NET Core中的文件加载 [英] How to create a valid, self-signed X509Certificate2 programmatically, not loading from file in .NET Core

问题描述

我目前要做的是使用OpenSSL生成PFX文件。这引起了不必要的依赖性，尤其是对于Windows用户。因此，我找到了一些有关如何使用BouncyCastle创建自己的证书的示例，但是该库与.NET Core不兼容（或者我找不到兼容的程序包）。

What I currently do is that I use OpenSSL to generate PFX file. This is causing an unwanted dependency, especially for Windows users. So I found some examples on how to create your own certificate using BouncyCastle, but this library is not .NET Core compatible (or I failed to find the compatible package).

因此，是否可以仅使用.NET核心来创建自己的自签名X509证书，以避免依赖OpenSSL（或任何其他生成外部工具的证书）？

So, is it possible to create your own self signed X509 certificate using just .NET core to avoid dependency on OpenSSL (or any other certificate generating external tool)?

编辑：由某人（编辑？）建议，这样的问题如何使用C＃创建自签名证书？提供了答案。再次令人遗憾的是，这与.NET Core没有任何关系。此处接受的答案以开头。此实现使用certenroll.dll中的CX509CertificateRequestCertificate COM对象（和朋友-MSDN doc）创建一个自签名证书请求并对其进行签名，即显然不是.NET Core ...实际上，没有答案与.NET Core兼容。

It was suggested by someone (editor?) that this SO question How to create a self-signed certificate using C#? provides an answer. Sadly again, this has nothing to do with .NET Core. The accepted answer there starts with This implementation uses the CX509CertificateRequestCertificate COM object (and friends - MSDN doc) from certenroll.dll to create a self signed certificate request and sign it, which is obviously NOT .NET Core ... In fact, none of the answers there is .NET Core compatible.

推荐答案

我发现<一个href = https://stackoverflow.com/questions/48196350/generate-and-sign-certificate-request-using-pure-net-framework>另一个SO问题，这使我走上了正轨。证书API已添加到2.0版的.Net Core。我有类似下一个函数的功能，可以创建自签名证书，然后将其导入到 My 存储中以在IIS上使用它们。

I found this other SO question that put me on the right track. Certificates API was added to .Net Core on 2.0 version. I have a function like the next one to create self signed certificates that I later import into My store to use them on IIS.

    private X509Certificate2 buildSelfSignedServerCertificate()
    {
        SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
        sanBuilder.AddIpAddress(IPAddress.Loopback);
        sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
        sanBuilder.AddDnsName("localhost");
        sanBuilder.AddDnsName(Environment.MachineName);

        X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");

        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256,RSASignaturePadding.Pkcs1);

            request.CertificateExtensions.Add(
                new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature , false));


            request.CertificateExtensions.Add(
               new X509EnhancedKeyUsageExtension(
                   new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));

            request.CertificateExtensions.Add(sanBuilder.Build());

            var certificate= request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
            certificate.FriendlyName = CertificateName;

            return new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.MachineKeySet);
        }
    }

如果需要pfx，请使用X509Certificate2上的Export函数应该可以。它返回一个带有原始pfx数据的字节数组。

If you want the pfx, the Export function on X509Certificate2 should do the trick. It returns a byte array with the raw pfx data.

这篇关于如何以编程方式创建有效的自签名X509Certificate2，而不是从.NET Core中的文件加载的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！