我怎样才能创建一个测试签名证书？ [英] How can I create a test signing certificate?

问题描述

我试图按照<一个href="http://devproconnections.com/development/generate-saml-tokens-using-windows-identity-foundation"相对=nofollow>这些说明创建使用WIF一个SAML2令牌。

I'm trying to follow these instructions to create a SAML2 token using WIF.

本说明书说

要提供签字凭据到SecurityTokenDescriptor，你必须   首先得到一个参考签名证书作为   X509Certificate2实例。从此，你可以创建一个   SecurityKeyIdentifier并产生SigningCredentials实例

To supply signing credentials to the SecurityTokenDescriptor, you must first get a reference to the signing certificate as an X509Certificate2 instance. From this you can create a SecurityKeyIdentifier and produce a SigningCredentials instance

下面code提供：

X509Certificate2 signingCert = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=busta-rpsts.com ");
SecurityKeyIdentifier ski = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { new     X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>() });
X509SigningCredentials signingCreds = new X509SigningCredentials(signingCert, ski);
descriptor.SigningCredentials = signingCreds;

我试着用做一个测试证书的 makecert 的，其中包括一个主题密钥标识符，但是当我运行任何证书，我通过上面的code使我得到了以下的 System.NotSupportedException 的：

I've tried making a test certificate using makecert that includes a subject key identifier, but when I run any certificate that I make through the above code I get the following System.NotSupportedException:

X509SecurityToken'不支持'X509SubjectKeyIdentifierClause   创作。

'X509SecurityToken' does not support 'X509SubjectKeyIdentifierClause' creation.

此调用这一行的时候发生：

This occurs when calling this line:

new X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>()

现在我知道了指示说...

Now I know the instructions say...

注：与makecert.exe创建的证书不包括主题   密钥标识符，因此不能以这种方式被使用。你应该   生产与Windows Server证书或购买一个证书   从Verisign或等效提供商

Note: Certificates created with makecert.exe do not include a subject key identifier and thus cannot be used in this manner. You should produce certificates with Windows Server or purchase a certificate from Verisign or an equivalent provider.

......但是我已经使用的参数的 -eku 2.5.29.14 的，我希望能够解决这个问题，我认为这个图片显示，我已经做到了吗？

...however I've used the argument -eku 2.5.29.14, which I hoped would resolve the issue, and I think this image shows that I've done it right?

谁能给我如何我可以创造，我可以用得到这个code工作，或点我在正确的方向上的测试证书的说明？我也不知道他们的意思是你应该出示证件与Windows Server。这是否意味着一个创建CSR？

Can anyone give me instructions on how I can create a test certificate that I can use to get this code working, or point me in the right direction? I'm also not sure what they mean by "You should produce certificates with Windows Server." Does it mean a creating a CSR?

在此先感谢：）

推荐答案

恕我直言，这将是最好的，以模拟真实的场景，以便使CA将颁发用于SAML令牌生成证书。您将了解到更多关于PKI和证书，解决了开发时间问题，而不是生产时间。但在技术上它是不需要做这种方式

IMHO it would be best to simulate real world scenario so make a CA that will issue the certificate used for SAML token generation. You will learn more about PKI and certificates, solve problems in development time, not production time. But technically it is not required to do it this way.

那么，什么需要做的：

1. 在下载 XCA
2. 在XCA使CA证书（已先后CA模板，所以只用它）。指南可以发现这里
3. 发行的CA.下最终实体证书指南可以发现这里
4. 导出CA证书（不包括私钥）到一个文件
在LOCALMACHINE
5. 导入CA证书受信任的根存储（使用mmc->文件 - >添加snapin->证书─>计算机帐户）
6. 与私钥（PKCS＃12格式）出口下颁发的最终实体证书。
7. 导入终端实体证书到个人存储区中LOCALMACHINE（使用mmc->文件 - >添加snapin->证书─>计算机帐户）
8. 生成CRL。指南可以发现这里
9. 在发行最终实体证书时请将CRL在你摆正位置，或将其放置在受信任的根存储在LOCALMACHINE
10. 然后 X509Certificate2 signingCert = CertificateUtil.GetCertificate（StoreName.My，StoreLocation.LocalMachine，CN = busta-rpsts.com）; 将工作...可能。如果没有，你将不得不修改，以便您的帐户可以使用来自本地计算机的个人存储的私钥私钥权利（再次MMC）。

1. Download XCA
2. In XCA make a CA certificate (it has already CA template so just use it). Guide can be found here
3. Issue an end-entity certificate under the CA. Guide can be found here
4. Export CA certificate (without private key) to a file
5. Import CA certificate to Trusted Root Store in LocalMachine (use mmc->File->add snapin->certificates->computer account)
6. Export issued end-entity certificate with private key (PKCS#12 format).
7. Import end-entity certificate into Personal store in LocalMachine (use mmc->File->add snapin->certificates->computer account)
8. Generate CRL. Guide can be found here
9. Place the CRL at the location that you put when issuing end-entity certificate or place it in Trusted Root Store in LocalMachine
10. Then X509Certificate2 signingCert = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=busta-rpsts.com "); will work ... probably. If not, you will have to modify private key rights (mmc again) so that you account can use private key from local machine personal store.

这篇关于我怎样才能创建一个测试签名证书？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！