如何以编程方式创建有效的自签名 X509Certificate2，而不是从 .NET Core 中的文件加载 [英] How to create a valid, self-signed X509Certificate2 programmatically, not loading from file in .NET Core

问题描述

我目前做的是使用 OpenSSL 生成 PFX 文件.这会导致不必要的依赖，尤其是对于 Windows 用户.所以我找到了一些关于如何使用 BouncyCastle 创建自己的证书的示例，但该库与 .NET Core 不兼容(或者我找不到兼容的包).

What I currently do is that I use OpenSSL to generate PFX file. This is causing an unwanted dependency, especially for Windows users. So I found some examples on how to create your own certificate using BouncyCastle, but this library is not .NET Core compatible (or I failed to find the compatible package).

那么，是否可以仅使用 .NET 核心创建您自己的自签名 X509 证书以避免依赖 OpenSSL(或任何其他生成证书的外部工具)?

So, is it possible to create your own self signed X509 certificate using just .NET core to avoid dependency on OpenSSL (or any other certificate generating external tool)?

有人(编辑?)建议这个 SO 问题 如何使用 C# 创建自签名证书? 提供了答案.再次遗憾的是，这与 .NET Core 无关.那里接受的答案以 此实现使用 certenroll.dll 中的 CX509CertificateRequestCertificate COM 对象(和朋友 - MSDN 文档)来创建自签名证书请求并对其进行签名，这显然不是 .NET Core ... 事实上，没有一个答案与 .NET Core 兼容.

It was suggested by someone (editor?) that this SO question How to create a self-signed certificate using C#? provides an answer. Sadly again, this has nothing to do with .NET Core. The accepted answer there starts with This implementation uses the CX509CertificateRequestCertificate COM object (and friends - MSDN doc) from certenroll.dll to create a self signed certificate request and sign it, which is obviously NOT .NET Core ... In fact, none of the answers there is .NET Core compatible.

推荐答案

我发现 这个其他 SO 问题 让我走上了正轨.证书 API 已添加到 2.0 版本的 .Net Core.我有一个类似于下一个的功能来创建自签名证书，然后我将其导入 My 商店以在 IIS 上使用它们.

I found this other SO question that put me on the right track. Certificates API was added to .Net Core on 2.0 version. I have a function like the next one to create self signed certificates that I later import into My store to use them on IIS.

    private X509Certificate2 buildSelfSignedServerCertificate()
    {
        SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
        sanBuilder.AddIpAddress(IPAddress.Loopback);
        sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
        sanBuilder.AddDnsName("localhost");
        sanBuilder.AddDnsName(Environment.MachineName);

        X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");

        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256,RSASignaturePadding.Pkcs1);

            request.CertificateExtensions.Add(
                new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature , false));


            request.CertificateExtensions.Add(
               new X509EnhancedKeyUsageExtension(
                   new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));

            request.CertificateExtensions.Add(sanBuilder.Build());

            var certificate= request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
            certificate.FriendlyName = CertificateName;

            return new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.MachineKeySet);
        }
    }

如果您想要 pfx，X509Certificate2 上的导出功能应该可以解决问题.它返回一个包含原始 pfx 数据的字节数组.

If you want the pfx, the Export function on X509Certificate2 should do the trick. It returns a byte array with the raw pfx data.

这篇关于如何以编程方式创建有效的自签名 X509Certificate2，而不是从 .NET Core 中的文件加载的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！