Some questions about applying for a new certificate from my own Certification Authority


Question

Hi all,

I have some questions about applying for a new certificate from my own CA.

1. Where can I find the certificate templates?

I use "User" here, but actually I can't find it anywhere; I just tried and tried and tried and finally got it.....

2. How can I change the template?

I want the hash algorithm to be "SHA256", but it is always "SHA512" even though my setting is "SHA256". I think it is because of the template.

I found this: "Create a new certificate template"

But I can't find the "Certificate Templates" snap-in in MMC (all of "Active Directory Certificate Services" is installed via Server Manager - Add roles and features).

3. Can the "Issued To" be kept from changing to "Administrator"?

The original "Issued To" and "Issued By" are what I set up, but they changed after I did "DownloadAndInstallCert" (code below).

So I can only recognize them by the "Friendly Name".

Here is my code:

using System;
using CERTCLIENTLib;   // CCertRequest (certcli.dll COM interop)
using CERTENROLLLib;   // CX509Enrollment, CX509PrivateKey, CX509CertificateRequestPkcs10, ... (certenroll.dll COM interop)

class Program
{
    // certcli.h constants that the COM interop does not expose; needed by Submit/GetCertificate.
    const int CR_IN_BASE64 = 0x1;
    const int CR_IN_FORMATANY = 0x0;
    const int CR_OUT_BASE64 = 0x1;
    const int CR_OUT_CHAIN = 0x100;
    const int CR_DISP_ISSUED = 3;
    const int CR_DISP_UNDER_SUBMISSION = 5;

    static void Main(string[] args)
    {
    START:
        string sRequest = "";
        Console.WriteLine("Request a new certificate? (y|n)");
        string sYN = Console.ReadLine();
        if (sYN == "y")
        {
            sRequest = CreateCertRequestMessage();
            Console.WriteLine("Request Message:");
            if (sRequest != "")
            {
                var id = SendCertificateRequest(sRequest);
                Console.WriteLine("Request ID: " + id.ToString());
            }
        }

        if (sRequest != "" || sYN == "n")
        {
            Console.WriteLine("Download & install certificate? (y|n)");
            if (Console.ReadLine() == "y")
            {
                Console.WriteLine("Request ID:");
                var id = int.Parse(Console.ReadLine());
                Console.WriteLine("Friendly Name:");
                string sFriendlyName = Console.ReadLine();
                DownloadAndInstallCert(id, sFriendlyName);
            }
        }

        Console.WriteLine("Finish (y|n)?");
        if (Console.ReadLine() == "n")
            goto START;
    }

    // Builds a PKCS#10 request (base64) with a freshly generated machine-context RSA key.
    private static string CreateCertRequestMessage()
    {
        string sRequest = "";
        try
        {
            Console.WriteLine("CA Name?");
            string sCAName = Console.ReadLine();
            Console.WriteLine("Key Size? (Default: 4096)");
            int nKeySize = 4096;
            if (Console.ReadLine() == "2048") nKeySize = 2048;
            X509KeySpec keySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
            Console.WriteLine("Key Spec? 1: KEYEXCHANGE; 2: SIGNATURE. Default: 1");
            if (Console.ReadLine() == "2")
                keySpec = X509KeySpec.XCN_AT_SIGNATURE;
            var objCSPs = new CCspInformations();
            objCSPs.AddAvailableCsps();

            var objPrivateKey = new CX509PrivateKey();
            objPrivateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
            objPrivateKey.Length = nKeySize;
            objPrivateKey.KeySpec = keySpec;
            objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
            objPrivateKey.MachineContext = true;
            objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
            objPrivateKey.CspInformations = objCSPs;
            objPrivateKey.ProviderType = X509ProviderType.XCN_PROV_RSA_AES;
            objPrivateKey.Create();

            // Hash algorithm used to sign the PKCS#10 request itself.
            var hashobj = new CObjectId();
            hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
                                                ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
                                                AlgorithmFlags.AlgorithmFlagsNone,
                                                "SHA256");

            var objDN = new CX500DistinguishedName();
            var subjectName = "CN = " + sCAName;
            objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // Third argument is the certificate template name requested from the CA.
            var objPkcs10 = new CX509CertificateRequestPkcs10();
            objPkcs10.InitializeFromPrivateKey(
                 X509CertificateEnrollmentContext.ContextMachine,
                 objPrivateKey,
                 "User");
            objPkcs10.HashAlgorithm = hashobj; // Specify the hashing algorithm
            objPkcs10.Subject = objDN;

            var objEnroll = new CX509Enrollment();
            objEnroll.InitializeFromRequest(objPkcs10);
            sRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }

        return sRequest;
    }

    // Submits the request to the CA and returns the CA's request ID (-1 on exception).
    private static int SendCertificateRequest(string sRequest)
    {
        try
        {
            var objCertRequest = new CCertRequest();
            var iDisposition = objCertRequest.Submit(
                     CR_IN_BASE64 | CR_IN_FORMATANY,
                     sRequest,
                     string.Empty,
                     @"192.168.222.138\TEST-CA");

            switch (iDisposition)
            {
                case CR_DISP_ISSUED:
                    Console.WriteLine("The certificate had been issued.");
                    break;
                case CR_DISP_UNDER_SUBMISSION:
                    Console.WriteLine("The certificate is still pending.");
                    break;
                default:
                    Console.WriteLine("Request return No.: " + iDisposition);
                    Console.WriteLine("The submission failed: " + objCertRequest.GetDispositionMessage());
                    Console.WriteLine("Last status: " + objCertRequest.GetLastStatus().ToString());
                    break;
            }
            return objCertRequest.GetRequestId();
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
        return -1;
    }

    // Retrieves an issued certificate by request ID and installs it into the machine store.
    private static void DownloadAndInstallCert(int nRequestId, string sFriendlyName)
    {
        try
        {
            var objCertRequest = new CCertRequest();
            var iDisposition = objCertRequest.RetrievePending(nRequestId, @"192.168.222.138\TEST-CA");

            if (iDisposition == CR_DISP_ISSUED)
            {
                var cert = objCertRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN);
                var objEnroll = new CX509Enrollment();
                objEnroll.Initialize(X509CertificateEnrollmentContext.ContextMachine);
                objEnroll.CertificateFriendlyName = sFriendlyName;
                objEnroll.InstallResponse(
                     InstallResponseRestrictionFlags.AllowUntrustedRoot,
                     cert,
                     EncodingType.XCN_CRYPT_STRING_BASE64,
                     "");

                Console.WriteLine("The certificate had been installed successfully.");
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine("Error: ");
            Console.WriteLine(ex.Message);
        }
    }
}

I know I can use the self-signed approach, but I am just wondering whether it is possible to do it this way.

My environment is:

Microsoft Visual Studio C#

Windows Server 2012 R2 (x64) in a virtual machine

Thanks!
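An added PowerShell check (not part of the original post) for the three questions above: it lists the templates the CA offers, shows the CA's own signing-hash setting, and prints the Subject, Issuer, signature algorithm and template of the installed certificate. It assumes the CA config string from the code and a placeholder friendly name; it relies on two standard AD CS behaviours, that the CA (not the PKCS#10 request) chooses the signature hash of the issued certificate, and that a template whose Subject Name is built from Active Directory replaces the requested Subject with the requester's AD name.

```powershell
# Added example, not from the original post. Values below are taken from the question's code
# or are constructed placeholders.
$CaConfig     = '192.168.222.138\TEST-CA'
$FriendlyName = 'MyTestCert'   # placeholder: the name passed to DownloadAndInstallCert

# Q1: the Certificate Templates snap-in is certtmpl.msc; templates only exist for an
# Enterprise (AD-integrated) CA. This lists the templates the CA is configured to issue.
certutil -config $CaConfig -CATemplates

# Q2: the signature hash of an issued certificate is chosen by the CA's configuration,
# not by objPkcs10.HashAlgorithm (that only signs the request). Run on the CA to inspect:
certutil -getreg ca\csp\CNGHashAlgorithm
# To make the CA sign with SHA256 (on the CA, as an administrator), then restart the service:
#   certutil -setreg ca\csp\CNGHashAlgorithm SHA256
#   Restart-Service certsvc

# Q3: inspect what was actually installed. The built-in "User" template builds the Subject
# from Active Directory, so the CA replaces the requested CN with the requester's name,
# which is why "Issued To" became "Administrator". Check the template the cert carries.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # Template Name / Template Information
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    ForEach-Object {
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            Subject      = $_.Subject                           # shown as "Issued To"
            Issuer       = $_.Issuer                            # shown as "Issued By"
            SignatureAlg = $_.SignatureAlgorithm.FriendlyName   # e.g. sha512RSA vs sha256RSA
            Template     = ($_.Extensions |
                              Where-Object { $templateOids -contains $_.Oid.Value } |
                              ForEach-Object { $_.Format($false) }) -join '; '
        }
    }
```

A template that should keep the Subject supplied in the request needs "Supply in the request" as its Subject Name source, which is set in certtmpl.msc on a duplicated template.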

Recommended answer

Mama,

According to your code, it seems you want to create a certificate request, send the request to the CA, get the response from the CA and install the new certificate.

I suggest you try using the CertEnroll COM component.

# How to create a certificate request with CertEnroll and .NET (C#)

If you run the code with .NET 4.0 on x64 and run into some problems, you can refer to the link below.

# Problems compiling and running code that uses CertEnroll with .NET 4.0 and x64

Best regards

Edward
