使用OpenSSL以编程方式将.PEM证书转换为.PFX [英] Convert a .PEM certificate to .PFX programmatically using OpenSSL

问题描述

我有一个要转换的 .PEM文件到PKCS12文件(PFX)，我知道我可以使用以下openssl命令轻松完成此操作:

I've got a .PEM file that I want to convert to a PKCS12 file (PFX), and I know I can easily accomplish this using the following openssl command:

Create a PKCS#12 file:

 openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"

这很棒，但是我想通过编程方式使用 OpenSSL 调用.不幸的是，OpenSSL的文档并不理想.

Which is great, but I'd like to do this programmatically using OpenSSL calls. Unfortunately, documentation for OpenSSL is less than ideal.

我已经考虑使用其他库来做到这一点:

I've looked into doing this using other libraries:

使用.NET:我可以从PEM文件创建X509Certificate2对象，但这仅获取第一个证书，而忽略PEM文件中的任何中间CA.

Using .NET: I can create a X509Certificate2 object from a PEM file, but this only grabs the first certificate and ignores any intermediate CA's in the PEM file.

使用 Mentalis.org 安全库:我可以从PEM文件创建证书对象，但是看到以下内容在文档中:

Using Mentalis.org Security Library: I can create a Certificate object from a PEM file, but I see the following in the documentation:

备注 此实现仅读取 PEM文件中的证书.确实 不从 证书文件(如果存在).

Remarks This implementation only reads certificates from PEM files. It does not read the private key from the certificate file, if one is present.

所以，这对我没有帮助.我也需要那个私钥.

So, that doesn't help me. I need that private key too.

我基本上需要重新创建OpenSSL命令行工具操作才能使用PEM> PFX，但是要使用代码.

I basically need to recreate the OpenSSL command line tool operation for going PEM>PFX, but in code.

有更简单的方法吗?

推荐答案

您可以使用 BouncyCastle (假设C# ，因为您提到了.NET).

You could use BouncyCastle (assuming C#, because you mentioned .NET).

让我们说localhost.pem在这里既包含证书又包含私钥，类似这样的方法应该起作用:

Let's say localhost.pem here contains both the certificate and the private key, something like this should work:

using System;
using System.Collections;
using System.Linq;
using System.Text;
using System.IO;

using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.Security;

namespace TestApplication
{
    class Program
    {
        static void Main(string[] args)
        {
            StreamReader sr = File.OpenText("localhost.pem");
            IPasswordFinder passwordFinder = new PasswordStore("testtest".ToCharArray());
            PemReader pemReader = new PemReader(sr, passwordFinder);


            Pkcs12Store store = new Pkcs12StoreBuilder().Build();
            X509CertificateEntry[] chain = new X509CertificateEntry[1];
            AsymmetricCipherKeyPair privKey = null;

            object o;
            while ((o = pemReader.ReadObject()) != null)
            {
                if (o is X509Certificate)
                {
                    chain[0] = new X509CertificateEntry((X509Certificate)o);
                }
                else if (o is AsymmetricCipherKeyPair)
                {
                    privKey = (AsymmetricCipherKeyPair)o;
                }
            }

            store.SetKeyEntry("test", new AsymmetricKeyEntry(privKey.Private), chain);
            FileStream p12file = File.Create("localhost.p12");
            store.Save(p12file, "testtest".ToCharArray(), new SecureRandom());
            p12file.Close();
        }
    }

    class PasswordStore : IPasswordFinder
    {
        private char[] password;

        public PasswordStore(
                    char[] password)
        {
            this.password = password;
        }

        public char[] GetPassword()
        {
            return (char[])password.Clone();
        }

    }
}

对于IPasswordFinder，如果您想正确处理证书链，可能会需要一些更细微的东西. 要获得更多高级功能，您可以在 BouncyCastle中找到更多详细信息例子.

You'll probably need something a bit more subtle for the IPasswordFinder and if you want to handle certificate chains correctly. For more advanced features, you may be able to find more details in the BouncyCastle examples.

这篇关于使用OpenSSL以编程方式将.PEM证书转换为.PFX的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！