使用openSSL生成自签名的RSA-2048-SHA-256证书PFX文件 [英] Generate self signed RSA-2048-SHA-256 certificate PFX file using openSSL
问题描述
我试图创建一个自签名的RSA-2048-SHA-256证书PFX文件,以便将其用于WCF请求中的数据签名.
I am trying to create a self signed RSA-2048-SHA-256 certificate PFX file, in order to use it for data signing in my WCF requests.
我使用了一些openSSL示例来创建证书PFX文件,但是即使将SHA算法设置为256,当我将其加载到.net应用程序中时,也看到该证书的私钥具有以下设置:
I used some openSSL examples in order to create a certificate PFX file, but even though I set the SHA algorithm to 256, when I load it in my .net app, I see that this certificate's private key, has these settings:
KeyExchangeAlgorithm = RSA-PKCS1-KeyEx
SignatureAlgorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1
并且当我使用下面的代码来使用此证书时,我收到无效的算法指定的异常",但是如果将SHA256CryptoServiceProvider更改为SHA1CryptoServiceProvider,一切正常.
and when I use the code below in order to consume this certificate, I am getting "Invalid algorithm specified exception", but if I change the SHA256CryptoServiceProvider to SHA1CryptoServiceProvider everything works fine.
string msg = "This is my test message";
X509Certificate2 privateCert = new X509Certificate2("C:\\TEMP\\private.pfx", "12345");
byte[] signature = (privateCert.PrivateKey as RSACryptoServiceProvider).SignData(new UTF8Encoding().GetBytes(msg), new SHA256CryptoServiceProvider());
我只能假定我的证书文件不是使用SHA256创建的,而是使用某种默认的SHA1算法创建的.
I can only assume that my certificate file was not created with SHA256, but instead with some kind of default SHA1 algorithm.
这些是我用来创建证书的步骤:
Those are the steps I used in order to create my certificate:
-
openssl req -x509 -days 365 -newkey rsa:2048 -sha256 -keyout key.pem -out cert.pem -
openssl pkcs12 -export -in cert.pem -inkey key.pem -out private.pfx
openssl req -x509 -days 365 -newkey rsa:2048 -sha256 -keyout key.pem -out cert.pemopenssl pkcs12 -export -in cert.pem -inkey key.pem -out private.pfx
我在做什么错了?
推荐答案
我在做什么错了?
What am I doing wrong?
相信这两个属性具有含义:).
Believing that those two properties have meaning :).
您看到的两个值是硬-编码为RSACryptoServiceProvider .其他RSA类型(例如RSACng)具有彼此不同,混乱程度较小,硬编码的值.
The two values you're seeing are hard-coded into RSACryptoServiceProvider. Other RSA types (such as RSACng) have different, less confusing, hard-coded values.
问题在于键没有这些属性中的任何一个.密钥可以用于多种用途(尽管NIST建议不要这样做). TLS会话(或EnvelopedCMS文档等)可以具有密钥交换算法.证书,SignedCMS文档或其他此类材料可以具有签名(并因此具有签名算法).
The problem is that a key doesn't have either of those attributes. A key can be used for multiple purposes (though NIST recommends against it). A TLS session (or EnvelopedCMS document, etc) can have a key exchange algorithm. A certificate, SignedCMS document, or other such material can have a signature (and thus a signature algorithm).
要知道您的证书是使用RSA-PKCS1-SHA256签名的,您需要查看
To know that your certificate was signed with RSA-PKCS1-SHA256 you need to look at X509Certificate2.SignatureAlgorithm.
switch (cert.SignatureAlgorithm.Value)
{
case "1.2.840.113549.1.1.4":
return "RSA-PKCS1-MD5";
case "1.2.840.113549.1.1.5";
return "RSA-PKCS1-SHA1";
case "1.2.840.113549.1.1.11";
return "RSA-PKCS1-SHA2-256"; // Winner
case "1.2.840.113549.1.1.12":
return "RSA-PKCS1-SHA2-384";
case "1.2.840.113549.1.1.13":
return "RSA-PKCS1-SHA2-512";
default:
throw new SomethingFromTheFutureOrMaybeNotRSAException();
}
这篇关于使用openSSL生成自签名的RSA-2048-SHA-256证书PFX文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
