X509Certificate2 ctor with cer file
Problem description
I'm facing an issue with 2-way SSL configuration in .Net. Somehow, when I create an X509Certificate2 object using a .cer file and a password in the constructor, the password is ignored (I gave a wrong password and it worked - the response was successfully returned). On the other hand, when I use a .p12 file the behavior is as expected (a wrong password causes an unsuccessful result).
Any ideas?
Thanks.
Recommended answer
The .cer file contains (it is the common case) only the X509 certificate in an unencrypted form. In that case, no password is required to decode the certificate. I suppose the X509Certificate2 constructor tries to determine the encoding format of the Byte[] parameter and ignores the password parameter when it is not required. And it is more than likely that, after being created, the PrivateKey property of the object is null.
When loading a .cer file you should use the constructor which takes only 1 Byte[] parameter. The documentation of that constructor clearly specifies the supported data formats:
This constructor creates a new X509Certificate2 object using certificate information from a byte array. The byte array can be binary (DER) encoded or Base64-encoded X.509 data. The byte array can also be a PKCS7 (Authenticode) signed file; the signer certificate is used to create the object.
The PKCS#12 format (.p12 or .pfx file) is a container format for certificates and private keys. In that case the password is required to decrypt the encrypted private key. Actually, the behaviour with a PKCS#12 file is specified in the X509Certificate2 constructor documentation:
This constructor is used with PKCS12 (PFX) files that contain the certificate's private key. Calling this constructor with the correct password decrypts the private key and saves it to a key container.
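The behaviour described in the question and answer, reproduced as an added example (not code from the original post). The self-signed certificate is constructed sample input, and `LoadClientCertificate` is a hypothetical helper that refuses input carrying no private key instead of silently ignoring the password.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertLoadDemo
{
    // Hypothetical helper (an assumption, not a .NET API): load a client
    // certificate for 2-way SSL and reject anything that is not PKCS#12.
    static X509Certificate2 LoadClientCertificate(byte[] data, string password)
    {
        X509ContentType type = X509Certificate2.GetCertContentType(data);
        if (type != X509ContentType.Pfx)
            throw new InvalidOperationException($"Expected PKCS#12 but got {type}; the password would be ignored.");
        var cert = new X509Certificate2(data, password); // throws on a wrong password
        if (!cert.HasPrivateKey)
        {
            cert.Dispose();
            throw new InvalidOperationException("PKCS#12 input contains no private key.");
        }
        return cert;
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate.
        using RSA rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=constructed-example", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 original = request.CreateSelfSigned(
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        byte[] cer = original.Export(X509ContentType.Cert);           // content of a .cer
        byte[] p12 = original.Export(X509ContentType.Pfx, "correct"); // content of a .p12

        // .cer with a wrong password: nothing is encrypted, so the load succeeds.
        using var fromCer = new X509Certificate2(cer, "wrong");
        Console.WriteLine($".cer + wrong password: loaded, HasPrivateKey={fromCer.HasPrivateKey}");

        // .p12 with a wrong password: the private key cannot be decrypted.
        try { new X509Certificate2(p12, "wrong"); }
        catch (CryptographicException) { Console.WriteLine(".p12 + wrong password: rejected"); }

        // The guard turns the silent .cer case into an explicit failure.
        try { LoadClientCertificate(cer, "wrong"); }
        catch (InvalidOperationException e) { Console.WriteLine("guard: " + e.Message); }

        using X509Certificate2 ok = LoadClientCertificate(p12, "correct");
        Console.WriteLine($".p12 + correct password: HasPrivateKey={ok.HasPrivateKey}");
    }
}
```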