X509Certificate2 ctor with cer file


Question

I'm facing an issue with 2-way SSL configuration in .NET. Somehow, when I create an X509Certificate2 object using a .cer file and a password in the constructor, the password is ignored (I gave a wrong password and it worked - the response was successfully returned). On the other hand, when I use a .p12 file the behavior is as expected (a wrong password causes an unsuccessful result).

Any ideas?

Thanks.

Recommended answer

The .cer file contains (it is the common case) only the X509 certificate in an unencrypted form. In that case, no password is required to decode the certificate. I suppose the X509Certificate2 constructor tries to determine the encoding format of the Byte[] parameter and ignores the password parameter when it is not required. And it is more than likely that, after being created, the PrivateKey property of the object is null.

When loading a .cer file you should use the constructor which takes only 1 Byte[] parameter. The documentation of that constructor clearly specifies the supported data formats:

This constructor creates a new X509Certificate2 object using certificate information from a byte array. The byte array can be binary (DER) encoded or Base64-encoded X.509 data. The byte array can also be a PKCS7 (Authenticode) signed file; the signer certificate is used to create the object.

The PKCS#12 format (.p12 or .pfx file) is a container format for certificates and private keys. In that case the password is required to decrypt the encrypted private key. Actually the behaviour with a PKCS#12 file is specified in the X509Certificate2 constructor documentation:

This constructor is used with PKCS12 (PFX) files that contain the certificate's private key. Calling this constructor with the correct password decrypts the private key and saves it to a key container.
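
The difference described in the answer, as an added example (not code from the original answer): it builds a throwaway self-signed certificate in memory, shows the password being ignored for .cer bytes, and then uses a helper that accepts only a PKCS#12 container holding a private key. It assumes .NET 6 or later; `Describe`, `LoadClientCertificate`, the subject name and the passwords are hypothetical names and constructed values.

```csharp
// Added example. Assumes .NET 6+; all certificate data is constructed in memory.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed sample input: the same certificate as .cer (DER) and as .p12 bytes.
using var rsa = RSA.Create(2048);
var req = new CertificateRequest("CN=constructed-example", rsa,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using var original = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
byte[] cerBytes = original.Export(X509ContentType.Cert);
byte[] p12Bytes = original.Export(X509ContentType.Pfx, "correct-password");

// The behaviour from the question: a bare certificate has nothing to decrypt.
using var fromCer = new X509Certificate2(cerBytes, "wrong-password");
Console.WriteLine($"cer via (byte[], password) ctor: HasPrivateKey={fromCer.HasPrivateKey}");
Console.WriteLine(Describe("cer + wrong password", cerBytes, "wrong-password"));
Console.WriteLine(Describe("p12 + wrong password", p12Bytes, "wrong-password"));
Console.WriteLine(Describe("p12 + right password", p12Bytes, "correct-password"));

// Hypothetical helper: reports the detected format and whether loading succeeded.
static string Describe(string label, byte[] data, string password)
{
    X509ContentType type = X509Certificate2.GetCertContentType(data);
    try
    {
        using var cert = LoadClientCertificate(data, password);
        return $"{label}: {type}, HasPrivateKey={cert.HasPrivateKey}";
    }
    catch (Exception ex) when (ex is CryptographicException or InvalidOperationException)
    {
        return $"{label}: {type}, rejected ({ex.GetType().Name})";
    }
}

// Hypothetical helper: accept only input that carries a usable private key.
static X509Certificate2 LoadClientCertificate(byte[] data, string password)
{
    // Fail on anything that is not PKCS#12 instead of letting the
    // password argument be silently ignored.
    if (X509Certificate2.GetCertContentType(data) != X509ContentType.Pfx)
        throw new InvalidOperationException("Not a PKCS#12 container: no private key to load.");
    var cert = new X509Certificate2(data, password); // a wrong password throws CryptographicException
    if (cert.HasPrivateKey) return cert;
    cert.Dispose();
    throw new InvalidOperationException("PKCS#12 container holds no private key.");
}
```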
