如何使用C#创建自签名证书? [英] How can I create a self-signed certificate using C#?
问题描述
我需要使用C#创建一个自签名证书(用于本地加密-它不用于保护通信)。
I need to create a self-signed certificate (for local encryption - it's not used to secure communications), using C#.
我已经看到一些使用 P /调用,并带有 Crypt32.dll ,但是它们很复杂,很难更新参数-而且我还想避免P / Invoke。
I've seen some implementations that use P/Invoke with Crypt32.dll, but they are complicated and it's hard to update the parameters - and I would also like to avoid P/Invoke if at all possible.
我不需要跨平台的东西-仅在Windows上运行就足够了。
I don't need something that is cross platform - running only on Windows is good enough for me.
理想情况下,结果是一个X509Certificate2对象,可用于插入Windows证书存储区或将其导出到 PFX 一个文件。
Ideally, the result would be an X509Certificate2 object that I can use to insert into the Windows certificate store or export to a PFX file.
推荐答案
此实现使用 CX509CertificateRequestCertificate
COM对象(和朋友- certenroll.dll 中的a377124%28v = vs.85%29.aspx rel = noreferrer> MSDN文档)创建自签名证书请求,签字。
This implementation uses the CX509CertificateRequestCertificate
COM object (and friends - MSDN doc) from certenroll.dll
to create a self signed certificate request and sign it.
下面的示例非常简单(如果您忽略了这里发生的COM内容),并且其中的一些代码确实是可选的(
The example below is pretty straight forward (if you ignore the bits of COM stuff that goes on here) and there are a few parts of the code that are really optional (such as EKU) which are none-the-less useful and easy to adapt to your use.
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = DateTime.Now;
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable
);
}
可以使用将结果添加到证书存储中X509Store
或使用 X509Certificate2
方法导出。
The result can be added to a certificate store using X509Store
or exported using the X509Certificate2
methods.
用于完全托管且不受限制的到Microsoft平台上,如果您对Mono的许可没有问题,则可以查看 X509CertificateBuilder 来自 Mono.Security 。 Mono.Security是Mono的独立产品,它不需要Mono的其余部分即可运行,并且可以在任何兼容的.Net环境(例如Microsoft的实现)中使用。
For a fully managed and not tied to Microsoft's platform, and if you're OK with Mono's licensing, then you can look at X509CertificateBuilder from Mono.Security. Mono.Security is standalone from Mono, in that it doesn't need the rest of Mono to run and can be used in any compliant .Net environment (e.g. Microsoft's implementation).
这篇关于如何使用C#创建自签名证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!