使用纯.net Framework生成并签署证书请求 [英] Generate and Sign Certificate Request using pure .net Framework
问题描述
我正在尝试使用纯.net代码创建证书请求,并针对现有的可用CA证书(在Windows证书存储中或作为单独的文件)根据证书请求创建证书。
我知道我可以使用 X509Certificate 和 X509Certificate2 类加载证书并访问其信息,但在$code.System.Security.Cryptography 命名空间中看不到任何可用于创建证书请求或签署这样的证书请求以创建新的签名证书。
尽管有关 System.Security.Cryptography.Pkcs 名称空间的文档说:
System.Security.Cryptography.Pkcs命名空间提供编程
公钥密码标准(PKCS)的元素,包括用于数据签名,交换密钥,请求证书,
公钥加密和解密以及其他安全功能的
方法。
因此,我如何创建证书请求并签署该请求以仅使用<$ c中的纯.net类创建新的X509证书$ c> System.Security.Cryptography ?
注意:
- 我不想使用openssl或MakeCert这样的外部可执行文件
- 我不想使用BouncyCastle
- 我不想使用Windows 证书注册API
- 我不想使用本机Win32 API函数
简短答案:您可以从.NET Framework 4.7.2开始。
此功能最初以 CertificateRequest 类,它可以构建PKCS#10认证签名请求或X.509(自签名或链接)公钥证书。 p>
该功能的类在.NET Framework 4.7.2中可用。
使用(RSA父= RSA.Create(4096))
使用(RSA rsa = RSA.Create(2048))
{
CertificateRequest parentReq = new CertificateRequest(
CN =实验性颁发机构,
父级,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
parentReq.CertificateExtensions.Add(
新的X509BasicConstraintsExtension(true,false,0,true));
parentReq.CertificateExtensions.Add(
新的X509SubjectKeyIdentifierExtension(parentReq.PublicKey,false));
使用(X509Certificate2 parentCert = parentReq.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-45),
DateTimeOffset.UtcNow.AddDays(365)))
{
CertificateRequest req =新的CertificateRequest(
CN =有效时间戳记授权机构,
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(
新的X509BasicConstraintsExtension(false,false,0,false));
req.CertificateExtensions.Add(
新的X509KeyUsageExtension(
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation,
false));
req.CertificateExtensions.Add(
新的X509EnhancedKeyUsageExtension(
新的OidCollection
{
新的Oid( 1.3.6.1.5.5.7.3.8 )
},
true));
req.CertificateExtensions.Add(
新的X509SubjectKeyIdentifierExtension(req.PublicKey,false));
使用(X509Certificate2 cert = req.Create(
parentCert,
DateTimeOffset.UtcNow.AddDays(-1),
DateTimeOffset.UtcNow.AddDays(90),
新字节[] {,1、2、3、4}))
{
//对这些证书进行处理,例如将它们导出到PFX,
//或添加他们到X509Store或其他。
}
}
}
如果您是停留在较旧的版本上:要在不添加任何新P / Invokes的情况下实现目标,您需要阅读并理解以下文档:
- ITU-T X.680 -201508,ASN.1语言
- IETF RFC 5280 或ITU-T X.509 ,这些文件说明了X.509证书中的字段。
- IETF RFC 2986 ,说明了PKCS#10认证签名请求
- ITU-T X.690 ,说明了ASN.1(包括DER)的BER编码家族,它告诉您如何读写字节以实现X.509 / PKCS#的语义10。
然后您可以编写DER编写器/读取器,并根据需要发送字节。
I am trying to use pure .net code to create a certificate request and create a certificate from the certificate request against an existing CA certificate I have available (either in the Windows Certificate store or as a separate file).
I know that I have the classes X509Certificate and X509Certificate2 available to load certificates and get access to their information, but I don't see any classes or functionality within the System.Security.Cryptography namespace that could be used to create a certificate request or to sign such a certificate request to create a new signed certificate.
And that although the documentation on the System.Security.Cryptography.Pkcs namespace says:
The System.Security.Cryptography.Pkcs namespace provides programming elements for Public Key Cryptography Standards (PKCS), including methods for signing data, exchanging keys, requesting certificates, public key encryption and decryption, and other security functions.
So, how can I create a certificate request and sign that request to create a new X509 certificate using only pure .net classes from System.Security.Cryptography?
Note:
- I don't want to use an external executable like openssl or MakeCert
- I don't want to use BouncyCastle
- I don't want to use Windows Certificate Enrollment API
- I don't want to use the native Win32 API functions
Short answer: You can starting in .NET Framework 4.7.2.
This functionality was originally added to .NET Core 2.0 in the form of the CertificateRequest class, which can build a PKCS#10 certification signing request or an X.509 (self-signed or chained) public key certificate.
The classes for that feature were made available in .NET Framework 4.7.2.
using (RSA parent = RSA.Create(4096))
using (RSA rsa = RSA.Create(2048))
{
CertificateRequest parentReq = new CertificateRequest(
"CN=Experimental Issuing Authority",
parent,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
parentReq.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, false, 0, true));
parentReq.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(parentReq.PublicKey, false));
using (X509Certificate2 parentCert = parentReq.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-45),
DateTimeOffset.UtcNow.AddDays(365)))
{
CertificateRequest req = new CertificateRequest(
"CN=Valid-Looking Timestamp Authority",
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, false));
req.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation,
false));
req.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.8")
},
true));
req.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
using (X509Certificate2 cert = req.Create(
parentCert,
DateTimeOffset.UtcNow.AddDays(-1),
DateTimeOffset.UtcNow.AddDays(90),
new byte[] { 1, 2, 3, 4 }))
{
// Do something with these certs, like export them to PFX,
// or add them to an X509Store, or whatever.
}
}
}
Longer answer if you're stuck on older versions: To accomplish your goal without adding any new P/Invokes, you would need to read and understand the following documents:
- ITU-T X.680-201508, the ASN.1 language
- IETF RFC 5280 or ITU-T X.509, the documents that explain the fields in X.509 certificates.
- IETF RFC 2986, explains the PKCS#10 certification signing request
- ITU-T X.690, explains the BER encoding family for ASN.1 (including DER) which tells you how to read and write bytes to achieve the semantic meaning from X.509 / PKCS#10.
And then you could write a DER writer/reader, and just emit the bytes for what you want.
这篇关于使用纯.net Framework生成并签署证书请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
