如何创建防止“服务器模式SSL的X​​509证书必须使用带有关联私钥的证书"，以防止出现这种情况.例外? [英] How to create a X509 certificate that prevents "server mode SSL must use certificate with associated private key" exception?

问题描述

我正在尝试创建一个X.509证书文件，该文件将与 smtp4dev中的以下代码一起使用项目:

I'm trying to create an X.509 certificate file that will work with the following code as found in the smtp4dev project:

var certificate = new X509Certificate(Settings.Default.SSLCertificatePath);
var clientCertificateRequired = false;
var protocols = SslProtocols.Ssl2 | SslProtocols.Ssl3 | SslProtocols.Tls;
var checkRevocation = false;

var stream = new SslStream(stream);
stream.AuthenticateAsServer(certificate, clientCertificateRequired, protocols, checkRevocation);

Settings.Default.SSLCertificatePath指向.cer文件.

无论我尝试什么，都会失败，并显示System.NotSupportedException消息:

Whatever I try, this fails with a System.NotSupportedException with the message:

服务器模式SSL必须使用带有关联私钥的证书.

The server mode SSL must use a certificate with the associated private key.

我使用新建了X509证书-SelfSignedCertificate 在提升的PowerShell会话中的PowerShell CommandLet:

I have created an X509 certificate using the New-SelfSignedCertificate PowerShell CommandLet in an elevated PowerShell session:

New-SelfSignedCertificate `
    -DnsName "localhost" `
    -CertStoreLocation "cert:\CurrentUser\My" `
    -FriendlyName "smtp4dev" `
    -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
    -KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment `
    -Provider "Microsoft RSA SChannel Cryptographic Provider"

我添加了这些选项，以尽可能紧密地镜像已经存储在我的计算机上的证书，该证书是由IIS Express安装程序生成的.因为该特定证书确实有效，尽管我不知道为什么.

I added these options to mirror as closely as possible a certificate that is already stored on my machine, and that was generated by the IIS Express installer. Because that particular certificate does work, although I don't know why.

两个证书都位于Local Computer > Personal证书存储中.对于这两个证书，证书管理器都提到您具有与此证书相对应的私钥".

Both certificates are located in the Local Computer > Personal certificate store. For both certificates the Certificate Manager mentions that "You have a private key that corresponds to this certificate".

当我比较这两个证书的属性时，smtp4dev证书与IIS Express开发证书在以下3种方面不同(除指纹和序列号之外):

When I compare the properties of these 2 certificates, the smtp4dev certificate differs from the IIS Express Development Certificate in the following 3 ways (besides the Thumbprint and Serial number):

• 密钥用法被标记为关键扩展名
• 带有值DNS Name=localhost
的主题备用名称扩展
• 带有值e7 12 f5 ...
的主题密钥标识符扩展

• Key Usage is marked as a critical extension
• Subject Alternative Name extension with value DNS Name=localhost
• Subject Key Identifier extension with value e7 12 f5 ...

我使用证书管理器将两个证书(不带私钥)导出到我的桌面，作为"Base-64编码的x.509(.CER)"文件. (包括私钥会将导出格式限制为smtp4dev不支持的PKCS#12(.PFX).)

I exported both certificates to my desktop without the private key as "Base-64 encoded x.509 (.CER)" files using the Certificate Manager. (Including the private key would limit the export format to PKCS #12 (.PFX) which is not supported by smtp4dev.)

以这种方式导出证书后，当我双击它们时，都没有显示有关拥有私钥的消息.

After exporting the certificates this way, when I double-click them, neither shows the message about having the private key.

只有IIS Express开发证书可以在此问题开头显示的代码中使用. smtp4dev不会.

Only the IIS Express Development Certificate works in the code shown at the beginning of this question. The smtp4dev one does not.

我尝试过的其他事情:

1. 我经常遇到使用makecert的教程，但是我没有该程序.

1. I often come across tutorials that use makecert, but I don't have that program.

我尝试使用由openssl生成的自签名证书，并且仅将Common Name设置为localhost，但是我遇到了相同的异常(服务器模式SSL必须使用带有关联证书的证书私钥").

I have tried using a self-signed certificate generated by openssl and only setting the Common Name to localhost but I get the same exception ("The server mode SSL must use a certificate with the associated private key").

更改代码以使用X509Certificate2并不是一种选择，因为要应用该补丁再获得另一个smtp4dev版本会很耗时，因为该项目似乎没有得到积极开发.

Changing the code to use X509Certificate2 is not an option, as it would be time-consuming to get another release of smtp4dev with the patch applied, since the project seems not to be actively developed.

实际上可以尝试使用其他证书文件格式(例如PFX)，只要将文件重命名为.cer，就可以欺骗smtp4dev使用证书.这使我可以在证书中包含私钥.它适用于IIS Express开发证书的导出，但不适用于smtp4dev证书的导出.

Trying a different certificate file format (such as PFX) is actually possible, as long as I rename the file to .cer I can trick smtp4dev into using the certificate. This allows me to include the private key in the certificate. It works with an export of the IIS Express Development Certificate, but it doesn't work with an export of the smtp4dev certificate.

推荐答案

仅想到一件事:密钥提供程序兼容性.似乎SslStream不支持CNG KSP(密钥存储提供程序)，这是New-SelfSignedCertificate` cmdlet的默认密钥提供程序类型.

Only one thing comes to mind: key provider compatibility. It appears that SslStream do not support CNG KSP (Key Storage Provider) which is default key provider type for New-SelfSignedCertificate` cmdlet.

我建议在PowerShell调用中明确指定任何旧提供程序:

I would suggest to explicitly specify any of legacy providers in the PowerShell call:

New-SelfSignedCertificate `
    -DnsName "localhost" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -FriendlyName "smtp4dev" `
    -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
    -KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment `
    -Provider "Microsoft RSA SChannel Cryptographic Provider"

这篇关于如何创建防止“服务器模式SSL的X​​509证书必须使用带有关联私钥的证书"，以防止出现这种情况.例外?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！