SSLStream example - how do I get certificates that work?


Question

I'm using the SSLStream example from msdn here. The client code "seems" to work fine, as I can connect to google and it at least gets past authentication, but the server doesn't.

From the comments on the msdn page, I used the procedure on this page to generate my own private key, but it just doesn't work. I get an exception of System.NotSupportedException: The server mode SSL must use a certificate with the associated private key. So I'm pretty sure whatever I'm doing is wrong.

So my question is simple: how do I get/generate keys that will work for my own little example program from msdn? It can be self-signed, whatever, but I'm too new to SSL to even know what exactly I need. All I want to do is to run the example as given, except for specifying my own certificates for my local server. And it'd be great to know what I'd have to install on my 2nd machine if I just want to communicate between the two of them too (so it's not a 100% localhost example).

Personally I see this as a flaw in the example document. It should say "to run this, you need to do A, B, C, etc.," but it doesn't.

Answer

You can get the example to work even with self-signed certificates. I've extracted the commands from the makecert tutorial that you're using, with minor modifications:

makecert -sv RootCATest.pvk -r -n "CN=FakeServerName" RootCATest.cer
makecert -ic RootCATest.cer -iv RootCATest.pvk -n "CN=FakeServerName" -sv  TempCert.pvk -pe -sky exchange TempCert.cer
cert2spc TempCert.cer TempCert.spc
pvkimprt -pfx TempCert.spc TempCert.pvk

makecert and cert2spc can be found in your Microsoft SDKs\Windows\v7.0A\Bin folder. The pvkimprt.exe installer can be downloaded here (provided by @Jospeph and VirusTotal verified). This used to be downloadable from the Microsoft site, but they have since taken it down. Alternatively, @Dweeberly pointed us to a new Microsoft-provided replacement, pvk2pfx.

For the next step, make sure that you elect to export the private key when pvkimprt's dialog appears:

pvkimprt -pfx TempCert.spc TempCert.pvk

pvkimprt will prompt you for a password when you elect to include the private key. You will need to provide this password later when you import the generated .pfx file into the Personal store of your server machine.

Next, import RootCATest.cer into your Computer store's Trusted Root Certification Authorities (on both the server and the client). Notice that the certificate is issued to FakeServerName. This must match the server name that the SslTcpClient expects: sslStream.AuthenticateAsClient(serverName), where serverName is the value of the second argument passed to SslTcpClient.exe.

When your client connects, the server presents a certificate that tells the client "I'm FakeServerName". The client will accept this claim if the client machine trusts the CA that issued the certificate, which is achieved by importing RootCATest.cer into the client's Trusted Root Certification Authorities.

Finally, you need to import the private key that the server is going to use into the server machine's Personal store. This step is important because it addresses "The server mode SSL must use a certificate with the associated private key." This is achieved by importing the .pfx file that you generated earlier. Make sure that you change the file type filter to "all files" so that you can see the .pfx file that you generated:

The sample code provided by MSDN uses port 443 (which is the standard SSL port). Since I created console applications, I changed the port used by the sample classes to 8080:

SslTcpServer:

TcpListener listener = new TcpListener(IPAddress.Any, 8080);

SslTcpClient:

TcpClient client = new TcpClient(machineName, 8080);

The output looks like this (the screenshot is not reproduced here):

You would launch your server like this:

SslTcpServer.exe TempCert.cer 

From the client, you would connect like this:

SslTcpClient.exe <ip to your server> FakeServerName
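As an added example (this is neither the MSDN sample's code nor part of the answer above), the snippet below shows the two checks that explain the error in the question. The MSDN sample loads the certificate with X509Certificate.CreateFromCertFile, which reads a .cer that carries no private key; on .NET Framework, SslStream then looks in the Personal stores for a matching certificate that does have the key, which is why importing the .pfx there is the step that makes the sample work. Loading the .pfx directly and testing HasPrivateKey reports the problem before AuthenticateAsServer throws, and a client callback that prints the SslPolicyErrors shows whether the failure is an untrusted root or a name mismatch against the CN of FakeServerName. The file paths, the password, the class and method names are assumptions made for this example.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the MSDN sample or the answer; all paths and names are placeholders.
static class SslServerCertCheck
{
    // Loads the .pfx produced by pvkimprt/pvk2pfx and verifies that the private
    // key came with it, which is exactly what AuthenticateAsServer requires.
    public static X509Certificate2 LoadServerCertificate(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                pfxPath + " has no private key; export it again with the private key included.");
        return cert;
    }

    // Alternative: pick the certificate out of the machine's Personal store
    // after importing the .pfx there (the store the answer tells you to use).
    public static X509Certificate2 FindInPersonalStore(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, because a self-signed test chain may not validate here
            var matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            foreach (X509Certificate2 c in matches)
                if (c.HasPrivateKey)
                    return c;
        }
        finally
        {
            store.Close();
        }
        throw new InvalidOperationException(
            "No certificate for " + subjectName + " with a private key in LocalMachine\\My.");
    }

    // Client-side callback that reports *why* validation failed instead of
    // silently accepting. RemoteCertificateNameMismatch means the second
    // argument to SslTcpClient.exe did not equal the certificate's CN;
    // RemoteCertificateChainErrors usually means RootCATest.cer is not in the
    // client's Trusted Root Certification Authorities.
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  chain: {0} ({1})", status.Status, status.StatusInformation.Trim());

        return false; // never accept an untrusted or misnamed certificate
    }
}
```

In the sample's SslTcpServer, the line `serverCertificate = X509Certificate.CreateFromCertFile(certificate);` can be replaced with `serverCertificate = SslServerCertCheck.LoadServerCertificate(@"C:\path\to\TempCert.pfx", "PLACEHOLDER_PASSWORD");` (or `SslServerCertCheck.FindInPersonalStore("FakeServerName")` once the .pfx is in the store); in SslTcpClient, pass `new RemoteCertificateValidationCallback(SslServerCertCheck.ValidateServerCertificate)` to the SslStream constructor. Keeping the callback strict matters: returning true on any error is the shortcut that turns a test setup into a client that accepts any certificate.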
