导出没有私钥的 X.509 证书 [英] Exporting X.509 certificate WITHOUT private key

问题描述

我认为这很简单，但显然不是.我安装了一个证书，该证书具有一个可导出的私钥，并且我想仅使用公钥以编程方式将其导出.换句话说，当通过 certmgr 导出并导出到 .CER 时，我想要一个等同于选择不导出私钥"的结果.

I thought this would be straightforward but apparently it isn't. I have a certificate installed that has a private key, exportable, and I want to programmatically export it with the public key ONLY. In other words, I want a result equivalent to selecting "Do not export the private key" when exporting through certmgr and exporting to .CER.

似乎所有 X509Certificate2.Export 方法都将导出私钥(如果存在)，如 PKCS #12，这与我想要的相反.

It seems that all of the X509Certificate2.Export methods will export the private key if it exists, as PKCS #12, which is the opposite of what I want.

有什么方法可以使用 C# 来完成，还是我需要开始深入研究 CAPICOM?

Is there any way using C# to accomplish this, or do I need to start digging into CAPICOM?

推荐答案

对于其他可能偶然发现此问题的人，我想通了.如果您将 X509ContentType.Cert 指定为 X509Certificate.Export 的第一个(也是唯一一个)参数，它只会导出公钥.另一方面，指定 X509ContentType.Pfx 包括私钥(如果存在).

For anyone else who might have stumbled on this, I figured it out. If you specify X509ContentType.Cert as the first (and only) parameter to X509Certificate.Export, it only exports the public key. On the other hand, specifying X509ContentType.Pfx includes the private key if one exists.

我可以发誓上周我看到了不同的行为，但我在测试时一定已经安装了私钥.今天删除了那个证书，重新开始的时候，发现导出的证书里面没有私钥.

I could have sworn that I was seeing different behaviour last week, but I must have already had the private key installed when I was testing. When I deleted that certificate today and started again from scratch, I saw that there was no private key in the exported cert.

这篇关于导出没有私钥的 X.509 证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！