SSLStream example - how do I get certificates that work?


Question

I'm using the SSLStream example from msdn here. The client code "seems" to work fine, as I can connect to google and it at least gets past authentication, but the server doesn't.

From the comments from the msdn page, I used the procedure on this page (http://www.reliablesoftware.com/DasBlog/PermaLink,guid,6507b2c6-473e-4ddc-9e66-8a161e5df6e9.aspx) to generate my own private key, but it just doesn't work. I get an exception of System.NotSupportedException: The server mode SSL must use a certificate with the associated private key. So I'm pretty sure whatever I'm doing is wrong.

So my question is simple: how do I get/generate keys that will work for my own little example program from msdn? It can be self-signed, whatever, but I'm too new to SSL to even know what exactly I need. All I want to do is to run the example as-given, except for specifying my own certificates for my local server. And it'd be great to know what I'd have to install on my 2nd machine if I just want to communicate between the two of them too (so it's not a 100% localhost example).

Personally I see this as a flaw in the example document. It should say "to run this, you need to do A, B, C, etc," but it doesn't.

Answer

You can get the example to work even with self-signed certificates. I've extracted the commands from the makecert tutorial that you're using with minor modifications:

makecert -sv RootCATest.pvk -r -n "CN=FakeServerName" RootCATest.cer
makecert -ic RootCATest.cer -iv RootCATest.pvk -n "CN=FakeServerName" -sv TempCert.pvk -pe -sky exchange TempCert.cer
cert2spc TempCert.cer TempCert.spc
pvkimprt -pfx TempCert.spc TempCert.pvk

makecert and cert2spc can be found in your Microsoft SDKs\Windows\v7.0A\Bin folder. The pvkImport.exe installer can be downloaded here (download no longer available - see Joseph's answer for open-ssl alternative).

For this step, make sure you choose to export the private key when the pvkimprt dialog appears:

pvkimprt -pfx TempCert.spc TempCert.pvk

pvkimprt will prompt you for a password when you elect to include the private key. You will need to provide this password later when you import the generated .pfx file into the personal store of your server machine.

Next, import RootCATest.cer into your Computer store's Trusted Root Certification Authorities (on both the server and client). Notice that the certificate is issued to FakeServerName. This must match the server name that the SslTcpClient expects: sslStream.AuthenticateAsClient(serverName), where serverName is the value of the second argument passed to SslTcpClient.exe.

When your client connects, the server presents a certificate that tells the client "I'm FakeServerName". The client will accept this claim if the client machine trusts the CA that issued the certificate, which is achieved by importing RootCATest.cer into the client's Trusted Root Certification Authorities.

Finally, you need to import the private key that the server is going to use into the server machine's Personal store. This step is important because it addresses "The server mode SSL must use a certificate with the associated private key." This is achieved by importing the .pfx file that you generated earlier. Make sure that you change the file type filter to "all files" so that you can see the .pfx file that you generated:

The sample code provided by MSDN uses port 443 (which is the standard ssl port). Since I created console applications, I changed the port used by the sample classes to 8080:

SslTcpServer:

TcpListener listener = new TcpListener(IPAddress.Any, 8080);

SslTcpClient:

TcpClient client = new TcpClient(machineName, 8080);

Here is the output:

You would launch your server like this:

SslTcpServer.exe TempCert.cer 

From the client, you would connect like this:

SslTcpClient.exe <ip to your server> FakeServerName
