动态生成的自签名证书 [英] Generate self signed certificate on the fly
本文介绍了动态生成的自签名证书的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我四处寻找,但没有找到一个明确的例子。
我要创建签署了自我(个体经营)可信证书编程(C#),下面这一步:
STEP1:
即时创建根CA证书,并将其添加到文件夹中的证书存储受信任的根证书颁发机构
我想要做的正是这个命令行工具做什么:
的 makecert.exe -sk RootCA -sky签名-pe -n CN = MY_CA -r -SR LOCALMACHINE -ss根MyCA.cer 的
STEP2:
创建基于previously创建的根CA证书一证书,并把它的证书存储,文件夹个人,在
我想要做的正是这个命令行工具做什么:
的 makecert.exe -sk服务器-sky交换-pe -n CN = 127.0.0.1 -ir LOCALMACHINE -is根-ic MyCA.cer -sr LOCALMACHINE -ss我MyCertificate.cer 的
我要获得此:结果
我做了(见下code - STEP1),不知道该怎么做STEP2,任何帮助将是AP preciated。目标机器为Windows XP /七。
我都尝试纯.NET的方式和BouncyCastle的库
// STEP1
mycerRoot = generateRootCertV1(MY_CA); //尝试也generateRootCertV2(BouncyCastle的)
addCertToStore(mycerRoot,StoreName.Root,StoreLocation.LocalMachine);//第2步
mycer = generateCert(127.0.0.1,mycerRoot); // ?????? < - 类似的东西如何实现generateCert?
addCertToStore(mycer,StoreName.My,StoreLocation.LocalMachine);公共静态Org.BouncyCastle.X509.X509Certificate generateRootCertV2(字符串certName)
{
X509V1CertificateGenerator certGen =新X509V1CertificateGenerator(); X509Name CN =新X509Name(CN =+ certName); RsaKeyPairGenerator keypairgen =新RsaKeyPairGenerator();
keypairgen.Init(新KeyGenerationParameters(新的SecureRandom(新CryptoApiRandomGenerator()),1024)); AsymmetricCipherKeyPair密钥对= keypairgen.GenerateKeyPair(); certGen.SetSerialNumber(BigInteger.ProbablePrime(120,新的随机()));
certGen.SetIssuerDN(CN);
certGen.SetNotAfter(DateTime.MaxValue);
certGen.SetNotBefore(DateTime.Now.Subtract(新时间跨度(7,0,0,0)));
certGen.SetSubjectDN(CN);
certGen.SetPublicKey(keypair.Public);
certGen.SetSignatureAlgorithm(MD5WithRSA); Org.BouncyCastle.X509.X509Certificate newCert = certGen.Generate(keypair.Private); 返回newCert;
}公共静态X509Certificate2 GenerateRootCertV1(字符串HostNameOrIP_or_CertName)
{
X509Certificate2证书= NULL; 尝试
{ 使用(CryptContext CTX =新CryptContext())
{
ctx.Open();
证书= ctx.CreateSelfSignedCertificate(
新SelfSignedCertProperties
{
IsPrivateKeyExportable = TRUE,
KeyBitLength = 4096,
名称=新X500DistinguishedName(CN =+ HostNameOrIP_or_CertName)
ValidFrom = DateTime.Today.AddDays(-1),
ValidTo = DateTime.Today.AddYears(20),
});
} }
赶上(异常前)
{
} 返回证书;
}公共静态布尔addCertToStore(X509Certificate2证书,STORENAME ST,StoreLocation SL)
{
布尔BRET = FALSE; 尝试
{
店内的X509Store =新的X509Store(ST,SL);
store.Open(OpenFlags.ReadWrite); 如果(CERT!= NULL)
{
字节[] = PFX cert.Export(X509ContentType.Pfx);
证书=新X509Certificate2(PFX,(串)空,X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet); 如果(!certExists(存储,cert.SubjectName.Name))
{
store.Add(CERT);
BRET =真;
}
}
store.Close();
}
抓住
{ } 返回BRET;
}
解决方案
我编辑的答案做的根证书,然后再发出一个最终实体证书。
这是通过弹性产生自我标志证书的一些实例:
公共静态X509Certificate2 GenerateSelfSignedCertificate(字符串主旨名称,字符串证书中issuerName,AsymmetricKeyParameter issuerPrivKey,INT keyStrength = 2048)
{
//生成随机数
VAR randomGenerator =新CryptoApiRandomGenerator();
VAR随机=新的SecureRandom(randomGenerator); //证书发电机
VAR certificateGenerator =新X509V3CertificateGenerator(); // 序列号
VAR的serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One,BigInteger.ValueOf(Int64.MaxValue),随机);
certificateGenerator.SetSerialNumber(的serialNumber); //签名算法
常量字符串signatureAlgorithm =SHA256WithRSA;
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm); //发行人及主题名称
VAR的subjectDN =新X509Name(主旨名称);
VAR issuerDN =证书中issuerName;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN中); //有效
VAR notBefore = DateTime.UtcNow.Date;
变种notAfter = notBefore.AddYears(2); certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter); //主体公钥
AsymmetricCipherKeyPair subjectKeyPair;
VAR keyGenerationParameters =新KeyGenerationParameters(随机,keyStrength);
VAR的KeyPairGenerator =新RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair(); certificateGenerator.SetPublicKey(subjectKeyPair.Public); //生成证书
VAR issuerKeyPair = subjectKeyPair; // selfsign证书
VAR证书= certificateGenerator.Generate(issuerPrivKey,随机); // correcponding私钥
PrivateKeyInfo进行信息= PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
//合并到X509Certificate2
VAR X509 =新System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEn codeD()); VAR SEQ =(Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEn codeD());
如果(seq.Count!= 9)
抛出新PemException(在RSA私钥畸形序); VAR RSA =新RsaPrivateKeyStructure(SEQ);
RsaPrivateCrtKeyParameters rsaparams =新RsaPrivateCrtKeyParameters(
rsa.Modulus,rsa.PublicExponent,rsa.PrivateExponent,rsa.Prime1,rsa.Prime2,rsa.Exponent1,rsa.Exponent2,rsa.Coefficient); x509.PrivateKey = DotNetUtilities.ToRSA(rsaparams);
返回X509;}
公共静态AsymmetricKeyParameter GenerateCACertificate(字符串主旨名称,诠释keyStrength = 2048)
{
//生成随机数
VAR randomGenerator =新CryptoApiRandomGenerator();
VAR随机=新的SecureRandom(randomGenerator); //证书发电机
VAR certificateGenerator =新X509V3CertificateGenerator(); // 序列号
VAR的serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One,BigInteger.ValueOf(Int64.MaxValue),随机);
certificateGenerator.SetSerialNumber(的serialNumber); //签名算法
常量字符串signatureAlgorithm =SHA256WithRSA;
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm); //发行人及主题名称
VAR的subjectDN =新X509Name(主旨名称);
VAR issuerDN = subjectDN中;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN中); //有效
VAR notBefore = DateTime.UtcNow.Date;
变种notAfter = notBefore.AddYears(2); certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter); //主体公钥
AsymmetricCipherKeyPair subjectKeyPair;
VAR keyGenerationParameters =新KeyGenerationParameters(随机,keyStrength);
VAR的KeyPairGenerator =新RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair(); certificateGenerator.SetPublicKey(subjectKeyPair.Public); //生成证书
VAR issuerKeyPair = subjectKeyPair; // selfsign证书
VAR证书= certificateGenerator.Generate(issuerKeyPair.Private,随机);
VAR X509 =新System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEn codeD());
//添加CA证书到根存储
addCertToStore(CERT,StoreName.Root,StoreLocation.CurrentUser); 返回issuerKeyPair.Private;}
和添加到存储(您code略有修改):
公共静态布尔addCertToStore(System.Security.Cryptography.X509Certificates.X509Certificate2证书,System.Security.Cryptography.X509Certificates.StoreName ST,System.Security.Cryptography.X509Certificates.StoreLocation SL)
{
布尔BRET = FALSE; 尝试
{
店内的X509Store =新的X509Store(ST,SL);
store.Open(OpenFlags.ReadWrite);
store.Add(CERT); store.Close();
}
抓住
{ } 返回BRET;
}
和用法:
VAR caPrivKey = GenerateCACertificate(CN =根CA);
VAR证书= GenerateSelfSignedCertificate(CN = 127.0.01,CN =根CA,caPrivKey);
addCertToStore(CERT,StoreName.My,StoreLocation.CurrentUser);
我没有@wakeupneo意见后,编制本例中code。 @wakeupneo你可能稍微修改code和加适量扩展每个证书。
I searched around but didn't find a clear example. I want to create a self signed (self)Trusted certificate programmatically(c#), following this step:
STEP1: create root CA cert on the fly and add it to the certificate store in the folder "Trusted Root certification Authorities"
I want to do exactly what this command line tool does:
makecert.exe -sk RootCA -sky signature -pe -n CN=MY_CA -r -sr LocalMachine -ss Root MyCA.cer
STEP2: create a cert based on the previously created root CA cert and put it in the certificate store, in the folder "Personal"
I want to do exactly what this command line tool does:
makecert.exe -sk server -sky exchange -pe -n CN=127.0.0.1 -ir LocalMachine -is Root -ic MyCA.cer -sr LocalMachine -ss My MyCertificate.cer
I want to obtain this:
I did that(see following code - STEP1), don't know how to make STEP2, any help would be appreciated. Target machines is Windows XP/Seven. I tried both pure .net approach and BouncyCastle library.
//STEP1
mycerRoot=generateRootCertV1("MY_CA"); //tried also generateRootCertV2(BouncyCastle)
addCertToStore(mycerRoot, StoreName.Root, StoreLocation.LocalMachine);
//STEP2
mycer=generateCert("127.0.0.1",mycerRoot);//?????? <-- Something like that How to implement generateCert???
addCertToStore(mycer, StoreName.My, StoreLocation.LocalMachine);
public static Org.BouncyCastle.X509.X509Certificate generateRootCertV2(string certName)
{
X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
X509Name CN = new X509Name("CN=" + certName);
RsaKeyPairGenerator keypairgen = new RsaKeyPairGenerator();
keypairgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024));
AsymmetricCipherKeyPair keypair = keypairgen.GenerateKeyPair();
certGen.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
certGen.SetIssuerDN(CN);
certGen.SetNotAfter(DateTime.MaxValue);
certGen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
certGen.SetSubjectDN(CN);
certGen.SetPublicKey(keypair.Public);
certGen.SetSignatureAlgorithm("MD5WithRSA");
Org.BouncyCastle.X509.X509Certificate newCert = certGen.Generate(keypair.Private);
return newCert;
}
public static X509Certificate2 GenerateRootCertV1(string HostNameOrIP_or_CertName)
{
X509Certificate2 cert = null;
try
{
using (CryptContext ctx = new CryptContext())
{
ctx.Open();
cert = ctx.CreateSelfSignedCertificate(
new SelfSignedCertProperties
{
IsPrivateKeyExportable = true,
KeyBitLength = 4096,
Name = new X500DistinguishedName("cn=" + HostNameOrIP_or_CertName),
ValidFrom = DateTime.Today.AddDays(-1),
ValidTo = DateTime.Today.AddYears(20),
});
}
}
catch (Exception ex)
{
}
return cert;
}
public static bool addCertToStore(X509Certificate2 cert, StoreName st, StoreLocation sl)
{
bool bRet = false;
try
{
X509Store store = new X509Store(st, sl);
store.Open(OpenFlags.ReadWrite);
if (cert != null)
{
byte[] pfx = cert.Export(X509ContentType.Pfx);
cert = new X509Certificate2(pfx, (string)null, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);
if (!certExists(store, cert.SubjectName.Name))
{
store.Add(cert);
bRet = true;
}
}
store.Close();
}
catch
{
}
return bRet;
}
解决方案
I edited the answer to do root cert first and then issue an end entity certificate. Here is some example of generating self sign certificate through bouncy:
public static X509Certificate2 GenerateSelfSignedCertificate(string subjectName, string issuerName, AsymmetricKeyParameter issuerPrivKey, int keyStrength = 2048)
{
// Generating Random Numbers
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
// The Certificate Generator
var certificateGenerator = new X509V3CertificateGenerator();
// Serial Number
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Signature Algorithm
const string signatureAlgorithm = "SHA256WithRSA";
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);
// Issuer and Subject Name
var subjectDN = new X509Name(subjectName);
var issuerDN = issuerName;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Valid For
var notBefore = DateTime.UtcNow.Date;
var notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// Subject Public Key
AsymmetricCipherKeyPair subjectKeyPair;
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// Generating the Certificate
var issuerKeyPair = subjectKeyPair;
// selfsign certificate
var certificate = certificateGenerator.Generate(issuerPrivKey, random);
// correcponding private key
PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
// merge into X509Certificate2
var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());
var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEncoded());
if (seq.Count != 9)
throw new PemException("malformed sequence in RSA private key");
var rsa = new RsaPrivateKeyStructure(seq);
RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
x509.PrivateKey = DotNetUtilities.ToRSA(rsaparams);
return x509;
}
public static AsymmetricKeyParameter GenerateCACertificate(string subjectName, int keyStrength = 2048)
{
// Generating Random Numbers
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
// The Certificate Generator
var certificateGenerator = new X509V3CertificateGenerator();
// Serial Number
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Signature Algorithm
const string signatureAlgorithm = "SHA256WithRSA";
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);
// Issuer and Subject Name
var subjectDN = new X509Name(subjectName);
var issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Valid For
var notBefore = DateTime.UtcNow.Date;
var notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// Subject Public Key
AsymmetricCipherKeyPair subjectKeyPair;
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// Generating the Certificate
var issuerKeyPair = subjectKeyPair;
// selfsign certificate
var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);
var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());
// Add CA certificate to Root store
addCertToStore(cert, StoreName.Root, StoreLocation.CurrentUser);
return issuerKeyPair.Private;
}
and add to store (your code slightly modified):
public static bool addCertToStore(System.Security.Cryptography.X509Certificates.X509Certificate2 cert, System.Security.Cryptography.X509Certificates.StoreName st, System.Security.Cryptography.X509Certificates.StoreLocation sl)
{
bool bRet = false;
try
{
X509Store store = new X509Store(st, sl);
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Close();
}
catch
{
}
return bRet;
}
and usage:
var caPrivKey = GenerateCACertificate("CN=root ca");
var cert = GenerateSelfSignedCertificate("CN=127.0.01", "CN=root ca", caPrivKey);
addCertToStore(cert, StoreName.My, StoreLocation.CurrentUser);
I have not compiled this example code after @wakeupneo comments. @wakeupneo you might to slightly edit the code and add proper extensions to each certificate.
这篇关于动态生成的自签名证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
