Generated signed X.509 client certificate is invalid (no certificate chain to its CA)
Problem description
I use Bouncy Castle for generation of X.509 client certificates and sign them using a known CA.
First I read the CA certificate from the certificate store, generate the client certificate, and sign it using the CA. Validation of the certificate fails due to the following issue:
A certificate chain could not be built to a trusted root authority.
As I understand it, this is due to the certificate not being related to the CA.
Here is a code sample:
```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;

public static class CertGen
{
    // kpgen is not defined in the question; an RSA key pair generator is assumed here
    private static readonly RsaKeyPairGenerator kpgen = CreateKeyPairGenerator();

    private static RsaKeyPairGenerator CreateKeyPairGenerator()
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
        return gen;
    }

    public static X509Certificate2 GenerateCertificate(X509Certificate2 caCert, string certSubjectName)
    {
        // Generate Certificate
        var cerKp = kpgen.GenerateKeyPair();
        var certName = new X509Name(true, certSubjectName); // subjectName = user
        var serialNo = BigInteger.ProbablePrime(120, new Random());
        X509V3CertificateGenerator gen2 = new X509V3CertificateGenerator();
        gen2.SetSerialNumber(serialNo);
        gen2.SetSubjectDN(certName);
        gen2.SetIssuerDN(new X509Name(true, caCert.Subject)); // re-parses the CA's DN from its .NET string form
        gen2.SetNotAfter(DateTime.Now.AddDays(100));
        gen2.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
        gen2.SetSignatureAlgorithm("SHA1WithRSA"); // SHA-1 signature algorithm as in the question; deprecated for new certificates
        gen2.SetPublicKey(cerKp.Public);
        AsymmetricCipherKeyPair caKp = DotNetUtilities.GetKeyPair(caCert.PrivateKey);
        Org.BouncyCastle.X509.X509Certificate newCert = gen2.Generate(caKp.Private);

        // used for getting a private key
        X509Certificate2 userCert = ConvertToWindows(newCert, cerKp);
        if (caCert.Verify()) // works well for CA
        {
            if (userCert.Verify()) // fails for client certificate
            {
                return userCert;
            }
        }
        return null;
    }

    private static X509Certificate2 ConvertToWindows(Org.BouncyCastle.X509.X509Certificate newCert, AsymmetricCipherKeyPair kp)
    {
        string tempStorePwd = "abcd1234";
        var tempStoreFile = new FileInfo(Path.GetTempFileName());
        try
        {
            // store key
            {
                var newStore = new Pkcs12Store();
                var certEntry = new X509CertificateEntry(newCert);
                newStore.SetCertificateEntry(newCert.SubjectDN.ToString(), certEntry);
                newStore.SetKeyEntry(
                    newCert.SubjectDN.ToString(),
                    new AsymmetricKeyEntry(kp.Private),
                    new[] { certEntry }); // only the leaf certificate goes into the chain
                using (var s = tempStoreFile.Create())
                {
                    newStore.Save(s, tempStorePwd.ToCharArray(), new SecureRandom(new CryptoApiRandomGenerator()));
                }
            }
            // reload key
            return new X509Certificate2(tempStoreFile.FullName, tempStorePwd);
        }
        finally
        {
            tempStoreFile.Delete();
        }
    }
}
```
Solution
I figured this out. If you call X509Certificate.Verify(publicKey) you have to pass the CA's public key, not the client's public key from the Pkcs10CertificationRequest.
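An added example, not the asker's or answerer's code, of the check the answer describes: the client certificate is issued under the CA and its signature is verified against the CA's public key, while verifying it against the client's own key (the mistake in the question) makes Bouncy Castle throw. It assumes Bouncy Castle's C# API, a CA certificate with an RSA private key attached, and the hypothetical names ClientCertIssuer, Issue and SignedBy.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Extension;

public static class ClientCertIssuer
{
    // True when the certificate's signature verifies under the given key. Bouncy Castle
    // throws on a mismatch, which is what the question's call with the client's key hits.
    public static bool SignedBy(Org.BouncyCastle.X509.X509Certificate cert, AsymmetricKeyParameter key)
    {
        try { cert.Verify(key); return true; }
        catch (Exception) { return false; }
    }
    // Issues a client certificate under caCert, which must carry its RSA private key (assumption).
    public static Org.BouncyCastle.X509.X509Certificate Issue(
        X509Certificate2 caCert, string subjectDn, out AsymmetricCipherKeyPair clientKp)
    {
        var random = new SecureRandom();
        var kpgen = new RsaKeyPairGenerator();
        kpgen.Init(new KeyGenerationParameters(random, 2048));
        clientKp = kpgen.GenerateKeyPair();
        var caBc = DotNetUtilities.FromX509Certificate(caCert);
        AsymmetricCipherKeyPair caKp = DotNetUtilities.GetKeyPair(caCert.PrivateKey);
        var gen = new X509V3CertificateGenerator();
        gen.SetSerialNumber(BigInteger.ProbablePrime(120, random));
        gen.SetIssuerDN(caBc.SubjectDN); // issuer DN copied from the CA cert, not re-parsed from a string
        gen.SetSubjectDN(new X509Name(subjectDn));
        gen.SetNotBefore(DateTime.UtcNow.AddMinutes(-5));
        gen.SetNotAfter(DateTime.UtcNow.AddDays(100));
        gen.SetPublicKey(clientKp.Public);
        // Key identifiers and a non-CA basic constraint let a chain builder link leaf to issuer
        gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caBc.GetPublicKey()));
        gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(clientKp.Public));
        gen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        var cert = gen.Generate(new Asn1SignatureFactory("SHA256WithRSA", caKp.Private, random));
        // The check the answer calls for: verify against the CA's public key ...
        if (!SignedBy(cert, caKp.Public))
            throw new InvalidOperationException("certificate was not signed by the CA key");
        // ... whereas SignedBy(cert, clientKp.Public) is false, the mistake in the question
        return cert;
    }
}
```

X509Certificate2.Verify() on the reloaded certificate still needs a chain to a trusted root, so the CA certificate must be in a trusted store on that machine; adding its X509CertificateEntry to the PKCS#12 chain array alongside the leaf entry helps Windows locate the issuer.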