How can I create a test signing certificate?


Problem description



I'm trying to follow these instructions to create a SAML2 token using WIF.

The instructions say

To supply signing credentials to the SecurityTokenDescriptor, you must first get a reference to the signing certificate as an X509Certificate2 instance. From this you can create a SecurityKeyIdentifier and produce a SigningCredentials instance

The following code is supplied:

X509Certificate2 signingCert = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=busta-rpsts.com ");
SecurityKeyIdentifier ski = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { new X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>() });
X509SigningCredentials signingCreds = new X509SigningCredentials(signingCert, ski);
descriptor.SigningCredentials = signingCreds;

I've tried making a test certificate using makecert that includes a subject key identifier, but when I run any certificate that I make through the above code I get the following System.NotSupportedException:

'X509SecurityToken' does not support 'X509SubjectKeyIdentifierClause' creation.

This occurs when calling this line:

new X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>()

Now I know the instructions say...

Note: Certificates created with makecert.exe do not include a subject key identifier and thus cannot be used in this manner. You should produce certificates with Windows Server or purchase a certificate from Verisign or an equivalent provider.

...however I've used the argument -eku 2.5.29.14, which I hoped would resolve the issue, and I think this image shows that I've done it right?

Can anyone give me instructions on how I can create a test certificate that I can use to get this code working, or point me in the right direction? I'm also not sure what they mean by "You should produce certificates with Windows Server." Does it mean creating a CSR?

Thanks in advance :)

Solution

IMHO it would be best to simulate a real-world scenario, so make a CA that will issue the certificate used for SAML token generation. You will learn more about PKI and certificates, and solve problems at development time, not production time. But technically it is not required to do it this way.

So what needs to be done:

  1. Download XCA
  2. In XCA make a CA certificate (it already has a CA template, so just use it). Guide can be found here
  3. Issue an end-entity certificate under the CA. Guide can be found here
  4. Export CA certificate (without private key) to a file
  5. Import CA certificate to Trusted Root Store in LocalMachine (use mmc->File->add snapin->certificates->computer account)
  6. Export issued end-entity certificate with private key (PKCS#12 format).
  7. Import end-entity certificate into Personal store in LocalMachine (use mmc->File->add snapin->certificates->computer account)
  8. Generate CRL. Guide can be found here
  9. Place the CRL at the location that you specified when issuing the end-entity certificate, or place it in the Trusted Root Store in LocalMachine
  10. Then X509Certificate2 signingCert = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=busta-rpsts.com "); will work ... probably. If not, you will have to modify private key rights (mmc again) so that your account can use the private key from the local machine personal store.
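A check for the result of the steps above, as an added PowerShell example that is not part of the original answer: it assumes the end-entity certificate was imported into LocalMachine\My with the subject CN=busta-rpsts.com used on this page, and confirms it carries a private key, the Subject Key Identifier extension (OID 2.5.29.14) that the CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>() call in the question requires, and a chain that validates against the imported CA and CRL.

```powershell
# Added check (not from the original question or answer). Run in an elevated
# PowerShell after steps 5-9; the subject is the one used on this page.
$subject = 'CN=busta-rpsts.com'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with subject '$subject' in LocalMachine\My (step 7)."
}

# Steps 6/7: the PKCS#12 import must have brought the private key along.
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key; re-import the PKCS#12 file."
}

# 2.5.29.14 is the Subject Key Identifier extension. Without it the WIF call
# CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>() throws
# NotSupportedException, which is the error described in the question.
$ski = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
if (-not $ski) {
    throw "Certificate has no Subject Key Identifier; reissue it from the CA with that extension enabled."
}
Write-Host "Subject Key Identifier: $($ski.SubjectKeyIdentifier)"

# Steps 5 and 9: the chain must build to the CA in Trusted Root and the CRL must resolve.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw "Chain did not validate; check the CA import (step 5) and the CRL location (step 9)."
}
Write-Host "Certificate is ready for X509SigningCredentials."
```

If the script passes but step 10 still fails, the remaining cause is the private key ACL the answer mentions, which this check does not inspect.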
