Problem description
I am trying to use pure .net code to create a certificate request and create a certificate from the certificate request against an existing CA certificate I have available (either in the Windows Certificate store or as a separate file).
I know that I have the classes X509Certificate and X509Certificate2 available to load certificates and get access to their information, but I don't see any classes or functionality within the System.Security.Cryptography namespace that could be used to create a certificate request or to sign such a certificate request to create a new signed certificate.
And although the documentation on the System.Security.Cryptography.Pkcs namespace says:
The System.Security.Cryptography.Pkcs namespace provides programming elements for Public Key Cryptography Standards (PKCS), including methods for signing data, exchanging keys, requesting certificates, public key encryption and decryption, and other security functions.
So, how can I create a certificate request and fulfill that request to create a new X509 certificate using only pure .net classes from System.Security.Cryptography?
Note:
- I don't want to use external executables such as openssl or MakeCert
- I don't want to use BouncyCastle
- I don't want to use the Windows Certificate Enrollment API
- I don't want to use native Win32 API functions
Recommended answer
Short answer: You can starting in .NET Framework 4.7.2.
This functionality was originally added to .NET Core 2.0 in the form of the CertificateRequest class, which can build a PKCS#10 certification signing request or an X.509 (self-signed or chained) public key certificate.
The classes for that feature were made available in .NET Framework 4.7.2.
```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class Program
{
    static void Main()
    {
        using (RSA parent = RSA.Create(4096))
        using (RSA rsa = RSA.Create(2048))
        {
            CertificateRequest parentReq = new CertificateRequest(
                "CN=Experimental Issuing Authority",
                parent,
                HashAlgorithmName.SHA256,
                RSASignaturePadding.Pkcs1);

            // Parent is a CA (cA=true, no path length constraint), extension marked critical.
            parentReq.CertificateExtensions.Add(
                new X509BasicConstraintsExtension(true, false, 0, true));

            parentReq.CertificateExtensions.Add(
                new X509SubjectKeyIdentifierExtension(parentReq.PublicKey, false));

            using (X509Certificate2 parentCert = parentReq.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-45),
                DateTimeOffset.UtcNow.AddDays(365)))
            {
                CertificateRequest req = new CertificateRequest(
                    "CN=Valid-Looking Timestamp Authority",
                    rsa,
                    HashAlgorithmName.SHA256,
                    RSASignaturePadding.Pkcs1);

                // End-entity certificate: cA=false.
                req.CertificateExtensions.Add(
                    new X509BasicConstraintsExtension(false, false, 0, false));

                req.CertificateExtensions.Add(
                    new X509KeyUsageExtension(
                        X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation,
                        false));

                // Extended key usage id-kp-timeStamping (1.3.6.1.5.5.7.3.8), marked critical.
                req.CertificateExtensions.Add(
                    new X509EnhancedKeyUsageExtension(
                        new OidCollection
                        {
                            new Oid("1.3.6.1.5.5.7.3.8")
                        },
                        true));

                req.CertificateExtensions.Add(
                    new X509SubjectKeyIdentifierExtension(req.PublicKey, false));

                // Sign the child with the parent's private key; the byte[] is the serial number.
                using (X509Certificate2 cert = req.Create(
                    parentCert,
                    DateTimeOffset.UtcNow.AddDays(-1),
                    DateTimeOffset.UtcNow.AddDays(90),
                    new byte[] { 1, 2, 3, 4 }))
                {
                    // Do something with these certs, like export them to PFX,
                    // or add them to an X509Store, or whatever.
                }
            }
        }
    }
}
```
Longer answer if you're stuck on older versions: To accomplish your goal without adding any new P/Invokes, you would need to read and understand the following documents:
- ITU-T X.680-201508, the ASN.1 language
- IETF RFC 5280 or ITU-T X.509, the documents that explain the fields in X.509 certificates.
- IETF RFC 2986, explains the PKCS#10 certification signing request
- ITU-T X.690, explains the BER encoding family for ASN.1 (including DER) which tells you how to read and write bytes to achieve the semantic meaning from X.509 / PKCS#10.
And then you could write a DER writer/reader, and just emit the bytes for what you want.
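As an added example that is not part of the answer above, the same CertificateRequest API taken one step further to the flow the question actually asks about: a requester produces a PKCS#10 request, a separate CA parses and fulfills it, and a relying party checks the result against that CA alone. It assumes .NET 7 or later, where CertificateRequest.LoadSigningRequest and X509AuthorityKeyIdentifierExtension exist; the CA name, subject name and key sizes are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CsrIssuance
{
    // Requester side: the private key never leaves here; only the PKCS#10 bytes go to the CA.
    public static byte[] BuildCsr(RSA key, string subject)
    {
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSigningRequest(); // DER-encoded CertificationRequest (RFC 2986)
    }
    // CA side: parse the CSR, check proof of possession, apply CA policy, then sign.
    public static X509Certificate2 Issue(byte[] csrDer, X509Certificate2 caCert)
    {
        // Default options verify the CSR's self-signature and ignore any extensions the requester asked for.
        CertificateRequest req = CertificateRequest.LoadSigningRequest(
            csrDer, HashAlgorithmName.SHA256, CertificateRequestLoadOptions.Default, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        req.CertificateExtensions.Add(X509AuthorityKeyIdentifierExtension.CreateFromCertificate(caCert, true, false));
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // serialNumber is a DER INTEGER and must encode as positive
        return req.Create(caCert, DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(90), serial);
    }
    // Relying-party side: validate against this CA only, not the machine's root store.
    public static bool ChainsTo(X509Certificate2 leaf, X509Certificate2 caCert)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(caCert);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // this lab CA publishes no CRL/OCSP
        return chain.Build(leaf);
    }
    static void Main()
    {
        // Constructed lab CA: cA=true, KeyCertSign, and an SKI so the leaf's AKI can reference it.
        using RSA caKey = RSA.Create(3072);
        var caReq = new CertificateRequest("CN=Example Lab CA", caKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
        caReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
        using X509Certificate2 caCert = caReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
        using RSA leafKey = RSA.Create(2048);
        byte[] csr = BuildCsr(leafKey, "CN=service.example.test");
        using X509Certificate2 leaf = Issue(csr, caCert);
        Console.WriteLine($"{leaf.Subject} issued by {leaf.Issuer}; chains to CA: {ChainsTo(leaf, caCert)}");
    }
}
```

LoadSigningRequest throws if the CSR's self-signature does not verify, and with the default options it does not copy the requester's extensions, so basic constraints and key usage are decided on the CA side rather than taken from the request.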