c# - 自动化在 .NET Core 中创建私钥、CSR 和最终签名证书的过程
问题描述
有人向我提供了一个中间证书(由根证书签名)及其密码。为了安全地连接到 SSL 端点,我需要提供签名证书。
这是我所做的:
- 创建私钥
- 使用该私钥创建 CSR
- 使用提供的中间证书对其进行签名
我对所有这些都使用了 openssl,它完美地工作:TLS 端点接受了我的连接请求。在 C# 中虽然它不起作用。知道缺少什么吗?
var password = new SecureString();
password.AppendChar('x');
password.AppendChar('y');
password.AppendChar('z');
// Intermediate certificate with pw protection
X509Certificate2 intermediateCert = new X509Certificate2("intermediate.pfx", password);
X509Certificate2 certificate;
using (RSA rsa = RSA.Create(2048))
{
//A client creates a certificate signing request.
CertificateRequest req = new CertificateRequest(
new X500DistinguishedName("CN=myname"),
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, false));
req.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment,
false));
req.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.**1**")
},
true));
req.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
X500DistinguishedName dname = new X500DistinguishedName(intermediateCert.Subject);
X509SignatureGenerator gen = X509SignatureGenerator.CreateForRSA((RSA)intermediateCert.PrivateKey, RSASignaturePadding.Pkcs1);
certificate = req.Create(
dname, gen,
DateTimeOffset.UtcNow.AddDays(-1),
DateTimeOffset.UtcNow.AddDays(10),
new byte[] {1, 2, 3, 4});
// Use certificate to connect to Azure IOT HUB
}
编辑:在这种情况下,命名端点是 Azure IoT Hub。错误信息是:
AmqpException: {"errorCode":401002,"trackingId":"e930cb7c-d1a5-4ad0-bb5d-e9b4ee97e8b2","message":"IotHubUnauthorizedAccess","timestampUtc":"2018-10-12T18:08:23.2328669Z"}
编辑:工作证明
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
9E:86:FF:19:70:DB:5D:56:2D:16:48:E3:81:76:66:FD:17:C8:82:9A
X509v3 Authority Key Identifier:
keyid:E0:31:C5:81:6F:75:6A:AC:9C:F1:B1:B8:72:B7:E3:C6:AB:4C:E9:89
DirName:/CN=abuscert
serial:01
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
用 C# 创建的那个:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, Time Stamping
X509v3 Subject Key Identifier:
00:5E:F2:48:5C:E4:CA:B5:F3:5F:A6:0E:62:7C:FF:61:87:B1:D5:89
解决方案
推荐阅读
- javascript - 渲染前在 Nuxtjs 上获取 Firebase
- python - 使用python从文本列中提取有意义的信息
- java - 用于模拟 JPAQueryFactory 的 Junit、Mockito 和 Querydsl (Mysema)
- enterprise-architect - Enterprise Architect 组件内部的组件部分
- swift - 迅速如何等到所有skaction完成
- php - 如何向多维数组添加值?
- mongodb - 如何在具有 ca 证书的元数据库中添加 MongoDB 以进行身份验证
- vba - 字典中循环和条件的逻辑
- jquery - 如何获取 AJAX 响应授权标头
- jquery - 事件监听器并不总是调用 jquery ui 图标