时间戳

首页 > 解决方案 > 自动化在 .NET Core 中创建私钥、CSR 和最终签名证书的过程

c# - 自动化在 .NET Core 中创建私钥、CSR 和最终签名证书的过程

问题描述

有人向我提供了一个中间证书(由根证书签名)及其密码。为了安全地连接到 SSL 端点,我需要提供签名证书。

这是我所做的:

  1. 创建私钥
  2. 使用该私钥创建 CSR
  3. 使用提供的中间证书对其进行签名

我对所有这些都使用了 openssl,它完美地工作:TLS 端点接受了我的连接请求。在 C# 中虽然它不起作用。知道缺少什么吗?

        var password = new SecureString();
        password.AppendChar('x');
        password.AppendChar('y');
        password.AppendChar('z');

        // Intermediate certificate with pw protection
        X509Certificate2 intermediateCert = new X509Certificate2("intermediate.pfx", password);
        X509Certificate2 certificate;

       using (RSA rsa = RSA.Create(2048))
        {

            //A client creates a certificate signing request.
            CertificateRequest req = new CertificateRequest(
                    new X500DistinguishedName("CN=myname"),
                    rsa,
                    HashAlgorithmName.SHA256,
                    RSASignaturePadding.Pkcs1);

            req.CertificateExtensions.Add(
                new X509BasicConstraintsExtension(false, false, 0, false));

            req.CertificateExtensions.Add(
                new X509KeyUsageExtension(
                    X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment,
                    false));

            req.CertificateExtensions.Add(
                new X509EnhancedKeyUsageExtension(
                    new OidCollection
                    {
                        new Oid("1.3.6.1.5.5.7.3.**1**")
                    },
                    true));

            req.CertificateExtensions.Add(
                new X509SubjectKeyIdentifierExtension(req.PublicKey, false));


            X500DistinguishedName dname = new X500DistinguishedName(intermediateCert.Subject);
            X509SignatureGenerator gen = X509SignatureGenerator.CreateForRSA((RSA)intermediateCert.PrivateKey, RSASignaturePadding.Pkcs1);

            certificate = req.Create(
                dname, gen,
                DateTimeOffset.UtcNow.AddDays(-1),
                DateTimeOffset.UtcNow.AddDays(10),
                new byte[] {1, 2, 3, 4});

          // Use certificate to connect to Azure IOT HUB
        }

编辑:在这种情况下,命名端点是 Azure IoT Hub。错误信息是:

AmqpException: {"errorCode":401002,"trackingId":"e930cb7c-d1a5-4ad0-bb5d-e9b4ee97e8b2","message":"IotHubUnauthorizedAccess","timestampUtc":"2018-10-12T18:08:23.2328669Z"}

编辑:工作证明

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        9E:86:FF:19:70:DB:5D:56:2D:16:48:E3:81:76:66:FD:17:C8:82:9A
    X509v3 Authority Key Identifier:
        keyid:E0:31:C5:81:6F:75:6A:AC:9C:F1:B1:B8:72:B7:E3:C6:AB:4C:E9:89
        DirName:/CN=abuscert
        serial:01

    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication

用 C# 创建的那个:

X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Time Stamping
            X509v3 Subject Key Identifier:
                00:5E:F2:48:5C:E4:CA:B5:F3:5F:A6:0E:62:7C:FF:61:87:B1:D5:89

标签: c#.netssl.net-coreazure-iot-hub

解决方案

推荐阅读