Bouncy Castle - 此证书具有无效的数字签名

时间:2012-10-27 19:11:58

标签: ssl-certificate bouncycastle

我一直使用充气城堡生成自签名证书,一切顺利,直到我更新了在我的计算机A上运行的win7操作系统。更新后,证书在使用CERTMGR查看时给出了以下错误:此证书有无效的数字签名。

相同的证书不会在未收到Microsoft安全更新的另一台计算机(B)上出错。然后,我在B上生成了一个没有错误的新证书,然后将其安装在A上,发生了同样的错误。 (此证书的数字签名无效。)

我回到了充气城堡,并运行了Org.BouncyCastle.Pkcs.Examples Pkcs12Example中提供的示例中的代码,我得到的结果相同,具体取决于计算机上的A,它在B上失败就可以了。

有没有人遇到过同样的问题,可以采取哪些措施来解决此错误?我不想回滚计算机A来删除引入此错误的微软更新。如果可能的话,我希望找到一个永久性的解决方案

    namespace Org.BouncyCastle.Pkcs.Examples
{
    /**
    * Example of how to set up a certificate chain and a PKCS 12 store for
    * a private individual - obviously you'll need to generate your own keys,
    * and you may need to add a NetscapeCertType extension or add a key
    * usage extension depending on your application, but you should get the
    * idea! As always this is just an example...
    */
    public class Pkcs12Example
    {
        private static readonly char[] passwd = "hello world".ToCharArray();

        private static readonly X509V1CertificateGenerator v1CertGen = new X509V1CertificateGenerator();
        private static readonly X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();

        /**
        * we generate the CA's certificate
        */
        public static X509CertificateEntry CreateMasterCert(
            AsymmetricKeyParameter  pubKey,
            AsymmetricKeyParameter  privKey)
        {
            //
            // signers name
            //
            string issuer = "C=AU, O=The Legion of the Bouncy Castle, OU=Bouncy Primary Certificate";

            //
            // subjects name - the same as we are self signed.
            //
            string subject = "C=AU, O=The Legion of the Bouncy Castle, OU=Bouncy Primary Certificate";

            //
            // create the certificate - version 1
            //

            v1CertGen.SetSerialNumber(BigInteger.One);
            v1CertGen.SetIssuerDN(new X509Name(issuer));
            v1CertGen.SetNotBefore(DateTime.UtcNow.AddMonths(-1));
            v1CertGen.SetNotAfter(DateTime.UtcNow.AddMonths(1));
            v1CertGen.SetSubjectDN(new X509Name(subject));
            v1CertGen.SetPublicKey(pubKey);
            v1CertGen.SetSignatureAlgorithm("SHA1WithRSAEncryption");

            X509Certificate cert = v1CertGen.Generate(privKey);

            cert.CheckValidity(DateTime.UtcNow);

            cert.Verify(pubKey);

//          PKCS12BagAttributeCarrier   bagAttr = (PKCS12BagAttributeCarrier)cert;
            IDictionary bagAttr = new Hashtable();

            //
            // this is actually optional - but if you want to have control
            // over setting the friendly name this is the way to do it...
            //
//          bagAttr.setBagAttribute(
//              PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
//              new DERBMPString("Bouncy Primary Certificate"));
            bagAttr.Add(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id,
                new DerBmpString("Bouncy Primary Certificate"));

            return new X509CertificateEntry(cert, bagAttr);
        }

        /**
        * we generate an intermediate certificate signed by our CA
        */
        public static X509CertificateEntry CreateIntermediateCert(
            AsymmetricKeyParameter  pubKey,
            AsymmetricKeyParameter  caPrivKey,
            X509Certificate         caCert)
        {
            //
            // subject name table.
            //
            IDictionary attrs = new Hashtable();
            IList order = new ArrayList();

            attrs.Add(X509Name.C, "AU");
            attrs.Add(X509Name.O, "The Legion of the Bouncy Castle");
            attrs.Add(X509Name.OU, "Bouncy Intermediate Certificate");
            attrs.Add(X509Name.EmailAddress, "feedback-crypto@bouncycastle.org");

            order.Add(X509Name.C);
            order.Add(X509Name.O);
            order.Add(X509Name.OU);
            order.Add(X509Name.EmailAddress);

            //
            // create the certificate - version 3
            //
            v3CertGen.Reset();

            v3CertGen.SetSerialNumber(BigInteger.Two);
            v3CertGen.SetIssuerDN(PrincipalUtilities.GetSubjectX509Principal(caCert));
            v3CertGen.SetNotBefore(DateTime.UtcNow.AddMonths(-1));
            v3CertGen.SetNotAfter(DateTime.UtcNow.AddMonths(1));
            v3CertGen.SetSubjectDN(new X509Name(order, attrs));
            v3CertGen.SetPublicKey(pubKey);
            v3CertGen.SetSignatureAlgorithm("SHA1WithRSAEncryption");

            //
            // extensions
            //
            v3CertGen.AddExtension(
                X509Extensions.SubjectKeyIdentifier,
                false,
                new SubjectKeyIdentifierStructure(pubKey));

            v3CertGen.AddExtension(
                X509Extensions.AuthorityKeyIdentifier,
                false,
                new AuthorityKeyIdentifierStructure(caCert));

            v3CertGen.AddExtension(
                X509Extensions.BasicConstraints,
                true,
                new BasicConstraints(0));

            X509Certificate cert = v3CertGen.Generate(caPrivKey);

            cert.CheckValidity(DateTime.UtcNow);

            cert.Verify(caCert.GetPublicKey());


            IDictionary bagAttr = new Hashtable();


            bagAttr.Add(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id,
                new DerBmpString("Bouncy Intermediate Certificate"));

            return new X509CertificateEntry(cert, bagAttr);
        }

        /**
        * we generate a certificate signed by our CA's intermediate certificate
        */
        public static X509CertificateEntry CreateCert(
            AsymmetricKeyParameter  pubKey,
            AsymmetricKeyParameter  caPrivKey,
            AsymmetricKeyParameter  caPubKey)
        {
            //
            // signers name table.
            //
            IDictionary sAttrs = new Hashtable();
            IList sOrder = new ArrayList();

            sAttrs.Add(X509Name.C, "AU");
            sAttrs.Add(X509Name.O, "The Legion of the Bouncy Castle");
            sAttrs.Add(X509Name.OU, "Bouncy Intermediate Certificate");
            sAttrs.Add(X509Name.EmailAddress, "feedback-crypto@bouncycastle.org");

            sOrder.Add(X509Name.C);
            sOrder.Add(X509Name.O);
            sOrder.Add(X509Name.OU);
            sOrder.Add(X509Name.EmailAddress);

            //
            // subjects name table.
            //
            IDictionary attrs = new Hashtable();
            IList order = new ArrayList();

            attrs.Add(X509Name.C, "AU");
            attrs.Add(X509Name.O, "The Legion of the Bouncy Castle");
            attrs.Add(X509Name.L, "Melbourne");
            attrs.Add(X509Name.CN, "Eric H. Echidna");
            attrs.Add(X509Name.EmailAddress, "feedback-crypto@bouncycastle.org");

            order.Add(X509Name.C);
            order.Add(X509Name.O);
            order.Add(X509Name.L);
            order.Add(X509Name.CN);
            order.Add(X509Name.EmailAddress);

            //
            // create the certificate - version 3
            //
            v3CertGen.Reset();

            v3CertGen.SetSerialNumber(BigInteger.Three);
            v3CertGen.SetIssuerDN(new X509Name(sOrder, sAttrs));
            v3CertGen.SetNotBefore(DateTime.UtcNow.AddMonths(-1));
            v3CertGen.SetNotAfter(DateTime.UtcNow.AddMonths(1));
            v3CertGen.SetSubjectDN(new X509Name(order, attrs));
            v3CertGen.SetPublicKey(pubKey);
            v3CertGen.SetSignatureAlgorithm("SHA1WithRSAEncryption");

            //
            // add the extensions
            //
            v3CertGen.AddExtension(
                X509Extensions.SubjectKeyIdentifier,
                false,
                new SubjectKeyIdentifierStructure(pubKey));

            v3CertGen.AddExtension(
                X509Extensions.AuthorityKeyIdentifier,
                false,
                new AuthorityKeyIdentifierStructure(caPubKey));

            X509Certificate cert = v3CertGen.Generate(caPrivKey);

            cert.CheckValidity(DateTime.UtcNow);

            cert.Verify(caPubKey);

            IDictionary bagAttr = new Hashtable();


            bagAttr.Add(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id,
                new DerBmpString("Eric's Key"));
            bagAttr.Add(PkcsObjectIdentifiers.Pkcs9AtLocalKeyID.Id,
                new SubjectKeyIdentifierStructure(pubKey));

            return new X509CertificateEntry(cert, bagAttr);
        }

        public static void Main(
            string[] args)
        {
//          Security.addProvider(new BouncyCastleProvider());

            //
            // personal keys
            //
//          RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec(
            RsaKeyParameters pubKey = new RsaKeyParameters(false,
                new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16),
                new BigInteger("11", 16));

//          RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec(
            RsaPrivateCrtKeyParameters privKey = new RsaPrivateCrtKeyParameters(
                new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16),
                new BigInteger("11", 16),
                new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16),
                new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16),
                new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16),
                new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16),
                new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16),
                new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16));

            //
            // intermediate keys.
            //
//          RSAPublicKeySpec intPubKeySpec = new RSAPublicKeySpec(
            RsaKeyParameters intPubKey = new RsaKeyParameters(false,
                new BigInteger("8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69", 16),
                new BigInteger("ffff", 16));


//          RSAPrivateCrtKeySpec intPrivKeySpec = new RSAPrivateCrtKeySpec(
            RsaPrivateCrtKeyParameters intPrivKey = new RsaPrivateCrtKeyParameters(
                new BigInteger("8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69", 16),
                new BigInteger("ffff", 16),
                new BigInteger("7deb1b194a85bcfd29cf871411468adbc987650903e3bacc8338c449ca7b32efd39ffc33bc84412fcd7df18d23ce9d7c25ea910b1ae9985373e0273b4dca7f2e0db3b7314056ac67fd277f8f89cf2fd73c34c6ca69f9ba477143d2b0e2445548aa0b4a8473095182631da46844c356f5e5c7522eb54b5a33f11d730ead9c0cff", 16),
                new BigInteger("ef4cede573cea47f83699b814de4302edb60eefe426c52e17bd7870ec7c6b7a24fe55282ebb73775f369157726fcfb988def2b40350bdca9e5b418340288f649", 16),
                new BigInteger("97c7737d1b9a0088c3c7b528539247fd2a1593e7e01cef18848755be82f4a45aa093276cb0cbf118cb41117540a78f3fc471ba5d69f0042274defc9161265721", 16),
                new BigInteger("6c641094e24d172728b8da3c2777e69adfd0839085be7e38c7c4a2dd00b1ae969f2ec9d23e7e37090fcd449a40af0ed463fe1c612d6810d6b4f58b7bfa31eb5f", 16),
                new BigInteger("70b7123e8e69dfa76feb1236d0a686144b00e9232ed52b73847e74ef3af71fb45ccb24261f40d27f98101e230cf27b977a5d5f1f15f6cf48d5cb1da2a3a3b87f", 16),
                new BigInteger("e38f5750d97e270996a286df2e653fd26c242106436f5bab0f4c7a9e654ce02665d5a281f2c412456f2d1fa26586ef04a9adac9004ca7f913162cb28e13bf40d", 16));

            //
            // ca keys
            //
//          RSAPublicKeySpec caPubKeySpec = new RSAPublicKeySpec(
            RsaKeyParameters caPubKey = new RsaKeyParameters(false,
                new BigInteger("b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5", 16),
                new BigInteger("11", 16));

//          RSAPrivateCrtKeySpec   caPrivKeySpec = new RSAPrivateCrtKeySpec(
            RsaPrivateCrtKeyParameters caPrivKey = new RsaPrivateCrtKeyParameters(
                new BigInteger("b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5", 16),
                new BigInteger("11", 16),
                new BigInteger("92e08f83cc9920746989ca5034dcb384a094fb9c5a6288fcc4304424ab8f56388f72652d8fafc65a4b9020896f2cde297080f2a540e7b7ce5af0b3446e1258d1dd7f245cf54124b4c6e17da21b90a0ebd22605e6f45c9f136d7a13eaac1c0f7487de8bd6d924972408ebb58af71e76fd7b012a8d0e165f3ae2e5077a8648e619", 16),
                new BigInteger("f75e80839b9b9379f1cf1128f321639757dba514642c206bbbd99f9a4846208b3e93fbbe5e0527cc59b1d4b929d9555853004c7c8b30ee6a213c3d1bb7415d03", 16),
                new BigInteger("b892d9ebdbfc37e397256dd8a5d3123534d1f03726284743ddc6be3a709edb696fc40c7d902ed804c6eee730eee3d5b20bf6bd8d87a296813c87d3b3cc9d7947", 16),
                new BigInteger("1d1a2d3ca8e52068b3094d501c9a842fec37f54db16e9a67070a8b3f53cc03d4257ad252a1a640eadd603724d7bf3737914b544ae332eedf4f34436cac25ceb5", 16),
                new BigInteger("6c929e4e81672fef49d9c825163fec97c4b7ba7acb26c0824638ac22605d7201c94625770984f78a56e6e25904fe7db407099cad9b14588841b94f5ab498dded", 16),
                new BigInteger("dae7651ee69ad1d081ec5e7188ae126f6004ff39556bde90e0b870962fa7b926d070686d8244fe5a9aa709a95686a104614834b0ada4b10f53197a5cb4c97339", 16));



            //
            // set up the keys
            //
//          KeyFactory          fact = KeyFactory.getInstance("RSA", "BC");
//          PrivateKey          caPrivKey = fact.generatePrivate(caPrivKeySpec);
//          PublicKey           caPubKey = fact.generatePublic(caPubKeySpec);
//          PrivateKey          intPrivKey = fact.generatePrivate(intPrivKeySpec);
//          PublicKey           intPubKey = fact.generatePublic(intPubKeySpec);
//          PrivateKey          privKey = fact.generatePrivate(privKeySpec);
//          PublicKey           pubKey = fact.generatePublic(pubKeySpec);

            X509CertificateEntry[] chain = new X509CertificateEntry[3];

            chain[2] = CreateMasterCert(caPubKey, caPrivKey);
            chain[1] = CreateIntermediateCert(intPubKey, caPrivKey, chain[2].Certificate);
            chain[0] = CreateCert(pubKey, intPrivKey, intPubKey);

            IDictionary bagAttr = new Hashtable();
            bagAttr.Add(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id,
                new DerBmpString("Eric's Key"));
            bagAttr.Add(PkcsObjectIdentifiers.Pkcs9AtLocalKeyID.Id,
                new SubjectKeyIdentifierStructure(pubKey));

            //
            // store the key and the certificate chain
            //
//          KeyStore store = KeyStore.getInstance("PKCS12", "BC");
//          store.load(null, null);
            Pkcs12Store store = new Pkcs12StoreBuilder().Build();

            //
            // if you haven't set the friendly name and local key id above
            // the name below will be the name of the key
            //
            store.SetKeyEntry("Eric's Key", new AsymmetricKeyEntry(privKey, bagAttr), chain);

//          FileOutputStream fOut = new FileOutputStream("id.p12");
//
//          store.store(fOut, passwd);
            FileStream fOut = File.Create("id.p12");
            store.Save(fOut, passwd, new SecureRandom());
            fOut.Close();



            X509Certificate cert2 = chain[2].Certificate;
            // convert to "Microsoft" x509cert.
            System.Security.Cryptography.X509Certificates.X509Certificate newcert2 = Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(cert2);
            //convert to Microsoft X509Certificate to Microsoft X509Certificate2 
            System.Security.Cryptography.X509Certificates.X509Certificate2 netcert2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(newcert2);
            netcert2.FriendlyName = "AAAA root certificate";
            PutCertificateInstore(netcert2);

            X509Certificate cert1 = chain[1].Certificate;
            // convert to "Microsoft" x509cert.
            System.Security.Cryptography.X509Certificates.X509Certificate newcert1 = Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(cert1);
            //convert to Microsoft X509Certificate to Microsoft X509Certificate2 
            System.Security.Cryptography.X509Certificates.X509Certificate2 netcert1 = new System.Security.Cryptography.X509Certificates.X509Certificate2(newcert1);
            netcert1.FriendlyName = "AAAA Intermediate Certificate";
            PutCertificateInstore(netcert1);

            X509Certificate cert0 = chain[0].Certificate;
            // convert to "Microsoft" x509cert.
            System.Security.Cryptography.X509Certificates.X509Certificate newcert0 = Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(cert0);
            //convert to Microsoft X509Certificate to Microsoft X509Certificate2 
            System.Security.Cryptography.X509Certificates.X509Certificate2 netcert0 = new System.Security.Cryptography.X509Certificates.X509Certificate2(newcert0);
            netcert0.FriendlyName = "AAAA key for hostName: " ;
            PutCertificateInstore(netcert0);






        }

        public static void PutCertificateInstore(System.Security.Cryptography.X509Certificates.X509Certificate2 ServerCertificate)
        {
            System.Security.Cryptography.X509Certificates.X509Store store = new System.Security.Cryptography.X509Certificates.X509Store(System.Security.Cryptography.X509Certificates.StoreName.AuthRoot, System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine);
            store.Open(System.Security.Cryptography.X509Certificates.OpenFlags.ReadWrite);
            store.Add(ServerCertificate);
            store.Close();

        }

        private static void CreateCertNew(out System.Security.Cryptography.RSACryptoServiceProvider rcsp, out System.Security.Cryptography.X509Certificates.X509Certificate2 importcert)
        {
            X509Name x2 = new X509Name("CN=Some Root CA, C=NL, OU=BleedingEdge, ST=Somewhere, L=Somelane");
            RsaKeyPairGenerator rkpg = new RsaKeyPairGenerator();
            rkpg.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
            AsymmetricCipherKeyPair ackp = rkpg.GenerateKeyPair();

            RsaPrivateCrtKeyParameters rsaprivkey = ((RsaPrivateCrtKeyParameters)ackp.Private);

            ArrayList us = new ArrayList
                                    {
                                        KeyPurposeID.IdKPCodeSigning,
                                        KeyPurposeID.IdKPEmailProtection,
                                        KeyPurposeID.IdKPIpsecEndSystem,
                                        KeyPurposeID.IdKPIpsecTunnel,
                                        KeyPurposeID.IdKPServerAuth,
                                        KeyPurposeID.IdKPTimeStamping,
                                        KeyPurposeID.IdKPOcspSigning,
                                        KeyPurposeID.IdKPClientAuth,
                                        KeyPurposeID.IdKPIpsecUser
                                    };



            X509V3CertificateGenerator certgen = new X509V3CertificateGenerator();
            certgen.SetIssuerDN(x2);
            certgen.SetSubjectDN(x2);
            certgen.SetPublicKey(ackp.Public);
            certgen.SetSerialNumber(new BigInteger("1"));
            certgen.SetSignatureAlgorithm("SHA1WITHRSA");
            certgen.SetNotAfter(DateTime.Today.AddYears(10));
            certgen.SetNotBefore(DateTime.Today);
            certgen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(us));
            certgen.AddExtension(X509Extensions.KeyUsage, true,
                                    new KeyUsage(KeyUsage.CrlSign | KeyUsage.KeyCertSign));
            certgen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
            X509Certificate cert = certgen.Generate(ackp.Private);

            System.Security.Cryptography.CspParameters cparms = new System.Security.Cryptography.CspParameters
            {
                CryptoKeySecurity = new System.Security.AccessControl.CryptoKeySecurity(),
                Flags = System.Security.Cryptography.CspProviderFlags.UseMachineKeyStore,
            };

            rcsp = new System.Security.Cryptography.RSACryptoServiceProvider(cparms);

            System.Security.Cryptography.RSAParameters parms = new System.Security.Cryptography.RSAParameters
            {
                Modulus = rsaprivkey.Modulus.ToByteArrayUnsigned(),
                P = rsaprivkey.P.ToByteArrayUnsigned(),
                Q = rsaprivkey.Q.ToByteArrayUnsigned(),
                DP = rsaprivkey.DP.ToByteArrayUnsigned(),
                DQ = rsaprivkey.DQ.ToByteArrayUnsigned(),
                InverseQ = rsaprivkey.QInv.ToByteArrayUnsigned(),
                D = rsaprivkey.Exponent.ToByteArrayUnsigned(),
                Exponent = rsaprivkey.PublicExponent.ToByteArrayUnsigned()
            };

            rcsp.ImportParameters(parms);

            importcert = new System.Security.Cryptography.X509Certificates.X509Certificate2(DotNetUtilities.ToX509Certificate(cert));
        }
    }
}

4 个答案:

答案 0 :(得分:2)

我自己做一些PKCS12-Certificates测试我可能已经对你/我的问题有所了解。

如果根本没有注册的根证书或者注册的根证书与当前证书链(旧版本)的证书不匹配,我会收到有关任何结束证书的无效签名的错误提及。

如果没有注册的根证书,它只会声明它无法验证签名。

如果确实存在匹配的根证书,则表明签名有效。

答案 1 :(得分:1)

我认为问题是由您个人证书中的512位密钥大小引起的。非常接近您开始观察问题的时间,Microsoft发布了一个安全patch(KB2661254),可以阻止RSA密钥长度小于1024位。

尝试使用1024位或更高密钥长度创建个人证书,并查看问题是否消失。

答案 2 :(得分:0)

我遇到了这个问题,因为我使用的是错误 私钥,而不是与CA证书对应的那个。从技术上讲,我正在创造一个新的,我不知道为什么。这是一个愚蠢的错误,但值得一提,因为我试图找到错误好几天。

答案 3 :(得分:0)

签署中间CA的CSR时,我也遇到了类似的问题。我所犯的错误是使用 中间CA的公钥 作为扩展程序中的 AuthorityKeyIdentifier 。我将其更改为 CA的公钥 ,并将 subjectKeyIdentifier 保留为 中间CA'解决了无效数字签名的公钥