Possible duplicate:
Generated signed X.509 client certificate is invalid (no certificate chain to its CA)
I followed this example:
But when opened in Windows, the generated signed client certificate gives the following error:
"This file is invalid for use as the following: Security Certificate"
If I install it anyway and view it with certmgr, the certificate path looks fine - I see my self-signed certificate authority (which is fine, no problem), but the client certificate has the following status:
"This certificate has an invalid digital signature."
If I call X509Certificate.Verify(), the following exception is thrown:
"Public key presented not for certificate signature"
However, I use the same public key extracted from the Pkcs10CertificationRequest, and when I call Verify() on it, it is fine.
Any ideas? After several days of effort I have everything working except this last piece - and what really puzzles me is that my self-signed CA certificate is fine. Something is going on with the client certificate. Here is the whole code block:
```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Extension;

// wrapper method name chosen here so the fragment compiles; the body is the original code
static byte[] IssueClientCertificate()
{
    // read the PKCS#10 request and extract the client's RSA public key from it
    TextReader textReader = new StreamReader("certificaterequest.pkcs10");
    PemReader pemReader = new PemReader(textReader);
    Pkcs10CertificationRequest certificationRequest = (Pkcs10CertificationRequest)pemReader.ReadObject();
    CertificationRequestInfo certificationRequestInfo = certificationRequest.GetCertificationRequestInfo();
    SubjectPublicKeyInfo publicKeyInfo = certificationRequestInfo.SubjectPublicKeyInfo;
    RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.GetPublicKey());
    RsaKeyParameters publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent);
    // the CSR is self-signed with the client key, so verifying it with the client's public key succeeds
    bool certIsOK = certificationRequest.Verify(publicKey);
    // public key is OK here...
    // get the server certificate
    Org.BouncyCastle.X509.X509Certificate serverCertificate = DotNetUtilities.FromX509Certificate(System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("servermastercertificate.cer"));
    // get the server private key
    byte[] privateKeyBytes = File.ReadAllBytes("serverprivate.key");
    AsymmetricKeyParameter serverPrivateKey = PrivateKeyFactory.CreateKey(privateKeyBytes);
    // generate the client certificate
    X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
    // note: System.Random is not a cryptographic source; SecureRandom is the usual choice for serial numbers
    generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
    generator.SetIssuerDN(serverCertificate.SubjectDN);
    generator.SetNotBefore(DateTime.Now);
    generator.SetNotAfter(DateTime.Now.AddYears(5));
    generator.SetSubjectDN(certificationRequestInfo.Subject);
    generator.SetPublicKey(publicKey);
    generator.SetSignatureAlgorithm("SHA512withRSA");
    generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate));
    generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey));
    // the certificate is signed with the server (CA) private key
    var newClientCert = generator.Generate(serverPrivateKey);
    newClientCert.Verify(publicKey); // <-- this blows up
    return DotNetUtilities.ToX509Certificate(newClientCert).Export(X509ContentType.Pkcs12, "user password");
}
```
Answer 0 (score: 1)
I figured it out. If you call X509Certificate.Verify(publicKey), you must pass the CA's public key, not the client's public key from the Pkcs10CertificationRequest.
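The point of the answer, as a self-contained added example (not code from the question or the answer): a certificate's signature is made with the issuer's private key, so Verify() must be given the issuer's public key. For a self-signed CA the issuer and subject keys coincide, which is why the CA certificate verified either way; for the client certificate only the CA key works. This uses the BouncyCastle C# library (the BouncyCastle.Cryptography NuGet package is assumed); the helper names NewRsaKeyPair, Issue and VerifiesWith are hypothetical, the distinguished names are constructed sample values, and the signature is produced through Asn1SignatureFactory rather than the older SetSignatureAlgorithm/Generate(privateKey) pair used in the question, since that pair is deprecated in current releases.

```csharp
using System;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Extension;

public static class VerifyDemo
{
    // Hypothetical helper: a fresh RSA key pair. In the question the client key comes
    // from the PKCS#10 request and the CA key is loaded from disk.
    static AsymmetricCipherKeyPair NewRsaKeyPair(SecureRandom random)
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(random, 2048));
        return gen.GenerateKeyPair();
    }

    // Hypothetical helper: build a certificate for subjectPublicKey, signed with issuerPrivateKey.
    // With issuerName == subjectName and the CA's own keys this yields the self-signed CA;
    // otherwise an end-entity certificate issued by that CA.
    static X509Certificate Issue(X509Name issuerName, X509Name subjectName,
        AsymmetricKeyParameter subjectPublicKey, AsymmetricKeyParameter issuerPrivateKey,
        AsymmetricKeyParameter issuerPublicKey, bool isCa, SecureRandom random)
    {
        var gen = new X509V3CertificateGenerator();
        gen.SetSerialNumber(BigInteger.ProbablePrime(120, random)); // SecureRandom, not System.Random
        gen.SetIssuerDN(issuerName);
        gen.SetSubjectDN(subjectName);
        gen.SetNotBefore(DateTime.UtcNow.AddMinutes(-5));
        gen.SetNotAfter(DateTime.UtcNow.AddYears(isCa ? 10 : 1));
        gen.SetPublicKey(subjectPublicKey);
        // BasicConstraints and KeyUsage make the CA / end-entity distinction explicit to validators.
        gen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(isCa));
        gen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(isCa
            ? KeyUsage.KeyCertSign | KeyUsage.CrlSign
            : KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
        // AKI identifies the issuer's key, SKI the subject's key; chain builders match on these.
        gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(issuerPublicKey));
        gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifierStructure(subjectPublicKey));
        // The signature is computed with the ISSUER's private key.
        return gen.Generate(new Asn1SignatureFactory("SHA256WITHRSA", issuerPrivateKey, random));
    }

    // Hypothetical helper: true if cert's signature checks out under key. A key mismatch
    // surfaces as InvalidKeyException ("Public key presented not for certificate signature"),
    // which derives from GeneralSecurityException.
    static bool VerifiesWith(X509Certificate cert, AsymmetricKeyParameter key)
    {
        try { cert.Verify(key); return true; }
        catch (GeneralSecurityException) { return false; }
    }

    public static void Main()
    {
        var random = new SecureRandom();
        var caName = new X509Name("CN=Demo Root CA"); // constructed sample name
        var clientName = new X509Name("CN=client1");  // constructed sample name
        var caKeys = NewRsaKeyPair(random);
        var clientKeys = NewRsaKeyPair(random);

        var caCert = Issue(caName, caName, caKeys.Public, caKeys.Private, caKeys.Public, true, random);
        var clientCert = Issue(caName, clientName, clientKeys.Public, caKeys.Private, caKeys.Public, false, random);

        // Self-signed CA: issuer key and subject key are the same key, so this is true.
        Console.WriteLine("CA cert verifies with CA key:          " + VerifiesWith(caCert, caKeys.Public));
        // Client cert was signed with the CA's private key, so the CA's public key verifies it.
        Console.WriteLine("client cert verifies with CA key:      " + VerifiesWith(clientCert, caKeys.Public));
        // Checking it against the client's own public key is the mistake from the question: false.
        Console.WriteLine("client cert verifies with client key:  " + VerifiesWith(clientCert, clientKeys.Public));
        // In practice the issuer key is taken from the CA certificate itself.
        Console.WriteLine("client cert verifies with CA cert key: " + VerifiesWith(clientCert, caCert.GetPublicKey()));
    }
}
```

Expected behaviour: the first, second and fourth checks print true and the third prints false. Verifying against the issuer's public key is exactly what a chain validator (certmgr included) does for each link, so a certificate that passes this check with its CA's key but still fails validation on Windows points at a different problem (extensions, trust store, encoding) rather than at the signature itself.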