通过代码从CA要求证书与模板

时间:2020-07-30 19:47:08

标签: c# active-directory x509certificate x509certificate2 ca

我想务实地使用我们的CA模板为我们的每个用户创建新证书(签署数字化会计凭证)。 手动,我设法做到了

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control#feedback

我还设法通过非常错误的方法来创建一个简单的请求

string certificatePath = Server.MapPath("~/Files/comp-crt-ca.crt");
        string privateKeyPath = Server.MapPath("~/Files/comp-pem-ca.key");
        string certificateText = System.IO.File.ReadAllText(certificatePath);
        string privateKeyText = System.IO.File.ReadAllText(privateKeyPath);
        System.Security.Cryptography.X509Certificates.X509Certificate2 certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificatePath);
pass = "111111";  
            X509Certificate certBaseForm = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(certificate);
            var newStore = new Pkcs12Store();
            var certEntry = new X509CertificateEntry(certBaseForm);

            newStore.SetCertificateEntry(signatureAliasTemplate, certEntry);
            newStore.SetKeyEntry(signatureAliasTemplate, new AsymmetricKeyEntry(kp.Private), new[] { certEntry });

            using (var certFile = System.IO.File.Create(pathPfx))
            {
                newStore.Save(certFile, pass.ToCharArray(), new SecureRandom(new CryptoApiRandomGenerator()));
            }

            System.Security.Cryptography.X509Certificates.X509Certificate2 newCert = new System.Security.Cryptography.X509Certificates.X509Certificate2(pathPfx);
            using (System.Security.Cryptography.X509Certificates.X509Store store = new System.Security.Cryptography.X509Certificates.X509Store(
                System.Security.Cryptography.X509Certificates.StoreName.CertificateAuthority,
                System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine))
            {
                store.Open(System.Security.Cryptography.X509Certificates.OpenFlags.ReadWrite);
                store.Add(newCert); //where cert is an X509Certificate object
            }

显然,由于.pem位于我的根目录上,因此这是一个非常糟糕的做法,但我这样做只是为了查看是否要创建证书-而且确实是,但要在根目录授权而不是模板上。 / p>

我添加了一个截图来演示,最后一行是由我的代码创建的,其中的行带有“ signserver-newdoc_4”。其余的-手动创建的,这是我试图实现的目标 enter image description here

有人能指出我的方向吗?在过去的两周里,我浏览了无数篇文章。.如果我知道正确的库,那么简单的事情对我来说似乎没什么。

0 个答案:

没有答案
相关问题
最新问题