我正在研究C#项目,其中服务器和客户端之间的tcp传输是使用SSL进行的。我用makecert程序创建了证书文件,但它只能在生成它的计算机上运行(虽然我已经安装了.cer文件)。我几乎可以肯定,问题出在我投入使用的参数中,但我检查了很多组合,没有(despit follow)工作
makecert -r -pe -n "CN=This is my certificate" -ss my -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 ca.cer
.cer文件仅用于加密传输。我不使用PKI。此外,使用SSL是“死的要求” - 必须使用它,只是为了使用。不应考虑任何安全问题。
如果有人应该回答我,如何创建证书,那将是 X509Certificate.CreateFromCertFile 方法可以使用我会很高兴。
答案 0 :(得分:3)
感谢Roger我找到了你的博客,并设法让它工作,并设置了一个包装,因此它易于使用,我还设法在证书上设置友好名称
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Diagnostics;
public class SSLCertificateCreator
{
public static string RunDosCommand(string Cmd, string Arguments)
{//Executes a Dos command in the current directory and then returns the result
string TestMessageText = "";
string filePath = Environment.CurrentDirectory;
ProcessStartInfo pi = new ProcessStartInfo()
{
FileName = filePath + "\\" + Cmd,
Arguments = Arguments + " ",
RedirectStandardOutput = true,
UseShellExecute = false,
CreateNoWindow = false
};
try
{
using (Process p = Process.Start(pi))
{
p.WaitForExit();
TestMessageText = p.StandardOutput.ReadToEnd();
return TestMessageText;
}
}
catch (Exception Ex)
{
return "ERROR :" +Ex.Message;
}
}
public static bool MakeCACertificate(string RootCertificateName, string FriendlyName)
{//Make a CA certificate but only if we don't already have one and then sets the friendly name
if (FindCertificate("Root", RootCertificateName, OpenFlags.ReadOnly) != null) return false; //We already have this root certificate
string Arguments="-pe -n \"CN=" + RootCertificateName + "\" -ss Root -sr CurrentUser -a sha1 -sky signature -r \"" + RootCertificateName + ".cer\" -m 12";
string Result=RunDosCommand("makecert", Arguments);
X509Certificate2 Cert = FindCertificate("Root", RootCertificateName, OpenFlags.ReadWrite);
if (Cert == null || !Result.ToLower().StartsWith("succeeded")) return false;
Cert.FriendlyName = FriendlyName;
return true;
}
public static bool MakeSignedCertificate(string RootCertificateName, string CertificateName, string FriendlyName)
{//Makes a signed certificate but only if we have the root certificate and then sets the friendly name
if (FindCertificate("Root", RootCertificateName, OpenFlags.ReadOnly) == null) return false; //We must have a valid root-certificate first
if (FindCertificate("my",CertificateName, OpenFlags.ReadOnly)!=null) return false;//Nope we alrady have this signed certificate
string Arguments = "-pe -n \"CN=" + CertificateName + "\" -ss my -sr CurrentUser -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in \"" + RootCertificateName + "\" -is Root -ir CurrentUser -sp \"Microsoft RSA SChannel Cryptographic Provider\" -sy 12 \"" + CertificateName + ".cer\" -m 12";
string Result = RunDosCommand("makecert", Arguments);
X509Certificate2 Cert = FindCertificate("my", CertificateName, OpenFlags.ReadWrite);
if (Cert==null || !Result.ToLower().StartsWith("succeeded")) return false;
Cert.FriendlyName = FriendlyName;
return true;
}
private static X509Certificate2 FindCertificate(string Store, string Name, OpenFlags Mode)
{//Look to see if we can find the certificate store
X509Store store = new X509Store(Store,StoreLocation.CurrentUser);
store.Open(Mode);
foreach (X509Certificate2 Cert in store.Certificates)
{
if (Cert.Subject.ToLower() =="cn="+ Name.ToLower())
return Cert;//Yep found it
}
return null;
}
}
示例用法
SSLCertificateCreator.MakeCACertificate(" DavesRoot"," Nice Name"); SSLCertificateCreator.MakeSignedCertificate(" DavesRoot"," Daves签名证书5","好名字");
makecert.exe需要位于Bin / Release或Debug目录中才能使代码正常工作且此代码仅在Windows-8上进行过测试
答案 1 :(得分:2)
如果您控制所有将使用这些证书的计算机,您可以创建一个受所有计算机信任的CA,然后根据该计算机颁发证书。
这是我的批处理文件。第一个创建CA证书:
:// Create a self-signed certificate (-r),
:// with an exportable private key (-pe),
:// using SHA1 (-r), for signing (-sky signature).
:// The private key is written to a file (-sv).
makecert -r -pe -n "CN=My Root Authority" -ss CA ^
-sr CurrentUser -a sha1 -sky signature -cy authority ^
-sv CA.pvk CA.cer
将.CER文件导入必须连接到服务器的那些计算机上的CA证书存储区(它们必须信任CA):
:// Import that certificate into the
:// "Trusted Root Certification Authorities" store.
certutil -user -addstore Root CA.cer
这个创建服务器证书:
:// Create a server certificate, with an exportable private key (-pe),
:// using SHA1 (-r) for key exchange (-sky exchange).
:// It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1).
:// The issuing certificate is in a file (-ic), as is the key (-iv).
:// Use a particular crypto provider (-sp, -sy).
makecert -pe -n "CN=server.example.com" -a sha1 ^
-sky exchange -eku 1.3.6.1.5.5.7.3.1
-ic CA.cer -iv CA.pvk ^
-sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 ^
-sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
安装.pfx文件,然后获取C#服务器代码以使用它。这留给读者练习。
答案 2 :(得分:0)
您需要获得有效证书。 makecert命令生成的那个仅用于测试,不能在其他系统上工作。