我们使用CertEnroll在客户端上生成了有效的PKCS#10证书申请。
现在我们需要对其进行签名并将结果返回给客户端,其中CertEnroll将处理本地证书库的内容。
这是一个B2B应用程序,根签名证书将自行生成,或者我们可以使用我们现有的Thawte SSL证书。
Server(2008)没有运行Active Directory,除非绝对必要,否则我们不希望为此创建独立的签名基础结构/服务。不需要撤销等 - 我们希望以编程方式进行撤销。
我很乐意使用BouncyCastle库但是C#lib缺少任何有意义的文档,而原始的Java文档无疑是相似的,而C#实现的不同之处让我更加困惑。
是否有人知道(或拥有)样本C#(或VB)代码或使用BouncyCastle或本地.Net类的已知相关链接?
非常感谢任何协助完成这项工作!
答案 0 :(得分:10)
至少可以说这是一个有趣的练习: - )
我们使用了BouncyCastle和.Net证书对象。解决方案仍然有很多!改进的余地,但确实有效。
它的内心(Cert Gen)如下。当我们到达这里时,CSR已经在客户端上生成,当我们离开时,生成的证书由客户端代码安装(请参阅this blog了解客户端工作。)
同样,我不是将此作为成品提供,但希望对面临同样任务的人有一定的价值。快乐加密: - )
// Jul 10, 2012 see
// http://social.technet.microsoft.com/Forums/en-NZ/winserversecurity/thread/45781b46-3eb7-4715-b877-883bf0dc2ae7
// instaed of CX509CertificateRequestPkcs10 csr = new CX509CertificateRequestPkcs10(); use:
IX509CertificateRequestPkcs10 csr = (IX509CertificateRequestPkcs10)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10"));
csr.InitializeDecode(csrText, EncodingType.XCN_CRYPT_STRING_BASE64);
csr.CheckSignature(Pkcs10AllowedSignatureTypes.AllowedKeySignature);
//get Bouncy CSRInfo Object
Trace.Write("get Bouncy CSRInfo Object");
Byte[] csrBytes = Convert.FromBase64String(csrText);
CertificationRequestInfo csrInfo = CertificateTools.GetCsrInfo(csrBytes);
SubjectPublicKeyInfo pki = csrInfo.SubjectPublicKeyInfo;
//pub key for the signed cert
Trace.Write("pub key for the signed cert");
AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(pki);
// Build a Version1 (No Extensions) Certificate
DateTime startDate = DateTime.Now;
DateTime expiryDate = startDate.AddYears(100);
BigInteger serialNumber = new BigInteger(32, new Random());
Trace.Write("Build a Version1 (No Extensions) Certificate");
X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
string signerCN = ConfigurationManager.AppSettings["signerCN"].ToString();
X509Name dnName = new X509Name(String.Format("CN={0}", signerCN));
X509Name cName = new X509Name(csr.Subject.Name);
certGen.SetSerialNumber(serialNumber);
certGen.SetIssuerDN(dnName);
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(expiryDate);
certGen.SetSubjectDN(cName);
certGen.SetSignatureAlgorithm("SHA1withRSA");
certGen.SetPublicKey(publicKey);
//get our Private Key to Sign with
Trace.Write("get our Private Key to Sign with");
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
string signerThumbprint = ConfigurationManager.AppSettings["signerThumbprint"].ToString();
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByThumbprint, signerThumbprint, false);
X509Certificate2 caCert = fcollection[0];
Trace.Write("Found:" + caCert.FriendlyName);
Trace.Write("Has Private " + caCert.HasPrivateKey.ToString());
Trace.Write("Key Size " + caCert.PrivateKey.KeySize.ToString());
//Get our Signing Key as a Bouncy object
Trace.Write("Get our Signing Key as a Bouncy object from key ");
AsymmetricCipherKeyPair caPair = DotNetUtilities.GetKeyPair(caCert.PrivateKey);
//gen BouncyCastle object
Trace.Write("gen BouncyCastle object");
Org.BouncyCastle.X509.X509Certificate cert = certGen.Generate(caPair.Private);
//convert to windows type 2 and get Base64 String
Trace.Write("convert to windows type 2 and get Base64 String");
X509Certificate2 cert2 = new X509Certificate2(DotNetUtilities.ToX509Certificate(cert));
byte[] encoded = cert2.GetRawCertData();
string certOutString = Convert.ToBase64String(encoded);
//output to the page (hidden)
Certificate.Value = certOutString;