从 Cert 和 Key 创建 X509Certificate2,而不制作 PFX 文件

C#/.NET问题 得得之家
Create X509Certificate2 from Cert and Key, without making a PFX file(从 Cert 和 Key 创建 X509Certificate2,而不制作 PFX 文件)
本文介绍了从 Cert 和 Key 创建 X509Certificate2,而不制作 PFX 文件的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

过去我一直通过导出带有密码的 PFX 证书来制作安全的 TcpListener,但想知道是否可以跳过此步骤.

In the past I have been making secure TcpListener by exporting a PFX certificate with a password, but would like to know if this step could be skipped.

我没有使用商业 SSL 证书,并且有一个根 CA,用于颁发服务器证书.在 C# 中托管 TcpListener 时,这些服务器证书需要额外的步骤(我猜是因为没有使用 CSR)......但是如果我确实有私钥和 OpenSSL 生成/使用的证书怎么办.

I'm not using commercial SSL certificates, and have a Root CA, that I use to issue server certificates. These server certificates require additional steps when hosting a TcpListener in C# (I guess because the CSR wasn't used)... but what if I do have the Private Key, and the Certificate that OpenSSL generates/uses.

sslCertificate = new X509Certificate2("myExportedCert.pfx", "1234");

所以这很好,但是我必须发出一个 openssl 命令来从证书和私钥制作一个 pfx 文件,然后组成一些密码.然后将此密码包含在我的代码中.

So this is great, however I have to issue an openssl command to make a pfx file from the Certificate and the Private Key, then make up some password. Then include this password in my code.

我想知道这一步是否非常必要.有没有办法从证书中组成一个 X509Certificate2,然后应用私钥.构造函数参数只允许 Cert 部分,但由于没有私钥,加密失败.

I was wondering if this step was quite necessary. Is there a way to make up a X509Certificate2 from the Cert, and then apply the Private Key. The constructor arguments allow the Cert only part, but encrypting fails then because there is no private key.

另外,我不想依赖 OpenSSL 或 IIS 来导出 pfx.... 看起来很笨拙.

Also, I don't want to rely on OpenSSL or IIS to export the pfx.... seems clumsy.

理想情况下,我希望:

sslCertificate = new X509Certificate2("myCert.crt");
sslCertificate.ApplyPrivateKey(keyBytes) // <= or "private.key" or whatever

sslStream.AuthenticateAsServer(sslCertificate, false, SslProtocols.Default, false);

推荐答案

你有几个不同的要求,不同程度的轻松.

There are a couple of different things you're asking for, with different levels of ease.

从 .NET Framework 4.7.2 或 .NET Core 2.0 开始,您可以结合使用证书和密钥.它不会修改证书对象,而是生成一个知道密钥的新证书对象.

Starting in .NET Framework 4.7.2 or .NET Core 2.0 you can combine a cert and a key. It doesn't modify the certificate object, but rather produces a new cert object which knows about the key.

using (X509Certificate2 pubOnly = new X509Certificate2("myCert.crt"))
using (X509Certificate2 pubPrivEphemeral = pubOnly.CopyWithPrivateKey(privateKey))
{
    // Export as PFX and re-import if you want "normal PFX private key lifetime"
    // (this step is currently required for SslStream, but not for most other things
    // using certificates)
    return new X509Certificate2(pubPrivEphemeral.Export(X509ContentType.Pfx));
}

在 .NET Framework(但不是 .NET Core)上,如果您的私钥是 RSACryptoServiceProviderDSACryptoServiceProvider,您可以使用 cert.PrivateKey = key,但有复杂的副作用,不鼓励这样做.

on .NET Framework (but not .NET Core) if your private key is RSACryptoServiceProvider or DSACryptoServiceProvider you can use cert.PrivateKey = key, but that has complex side-effects and is discouraged.

这个比较难,除非你已经解决了.

This one is harder, unless you've already solved it.

在大多数情况下,这个问题的答案在 不使用 BouncyCastle 的 c# 中的数字签名中,但如果你可以移动到 .NET Core 3.0 的事情变得容易多了.

For the most part the answer for this is in Digital signature in c# without using BouncyCastle, but if you can move to .NET Core 3.0 things get a lot easier.

从 .NET Core 3.0 开始,您可以相对简单地做到这一点:

Starting in .NET Core 3.0 you can do this relatively simply:

using (RSA rsa = RSA.Create())
{
    rsa.ImportPkcs8PrivateKey(binaryEncoding, out _);
    // do stuff with the key now
}

(当然,如果你有一个 PEM,你需要通过提取 BEGIN 和 END 分隔符之间的内容并通过 Convert.FromBase64String 运行它来de-PEM"它以获得binaryEncoding).

(of course, if you had a PEM you need to "de-PEM" it, by extracting the contents between the BEGIN and END delimiters and running it through Convert.FromBase64String in order to get binaryEncoding).

从 .NET Core 3.0 开始,您可以相对简单地做到这一点:

Starting in .NET Core 3.0 you can do this relatively simply:

using (RSA rsa = RSA.Create())
{
    rsa.ImportEncryptedPkcs8PrivateKey(password, binaryEncoding, out _);
    // do stuff with the key now
}

(如上,如果是 PEM,您需要先去 PEM"它).

(as above, you need to "de-PEM" it first, if it was PEM).

从 .NET Core 3.0 开始,您可以相对简单地做到这一点:

Starting in .NET Core 3.0 you can do this relatively simply:

using (RSA rsa = RSA.Create())
{
    rsa.ImportRSAPrivateKey(binaryEncoding, out _);
    // do stuff with the key now
}

(如果是 PEM,则相同的de-PEM").

(same "de-PEM" if PEM).

这篇关于从 Cert 和 Key 创建 X509Certificate2,而不制作 PFX 文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!

本站部分内容来源互联网,如果有图片或者内容侵犯您的权益请联系我们删除!

相关文档推荐

尝试更新ViewModel中的Ui属性时DispatcherQueue为空
DispatcherQueue null when trying to update Ui property in ViewModel(尝试更新ViewModel中的Ui属性时DispatcherQueue为空)
在多个监视器上绘制所有窗口
Drawing over all windows on multiple monitors(在多个监视器上绘制所有窗口)
以编程方式显示桌面
Programmatically show the desktop(以编程方式显示桌面)
按类型访问对象的C#泛型集实现
c# Generic Setlt;Tgt; implementation to access objects by type(按类型访问对象的C#泛型集实现)
在ASP.NET核心中使用上下文注入时发生InvalidOperationException
InvalidOperationException When using Context Injection in ASP.Net Core(在ASP.NET核心中使用上下文注入时发生InvalidOperationException)
LINQ多对多关系,如何写一个正确的WHERE子句?
LINQ many-to-many relationship, how to write a correct WHERE clause?(LINQ多对多关系,如何写一个正确的WHERE子句?)
前端问题php问题Java问题Python问题C/C++问题C#/.NET问题移动开发问题数据库问题
html vue validate adobe dreamweaver hbuilder vscode aptana editor dedecms ckeditor 编辑器 过滤 规则 织梦 图片本地化 模板 缩略图 图集 图片删除 ajax 瀑布流 无限下拉 cms 判断 sql 清除 tag 文档数 angularjs2 按钮 切换效果 vue3 thinkphp yii2 css 项目列表 li go Beego Buffalo Echo Gin Iris Revel 百度云 虚拟主机 pbootcms 伪静态 框架 排序 数据库 对象 字段 sql语句 php 字符串 分割 D3.js bootstrap 函数 svg selectAll 织梦cms 关键词 解析 采集 长度限制 日期 正则表达式