How to generate CSR like it does IIS

I am working on integration with the Symantec API and use this code to generate a CSR:

private string GenerateCsr(string domain, string organization, string organizationUnit, string city, string state, string country) {
        //  Create all the objects that will be required
        var objPkcs10 = new CX509CertificateRequestPkcs10();
        var objPrivateKey = new CX509PrivateKey();
        var objCSP = new CCspInformation();
        var objCSPs = new CCspInformations();
        var objDN = new CX500DistinguishedName();
        var objEnroll = new CX509Enrollment();
        var objObjectIds = new CObjectIds();
        var objObjectId = new CObjectId();
        var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
        var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
        string strRequest;
        try {
            //  Initialize the CSP object using the desired Cryptographic Service Provider (CSP)
            objCSP.InitializeFromName(
                "Microsoft RSA Schannel Cryptographic Provider"
                );
            //  Add this CSP object to the CSP collection object
            objCSPs.Add(
                objCSP
                );
            //  Provide key container name, key length and key spec to the private key object
            //objPrivateKey.ContainerName = "AlejaCMa";
            objPrivateKey.Length = 2048;
            objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
            objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
            objPrivateKey.MachineContext = false;
            //  Provide the CSP collection object (in this case containing only 1 CSP object)
            //  to the private key object
            objPrivateKey.CspInformations = objCSPs;
            //  Create the actual key pair
            objPrivateKey.Create();
            //  Initialize the PKCS#10 certificate request object based on the private key.
            //  Using the context, indicate that this is a user certificate request and don't
            //  provide a template name
            objPkcs10.InitializeFromPrivateKey(
                X509CertificateEnrollmentContext.ContextUser,
                objPrivateKey,
                ""
                );
            // Key Usage Extension 
            objExtensionKeyUsage.InitializeEncode(
                X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
                X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
                );
            objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
            // Enhanced Key Usage Extension
            objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
            // OID for Client Authentication usage                
            objObjectIds.Add(objObjectId);
            objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
            objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
            //  Encode the name in using the Distinguished Name object
            objDN.Encode(
                string.Format("CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", domain, organization, organizationUnit, city, state, country),
                X500NameFlags.XCN_CERT_NAME_STR_NONE
                );
            //  Assign the subject name by using the Distinguished Name object initialized above
            objPkcs10.Subject = objDN;
            // Create enrollment request
            objEnroll.InitializeFromRequest(objPkcs10);
            strRequest = objEnroll.CreateRequest(
                EncodingType.XCN_CRYPT_STRING_BASE64
                );
            return strRequest;
        }
        catch (Exception ex) {
            // Keep the original exception as InnerException so the CertEnroll error is not lost
            throw new Exception("Can't generate CSR", ex);
        }
    }

Symantec then returns a base64-encoded certificate, but I can't upload it to IIS. If I send a CSR generated manually on IIS to Symantec, I am able to upload the returned certificate. So, my question is how to generate a CSR like the one generated on IIS.

It cannot be done the way you want it. Because the CSR and private key are generated on one server, to use the signed certificate returned by the CA you will need to have the private key that is generated when the CSR is created. But you are generating the private key on a different server and uploading the signed certificate given by Symantec on IIS, and IIS does not have the private key.

If it has to be done, then you need to send the parameters directly to the Symantec API, and then they will provide you with a PFX file which will be password protected, and you can upload the PFX file on the IIS server.

I hope I answered your question.
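An added example, not part of the original answer and not Symantec or IIS code: it shows in .NET that the certificate returned by a CA carries no private key, checks that it matches the key created with the CSR, and bundles both into a PFX. The subject name, the password and the self-signed stand-in for the CA reply are constructed for the demo.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CsrKeyPairingDemo
{
    // True when the certificate carries the same RSA public key as the local key.
    static bool MatchesKey(X509Certificate2 cert, RSA key)
    {
        using RSA certKey = cert.GetRSAPublicKey();
        if (certKey == null) return false;
        RSAParameters a = certKey.ExportParameters(false);
        RSAParameters b = key.ExportParameters(false);
        return a.Modulus.SequenceEqual(b.Modulus) && a.Exponent.SequenceEqual(b.Exponent);
    }

    static void Main()
    {
        // Key pair created where the CSR is built; it never travels with the CSR.
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest(
            "CN=www.example.test, O=Example Org, C=US",   // constructed subject
            key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        byte[] csr = request.CreateSigningRequest();        // PKCS#10, DER encoded
        Console.WriteLine("CSR bytes: " + csr.Length);

        // Stand-in for the CA reply (assumption: self-signed here so the demo runs
        // offline); re-loading the DER certificate drops the private key.
        using X509Certificate2 signed = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(30));
        using var fromCa = new X509Certificate2(signed.Export(X509ContentType.Cert));
        Console.WriteLine("CA reply has private key: " + fromCa.HasPrivateKey);

        // A key generated elsewhere does not match and must not be paired.
        using RSA otherKey = RSA.Create(2048);
        Console.WriteLine("Matches unrelated key: " + MatchesKey(fromCa, otherKey));

        if (!MatchesKey(fromCa, key))
            throw new CryptographicException("Certificate does not match the CSR key.");

        // Pair the certificate with the original key, then bundle both as a PFX.
        using X509Certificate2 paired = fromCa.CopyWithPrivateKey(key);
        byte[] pfx = paired.Export(X509ContentType.Pfx, "constructed-demo-password");
        Console.WriteLine("Paired has private key: " + paired.HasPrivateKey);
        Console.WriteLine("PFX bytes: " + pfx.Length);
    }
}
```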
