[英]How to generate CSR like it does IIS
I am working on integration with symantec api and use that code to generate CSR 我正在与symantec api集成,并使用该代码生成CSR
private string GenerateCsr(string domain, string organization, string organizationUnit, string city, string state, string country) {
// Create all the objects that will be required
var objPkcs10 = new CX509CertificateRequestPkcs10();
var objPrivateKey = new CX509PrivateKey();
var objCSP = new CCspInformation();
var objCSPs = new CCspInformations();
var objDN = new CX500DistinguishedName();
var objEnroll = new CX509Enrollment();
var objObjectIds = new CObjectIds();
var objObjectId = new CObjectId();
var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
string strRequest;
try {
// Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
objCSP.InitializeFromName(
"Microsoft RSA Schannel Cryptographic Provider"
);
// Add this CSP object to the CSP collection object
objCSPs.Add(
objCSP
);
// Provide key container name, key length and key spec to the private key object
//objPrivateKey.ContainerName = "AlejaCMa";
objPrivateKey.Length = 2048;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
objPrivateKey.MachineContext = false;
// Provide the CSP collection object (in this case containing only 1 CSP object)
// to the private key object
objPrivateKey.CspInformations = objCSPs;
// Create the actual key pair
objPrivateKey.Create();
// Initialize the PKCS#10 certificate request object based on the private key.
// Using the context, indicate that this is a user certificate request and don't
// provide a template name
objPkcs10.InitializeFromPrivateKey(
X509CertificateEnrollmentContext.ContextUser,
objPrivateKey,
""
);
// Key Usage Extension
objExtensionKeyUsage.InitializeEncode(
X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
);
objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
// Enhanced Key Usage Extension
objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
// OID for Client Authentication usage
objObjectIds.Add(objObjectId);
objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
// Encode the name in using the Distinguished Name object
objDN.Encode(
string.Format("CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", domain, organization, organizationUnit, city, state, country),
X500NameFlags.XCN_CERT_NAME_STR_NONE
);
// Assing the subject name by using the Distinguished Name object initialized above
objPkcs10.Subject = objDN;
// Create enrollment request
objEnroll.InitializeFromRequest(objPkcs10);
strRequest = objEnroll.CreateRequest(
EncodingType.XCN_CRYPT_STRING_BASE64
);
return strRequest;
}
catch (Exception ex) {
throw new Exception("Can't generate CSR");
}
}
Symantec then returns base64 encoded certificate but I can't upload it to IIS. Symantec然后返回base64编码的证书,但是我无法将其上传到IIS。 If I send CSR generated manually on IIS to symantec, I am able to upload returned certificate.
如果我将在IIS上手动生成的CSR发送给symantec,则可以上传返回的证书。 So, my question is how to generate CSR like it was generated on IIS.
因此,我的问题是如何像在IIS上一样生成CSR。
It cannot be done the way you want it. 它无法以您想要的方式完成。 Because the csr and private key generated are on one server, the signed certificate returned by the CA, you will need to have the private key that is generated when the CSR is created.
由于生成的csr和私钥位于一台服务器上,是由CA返回的签名证书,因此您将需要具有创建CSR时生成的私钥。 But you are generating the private key on a different server and uploading the signed certificate given by Symantec on iis and IIS does not have the private key.
但是,您正在另一台服务器上生成私钥,并在iis上上载Symantec提供的签名证书,而IIS没有私钥。
If it has to be done then you need to send the parameters directly to the Symantec API and then they will provide you with a PFX file which will be password protected and you can upload the pfx file on the IIS server. 如果必须这样做,则需要将参数直接发送到Symantec API,然后它们将为您提供一个受密码保护的PFX文件,并且您可以将pfx文件上传到IIS服务器上。
I hope i answered you question. 我希望我回答了你的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.