如何从Bouncy Castle创建X509证书以与AuthenticateAsServer一起使用?
[英]How to create a X509 certificate from Bouncy Castle for use with AuthenticateAsServer?
问题描述
I've used Bouncy Castle to create an X509 certificate, but I can't use that together with SslStream.AuthenticateAsServer or SslStream.AuthenticateAsClient since they (of course) use the .Net version. 
我已经使用Bouncy Castle创建了X509证书,但是我不能将其与SslStream.AuthenticateAsServer或SslStream.AuthenticateAsClient一起使用,因为它们(当然)使用.Net版本。 Although there is a converter , DotNetUtilities.ToX509Certificate() , in Bouncy Castle which takes aa BC X509 and returns a .Net X509. 尽管在Bouncy Castle中有一个转换器DotNetUtilities.ToX509Certificate() ,它使用BC X509并返回.Net X509。 The problem seems to be that AuthenticateAsServer/AuthenticateAsClient needs a certificate with the private key included. 问题似乎是AuthenticateAsServer / AuthenticateAsClient需要包含私钥的证书。 At least when I try to just convert and then use the new certificate I get a CryptographicException: "Key does not exist" when trying to connect using SslStream. 至少当我尝试仅转换然后使用新证书时,会出现CryptographicException: "Key does not exist"尝试使用SslStream连接时出现CryptographicException: "Key does not exist"情况。
So I thought that I need to create an X509Certificate2 from Bouncy Castle, since that can contain the private key as well. 因此,我认为我需要从Bouncy Castle创建一个X509Certificate2,因为它也可以包含私钥。 But the solution I found seems a bit...odd, and I was wondering if anyone else now a better way to use a BC X509Certificate with SslStream. 但是我找到的解决方案似乎有点奇怪,我想知道是否还有其他人现在可以将BC X509证书与SslStream一起使用。
This is how I create a X509Certificate2 from a BC Certificate: 这是我从BC证书创建X509Certificate2的方法:
private static X509Certificate CreateDotNetCertificate(Org.BouncyCastle.X509.X509Certificate certificate, AsymmetricCipherKeyPair keyPair)
{
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(keyPair.Private), new[] { certificateEntry });
var stream = new MemoryStream();
var password = "a password";
store.Save(stream, password.ToCharArray(), new SecureRandom(randomGenerator));
return new X509Certificate2(stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
}
It seems a bit weird that I need to take a "detour" through a Pkcs12Store to be able to create my X509Certificate2. 我似乎需要通过Pkcs12Store进行“绕行”才能创建我的X509Certificate2。
The solution is taken from this blog: http://blog.differentpla.net/post/20 该解决方案来自以下博客: http : //blog.differentpla.net/post/20
1 个解决方案
解决方案1
0 2014-04-14 13:27:11
Windows works with certificates stored in Windows Certificate Storage . Windows使用Windows证书存储中存储的证书。 I don't know if BouncyCastle provides direct access to Windows CertStorage but if it doesn't, than the only option is to import the certificate to CertStorage from file (or from other source), then use it. 我不知道BouncyCastle是否提供对Windows CertStorage的直接访问,但是如果不提供,则唯一的选择是从文件(或从其他来源)将证书导入CertStorage,然后使用它。 PKCS#12 is the right format to transfer the certificate with its private key together, so it's quite natural to use it as an intermediate medium. PKCS#12是将证书及其私钥一起传输的正确格式,因此将其用作中间介质是很自然的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.