[英]how do I create a pfx compatible with X509Certificate2 with openssl
I'm trying to create an RSA keypair that I can use with System.Security.Cryptography.X509Certificates.X509Certificate2
using OpenSSL.我正在尝试使用 OpenSSL 创建一个可以与
System.Security.Cryptography.X509Certificates.X509Certificate2
使用的 RSA 密钥对。
The PFX I've managed to generate gives me this stack trace我设法生成的 PFX 给了我这个堆栈跟踪
create a private key, unencrypted (I realize this is not best practice)创建一个未加密的私钥(我意识到这不是最佳实践)
openssl genrsa -out private.pem 2048
create a public key from the private key从私钥创建公钥
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
create a certificate file from the private key从私钥创建证书文件
openssl req -x509 -key private.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=Colorado/L=Colorado Springs/O=Contoso/OU=Security/CN=mypurpose.contoso.org"
create a pfx file using the self-signed certificate使用自签名证书创建 pfx 文件
openssl pkcs12 -in cert.pem -inkey private.pem -export -out combined.pfx
prompts for a password to secure the pkcs
提示输入密码以保护 pkcs
Trying to instantiate the instance of X509Certificate2
with尝试实例化
X509Certificate2
的实例
new X509Certificate2(@"C:\\path\\to\\combined.pfx", "password", X509KeyStorageFlags.Exportable);
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
at Program.Main()
The stack trace is telling me everything.堆栈跟踪告诉我一切。
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
This means that there's no CERTIFICATE in my PFX file, because I used -nocerts
in the openssl pkcs12
command.这意味着我的 PFX 文件中没有 CERTIFICATE,因为我在
openssl pkcs12
命令中使用了-nocerts
。
In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file.
在密码学中,PKCS #12 定义了一种存档文件格式,用于将许多密码学对象存储为单个文件。 It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.
它通常用于将私钥与其 X.509 证书捆绑在一起或捆绑信任链的所有成员。 PKCS 12
PKCS 12
A pkcs12 file really wants to contain something besides just a Private/Public Key, It wants an X.509 certificate;一个 pkcs12 文件真的想包含除了私钥/公钥之外的其他东西,它需要一个 X.509 证书; which is:
即:
This is the final command that worked the way I wanted to:这是按照我想要的方式工作的最终命令:
openssl pkcs12 -in cert.pem -inkey private.pem -export -clcerts -out combined.pfx -passout pass:
This allows me to instantiate using this code:这允许我使用此代码实例化:
new X509Certificate2(@"C:\\path\\to\\combined.pfx", (string)null, X509KeyStorageFlags.Exportable);
There's some additional code I'm using to load the private.pem and public.pem generated by openssl genrsa
and openssl rsa
here: https://stackoverflow.com/a/32243171/26877 .我正在使用一些额外的代码来加载由
openssl genrsa
和openssl rsa
生成的 private.pem 和 public.pem: https : //stackoverflow.com/a/32243171/26877 。 This code is loading the raw PEM data (just the private/public keys) into RSACryptoServiceProvider
instance, which can be used to encrypt & decrypt.此代码将原始 PEM 数据(仅私钥/公钥)加载到
RSACryptoServiceProvider
实例中,该实例可用于加密和解密。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.