
Cannot add Smart Card Certificate to Yubikey

I am trying to create a smartcard certificate and add it back to the Yubikey (I am using Yubico's Mini driver so the yubikey behaves like a smartcard and cannot use their PIVManager or YKMan). I am able to successfully sign the CSR with the yubikey with the following code:

using CERTENROLLLib;

// certificateRequest is the poster's own holder object (CertRequest, SubjectName, CSR, StringCert).
certificateRequest.CertRequest = new CX509CertificateRequestPkcs10();
certificateRequest.CertRequest.Initialize(X509CertificateEnrollmentContext.ContextUser);
// Key parameters: non-exportable RSA 2048 signing key, requested through the smart card KSP.
certificateRequest.CertRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
certificateRequest.CertRequest.PrivateKey.Length = 2048;
certificateRequest.CertRequest.PrivateKey.ProviderName = "Microsoft Smart Card Key Storage Provider";
certificateRequest.CertRequest.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
certificateRequest.CertRequest.PrivateKey.KeySpec = X509KeySpec.XCN_AT_NONE;
certificateRequest.CertRequest.PrivateKey.MachineContext = false;
// Encode the subject DN, build the PKCS#10 request and export it as Base64 with request headers.
var subjectEncoded = new CX500DistinguishedNameClass();
subjectEncoded.Encode(certificateRequest.SubjectName);
certificateRequest.CertRequest.Subject = subjectEncoded;
certificateRequest.CertRequest.Encode();
certificateRequest.CSR = certificateRequest.CertRequest.RawData[EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER];

then I go to the CA and get the certificate back. When I try to add the certificate back to the Yubikey I get the following error:

CertEnroll::CX509Enrollment::InstallResponse: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)

which, according to what I found on Google, means that the system cannot find the private key with which the certificate was signed. I am using the request to initialize the container and it still can't find that it was done by a smartcard; here is the code for reference:

CX509Enrollment objEnroll = new CX509EnrollmentClass();
objEnroll.InitializeFromRequest(certificateRequest.CertRequest);
// Fails here with CRYPT_E_NOT_FOUND: the issued certificate cannot be matched to a private key.
objEnroll.InstallResponse(
    InstallResponseRestrictionFlags.AllowUntrustedRoot,
    certificateRequest.StringCert,
    EncodingType.XCN_CRYPT_STRING_BASE64,
    null
);

Is there a way to tell Windows to look for the private key in the YubiKey?

I was missing the actual creation of the private key and of the request; here is the new complete code:

using CERTENROLLLib;

// certificateRequest is the poster's own holder object (CertRequest, SubjectName, CSR, StringCert).
certificateRequest.CertRequest = new CX509CertificateRequestPkcs10();
certificateRequest.CertRequest.Initialize(X509CertificateEnrollmentContext.ContextUser);
// Key parameters: non-exportable RSA 2048 signing key, requested through the smart card KSP.
certificateRequest.CertRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
certificateRequest.CertRequest.PrivateKey.Length = 2048;
certificateRequest.CertRequest.PrivateKey.ProviderName = "Microsoft Smart Card Key Storage Provider";
certificateRequest.CertRequest.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
certificateRequest.CertRequest.PrivateKey.KeySpec = X509KeySpec.XCN_AT_NONE;
certificateRequest.CertRequest.PrivateKey.MachineContext = false;
// The missing step: actually generate the key pair on the YubiKey through the smart card KSP.
certificateRequest.CertRequest.PrivateKey.Create();
// Encode the subject DN, build the PKCS#10 request and export it as Base64 with request headers.
var subjectEncoded = new CX500DistinguishedNameClass();
subjectEncoded.Encode(certificateRequest.SubjectName);
certificateRequest.CertRequest.Subject = subjectEncoded;
certificateRequest.CertRequest.Encode();
certificateRequest.CSR = certificateRequest.CertRequest.RawData[EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER];

then I go to the CA and get the certificate back. When I try to add the certificate back to the Yubikey:

CX509Enrollment objEnroll = new CX509EnrollmentClass();
objEnroll.InitializeFromRequest(certificateRequest.CertRequest);
// Build the request inside the enrollment object so InstallResponse can match the issued certificate to the key on the card.
objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
objEnroll.InstallResponse(
    InstallResponseRestrictionFlags.AllowUntrustedRoot,
    certificateRequest.StringCert,
    EncodingType.XCN_CRYPT_STRING_BASE64,
    null
);
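After InstallResponse succeeds, it is worth confirming that the certificate now in CurrentUser\My is bound to a key held by the YubiKey and not to a software key. The following C# check is an added example, not code from the question or answer; it assumes the class and helper names shown, an RSA key as in the post, and a certificate thumbprint passed on the command line.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of the original post. SmartCardKeyCheck and its helpers are
// assumed names; the KSP name is the one used in the question.
static class SmartCardKeyCheck
{
    const string SmartCardKsp = "Microsoft Smart Card Key Storage Provider";

    // Returns the CNG provider name backing the certificate's private key, or null when no
    // key is associated (the CRYPT_E_NOT_FOUND situation from the question), the key is a
    // legacy CSP key rather than a CNG key, or the key handle cannot be opened.
    public static string GetKeyProviderName(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return null;
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                return (rsa as RSACng)?.Key.Provider?.Provider;
            }
        }
        catch (CryptographicException)
        {
            return null; // e.g. the YubiKey is not inserted
        }
    }

    public static bool IsOnSmartCard(X509Certificate2 cert) =>
        string.Equals(GetKeyProviderName(cert), SmartCardKsp, StringComparison.OrdinalIgnoreCase);

    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            return store.Certificates
                        .Find(X509FindType.FindByThumbprint, thumbprint, false)
                        .OfType<X509Certificate2>()
                        .FirstOrDefault();
        }
    }

    static int Main(string[] args)
    {
        var cert = FindByThumbprint(args[0]);
        if (cert == null) { Console.WriteLine("certificate not found in CurrentUser\\My"); return 2; }
        Console.WriteLine($"{cert.Subject}: key provider = {GetKeyProviderName(cert) ?? "(no private key)"}");
        return IsOnSmartCard(cert) ? 0 : 1; // non-zero exit when the key is not on the card
    }
}
```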
