Clearly recognize a certificate in Windows certificate store
I'm developing a library which generates XML data and signs the generated XML. I've installed a PKCS#12 certificate (generated with OpenSSL from a PEM file) into the Windows certificate store.
I'm loading the certificate from C# code with
using System.Security.Cryptography.X509Certificates;

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = null;
foreach (var item in store.Certificates)
{
    // Substring match on the subject DN: takes the first certificate whose name contains the identifier
    if (item.SubjectName.Name.Contains("CN=IDENTIFIER"))
    {
        cert = item;
        break;
    }
}
store.Close();
In my case the CN identifier is my first name + surname. The cert comes from a third party, so I think I have no influence on the identifiers.
And here comes the question:
Is there any way to identify exactly this certificate from C#? In the future it could be possible that multiple certificates have the same X509 parameters (CN etc.).
Thank you in advance.
Yes, it's possible that the CN contains the same identifier (e.g. when the certificate is issued for a business entity).
Certificates are usually distinguished by one of the following combinations:
1) Issuer name (not the CN, but the RDN: the complete name record with multiple fields) + certificate serial number (it's unique within one CA)
2) Issuer name + certificate hash
If you don't know the issuer name before searching for the certificate, you can present the list of found certificates to the user and, once they select one of the certificates, store the certificate hash for future reference.
On smaller systems (an end-user's computer) the number of certificates in the MY store is usually small and the chance of a hash collision is minimal. On large systems the chance is higher, and that's why the issuer name is used as well.
Expanding on Eugene's answer...
The Certificates property of X509Store is an X509CertificateCollection. You'll probably be interested in its Find method and the X509FindType. It offers a number of ways to search for a certificate. Strictly speaking, both the subject DN and the subject alternative names should matter to identify the entity associated with a certificate. However, few tools do this from a presentation point of view (this could get quite cluttered in a table, for example).
As GregS and Eugene pointed out, the certificate thumbprint (also known as fingerprint/hash in other tools) will identify a specific certificate uniquely, irrespective of its issuer. It can be used with X509FindType.
Thumbprints are used in multiple places in the Windows/.NET/SSL world. In particular, it's the way to pick a given certificate to install on an HTTPS port.
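As an added example (not code from the question or from either answer), the following shows the two lookups the answers describe, written against the X509Certificate2Collection that X509Store.Certificates returns: a Find by thumbprint, and a Find by serial number filtered on the complete issuer DN rather than its CN alone. It also includes the one-time selection step Eugene suggests, where the user picks the certificate from a list and the program keeps its thumbprint instead of the ambiguous CN. The class and method names (CertificateLookup, FindByThumbprint, FindByIssuerAndSerial, ChooseOnceAndReturnThumbprint) are my own; nothing here is part of the .NET API beyond X509Store, X509Certificate2Collection.Find and X509FindType.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class CertificateLookup
{
    // Find exactly one certificate by its thumbprint. The thumbprint is a hash of the whole
    // DER-encoded certificate, so it pins issuer, serial and public key at once and cannot be
    // satisfied by a different certificate that merely carries the same CN.
    public static X509Certificate2 FindByThumbprint(string thumbprint, bool validOnly = true)
    {
        // Windows and OpenSSL often print thumbprints with spaces or colons; Find wants bare hex.
        string normalized = thumbprint.Replace(" ", "").Replace(":", "").ToUpperInvariant();

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true also requires a trusted chain and a current validity period,
            // so an expired or untrusted copy is not returned even if the thumbprint matches.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, normalized, validOnly);
            return found.Count == 1 ? found[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    // Find exactly one certificate by issuer DN + serial number (unique within one CA).
    // FindBySerialNumber ignores the issuer, so the result is filtered on the full issuer
    // distinguished name, not on the issuer's CN.
    public static X509Certificate2 FindByIssuerAndSerial(string issuerDn, string serialHex, bool validOnly = true)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection bySerial = store.Certificates.Find(
                X509FindType.FindBySerialNumber, serialHex.Replace(" ", ""), validOnly);

            // issuerDn is expected in the textual form .NET produces, i.e. a value that was
            // copied from cert.IssuerName.Name when the certificate was originally selected.
            var matches = bySerial.Cast<X509Certificate2>()
                .Where(c => string.Equals(c.IssuerName.Name, issuerDn, StringComparison.Ordinal))
                .ToList();
            return matches.Count == 1 ? matches[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    // One-time selection: list every certificate in the MY store with the fields that
    // distinguish it, let the user pick, and return the thumbprint to persist.
    public static string ChooseOnceAndReturnThumbprint()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var candidates = store.Certificates.Cast<X509Certificate2>().ToList();
            for (int i = 0; i < candidates.Count; i++)
            {
                var c = candidates[i];
                Console.WriteLine($"[{i}] {c.Subject} | issuer: {c.IssuerName.Name} | serial: {c.SerialNumber} | thumbprint: {c.Thumbprint} | expires: {c.NotAfter:u}");
            }
            Console.Write("Select certificate: ");
            int index = int.Parse(Console.ReadLine());
            return candidates[index].Thumbprint;
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        // In the library the thumbprint would be read from configuration after the first run.
        string savedThumbprint = ChooseOnceAndReturnThumbprint();
        X509Certificate2 cert = FindByThumbprint(savedThumbprint);
        Console.WriteLine(cert == null
            ? "No single valid certificate matches the saved thumbprint."
            : $"Using {cert.Subject} (serial {cert.SerialNumber}) for signing.");
    }
}
```

The design point is that both lookups return null unless exactly one certificate matches: a lookup that silently takes the first of several hits is what the original Contains("CN=...") loop does, and it is the failure mode the question is worried about. Persisting the thumbprint (or issuer DN + serial) after the user has chosen once means a renewed certificate from the same CA with the same CN is not picked up by accident; when the certificate is renewed, the stored value must be updated deliberately.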