I have been attempting to create an SSL server that loads a certificate from a .crt. I have tried both X509Certificate.CreateFromCertFile(@".\\Secure\\Certificate\\" + CertName + ".crt");
and the cert.import, and neither works. On both, I get an issue saying "The server mode SSL must use a certificate with the associated private key". And the key is there! My directory:
Secure/
Certificate/
ZeusHTTP.crt
ZeusHTTP.csr
ZeusHTTP.key
Plugins/
...
The certs are created with OpenSSL.
A simple read of the docs tells us that you should be using a pkcs7 file that usually has file suffix p7b. You'll need to either convert your OpenSSL cert to this format, or find a utility that can generate one from scratch.
The server mode SSL must use a certificate with the associated private key". And the key is there...
As other have stated, they must be in the same file. Here are the steps to do it.
First
Copy ZeusHTTP.crt
to ZeusHTTP-chain.crt
:
cp ZeusHTTP.crt ZeusHTTP-chain.crt
Second
Open ZeusHTTP-chain.crt
and ensure it has all the intermediates certificates required to validate the server certificate. So you will have 2 or more certificates:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
Add certificates as required. For example, if you got a free Startcom certificate, then you need to add the sub.class1.server.ca.pem
intermediate from StartSSL's Index of Certs .
Sending all certificates is required to solve the "which directory" problem in PKI. Its a well known problem in PKI, and essentially it means a client does not know where to go to fetch missing intermediate certificates.
Third
Perform the following to generate a PKCS 12 file:
openssl pkcs12 -export -in ZeusHTTP-chain.crt -inkey ZeusHTTP.key -out ZeusHTTP.p12
Fourth
Finally, install the certificate on IIS as a test.
For your code, I believe you need to load it into a Certificate2
and not a Certificate
.
Also see How to read a .p12 file in my web service on Stack Overflow and how to create x509 certificate and use it in sslstream on MSDN.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.