
Certificate Authentication and Message Security without private key in the certificate

I have a problem with the certificates in WCF (client).

I have received three certificates:

  • SSL certificate of the remote server
  • client certificate (for the user authentication)
  • root certificate

Note: no certificate has a private key


In WCF there is the possibility to use the certificate authentication. Here is my sample:

var sslBinding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
sslBinding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
sslBinding.MessageEncoding = WSMessageEncoding.Mtom;

var certificate = new X509Certificate2(_certificatesFullPath, _certificatePassword, X509KeyStorageFlags.MachineKeySet);
var userCertificate = new X509Certificate2(_userCertificate, "", X509KeyStorageFlags.MachineKeySet);

var identity = new X509CertificateEndpointIdentity(userCertificate);
var endPoint = new EndpointAddress(new Uri(_endPointURI), identity);

using (Test.SdIRiceviNotificaClient client = new Test.SdIRiceviNotificaClient(sslBinding, endPoint))
{
    client.ClientCredentials.ClientCertificate.Certificate = certificate;

    client.Open();

    var result = await client.NotificaEsitoAsync(new Test.NotificaEsitoRequest(idSdI.ToString(), fileName, XmlUtils.GetXmlBytes(new NotificaEsitoCommittente())));

    client.Close();
}

My problem is now that I receive this exception:

The private key is not present in the X.509 certificate.

I know that no certificate has a private key, and I cannot ask for other certificates.

The only info that I have: all certificates should be used in a p12 container.
My only remaining problem is creating the p12 file (without a private key => ok, that is possible with the "-nokeys" argument).

I have done this:

openssl x509 -in CAEntratetest.cer -outform PEM -out CAEntratetest.pem
openssl x509 -in SDI-xxxxxxxxxxx.cer -inform DER -out SDI-xxxxxxxxxxx.pem -outform PEM
openssl x509 -in testservizi.fatturapa.it.cer -inform DER -out testservizi.fatturapa.it.pem -outform PEM

cat CAEntratetest.pem SDI-xxxxxxxxxxx.pem testservizi.fatturapa.it.pem > sum.pem

To create a p12 file I need a private key:

openssl pkcs12 -export -in sum.pem -inkey private.key -out output.p12

If I create a new key => it doesn't work (no certificate matches private key)

Is it possible to use certificates without a private key?

No, you cannot use a certificate for authentication without the private key.

The security of an X.509 based authentication mechanism relies on public-key cryptography, where both public and private keys are generated. Only the private part should remain secret.

What you have is the public key. Signing something with your private key is what proves you 'own' the public key, and how you are authenticated.

Also note: you cannot simply generate a new private key for a public key. The keys are a pair.
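A diagnostic script for the two checks the question runs into, added here as an example and not taken from the question or the answer: whether a p12 container actually carries a private key (the condition behind the WCF exception above) and whether a given key belongs to a certificate (the condition behind openssl's "no certificate matches private key"). It assumes the openssl CLI is on PATH and uses a constructed, throwaway self-signed certificate in place of the real client certificate.

```shell
#!/bin/sh
# Added diagnostic script, not code from the question or the answer.
# Assumes the openssl CLI is on PATH; everything is created in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throwaway self-signed certificate standing in
# for the client certificate, its real key, and an unrelated key standing in
# for a key generated after the fact (what the question tried).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-client" \
  -keyout "$WORK/real.key" -out "$WORK/client.cer" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/fresh.key" 2>/dev/null

# Certificate-only container, as "-nokeys" builds it, beside a complete one.
openssl pkcs12 -export -nokeys -in "$WORK/client.cer" \
  -out "$WORK/certonly.p12" -passout pass:test
openssl pkcs12 -export -in "$WORK/client.cer" -inkey "$WORK/real.key" \
  -out "$WORK/full.p12" -passout pass:test

# p12_has_private_key FILE PASSWORD: succeeds only if the container carries a
# key. This is the property WCF tests before raising "The private key is not
# present in the X.509 certificate".
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# key_matches_cert KEY CERT: succeeds only if the key's public half equals the
# certificate's public key, the check behind "no certificate matches private key".
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

report() {
  if "$@"; then echo "yes: $*"; else echo "no:  $*"; fi
}
report p12_has_private_key "$WORK/certonly.p12" test            # no
report p12_has_private_key "$WORK/full.p12" test                # yes
report key_matches_cert "$WORK/real.key" "$WORK/client.cer"     # yes
report key_matches_cert "$WORK/fresh.key" "$WORK/client.cer"    # no
```

Run against the real files, the first check tells you whether a container can satisfy WCF at all, and the second tells you whether any key you hold is the one the certificate was issued for.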
