![](/img/trans.png)
[英]How to generate IIS7 CSR (for SSL) from C# code or using Powershell on server which IIS is running
[英]How to generate CSR like it does IIS
我正在與symantec api集成,並使用該代碼生成CSR
private string GenerateCsr(string domain, string organization, string organizationUnit, string city, string state, string country) {
// Create all the objects that will be required
var objPkcs10 = new CX509CertificateRequestPkcs10();
var objPrivateKey = new CX509PrivateKey();
var objCSP = new CCspInformation();
var objCSPs = new CCspInformations();
var objDN = new CX500DistinguishedName();
var objEnroll = new CX509Enrollment();
var objObjectIds = new CObjectIds();
var objObjectId = new CObjectId();
var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
string strRequest;
try {
// Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
objCSP.InitializeFromName(
"Microsoft RSA Schannel Cryptographic Provider"
);
// Add this CSP object to the CSP collection object
objCSPs.Add(
objCSP
);
// Provide key container name, key length and key spec to the private key object
//objPrivateKey.ContainerName = "AlejaCMa";
objPrivateKey.Length = 2048;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
objPrivateKey.MachineContext = false;
// Provide the CSP collection object (in this case containing only 1 CSP object)
// to the private key object
objPrivateKey.CspInformations = objCSPs;
// Create the actual key pair
objPrivateKey.Create();
// Initialize the PKCS#10 certificate request object based on the private key.
// Using the context, indicate that this is a user certificate request and don't
// provide a template name
objPkcs10.InitializeFromPrivateKey(
X509CertificateEnrollmentContext.ContextUser,
objPrivateKey,
""
);
// Key Usage Extension
objExtensionKeyUsage.InitializeEncode(
X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
);
objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
// Enhanced Key Usage Extension
objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
// OID for Client Authentication usage
objObjectIds.Add(objObjectId);
objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
// Encode the name in using the Distinguished Name object
objDN.Encode(
string.Format("CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", domain, organization, organizationUnit, city, state, country),
X500NameFlags.XCN_CERT_NAME_STR_NONE
);
// Assing the subject name by using the Distinguished Name object initialized above
objPkcs10.Subject = objDN;
// Create enrollment request
objEnroll.InitializeFromRequest(objPkcs10);
strRequest = objEnroll.CreateRequest(
EncodingType.XCN_CRYPT_STRING_BASE64
);
return strRequest;
}
catch (Exception ex) {
throw new Exception("Can't generate CSR");
}
}
Symantec然后返回base64編碼的證書,但是我無法將其上傳到IIS。 如果我將在IIS上手動生成的CSR發送給symantec,則可以上傳返回的證書。 因此,我的問題是如何像在IIS上一樣生成CSR。
它無法以您想要的方式完成。 由於生成的csr和私鑰位於一台服務器上,是由CA返回的簽名證書,因此您將需要具有創建CSR時生成的私鑰。 但是,您正在另一台服務器上生成私鑰,並在iis上上載Symantec提供的簽名證書,而IIS沒有私鑰。
如果必須這樣做,則需要將參數直接發送到Symantec API,然后它們將為您提供一個受密碼保護的PFX文件,並且您可以將pfx文件上傳到IIS服務器上。
我希望我回答了你的問題。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.