
Signing CSR using Bouncy Castle in C#

I have created a root certificate and an intermediate certificate in C# using Bouncy Castle. Now I want to accept a CSR and sign it with the certificate. Everywhere I look I only find Java solutions. I want to convert the Java code to C#, but I can't find exact documentation for C#. Can anyone help?

Here is my solution:

using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;

// Configuration, rootBusinessLogic and constants are members of the enclosing class (not shown in the post).
public string SignCSR(string str_csr, int validityInYears)
{
    try
    {
        // Strip the PEM armour and decode the DER-encoded PKCS#10 request
        char[] characters = str_csr.Replace("-----BEGIN CERTIFICATE REQUEST-----", "").Replace("-----END CERTIFICATE REQUEST-----", "").ToCharArray();

        byte[] csrEncode = Convert.FromBase64CharArray(characters, 0, characters.Length);
        Pkcs10CertificationRequest pk10Holder = new Pkcs10CertificationRequest(csrEncode);

        // Check the CSR's own signature (proof of possession of the requester's private key)
        bool verify = pk10Holder.Verify();
        if (verify == false)
        {
            return constants.INVALIDCERTIFICATEREQUEST;
        }

        // Random number generator
        CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
        SecureRandom random = new SecureRandom(randomGenerator);

        X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();

        // Serial number
        BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
        certificateGenerator.SetSerialNumber(serialNumber);

        // Import the intermediate certificate and get its issuer details
        string pathToRootCert = Configuration["intermediatecertificatelocation"];
        string intermediateIssuer = rootBusinessLogic.ImportIssuerFromPem(pathToRootCert);

        // Issuer and subject name
        //X509Name issuerDN = new X509Name(issuerName);
        X509Name issuerDN = new X509Name(intermediateIssuer);  // the issuer is the intermediate certificate, which will sign
        certificateGenerator.SetIssuerDN(issuerDN);
        certificateGenerator.SetSubjectDN(pk10Holder.GetCertificationRequestInfo().Subject);

        // Validity period
        DateTime notBefore = DateTime.UtcNow.Date;
        DateTime notAfter = notBefore.AddYears(validityInYears);

        certificateGenerator.SetNotBefore(notBefore);
        certificateGenerator.SetNotAfter(notAfter);

        // The public key comes from the CSR
        certificateGenerator.SetPublicKey(pk10Holder.GetPublicKey());

        // Get the intermediate's private key from file
        string rootKeyPathFromConfig = Configuration["intermediate_privatekeylocation"];
        AsymmetricKeyParameter issuerPrivKey = rootBusinessLogic.ImportPrivateKeyFromPemFile(rootKeyPathFromConfig);
        if (issuerPrivKey == null)
        {
            return constants.INTERMEDIATEKEYERROR;
        }

        ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", issuerPrivKey, random);

        // Sign the certificate with the intermediate's private key
        Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);

        // Convert to PEM
        X509Certificate2 x509 = new X509Certificate2(certificate.GetEncoded());
        StringBuilder builder = new StringBuilder();
        builder.AppendLine("-----BEGIN CERTIFICATE-----");
        builder.AppendLine(Convert.ToBase64String(x509.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks));
        builder.AppendLine("-----END CERTIFICATE-----");
        var str_certificate = builder.ToString();
        return str_certificate;
    }
    catch (Exception ex)
    {
        return ex.Message;
    }
}

pathToRootCert is the path to the intermediate certificate stored on the device, ImportIssuerFromPem is the method that gets the issuer name from the intermediate certificate, and ImportPrivateKeyFromPemFile is the method that gets the private key from rootKeyPathFromConfig in AsymmetricKeyParameter format. This method returns the certificate in PEM format.
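A hardened variant of the same flow, added here as an example (it is not the question's code or a Bouncy Castle sample), assuming the Bouncy Castle 1.8.x API used above and that the intermediate certificate and key are available as PEM strings. It goes beyond the post in three places: the issuer name is taken from the parsed intermediate certificate rather than a string, the CA sets BasicConstraints, KeyUsage and the SKI/AKI pair itself (without AKI/SKI many verifiers cannot chain the leaf to the CA), and only subjectAltName is honoured from the CSR's requested extensions. The class and method names are hypothetical:

```csharp
using System;
using System.IO;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;

public static class CsrSigner {   // hypothetical helper, not code from the question
    public static X509Certificate IssueEndEntity(string csrPem, string issuerCertPem, string issuerKeyPem, int validityDays) {
        var csr = (Pkcs10CertificationRequest)new PemReader(new StringReader(csrPem)).ReadObject();
        if (!csr.Verify()) throw new InvalidOperationException("CSR proof-of-possession signature is invalid");
        var issuerCert = (X509Certificate)new PemReader(new StringReader(issuerCertPem)).ReadObject();
        object keyObj = new PemReader(new StringReader(issuerKeyPem)).ReadObject();   // PKCS#8 or PKCS#1 PEM
        var issuerKey = keyObj as AsymmetricKeyParameter ?? ((AsymmetricCipherKeyPair)keyObj).Private;
        var random = new SecureRandom();
        var gen = new X509V3CertificateGenerator();
        gen.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random));
        gen.SetIssuerDN(issuerCert.SubjectDN);   // issuer name is taken from the signing cert, not from a config string
        gen.SetSubjectDN(csr.GetCertificationRequestInfo().Subject);
        DateTime notBefore = DateTime.UtcNow.AddMinutes(-5);   // small backdate tolerates clock skew
        gen.SetNotBefore(notBefore); gen.SetNotAfter(notBefore.AddDays(validityDays));
        gen.SetPublicKey(csr.GetPublicKey());

        // Extensions are the CA's decision: CA:false, leaf key usage, and SKI/AKI so verifiers can chain to the intermediate.
        Func<AsymmetricKeyParameter, SubjectPublicKeyInfo> spki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo;
        gen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        gen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
        gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(spki(csr.GetPublicKey())));
        gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(spki(issuerCert.GetPublicKey())));

        // Only subjectAltName is copied from the CSR's extensionRequest attribute; any other requested extension (e.g. CA:true) is ignored.
        Asn1Set attrs = csr.GetCertificationRequestInfo().Attributes;   // null when the CSR carries no attributes
        foreach (Asn1Encodable a in attrs ?? DerSet.Empty) {
            AttributePkcs attr = AttributePkcs.GetInstance(a);
            if (!PkcsObjectIdentifiers.Pkcs9AtExtensionRequest.Equals(attr.AttrType)) continue;
            X509Extension san = X509Extensions.GetInstance(attr.AttrValues[0]).GetExtension(X509Extensions.SubjectAlternativeName);
            if (san != null) gen.AddExtension(X509Extensions.SubjectAlternativeName, san.IsCritical, san.Value.GetOctets());
        }
        X509Certificate cert = gen.Generate(new Asn1SignatureFactory("SHA256WITHRSA", issuerKey, random));
        cert.Verify(issuerCert.GetPublicKey());   // throws unless the new certificate really chains to the intermediate
        return cert;
    }
}
```

In Bouncy Castle 2.x the SubjectKeyIdentifier/AuthorityKeyIdentifier constructors taking a SubjectPublicKeyInfo are marked obsolete in favour of X509ExtensionUtilities, but still compile.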

I was looking for (I think) a very similar solution - details here: Using C# + BouncyCastle to sign a client certificate against my own CA

I hoped your solution might have solved my problem, but I still can't get the certificate to include the CA as well.

Any suggestions would be greatly appreciated!

