无法将智能卡证书添加到 Yubikey
Cannot add Smart Card Certificate to Yubikey
我正在尝试创建智能卡证书并将其添加回 Yubikey(我使用的是 Yubico 的 Mini 驱动程序,因此 yubikey 的行为类似于智能卡,无法使用其 PIVManager 或 YKMan)。我能够使用以下代码使用 yubikey 成功签署 CSR:
certificateRequest.CertRequest = new CX509CertificateRequestPkcs10();
certificateRequest.CertRequest.Initialize(X509CertificateEnrollmentContext.ContextUser);
certificateRequest.CertRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
certificateRequest.CertRequest.PrivateKey.Length = 2048;
certificateRequest.CertRequest.PrivateKey.ProviderName = "Microsoft Smart Card Key Storage Provider";
certificateRequest.CertRequest.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
certificateRequest.CertRequest.PrivateKey.KeySpec = X509KeySpec.XCN_AT_NONE;
certificateRequest.CertRequest.PrivateKey.MachineContext = false;
var subjectEncoded = new CX500DistinguishedNameClass();
subjectEncoded.Encode(certificateRequest.SubjectName);
certificateRequest.CertRequest.Subject = subjectEncoded;
certificateRequest.CertRequest.Encode();
certificateRequest.CSR = certificateRequest.CertRequest.RawData[EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER];
然后我去 CA 取回证书。当我尝试将证书添加回 Yubikey 时,出现以下错误:
CertEnroll::CX509Enrollment::InstallResponse: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
根据我在 google 上的发现,这意味着系统无法找到用于签署证书的私钥。我用request初始化容器,还是找不到是智能卡完成的,代码参考:
CX509Enrollment objEnroll = new CX509EnrollmentClass();
objEnroll.InitializeFromRequest(certificateRequest.CertRequest);
objEnroll.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedRoot,
certificateRequest.StringCert,
EncodingType.XCN_CRYPT_STRING_BASE64,
null
);
有没有办法告诉windows在YubiKey中寻找私钥?
我错过了私钥的实际创建,这里的请求是新的完整代码:
certificateRequest.CertRequest = new CX509CertificateRequestPkcs10();
certificateRequest.CertRequest.Initialize(X509CertificateEnrollmentContext.ContextUser);
certificateRequest.CertRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
certificateRequest.CertRequest.PrivateKey.Length = 2048;
certificateRequest.CertRequest.PrivateKey.ProviderName = "Microsoft Smart Card Key Storage Provider";
certificateRequest.CertRequest.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
certificateRequest.CertRequest.PrivateKey.KeySpec = X509KeySpec.XCN_AT_NONE;
certificateRequest.CertRequest.PrivateKey.MachineContext = false;
certificateRequest.CertRequest.PrivateKey.Create();
var subjectEncoded = new CX500DistinguishedNameClass();
subjectEncoded.Encode(certificateRequest.SubjectName);
certificateRequest.CertRequest.Subject = subjectEncoded;
certificateRequest.CertRequest.Encode();
certificateRequest.CSR = certificateRequest.CertRequest.RawData[EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER];
然后我去 CA 取回证书。当我尝试将证书添加回 Yubikey 时:
CX509Enrollment objEnroll = new CX509EnrollmentClass();
objEnroll.InitializeFromRequest(certificateRequest.CertRequest);
objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
objEnroll.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedRoot,
certificateRequest.StringCert,
EncodingType.XCN_CRYPT_STRING_BASE64,
null
);
我正在尝试创建智能卡证书并将其添加回 Yubikey(我使用的是 Yubico 的 Mini 驱动程序,因此 yubikey 的行为类似于智能卡,无法使用其 PIVManager 或 YKMan)。我能够使用以下代码使用 yubikey 成功签署 CSR:
certificateRequest.CertRequest = new CX509CertificateRequestPkcs10();
certificateRequest.CertRequest.Initialize(X509CertificateEnrollmentContext.ContextUser);
certificateRequest.CertRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
certificateRequest.CertRequest.PrivateKey.Length = 2048;
certificateRequest.CertRequest.PrivateKey.ProviderName = "Microsoft Smart Card Key Storage Provider";
certificateRequest.CertRequest.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
certificateRequest.CertRequest.PrivateKey.KeySpec = X509KeySpec.XCN_AT_NONE;
certificateRequest.CertRequest.PrivateKey.MachineContext = false;
var subjectEncoded = new CX500DistinguishedNameClass();
subjectEncoded.Encode(certificateRequest.SubjectName);
certificateRequest.CertRequest.Subject = subjectEncoded;
certificateRequest.CertRequest.Encode();
certificateRequest.CSR = certificateRequest.CertRequest.RawData[EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER];
然后我去 CA 取回证书。当我尝试将证书添加回 Yubikey 时,出现以下错误:
CertEnroll::CX509Enrollment::InstallResponse: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
根据我在 google 上的发现,这意味着系统无法找到用于签署证书的私钥。我用request初始化容器,还是找不到是智能卡完成的,代码参考:
CX509Enrollment objEnroll = new CX509EnrollmentClass();
objEnroll.InitializeFromRequest(certificateRequest.CertRequest);
objEnroll.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedRoot,
certificateRequest.StringCert,
EncodingType.XCN_CRYPT_STRING_BASE64,
null
);
有没有办法告诉windows在YubiKey中寻找私钥?
我错过了私钥的实际创建,这里的请求是新的完整代码:
certificateRequest.CertRequest = new CX509CertificateRequestPkcs10();
certificateRequest.CertRequest.Initialize(X509CertificateEnrollmentContext.ContextUser);
certificateRequest.CertRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
certificateRequest.CertRequest.PrivateKey.Length = 2048;
certificateRequest.CertRequest.PrivateKey.ProviderName = "Microsoft Smart Card Key Storage Provider";
certificateRequest.CertRequest.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
certificateRequest.CertRequest.PrivateKey.KeySpec = X509KeySpec.XCN_AT_NONE;
certificateRequest.CertRequest.PrivateKey.MachineContext = false;
certificateRequest.CertRequest.PrivateKey.Create();
var subjectEncoded = new CX500DistinguishedNameClass();
subjectEncoded.Encode(certificateRequest.SubjectName);
certificateRequest.CertRequest.Subject = subjectEncoded;
certificateRequest.CertRequest.Encode();
certificateRequest.CSR = certificateRequest.CertRequest.RawData[EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER];
然后我去 CA 取回证书。当我尝试将证书添加回 Yubikey 时:
CX509Enrollment objEnroll = new CX509EnrollmentClass();
objEnroll.InitializeFromRequest(certificateRequest.CertRequest);
objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
objEnroll.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedRoot,
certificateRequest.StringCert,
EncodingType.XCN_CRYPT_STRING_BASE64,
null
);