从 RSACryptoServiceProvider 创建 RSA 密钥?
Create RSA key from RSACryptoServiceProvider?
我想使用通过 CSP 创建的密钥(我使用 Utimaco 界面 'CSP Tool'),
要生成 CA 证书,我使用此代码(基于 ):
var csp = new CspParameters()
{
ProviderName = "Utimaco CryptoServer CSP",
ProviderType = 1,
KeyContainerName = "Default Container"
};
RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider(1024, csp);
RSAParameters myRSA = rsaProvider.ExportParameters(false);
using (RSA parent = RSA.Create(myRSA))
using (RSA rsa = RSA.Create(2048))
{
CertificateRequest parentReq = new CertificateRequest(
"CN=Experimental Issuing Authority",
parent,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
parentReq.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, false, 0, true));
parentReq.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(parentReq.PublicKey, false));
using (X509Certificate2 parentCert = parentReq.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-45),
DateTimeOffset.UtcNow.AddDays(365)))
{
CertificateRequest req = new CertificateRequest(
"CN=Valid-Looking Timestamp Authority",
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, false));
req.CertificateExtensions.Add(
new X509KeyUsageExtension(
System.Security.Cryptography.X509Certificates.X509KeyUsageFlags.DigitalSignature |
System.Security.Cryptography.X509Certificates.X509KeyUsageFlags.NonRepudiation,
false));
req.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.8")
},
true));
req.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
using (X509Certificate2 cert = req.Create(
parentCert,
DateTimeOffset.UtcNow.AddDays(-1),
DateTimeOffset.UtcNow.AddDays(90),
new byte[] { 1, 2, 3, 4 }))
{
// Do something with these certs, like export them to PFX,
// or add them to an X509Store, or whatever.
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Add(parentCert);
store.Close();
}
}
}
它在 parentReq.CreateSelfSigned(..) 调用时抛出:System.Security.Cryptography.CryptographicException:'Key does not exist.'。
这是关键信息:
RSAParameters myRSA = rsaProvider.ExportParameters(false);
using (RSA parent = RSA.Create(myRSA))
这使得 parent 只是 public 密钥部分,这意味着它无法签署证书。
假设您希望 CA 证书知道其私钥,只需使用 rsaProvider 而不是 exporting/importing 进入 parent。 (RSA parent = rsaProvider; 或仅将 parent 的所有用法替换为 rsaProvider)
我想使用通过 CSP 创建的密钥(我使用 Utimaco 界面 'CSP Tool'),
要生成 CA 证书,我使用此代码(基于
var csp = new CspParameters()
{
ProviderName = "Utimaco CryptoServer CSP",
ProviderType = 1,
KeyContainerName = "Default Container"
};
RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider(1024, csp);
RSAParameters myRSA = rsaProvider.ExportParameters(false);
using (RSA parent = RSA.Create(myRSA))
using (RSA rsa = RSA.Create(2048))
{
CertificateRequest parentReq = new CertificateRequest(
"CN=Experimental Issuing Authority",
parent,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
parentReq.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, false, 0, true));
parentReq.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(parentReq.PublicKey, false));
using (X509Certificate2 parentCert = parentReq.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-45),
DateTimeOffset.UtcNow.AddDays(365)))
{
CertificateRequest req = new CertificateRequest(
"CN=Valid-Looking Timestamp Authority",
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, false));
req.CertificateExtensions.Add(
new X509KeyUsageExtension(
System.Security.Cryptography.X509Certificates.X509KeyUsageFlags.DigitalSignature |
System.Security.Cryptography.X509Certificates.X509KeyUsageFlags.NonRepudiation,
false));
req.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.8")
},
true));
req.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
using (X509Certificate2 cert = req.Create(
parentCert,
DateTimeOffset.UtcNow.AddDays(-1),
DateTimeOffset.UtcNow.AddDays(90),
new byte[] { 1, 2, 3, 4 }))
{
// Do something with these certs, like export them to PFX,
// or add them to an X509Store, or whatever.
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Add(parentCert);
store.Close();
}
}
}
它在 parentReq.CreateSelfSigned(..) 调用时抛出:System.Security.Cryptography.CryptographicException:'Key does not exist.'。
这是关键信息:
RSAParameters myRSA = rsaProvider.ExportParameters(false);
using (RSA parent = RSA.Create(myRSA))
这使得 parent 只是 public 密钥部分,这意味着它无法签署证书。
假设您希望 CA 证书知道其私钥,只需使用 rsaProvider 而不是 exporting/importing 进入 parent。 (RSA parent = rsaProvider; 或仅将 parent 的所有用法替换为 rsaProvider)