如何向 CertificateRequest 提供 X509KeyStorageFlags
How to provide X509KeyStorageFlags to CertificateRequest
可以在 X509Certificate2 构造函数中指定 X509KeyStorageFlags,如下所示:
var cert = new X509Certificate2(bytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
但在我的例子中,我使用 CertificateRequest 创建自签名证书,所以我没有证书构造函数:
var rsaKeyPair = RSA.Create();
var request = new CertificateRequest(
$"cn = {Environment.MachineName}",
rsaKeyPair,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment |
X509KeyUsageFlags.DigitalSignature, true));
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow),
new DateTimeOffset(DateTime.UtcNow.AddYears(2)));
有没有办法将 KeyStorageFags 添加到 request.CertificateExtension 或类似的东西?
How to provide X509KeyStorageFlags to CertificateRequest
CertificateRequest 对密钥存储一无所知。它所做的就是构建证书,然后调用 cert.CopyWithPrivateKey(privateKey).
移动目标:
How to provide X509KeyStorageFlags to CopyWithPrivateKey
CopyWithPrivateKey 复制当前状态的密钥。临时密钥保持临时状态。持久键保持不变。
移动目标:
How to provide X509KeyStorageFlags to RSA.Create()
RSA.Create() 总是创建临时密钥,它根本不理解密钥存储。您必须使用一个特定的 RSA 实现来理解持久性——但是这会将您锁定在 Windows 中(当然,您可以让您的调用代码在 OS 上有所不同)。
RSA rsaKeyPair = BuildMachinePersistedKeyPair(2048);
...
private static RSA BuildMachinePersistedKeyPair(int keySize)
{
CngKeyCreationParameters creationParameters = new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.Exportable,
Provider = CngProvider.MicrosoftSoftwareKeyStorageProvider,
KeyCreationOptions =
CngKeyCreationOptions.OverwriteExistingKey |
CngKeyCreationOptions.MachineKey,
};
CngProperty keySizeProperty = new CngProperty(
KeyPropertyName.Length,
BitConverter.GetBytes(keySize),
CngPropertyOptions.None);
creationParameters.Parameters.Add(keySizeProperty);
using (CngKey cngKey = CngKey.Create(CngAlgorithm.Rsa, Guid.NewGuid().ToString(), creationParameters))
{
return new RSACng(cngKey);
}
}
Is there an easier way?
当然,只是 export/import 短暂的。
X509Certificate2 certificate;
using (X509Certificate2 ephemeral = request.CreateSelfSigned(...))
{
certificate = new X509Certificate2(
ephemeral.Export(X509ContentType.Pkcs12),
string.Empty,
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
}
可以在 X509Certificate2 构造函数中指定 X509KeyStorageFlags,如下所示:
var cert = new X509Certificate2(bytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
但在我的例子中,我使用 CertificateRequest 创建自签名证书,所以我没有证书构造函数:
var rsaKeyPair = RSA.Create();
var request = new CertificateRequest(
$"cn = {Environment.MachineName}",
rsaKeyPair,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment |
X509KeyUsageFlags.DigitalSignature, true));
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow),
new DateTimeOffset(DateTime.UtcNow.AddYears(2)));
有没有办法将 KeyStorageFags 添加到 request.CertificateExtension 或类似的东西?
How to provide X509KeyStorageFlags to CertificateRequest
CertificateRequest 对密钥存储一无所知。它所做的就是构建证书,然后调用 cert.CopyWithPrivateKey(privateKey).
移动目标:
How to provide X509KeyStorageFlags to CopyWithPrivateKey
CopyWithPrivateKey 复制当前状态的密钥。临时密钥保持临时状态。持久键保持不变。
移动目标:
How to provide X509KeyStorageFlags to RSA.Create()
RSA.Create() 总是创建临时密钥,它根本不理解密钥存储。您必须使用一个特定的 RSA 实现来理解持久性——但是这会将您锁定在 Windows 中(当然,您可以让您的调用代码在 OS 上有所不同)。
RSA rsaKeyPair = BuildMachinePersistedKeyPair(2048);
...
private static RSA BuildMachinePersistedKeyPair(int keySize)
{
CngKeyCreationParameters creationParameters = new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.Exportable,
Provider = CngProvider.MicrosoftSoftwareKeyStorageProvider,
KeyCreationOptions =
CngKeyCreationOptions.OverwriteExistingKey |
CngKeyCreationOptions.MachineKey,
};
CngProperty keySizeProperty = new CngProperty(
KeyPropertyName.Length,
BitConverter.GetBytes(keySize),
CngPropertyOptions.None);
creationParameters.Parameters.Add(keySizeProperty);
using (CngKey cngKey = CngKey.Create(CngAlgorithm.Rsa, Guid.NewGuid().ToString(), creationParameters))
{
return new RSACng(cngKey);
}
}
Is there an easier way?
当然,只是 export/import 短暂的。
X509Certificate2 certificate;
using (X509Certificate2 ephemeral = request.CreateSelfSigned(...))
{
certificate = new X509Certificate2(
ephemeral.Export(X509ContentType.Pkcs12),
string.Empty,
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
}