码迷,mamicode.com
首页 > Web开发 > 详细

.Net 动态签发TLS证书并且Chrome不报错的简陋实现

时间:2021-02-20 12:10:51      阅读:0      评论:0      收藏:0      [点我收藏+]

标签:col   api   rom   参数   void   rgb   enc   datetime   证书   

https://github.com/LeiKaiFeng-GoodBoy/LeiKaiFeng.X509Certificates

 

很简单,也可以直接上代码,主要用到.net标准库里的CertificateRequest类型

文档地址https://docs.microsoft.com/zh-cn/dotnet/api/system.security.cryptography.x509certificates.certificaterequest?view=netstandard-2.1

public static class TLSCertificate
    {

        static X509Extension CreateSubAltName(string[] subjectAltNames)
        {
            var builder = new SubjectAlternativeNameBuilder();

            Array.ForEach(subjectAltNames, (s) => builder.AddDnsName(s));

            return builder.Build(false);
        }

        static void AddExtension(Collection<X509Extension> extensions, string[] subjectAltNames)
        {


            extensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment, false));
            extensions.Add(new X509BasicConstraintsExtension(false, true, 0, false));
            extensions.Add(CreateSubAltName(subjectAltNames));
        }

        public static X509Certificate2 CreateTlsCertificate(string commonName, X509Certificate2 caCertificate, int keySize, int days, params string[] subjectAltNames)
        {
            string subjectName = $"CN = {commonName}";

            var rsa = RSA.Create(keySize);

            var certificateRequest = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            AddExtension(certificateRequest.CertificateExtensions, subjectAltNames);



            var dateTime = DateTime.UtcNow;



            X509Certificate2 tlsCertificate = certificateRequest.Create(caCertificate, new DateTimeOffset(dateTime), new DateTimeOffset(dateTime.AddDays(days)), caCertificate.GetCertHash().Take(20).ToArray());

            return new X509Certificate2(tlsCertificate.CopyWithPrivateKey(rsa).Export(X509ContentType.Pfx));
        }


        public static X509Certificate2 CreateCA(string commonName, int keySize, int days)
        {
            string subjectName = $"CN = {commonName}";

            var rsa = RSA.Create(keySize);



            var certificateRequest = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            certificateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 1, true));

            var dateTime = DateTime.UtcNow;

            return certificateRequest.CreateSelfSigned(new DateTimeOffset(dateTime), new DateTimeOffset(dateTime.AddDays(days)));

        }

        
    }

 

 

下面是生成CA证书并且签发一个TLS证书的例子

X509Certificate2 ca = TLSCertificate.CreateCA("LeiKaiFeng", 2048, 365);

X509Certificate2 tlsX509Certificate2 = TLSCertificate.CreateTlsCertificate("pornhub.com", ca, 2048, 365, "pornhub.com", "*.pornhub.com");

 

值得注意的地方是返回的X509Certificate2都包含私钥,导出格式不同则可能导出的不会包含私钥

keySize小于1024浏览器会报错,subjectAltNames参数必须要填一个,现代浏览器基本都需要这个,不然就不会信任

 

.Net 动态签发TLS证书并且Chrome不报错的简陋实现

标签:col   api   rom   参数   void   rgb   enc   datetime   证书   

原文地址:https://www.cnblogs.com/leikaifeng/p/14416096.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!