.Net 动态签发TLS证书并且Chrome不报错的简陋实现

2021-03-01 11:28



https://github.com/LeiKaiFeng-GoodBoy/LeiKaiFeng.X509Certificates

 

实现很简单，可以直接看代码，主要用到 .NET 标准库中的 CertificateRequest 类型。

文档地址：https://docs.microsoft.com/zh-cn/dotnet/api/system.security.cryptography.x509certificates.certificaterequest?view=netstandard-2.1

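public static class TLSCertificate
{
    // id-kp-serverAuth: restricts an issued leaf certificate to TLS server authentication.
    private const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";

    // RFC 5280 caps serial numbers at 20 octets; 16 random bytes is ample.
    private const int SerialNumberLength = 16;

    /// <summary>
    /// Builds a SubjectAlternativeName extension that lists every entry as a DNS name.
    /// </summary>
    /// <param name="subjectAltNames">Host names (wildcards allowed) the certificate should be valid for.</param>
    /// <returns>A non-critical SAN extension.</returns>
    private static X509Extension CreateSubAltName(string[] subjectAltNames)
    {
        var builder = new SubjectAlternativeNameBuilder();

        foreach (string dnsName in subjectAltNames)
        {
            builder.AddDnsName(dnsName);
        }

        return builder.Build(false);
    }

    /// <summary>
    /// Adds the extensions a TLS server (leaf) certificate needs: key usage, a
    /// non-CA basic-constraints marker, an EKU limited to server authentication,
    /// and the subject alternative names.
    /// </summary>
    /// <param name="extensions">The request's extension collection to populate.</param>
    /// <param name="subjectAltNames">DNS names for the SAN extension.</param>
    private static void AddExtension(Collection<X509Extension> extensions, string[] subjectAltNames)
    {
        extensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment,
            false));

        // Leaf certificate: not a CA, so it cannot be used to issue further certificates.
        extensions.Add(new X509BasicConstraintsExtension(false, true, 0, false));

        // Least privilege: the certificate is only meant for TLS server authentication.
        extensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(ServerAuthOid) }, false));

        extensions.Add(CreateSubAltName(subjectAltNames));
    }

    /// <summary>
    /// Creates a random, positive, non-zero serial number. Every certificate issued by
    /// the same CA must carry a distinct serial (RFC 5280); reusing one makes browsers
    /// reject the certificate or confuse it with a previously seen one.
    /// </summary>
    /// <returns>A big-endian serial number of <see cref="SerialNumberLength"/> bytes.</returns>
    private static byte[] CreateSerialNumber()
    {
        byte[] serialNumber = new byte[SerialNumberLength];

        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(serialNumber);
        }

        // Clear the sign bit so the big-endian integer is positive, and set the low bit
        // of the first byte so the value can never be zero.
        serialNumber[0] &= 0x7F;
        serialNumber[0] |= 0x01;

        return serialNumber;
    }

    /// <summary>
    /// Issues a TLS server certificate for <paramref name="commonName"/>, signed by
    /// <paramref name="caCertificate"/>, with a fresh RSA key of <paramref name="keySize"/> bits.
    /// </summary>
    /// <param name="commonName">Value placed in the subject CN. It is spliced into an X.500 DN string,
    /// so a value containing ',' or '=' changes the parsed DN — validate it at the call site.</param>
    /// <param name="caCertificate">Issuing CA; must contain its private key.</param>
    /// <param name="keySize">RSA key size in bits for the new certificate.</param>
    /// <param name="days">Validity period in days, starting now (UTC).</param>
    /// <param name="subjectAltNames">DNS names for the SAN extension; at least one is required.</param>
    /// <returns>The issued certificate, including its private key (loaded from a PFX round-trip).</returns>
    /// <exception cref="ArgumentNullException"><paramref name="caCertificate"/> is null.</exception>
    /// <exception cref="ArgumentException"><paramref name="subjectAltNames"/> is null or empty.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="days"/> is not positive.</exception>
    public static X509Certificate2 CreateTlsCertificate(string commonName, X509Certificate2 caCertificate, int keySize, int days, params string[] subjectAltNames)
    {
        if (caCertificate == null)
        {
            throw new ArgumentNullException(nameof(caCertificate));
        }

        if (subjectAltNames == null || subjectAltNames.Length == 0)
        {
            throw new ArgumentException("At least one subject alternative name is required.", nameof(subjectAltNames));
        }

        if (days <= 0)
        {
            throw new ArgumentOutOfRangeException(nameof(days), "Validity period must be at least one day.");
        }

        string subjectName = $"CN = {commonName}";

        using (var rsa = RSA.Create(keySize))
        {
            var certificateRequest = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            AddExtension(certificateRequest.CertificateExtensions, subjectAltNames);

            DateTimeOffset notBefore = DateTimeOffset.UtcNow;
            DateTimeOffset notAfter = notBefore.AddDays(days);

            using (X509Certificate2 signedCertificate = certificateRequest.Create(caCertificate, notBefore, notAfter, CreateSerialNumber()))
            using (X509Certificate2 withPrivateKey = signedCertificate.CopyWithPrivateKey(rsa))
            {
                // Round-trip through PFX so the returned certificate owns an independent copy of
                // the key; the RSA instance and the intermediates are disposed when we leave here.
                return new X509Certificate2(withPrivateKey.Export(X509ContentType.Pfx));
            }
        }
    }

    /// <summary>
    /// Creates a self-signed CA certificate with a fresh RSA key of <paramref name="keySize"/> bits.
    /// </summary>
    /// <param name="commonName">Value placed in the subject CN (same DN-splicing caveat as
    /// <see cref="CreateTlsCertificate"/>).</param>
    /// <param name="keySize">RSA key size in bits.</param>
    /// <param name="days">Validity period in days, starting now (UTC).</param>
    /// <returns>The CA certificate, including its private key (loaded from a PFX round-trip).</returns>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="days"/> is not positive.</exception>
    public static X509Certificate2 CreateCA(string commonName, int keySize, int days)
    {
        if (days <= 0)
        {
            throw new ArgumentOutOfRangeException(nameof(days), "Validity period must be at least one day.");
        }

        string subjectName = $"CN = {commonName}";

        using (var rsa = RSA.Create(keySize))
        {
            var certificateRequest = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // CA with a path length of 1: it may sign one further level of CA below it.
            certificateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 1, true));

            // Mark the key as a certificate/CRL signing key; CertificateRequest.Create requires
            // KeyCertSign when a KeyUsage extension is present on the issuer.
            certificateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
                true));

            certificateRequest.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(certificateRequest.PublicKey, false));

            DateTimeOffset notBefore = DateTimeOffset.UtcNow;
            DateTimeOffset notAfter = notBefore.AddDays(days);

            using (X509Certificate2 selfSigned = certificateRequest.CreateSelfSigned(notBefore, notAfter))
            {
                // Same PFX round-trip as CreateTlsCertificate, so the CA's key outlives the disposed RSA instance.
                return new X509Certificate2(selfSigned.Export(X509ContentType.Pfx));
            }
        }
    }
}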

 

 

下面是生成CA证书并且签发一个TLS证书的例子

// Self-signed root CA: 2048-bit RSA key, valid for one year from now.
var ca = TLSCertificate.CreateCA("LeiKaiFeng", 2048, 365);

// Leaf certificate signed by that CA; the trailing arguments become the SAN entries
// (modern browsers match the host name against the SAN, not the CN).
var tlsX509Certificate2 = TLSCertificate.CreateTlsCertificate("pornhub.com", ca, 2048, 365, "pornhub.com", "*.pornhub.com");

 

值得注意的是，返回的 X509Certificate2 都包含私钥；但若以其他格式导出，导出结果可能不包含私钥。

keySize 小于 1024 时浏览器会报错；subjectAltNames 参数至少要填一个，现代浏览器基本都要求证书带有 SAN，否则不会信任该证书。

 


原文地址:https://www.cnblogs.com/leikaifeng/p/14416096.html

