在WCF中使用創建自簽名證書

Question

您好，我有一個使用自簽名證書的wcf服務。以前的版本沒有安全性，我只在新版本中實施。但我需要更新舊版本的程序。這就是爲什麼我需要在代碼中創建證書並添加到存儲中。我使用的代碼1個回答How to create a self-signed certificate using C#?例如蒙山細微的變化

public class CertificateTools 
{ 
    public static X509Certificate2 CreateSelfSignedCertificate(string subjectName) 
    { 
     // create DN for subject and issuer 
     var dn = new CX500DistinguishedName(); 
     dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); 

     // create a new private key for the certificate 
     CX509PrivateKey privateKey = new CX509PrivateKey(); 
     privateKey.KeyProtection = X509PrivateKeyProtection.XCN_NCRYPT_UI_NO_PROTECTION_FLAG; 
     privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; 
     privateKey.MachineContext = true; 
     privateKey.Length = 1024; 
     privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited 
     privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; 
     privateKey.Create(); 


     // Use the stronger SHA512 hashing algorithm 
     var hashobj = new CObjectId(); 
     hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, 
      ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, 
      AlgorithmFlags.AlgorithmFlagsNone, "SHA1"); 

     // add extended key usage if you want - look at MSDN for a list of possible OIDs 
     var oid = new CObjectId(); 
     oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server 
     var oidlist = new CObjectIds(); 
     oidlist.Add(oid); 
     var eku = new CX509ExtensionEnhancedKeyUsage(); 
     eku.InitializeEncode(oidlist); 


     //KeyUseg 
     CX509ExtensionKeyUsage extensionKeyUsage = new CX509ExtensionKeyUsage(); 
     // Key Usage Extension 
     extensionKeyUsage.InitializeEncode(
      X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | 
      X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | 
      X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE 
     ); 


     // Create the self signing request 
     var cert = new CX509CertificateRequestCertificate(); 
     cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); 
     cert.Subject = dn; 
     cert.Issuer = dn; // the issuer and the subject are the same 
     cert.NotBefore = DateTime.Now.AddYears(-1); 
     // this cert expires immediately. Change to whatever makes sense for you 
     cert.NotAfter = DateTime.Now.AddYears(100); 
     cert.X509Extensions.Add((CX509Extension) extensionKeyUsage);//add the KU 
     cert.X509Extensions.Add((CX509Extension)eku); // add the EKU 
     cert.HashAlgorithm = hashobj; // Specify the hashing algorithm 
     cert.Encode(); // encode the certificate 

     // Do the final enrollment process 
     var enroll = new CX509Enrollment(); 
     enroll.InitializeFromRequest(cert); // load the certificate 
     enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name 
     string csr = enroll.CreateRequest(); // Output the request in base64 
     // and install it back as the response 
     enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, 
      csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password 
     // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes 
     var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption 
      PFXExportOptions.PFXExportChainWithRoot); 

     // instantiate the target class with the PKCS#12 data (and the empty password) 
     return new X509Certificate2(Convert.FromBase64String(base64encoded), "",X509KeyStorageFlags.Exportable); 
    } 
} 

和代碼

 X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); 
     store.Open(OpenFlags.ReadWrite | OpenFlags.IncludeArchived); 
     var certificate = CertificateTools.CreateSelfSignedCertificate("ServerAdminService");  
     store.Add(certificate);   
     store.Close(); 

使用碼

  scb = new ServiceCredentials(); 
     scb.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "ServerAdminService"); 

這將創建證書，並添加它，但是當我試圖使用它發生錯誤。在錯誤中說沒有私鑰或進程沒有權限。它看起來像我需要改變一些標誌，但我不知道哪個。

Answer 1

沒有看到添加到商店的證書。看看這是否有幫助，

store.Open(OpenFlags.ReadWrite | OpenFlags.IncludeArchived); 
    var certificate = CertificateTools.CreateSelfSignedCertificate("ServerAdminService"); 
    store.Add(certificate) ;    
    store.Close(); 

Answer 2

這是方式晚了，但我認爲問題是你沒有堅持私鑰。在證書創建的最後一行

return new X509Certificate2(Convert.FromBase64String(base64encoded), "",X509KeyStorageFlags.Exportable); 

您沒有設置「X509KeyStorageFlags.PersistKeySet」。這會導致私鑰在您正在創建的新證書中保留。否則...證書安裝時沒有私鑰。

嘗試：

return new X509Certificate2(Convert.FromBase64String(base64encoded), "",X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet); 

我還沒有運行......所以沒有保證。

將X509Certificate2從文件添加到商店中也是如此。在構建X509Certificate2時，必須傳遞X509KeyStorageFlags.PersistKeySet標誌以使其保留私鑰。我知道這一點（從文件加載），因爲我花了很多時間進行故障排除。