如何生成CSR像它IIS

Question

我工作的整合與賽門鐵克API和使用代碼來生成CSR

private string GenerateCsr(string domain, string organization, string organizationUnit, string city, string state, string country) { 
     // Create all the objects that will be required 
     var objPkcs10 = new CX509CertificateRequestPkcs10(); 
     var objPrivateKey = new CX509PrivateKey(); 
     var objCSP = new CCspInformation(); 
     var objCSPs = new CCspInformations(); 
     var objDN = new CX500DistinguishedName(); 
     var objEnroll = new CX509Enrollment(); 
     var objObjectIds = new CObjectIds(); 
     var objObjectId = new CObjectId(); 
     var objExtensionKeyUsage = new CX509ExtensionKeyUsage(); 
     var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage(); 
     string strRequest; 
     try { 
      // Initialize the csp object using the desired Cryptograhic Service Provider (CSP) 
      objCSP.InitializeFromName(
       "Microsoft RSA Schannel Cryptographic Provider" 
       ); 
      // Add this CSP object to the CSP collection object 
      objCSPs.Add(
       objCSP 
       ); 
      // Provide key container name, key length and key spec to the private key object 
      //objPrivateKey.ContainerName = "AlejaCMa"; 
      objPrivateKey.Length = 2048; 
      objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; 
      objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; 
      objPrivateKey.MachineContext = false; 
      // Provide the CSP collection object (in this case containing only 1 CSP object) 
      // to the private key object 
      objPrivateKey.CspInformations = objCSPs; 
      // Create the actual key pair 
      objPrivateKey.Create(); 
      // Initialize the PKCS#10 certificate request object based on the private key. 
      // Using the context, indicate that this is a user certificate request and don't 
      // provide a template name 
      objPkcs10.InitializeFromPrivateKey(
       X509CertificateEnrollmentContext.ContextUser, 
       objPrivateKey, 
       "" 
       ); 
      // Key Usage Extension 
      objExtensionKeyUsage.InitializeEncode(
       X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | 
       X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE | 
       X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | 
       X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE 
       ); 
      objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage); 
      // Enhanced Key Usage Extension 
      objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2"); 
      // OID for Client Authentication usage     
      objObjectIds.Add(objObjectId); 
      objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds); 
      objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage); 
      // Encode the name in using the Distinguished Name object 
      objDN.Encode(
       string.Format("CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", domain, organization, organizationUnit, city, state, country), 
       X500NameFlags.XCN_CERT_NAME_STR_NONE 
       ); 
      // Assing the subject name by using the Distinguished Name object initialized above 
      objPkcs10.Subject = objDN; 
      // Create enrollment request 
      objEnroll.InitializeFromRequest(objPkcs10); 
      strRequest = objEnroll.CreateRequest(
       EncodingType.XCN_CRYPT_STRING_BASE64 
       ); 
      return strRequest; 
     } 
     catch (Exception ex) { 
      throw new Exception("Can't generate CSR"); 
     } 
    } 

賽門鐵克然後返回編碼證書的base64，但我不能把它上傳到IIS。如果我將在IIS上手動生成的CSR發送到賽門鐵克，我可以上傳返回的證書。 所以，我的問題是如何生成它在IIS上生成的CSR。

Answer 1

它不能按照你想要的方式完成。由於生成的csr和私鑰在一臺服務器上，即由CA返回的簽名證書，因此您需要擁有在創建CSR時生成的私鑰。但是，您正在另一臺服務器上生成私鑰，並在iis上上傳賽門鐵克提供的簽名證書，而IIS沒有私鑰。

如果必須完成，則需要將參數直接發送到Symantec API，然後他們將爲您提供一個受密碼保護的PFX文件，並且您可以在IIS服務器上上載pfx文件。

我希望我回答你的問題。