我需要建立一个通过C#代码识别的有效我的电脑上的自签名X509证书。
如果需要,这可以用管理员权限跑出。
我当前的代码如下
public static X509Certificate2 GenerateCertificate(string name)
{
string subjectName = $"CN={name}";
using (RSA rsa = RSA.Create(2048))
{
CertificateRequest req = new CertificateRequest(
subjectName,
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, false));
req.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation,
false));
req.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.8")
},
true));
req.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
return req.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-1),
DateTimeOffset.UtcNow.AddYears(50));
}
}
public static X509Certificate2 GetOrCreateCertificate(string serverName)
{
using (X509Store store = new X509Store(StoreLocation.LocalMachine))
{
X509Certificate2 certificate;
store.Open(OpenFlags.ReadWrite);
X509Certificate2Collection certificateCollection = store.Certificates.Find(X509FindType.FindBySubjectName, serverName, true);//With true, my certificates are not returned
if (certificateCollection.Count > 0)
{
certificate = certificateCollection[0];
return certificate;
}
certificate = GenerateCertificate(serverName);
store.Add(certificate);
return certificate;
}
}
目前,如果我在windows MMC去,证书管理单元中,我看到了证书,但它被认为是无效的。
我错过了什么?
编辑
你遇到的问题似乎是,该系统不信任新的证书。
在被信任命令,一个证书链的根必须以下列的商店之一来表示:
(也有一些涉及其他门店,域管理的根颁发机构)
所以,你以后做
certificate = GenerateCertificate(serverName);
store.Add(certificate);
你也想这样做
using (X509Store rootStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
using (X509Certificate2 withoutPrivateKey = new X509Certificate2(certificate.RawData))
{
rootStore.Open(OpenFlags.ReadWrite);
rootStore.Add(withoutPrivateKey);
}
现在,系统将能够验证(单节点)环比上升到可信的证书,并找到validOnly: true
约束会考虑证书“有效”(对于该方法,意味着连锁信任和未过期)。