https://github.com/LeiKaiFeng-GoodBoy/LeiKaiFeng.X509Certificates
很简单,也可以直接上代码,主要用到.net标准库里的CertificateRequest类型
文档地址https://docs.microsoft.com/zh-cn/dotnet/api/system.security.cryptography.x509certificates.certificaterequest?view=netstandard-2.1
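/// <summary>
/// Minimal helpers for creating a self-signed RSA/SHA-256 CA and issuing TLS server
/// certificates from it, built on <see cref="CertificateRequest"/> from the standard library.
/// Every certificate returned carries its private key.
/// </summary>
public static class TLSCertificate
{
    // id-kp-serverAuth (RFC 5280 §4.2.1.12): marks the leaf as a TLS server certificate.
    private const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";

    // Width of the random serial number: comfortably inside the 20-octet limit of
    // RFC 5280 §4.1.2.2 while still leaving enough entropy to be unique per issuer.
    private const int SerialNumberLength = 16;

    /// <summary>
    /// Builds a non-critical Subject Alternative Name extension holding every entry as a dNSName.
    /// </summary>
    /// <param name="subjectAltNames">DNS names the certificate is valid for.</param>
    private static X509Extension CreateSubAltName(string[] subjectAltNames)
    {
        var builder = new SubjectAlternativeNameBuilder();
        foreach (string dnsName in subjectAltNames)
        {
            builder.AddDnsName(dnsName);
        }
        return builder.Build(false);
    }

    /// <summary>
    /// Adds the end-entity extensions: key usage, basic constraints (not a CA),
    /// server-authentication EKU and the Subject Alternative Name list.
    /// </summary>
    /// <param name="extensions">Extension collection of the pending request.</param>
    /// <param name="subjectAltNames">DNS names the certificate is valid for.</param>
    private static void AddExtension(Collection<X509Extension> extensions, string[] subjectAltNames)
    {
        extensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment,
            false));
        // cA=false, pathLength 0: a leaf must never be usable to sign further certificates.
        extensions.Add(new X509BasicConstraintsExtension(false, true, 0, false));
        extensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(ServerAuthOid) }, false));
        extensions.Add(CreateSubAltName(subjectAltNames));
    }

    /// <summary>
    /// Produces a fresh, positive, non-zero serial number from the CSPRNG.
    /// RFC 5280 requires serial numbers to be unique per issuer; deriving the serial from the
    /// CA's own hash (as this code originally did) gives every issued certificate the same
    /// serial, which clients may reject or confuse in their caches.
    /// </summary>
    private static byte[] CreateSerialNumber()
    {
        byte[] serial = new byte[SerialNumberLength];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(serial);
        }
        // Treated as a big-endian unsigned integer: clear the top bit so it stays positive
        // and make sure the leading byte is not zero.
        serial[0] &= 0x7F;
        if (serial[0] == 0)
        {
            serial[0] = 1;
        }
        return serial;
    }

    /// <summary>
    /// Issues an RSA/SHA-256 TLS server certificate signed by <paramref name="caCertificate"/>.
    /// </summary>
    /// <param name="commonName">Subject CN. Modern clients match host names against the SAN list, not the CN.</param>
    /// <param name="caCertificate">Issuing CA; must carry its private key (for example the result of <see cref="CreateCA"/>).</param>
    /// <param name="keySize">RSA modulus size in bits. Browsers reject keys under 1024; 2048 is the usual minimum.</param>
    /// <param name="days">Validity in days starting now (UTC). Should not exceed the CA's remaining validity, or the chain fails once the CA expires.</param>
    /// <param name="subjectAltNames">DNS names the certificate is valid for; at least one is required.</param>
    /// <returns>
    /// A certificate that owns its private key. It is round-tripped through PFX because a
    /// certificate bound to an ephemeral key is not usable by SslStream on Windows.
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="caCertificate"/> is null.</exception>
    /// <exception cref="ArgumentException"><paramref name="commonName"/> is blank, <paramref name="subjectAltNames"/> is empty, or the CA has no private key.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="days"/> is not positive.</exception>
    public static X509Certificate2 CreateTlsCertificate(string commonName, X509Certificate2 caCertificate, int keySize, int days, params string[] subjectAltNames)
    {
        if (string.IsNullOrWhiteSpace(commonName))
        {
            throw new ArgumentException("A common name is required.", nameof(commonName));
        }
        if (caCertificate is null)
        {
            throw new ArgumentNullException(nameof(caCertificate));
        }
        if (!caCertificate.HasPrivateKey)
        {
            throw new ArgumentException("The issuing certificate must carry its private key.", nameof(caCertificate));
        }
        if (days <= 0)
        {
            throw new ArgumentOutOfRangeException(nameof(days), "Validity must be at least one day.");
        }
        if (subjectAltNames is null || subjectAltNames.Length == 0)
        {
            throw new ArgumentException("At least one subject alternative name is required.", nameof(subjectAltNames));
        }

        string subjectName = $"CN = {commonName}";
        DateTimeOffset notBefore = DateTimeOffset.UtcNow;
        DateTimeOffset notAfter = notBefore.AddDays(days);

        using (var rsa = RSA.Create(keySize))
        {
            var certificateRequest = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            AddExtension(certificateRequest.CertificateExtensions, subjectAltNames);

            // Create() returns a public-only certificate; attach the key, then export/re-import
            // so the returned object owns a persisted copy and the intermediates can be disposed.
            using (X509Certificate2 publicOnly = certificateRequest.Create(caCertificate, notBefore, notAfter, CreateSerialNumber()))
            using (X509Certificate2 withKey = publicOnly.CopyWithPrivateKey(rsa))
            {
                return new X509Certificate2(withKey.Export(X509ContentType.Pfx));
            }
        }
    }

    /// <summary>
    /// Creates a self-signed RSA/SHA-256 CA certificate with a path length constraint of 1.
    /// </summary>
    /// <param name="commonName">Subject CN of the CA.</param>
    /// <param name="keySize">RSA modulus size in bits.</param>
    /// <param name="days">Validity in days starting now (UTC).</param>
    /// <returns>A CA certificate that carries its private key and can be passed to <see cref="CreateTlsCertificate"/>.</returns>
    /// <exception cref="ArgumentException"><paramref name="commonName"/> is blank.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="days"/> is not positive.</exception>
    public static X509Certificate2 CreateCA(string commonName, int keySize, int days)
    {
        if (string.IsNullOrWhiteSpace(commonName))
        {
            throw new ArgumentException("A common name is required.", nameof(commonName));
        }
        if (days <= 0)
        {
            throw new ArgumentOutOfRangeException(nameof(days), "Validity must be at least one day.");
        }

        string subjectName = $"CN = {commonName}";
        DateTimeOffset notBefore = DateTimeOffset.UtcNow;
        DateTimeOffset notAfter = notBefore.AddDays(days);

        using (var rsa = RSA.Create(keySize))
        {
            var certificateRequest = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            // cA=true, pathLength 1, critical (RFC 5280 §4.2.1.9).
            certificateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 1, true));
            // A CA key is only meant to sign certificates and CRLs; mark the usage critical (RFC 5280 §4.2.1.3).
            certificateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
                true));
            // Subject Key Identifier lets relying parties locate this CA in a chain.
            certificateRequest.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(certificateRequest.PublicKey, false));
            return certificateRequest.CreateSelfSigned(notBefore, notAfter);
        }
    }
}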
下面是生成CA证书并且签发一个TLS证书的例子
// The CA has to exist first: its private key signs the leaf certificate.
X509Certificate2 ca = TLSCertificate.CreateCA("LeiKaiFeng", 2048, 365);

// Leaf certificate for the site, with the host names listed as Subject Alternative Names.
X509Certificate2 tlsX509Certificate2 = TLSCertificate.CreateTlsCertificate(
    "pornhub.com",
    ca,
    2048,
    365,
    "pornhub.com",
    "*.pornhub.com");
值得注意的地方是：返回的 X509Certificate2 都包含私钥；导出时若选用的格式不同，导出结果可能不包含私钥。
keySize 小于 1024 时浏览器会报错；subjectAltNames 参数至少要填一个，现代浏览器基本都要求该扩展，否则不会信任该证书。
.Net 动态签发TLS证书并且Chrome不报错的简陋实现
原文地址:https://www.cnblogs.com/leikaifeng/p/14416096.html