RSA数字证书管理分为以下几个部分:
1:在存储区内创建数字证书;
2:导出数字证书私钥;
3:导出数字证书公钥;
4:导入数字证书;
5:读取数字证书。
1:在.net开发环境中,在证书存储区内创建数字证书
数字证书生成,需要指定证书主题,以及本机makecert.exe程序路径,因为证书制作实际上还是用makecert.exe来生成的。生成数字证书代码 如下:
/// <summary>
/// 根据指定的证书名和makecert全路径生成证书(包含公钥和私钥,并保存在MY存储区)
/// </summary>
/// <param name="subjectName"></param>
/// <param name="makecertPath"></param>
/// <returns></returns>
public static bool CreateCertWithPrivateKey(string subjectName, string makecertPath)
{
subjectName = "CN=" + subjectName;
string param = " -pe -ss my -n \"" + subjectName + "\" ";
try
{
Process p = Process.Start(makecertPath, param);
p.WaitForExit();
p.Close();
}
catch (Exception e)
{
return false;
}
return true;
}
2:导出数字证书公钥
导出数字证书的公钥(cer)需要指定需要导出的证书主题,并指定路径,从系统证书存储区导出cer公钥文件,代码如下:
/// <summary>
/// 从WINDOWS证书存储区的个人MY区找到主题为subjectName的证书,并导出为CER文件
/// </summary>
/// <param name="subjectName"></param>
/// <param name="cerFileName"></param>
/// <returns></returns>
public static bool ExportToCerFile(string subjectName, string cerFileName)
{
subjectName = "CN=" + subjectName;
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
var storecollection = store.Certificates;
foreach (var x509 in storecollection)
{
if (x509.Subject == subjectName)
{
Debug.Print(string.Format("certificate name: {0}", x509.Subject));
//byte[] pfxByte = x509.Export(X509ContentType.Pfx, password);
byte[] cerByte = x509.Export(X509ContentType.Cert);
using (var fileStream = new FileStream(cerFileName, FileMode.Create))
{
// Write the data to the file, byte by byte.
; i < cerByte.Length; i++)
fileStream.WriteByte(cerByte[i]);
// Set the stream position to the beginning of the file.
fileStream.Seek(, SeekOrigin.Begin);
// Read and verify the data.
; i < fileStream.Length; i++)
{
if (cerByte[i] != fileStream.ReadByte())
{
fileStream.Close();
return false;
}
}
fileStream.Close();
}
}
}
store.Close();
store = null;
storecollection = null;
return true;
}
3:导出数字证书私钥
导出数字证书的私钥(pfx)需要指定需要导出的证书主题,私钥证书密码,以及保存路径,从系统证书存储区导出pfx私钥文件,代码如下:
/// <summary>
/// 从WINDOWS证书存储区的个人MY区找到主题为subjectName的证书,
/// 并导出为pfx文件,同时为其指定一个密码
/// 并将证书从个人区删除(如果isDelFromstore为true)
/// </summary>
/// <param name="subjectName">证书主题,不包含CN=</param>
/// <param name="pfxFileName">pfx文件名</param>
/// <param name="password">pfx文件密码</param>
/// <param name="isDelFromStore">是否从存储区删除</param>
/// <returns></returns>
public static bool ExportToPfxFile(string subjectName, string pfxFileName,
string password, bool isDelFromStore)
{
subjectName = "CN=" + subjectName;
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
var storecollection = store.Certificates;
foreach (var x509 in storecollection)
{
if (x509.Subject == subjectName)
{
Debug.Print(string.Format("certificate name: {0}", x509.Subject));
byte[] pfxByte = x509.Export(X509ContentType.Pfx, password);
using (var fileStream = new FileStream(pfxFileName, FileMode.Create))
{
// Write the data to the file, byte by byte.
; i < pfxByte.Length; i++)
fileStream.WriteByte(pfxByte[i]);
// Set the stream position to the beginning of the file.
fileStream.Seek(, SeekOrigin.Begin);
// Read and verify the data.
; i < fileStream.Length; i++)
{
if (pfxByte[i] != fileStream.ReadByte())
{
fileStream.Close();
return false;
}
}
fileStream.Close();
}
if (isDelFromStore == true)
store.Remove(x509);
}
}
store.Close();
store = null;
storecollection = null;
return true;
}
4:导入数字证书
在获取了数字证书的公钥与私钥文件之后,
服务器端导入pfx数字证书(私钥),在客户端导入cer数字证书(公钥)。具体导入注意事项如下:
1:数字证书(cer,pfx)导入的存储位置选择“本地计算机”;
2:私钥证书(pfx)导入需要输入数字证书生成密码,并且勾选”标志此密钥为可导出的密钥…“复选框;
3:指定证书导入位置,浏览选择项:“可信任人”选项;
服务器端及客户端均按照上述流程导入即可。
5:读取数字证书
读取私钥证书:
/// <summary>
/// 根据私钥证书得到证书实体,得到实体后可以根据其公钥和私钥进行加解密
/// 加解密函数使用DEncrypt的RSACryption类
/// </summary>
/// <param name="pfxFileName"></param>
/// <param name="password"></param>
/// <returns></returns>
public static X509Certificate2 GetCertificateFromPfxFile(string pfxFileName,
string password)
{
try
{
return new X509Certificate2(pfxFileName, password, X509KeyStorageFlags.Exportable);
}
catch (Exception e)
{
return null;
}
}
读取公钥证书:
/// <summary>
/// 根据公钥证书,返回证书实体
/// </summary>
/// <param name="cerPath"></param>
public static X509Certificate2 GetCertFromCerFile(string cerPath)
{
try
{
return new X509Certificate2(cerPath);
}
catch (Exception e)
{
return null;
}
}