Net8 使用BouncyCastle 生成自签名证书

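/// <summary>
/// Generates a fresh RSA key pair seeded from the platform CSPRNG.
/// </summary>
/// <param name="keySizeBits">RSA modulus size in bits. Defaults to 2048 (the previous hard-coded value); smaller sizes are rejected.</param>
/// <returns>The generated public/private key pair.</returns>
/// <exception cref="ArgumentOutOfRangeException">Thrown when <paramref name="keySizeBits"/> is below 2048.</exception>
private AsymmetricCipherKeyPair GenerateKeyPair(int keySizeBits = 2048)
{
    // Keys shorter than 2048 bits are no longer accepted by current TLS stacks, so refuse them up front.
    ArgumentOutOfRangeException.ThrowIfLessThan(keySizeBits, 2048, nameof(keySizeBits));

    // CryptoApiRandomGenerator wraps the OS random source rather than a seeded software PRNG.
    var random = new SecureRandom(new CryptoApiRandomGenerator());
    var generator = new RsaKeyPairGenerator();
    generator.Init(new KeyGenerationParameters(random, keySizeBits));
    return generator.GenerateKeyPair();
}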
 
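/// <summary>
/// Builds a self-signed root CA certificate for <paramref name="keyPair"/>, valid for one year from now.
/// </summary>
/// <param name="keyPair">Key pair whose public key is certified and whose private key signs the certificate.</param>
/// <param name="subject">Distinguished name used as both subject and issuer, e.g. <c>"CN=Root CA"</c>.</param>
/// <param name="ipAddresses">IP addresses written into the SubjectAlternativeName extension; may be empty.</param>
/// <returns>The signed root certificate.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="keyPair"/> or <paramref name="ipAddresses"/> is null.</exception>
/// <exception cref="ArgumentException">Thrown when <paramref name="subject"/> is null or blank.</exception>
private X509Certificate GenerateRootCertificate(AsymmetricCipherKeyPair keyPair, string subject, string[] ipAddresses)
{
    ArgumentNullException.ThrowIfNull(keyPair);
    ArgumentException.ThrowIfNullOrWhiteSpace(subject);
    ArgumentNullException.ThrowIfNull(ipAddresses);

    var signatureFactory = new Asn1SignatureFactory("SHA256WithRSA", keyPair.Private, null);
    var certGenerator = new X509V3CertificateGenerator();

    // RFC 5280 requires a unique positive serial number. DateTime.Now.Ticks is predictable and can repeat
    // when two certificates are generated within the same tick, so draw 16 bytes from the platform CSPRNG.
    byte[] serialBytes = System.Security.Cryptography.RandomNumberGenerator.GetBytes(16);
    serialBytes[0] &= 0x7F; // top bit clear: the DER INTEGER needs no sign-pad byte and stays 16 bytes
    serialBytes[0] |= 0x40; // and the value can never be zero
    certGenerator.SetSerialNumber(new BigInteger(1, serialBytes));

    // Self-signed: issuer and subject carry the same name.
    var name = new X509Name(subject);
    certGenerator.SetIssuerDN(name);
    certGenerator.SetSubjectDN(name);

    // Single timestamp so NotAfter is exactly one year after NotBefore.
    DateTime now = DateTime.UtcNow;
    certGenerator.SetNotBefore(now);
    certGenerator.SetNotAfter(now.AddYears(1));
    certGenerator.SetPublicKey(keyPair.Public);

    // A v3 certificate is only treated as an issuer when it says so: basicConstraints CA:true plus the
    // keyCertSign key usage. Without them most chain builders refuse the leaf certificates signed with this key.
    certGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    certGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.KeyCertSign | KeyUsage.CrlSign));

    // A SAN on a CA is unusual but kept because callers pass the same list for root and leaf certificates.
    // An empty GeneralNames SEQUENCE is not valid DER, so the extension is skipped when there are no entries.
    if (ipAddresses.Length > 0)
    {
        var altNames = new Asn1EncodableVector();
        foreach (string ipAddress in ipAddresses)
        {
            altNames.Add(new GeneralName(GeneralName.IPAddress, ipAddress));
        }
        certGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, new DerSequence(altNames));
    }

    return certGenerator.Generate(signatureFactory);
}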
 
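/// <summary>
/// Builds an end-entity certificate for <paramref name="keyPair"/>, signed with the issuer's private key.
/// </summary>
/// <param name="keyPair">Key pair of the certificate holder; only its public key is used.</param>
/// <param name="issuerCert">Issuing certificate. Its subject becomes this certificate's issuer and its NotAfter caps the validity.</param>
/// <param name="issuerKey">Private key of the issuer, used to sign.</param>
/// <param name="subject">Subject distinguished name, e.g. <c>"CN=Server"</c>.</param>
/// <param name="ipAddresses">IP addresses written into the SubjectAlternativeName extension; may be empty.</param>
/// <returns>The signed leaf certificate, valid for one year from now but never beyond the issuer's NotAfter.</returns>
/// <exception cref="ArgumentNullException">Thrown when a reference parameter is null.</exception>
/// <exception cref="ArgumentException">Thrown when <paramref name="subject"/> is null or blank.</exception>
private X509Certificate GenerateCertificate(AsymmetricCipherKeyPair keyPair, X509Certificate issuerCert, AsymmetricKeyParameter issuerKey, string subject, string[] ipAddresses)
{
    ArgumentNullException.ThrowIfNull(keyPair);
    ArgumentNullException.ThrowIfNull(issuerCert);
    ArgumentNullException.ThrowIfNull(issuerKey);
    ArgumentException.ThrowIfNullOrWhiteSpace(subject);
    ArgumentNullException.ThrowIfNull(ipAddresses);

    var signatureFactory = new Asn1SignatureFactory("SHA256WithRSA", issuerKey, null);
    var certGenerator = new X509V3CertificateGenerator();

    // RFC 5280 requires a unique positive serial number. DateTime.Now.Ticks is predictable and can repeat
    // when two certificates are generated within the same tick, so draw 16 bytes from the platform CSPRNG.
    byte[] serialBytes = System.Security.Cryptography.RandomNumberGenerator.GetBytes(16);
    serialBytes[0] &= 0x7F; // top bit clear: the DER INTEGER needs no sign-pad byte and stays 16 bytes
    serialBytes[0] |= 0x40; // and the value can never be zero
    certGenerator.SetSerialNumber(new BigInteger(1, serialBytes));

    certGenerator.SetIssuerDN(issuerCert.SubjectDN);
    certGenerator.SetSubjectDN(new X509Name(subject));

    // A leaf that outlives its issuer fails strict path validation, so clamp NotAfter to the issuer's.
    DateTime now = DateTime.UtcNow;
    DateTime notAfter = now.AddYears(1);
    if (notAfter > issuerCert.NotAfter)
    {
        notAfter = issuerCert.NotAfter;
    }
    certGenerator.SetNotBefore(now);
    certGenerator.SetNotAfter(notAfter);
    certGenerator.SetPublicKey(keyPair.Public);

    // Mark this as an end-entity certificate: it must not be usable to sign further certificates,
    // and its key is intended for signatures and key transport (TLS).
    certGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));

    // An empty GeneralNames SEQUENCE is not valid DER, so the SAN is only added when there are entries.
    if (ipAddresses.Length > 0)
    {
        var altNames = new Asn1EncodableVector();
        foreach (string ipAddress in ipAddresses)
        {
            altNames.Add(new GeneralName(GeneralName.IPAddress, ipAddress));
        }
        certGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, new DerSequence(altNames));
    }

    return certGenerator.Generate(signatureFactory);
}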
 
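/// <summary>
/// Writes a certificate and its private key to two separate PEM files.
/// </summary>
/// <param name="certFileName">Path of the certificate PEM file; overwritten if present.</param>
/// <param name="keyFileName">Path of the private-key PEM file; overwritten if present.</param>
/// <param name="cert">Certificate to write.</param>
/// <param name="key">Private key to write. It is stored unencrypted, so the file is created owner-only on Unix.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="cert"/> or <paramref name="key"/> is null.</exception>
/// <exception cref="ArgumentException">Thrown when a file name is null or blank.</exception>
private void SaveToPem(string certFileName, string keyFileName, X509Certificate cert, AsymmetricKeyParameter key)
{
    ArgumentException.ThrowIfNullOrWhiteSpace(certFileName);
    ArgumentException.ThrowIfNullOrWhiteSpace(keyFileName);
    ArgumentNullException.ThrowIfNull(cert);
    ArgumentNullException.ThrowIfNull(key);

    // The certificate is public material; a plain text file with default permissions is fine.
    using (TextWriter certWriter = File.CreateText(certFileName))
    {
        var certPem = new PemWriter(certWriter);
        certPem.WriteObject(cert);
        certPem.Writer.Flush();
    }

    // The key is written in the clear (no password is passed to WriteObject), so restrict the file to its
    // owner at creation time. Setting the mode afterwards would leave a window in which the default umask
    // makes the key readable by other local users.
    var keyFileOptions = new FileStreamOptions
    {
        Mode = FileMode.Create,
        Access = FileAccess.Write,
        Share = FileShare.None,
    };
    if (!OperatingSystem.IsWindows())
    {
        keyFileOptions.UnixCreateMode = UnixFileMode.UserRead | UnixFileMode.UserWrite;
    }
    using (var keyStream = new FileStream(keyFileName, keyFileOptions))
    using (TextWriter keyWriter = new StreamWriter(keyStream))
    {
        var keyPem = new PemWriter(keyWriter);
        keyPem.WriteObject(key);
        keyPem.Writer.Flush();
    }
}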
 
 
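/// <summary>
/// Writes <paramref name="certificate"/> to a PKCS#12 (PFX) file protected by <paramref name="password"/>.
/// </summary>
/// <param name="certificate">Certificate to export. The PFX contains a private key only when <see cref="X509Certificate2.HasPrivateKey"/> is true.</param>
/// <param name="fileName">Destination path; overwritten if it exists.</param>
/// <param name="password">PFX password. <c>Export</c> accepts null, which yields an unprotected file.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="certificate"/> is null.</exception>
/// <exception cref="ArgumentException">Thrown when <paramref name="fileName"/> is null or blank.</exception>
public static void ExportCertificateToPfx(X509Certificate2 certificate, string fileName, string password)
{
    ArgumentNullException.ThrowIfNull(certificate);
    ArgumentException.ThrowIfNullOrWhiteSpace(fileName);

    byte[] pfx = certificate.Export(X509ContentType.Pfx, password);
    File.WriteAllBytes(fileName, pfx);
}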
 
/// <summary>
/// Loads an X.509 certificate from <paramref name="certFilePath"/> with the BouncyCastle parser.
/// </summary>
/// <param name="certFilePath">Path of the certificate file, e.g. one written by <c>SaveToPem</c>.</param>
/// <returns>The parsed certificate.</returns>
public X509Certificate LoadBouncyCastleCertificate(string certFilePath)
{
    // The parser works on the raw file bytes, so the whole file is read into memory first.
    byte[] encoded = File.ReadAllBytes(certFilePath);
    var parser = new X509CertificateParser();
    // NOTE(review): ReadCertificate is expected to return null rather than throw when the bytes hold no
    // certificate — confirm before callers rely on a non-null result.
    return parser.ReadCertificate(encoded);
}
 
 
 public void GenerateCertificates()
 {
     string[] ipAddresses = { "192.168.0.101", "10.0.0.1" };
 
     // 生成根证书
     AsymmetricCipherKeyPair rootKeyPair = GenerateKeyPair();
     X509Certificate rootCert = GenerateRootCertificate(rootKeyPair, "CN=Root CA", ipAddresses);
 
     // 生成客户端证书
     AsymmetricCipherKeyPair clientKeyPair = GenerateKeyPair();
     X509Certificate clientCert = GenerateCertificate(clientKeyPair, rootCert, rootKeyPair.Private, "CN=Client", ipAddresses);
 
     // 生成服务端证书
     AsymmetricCipherKeyPair serverKeyPair = GenerateKeyPair();
     X509Certificate serverCert = GenerateCertificate(serverKeyPair, rootCert, rootKeyPair.Private, "CN=Server", ipAddresses);
 
 
     // 将证书和私钥保存为PEM格式的文件
     // 将证书和私钥分别保存为PEM格式的文件
     SaveToPem("bouncyCastle/ca.crt", "bouncyCastle/ca.key", rootCert, rootKeyPair.Private);
     SaveToPem("bouncyCastle/client.crt", "bouncyCastle/client.key", clientCert, clientKeyPair.Private);
     SaveToPem("bouncyCastle/server.crt", "bouncyCastle/server.key", serverCert, serverKeyPair.Private);
 
 
     // Convert to X509Certificate2 format
     X509Certificate2 certRoot = new X509Certificate2(rootCert.GetEncoded());
     ExportCertificateToPfx(certRoot, "bouncyCastle/ca.pfx", "123456");
 
     X509Certificate2 certServer = new X509Certificate2(serverCert.GetEncoded());
     ExportCertificateToPfx(certServer, "bouncyCastle/server.pfx", "123456");
 
     X509Certificate2 certClient = new X509Certificate2(clientCert.GetEncoded());
     ExportCertificateToPfx(certClient, "bouncyCastle/client.pfx", "123456");
 }

  源码地址 https://github.com/zhenglong2015/CAManager
