Net8 使用BouncyCastle 生成自签名证书
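/// <summary>RSA modulus size used for every key pair generated here.</summary>
private const int RsaKeySizeBits = 2048;

/// <summary>Signature algorithm used for the root and the leaf certificates.</summary>
private const string SignatureAlgorithm = "SHA256WithRSA";

/// <summary>How many years each certificate stays valid after creation.</summary>
private const int ValidityYears = 1;

/// <summary>
/// Minutes to back-date NotBefore so a certificate is usable on machines
/// whose clock runs slightly behind the generating machine.
/// </summary>
private const int ClockSkewMinutes = 5;

/// <summary>Directory the PEM and PFX files are written to.</summary>
private const string OutputDirectory = "bouncyCastle";

/// <summary>
/// Generates a fresh RSA key pair of <see cref="RsaKeySizeBits"/> bits,
/// seeded from the operating-system CSPRNG.
/// </summary>
/// <returns>The public/private key pair.</returns>
private AsymmetricCipherKeyPair GenerateKeyPair()
{
    var generator = new RsaKeyPairGenerator();
    generator.Init(new KeyGenerationParameters(
        new SecureRandom(new CryptoApiRandomGenerator()),
        RsaKeySizeBits));
    return generator.GenerateKeyPair();
}

/// <summary>
/// Produces a random, positive serial number.
/// </summary>
/// <remarks>
/// The original code used <c>DateTime.Now.Ticks</c>, which is predictable and can
/// repeat; RFC 5280 requires a positive integer of at most 20 octets, and a
/// CSPRNG-derived serial is the accepted practice. 127 random bits keep the DER
/// encoding at 16 octets; <c>SetBit(0)</c> rules out zero.
/// </remarks>
/// <returns>A serial number suitable for <see cref="X509V3CertificateGenerator.SetSerialNumber"/>.</returns>
private static BigInteger NewSerialNumber()
{
    return new BigInteger(127, new SecureRandom()).SetBit(0);
}

/// <summary>
/// Sets NotBefore/NotAfter from a single UTC timestamp so both bounds agree.
/// </summary>
/// <param name="certGenerator">Generator whose validity window is set.</param>
private static void SetValidity(X509V3CertificateGenerator certGenerator)
{
    DateTime now = DateTime.UtcNow;
    // Back-dated slightly: a NotBefore of "exactly now" is rejected by peers whose clock lags.
    certGenerator.SetNotBefore(now.AddMinutes(-ClockSkewMinutes));
    certGenerator.SetNotAfter(now.AddYears(ValidityYears));
}

/// <summary>
/// Builds a SubjectAltName value holding one iPAddress entry per address.
/// </summary>
/// <param name="ipAddresses">Textual IPv4/IPv6 addresses; must be non-empty (RFC 5280 forbids an empty SAN).</param>
/// <returns>The GeneralNames structure to attach as the SAN extension.</returns>
private static GeneralNames BuildSubjectAltName(string[] ipAddresses)
{
    GeneralName[] names = Array.ConvertAll(
        ipAddresses,
        ip => new GeneralName(GeneralName.IPAddress, ip));
    return new GeneralNames(names);
}

/// <summary>
/// Creates a self-signed root CA certificate.
/// </summary>
/// <param name="keyPair">Key pair of the CA; the private half signs the certificate.</param>
/// <param name="subject">Distinguished name, e.g. <c>CN=Root CA</c>; used as both issuer and subject.</param>
/// <param name="ipAddresses">Addresses placed in SubjectAltName; the extension is omitted when empty.</param>
/// <returns>The signed root certificate.</returns>
/// <exception cref="ArgumentNullException">Any argument is null.</exception>
private X509Certificate GenerateRootCertificate(AsymmetricCipherKeyPair keyPair, string subject, string[] ipAddresses)
{
    ArgumentNullException.ThrowIfNull(keyPair);
    ArgumentNullException.ThrowIfNull(subject);
    ArgumentNullException.ThrowIfNull(ipAddresses);

    var signatureFactory = new Asn1SignatureFactory(SignatureAlgorithm, keyPair.Private, null);
    var certGenerator = new X509V3CertificateGenerator();
    var dn = new X509Name(subject);

    certGenerator.SetSerialNumber(NewSerialNumber());
    certGenerator.SetIssuerDN(dn);
    certGenerator.SetSubjectDN(dn);
    SetValidity(certGenerator);
    certGenerator.SetPublicKey(keyPair.Public);

    // A v3 certificate without BasicConstraints cA=TRUE is not a CA: validators
    // reject chains whose leaf was signed by it. KeyUsage limits the CA key to signing
    // certificates and CRLs. Both are marked critical as RFC 5280 recommends for CAs.
    certGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    certGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.KeyCertSign | KeyUsage.CrlSign));

    if (ipAddresses.Length > 0)
    {
        certGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, BuildSubjectAltName(ipAddresses));
    }

    return certGenerator.Generate(signatureFactory);
}

/// <summary>
/// Creates an end-entity certificate signed by the given issuer.
/// </summary>
/// <param name="keyPair">Key pair of the subject; only its public half enters the certificate.</param>
/// <param name="issuerCert">Issuer certificate; its subject DN becomes this certificate's issuer DN.</param>
/// <param name="issuerKey">Issuer private key used to sign.</param>
/// <param name="subject">Distinguished name of the subject, e.g. <c>CN=Server</c>.</param>
/// <param name="ipAddresses">Addresses placed in SubjectAltName; the extension is omitted when empty.</param>
/// <returns>The signed end-entity certificate.</returns>
/// <exception cref="ArgumentNullException">Any argument is null.</exception>
private X509Certificate GenerateCertificate(AsymmetricCipherKeyPair keyPair, X509Certificate issuerCert, AsymmetricKeyParameter issuerKey, string subject, string[] ipAddresses)
{
    ArgumentNullException.ThrowIfNull(keyPair);
    ArgumentNullException.ThrowIfNull(issuerCert);
    ArgumentNullException.ThrowIfNull(issuerKey);
    ArgumentNullException.ThrowIfNull(subject);
    ArgumentNullException.ThrowIfNull(ipAddresses);

    var signatureFactory = new Asn1SignatureFactory(SignatureAlgorithm, issuerKey, null);
    var certGenerator = new X509V3CertificateGenerator();

    certGenerator.SetSerialNumber(NewSerialNumber());
    certGenerator.SetIssuerDN(issuerCert.SubjectDN);
    certGenerator.SetSubjectDN(new X509Name(subject));
    SetValidity(certGenerator);
    certGenerator.SetPublicKey(keyPair.Public);

    // Explicitly not a CA, and restricted to the key usages a TLS endpoint needs.
    certGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));

    if (ipAddresses.Length > 0)
    {
        certGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, BuildSubjectAltName(ipAddresses));
    }

    return certGenerator.Generate(signatureFactory);
}

/// <summary>
/// Writes a certificate and its private key as two PEM files.
/// </summary>
/// <param name="certFileName">Path of the certificate PEM file (created or overwritten).</param>
/// <param name="keyFileName">Path of the private-key PEM file (created or overwritten).</param>
/// <param name="cert">Certificate to write.</param>
/// <param name="key">Private key to write.</param>
/// <remarks>
/// The key is written unencrypted; protect the file with filesystem permissions
/// or encrypt it before moving it anywhere else.
/// </remarks>
private void SaveToPem(string certFileName, string keyFileName, X509Certificate cert, AsymmetricKeyParameter key)
{
    ArgumentNullException.ThrowIfNull(cert);
    ArgumentNullException.ThrowIfNull(key);

    // Disposing the TextWriter flushes it, so no explicit Flush() is needed.
    using (TextWriter certWriter = File.CreateText(certFileName))
    {
        new PemWriter(certWriter).WriteObject(cert);
    }

    using (TextWriter keyWriter = File.CreateText(keyFileName))
    {
        new PemWriter(keyWriter).WriteObject(key);
    }
}

/// <summary>
/// Exports a .NET certificate (with its private key, if attached) as a password-protected PFX file.
/// </summary>
/// <param name="certificate">Certificate to export.</param>
/// <param name="fileName">Destination path (created or overwritten).</param>
/// <param name="password">Password protecting the PFX.</param>
/// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
public static void ExportCertificateToPfx(X509Certificate2 certificate, string fileName, string password)
{
    ArgumentNullException.ThrowIfNull(certificate);
    File.WriteAllBytes(fileName, certificate.Export(X509ContentType.Pfx, password));
}

/// <summary>
/// Reads a DER or PEM encoded certificate file produced by this class.
/// </summary>
/// <param name="certFilePath">Path of the certificate file.</param>
/// <returns>The parsed Bouncy Castle certificate.</returns>
public X509Certificate LoadBouncyCastleCertificate(string certFilePath)
{
    var parser = new X509CertificateParser();
    return parser.ReadCertificate(File.ReadAllBytes(certFilePath));
}

/// <summary>
/// Converts a Bouncy Castle certificate plus its RSA private key into a .NET
/// <see cref="X509Certificate2"/> that carries the key.
/// </summary>
/// <remarks>
/// Building the X509Certificate2 from <c>GetEncoded()</c> alone yields a public-only
/// certificate, so a PFX exported from it would contain no private key.
/// </remarks>
/// <param name="cert">Certificate to convert.</param>
/// <param name="privateKey">Matching RSA private key (CRT form, as produced by <see cref="GenerateKeyPair"/>).</param>
/// <returns>A certificate with the private key attached; the caller owns and disposes it.</returns>
/// <exception cref="ArgumentException"><paramref name="privateKey"/> is not an RSA CRT key.</exception>
private static X509Certificate2 ToX509Certificate2WithPrivateKey(X509Certificate cert, AsymmetricKeyParameter privateKey)
{
    ArgumentNullException.ThrowIfNull(cert);
    if (privateKey is not Org.BouncyCastle.Crypto.Parameters.RsaPrivateCrtKeyParameters rsaKey)
    {
        throw new ArgumentException("Only RSA (CRT) private keys are supported.", nameof(privateKey));
    }

    using var rsa = DotNetUtilities.ToRSA(rsaKey);
    using var publicOnly = new X509Certificate2(cert.GetEncoded());
    return publicOnly.CopyWithPrivateKey(rsa);
}

/// <summary>
/// Generates a root CA plus a client and a server certificate signed by it, and
/// writes each as PEM (certificate + key) and as a PFX under <see cref="OutputDirectory"/>.
/// </summary>
/// <param name="pfxPassword">
/// Password for the PFX files. The default is the sample value from the original
/// listing and is kept only for compatibility; pass a real secret.
/// </param>
public void GenerateCertificates(string pfxPassword = "123456")
{
    // File.CreateText does not create missing directories.
    Directory.CreateDirectory(OutputDirectory);

    string[] ipAddresses = ["192.168.0.101", "10.0.0.1"];

    // Root CA
    AsymmetricCipherKeyPair rootKeyPair = GenerateKeyPair();
    X509Certificate rootCert = GenerateRootCertificate(rootKeyPair, "CN=Root CA", ipAddresses);

    // Client certificate
    AsymmetricCipherKeyPair clientKeyPair = GenerateKeyPair();
    X509Certificate clientCert = GenerateCertificate(clientKeyPair, rootCert, rootKeyPair.Private, "CN=Client", ipAddresses);

    // Server certificate
    AsymmetricCipherKeyPair serverKeyPair = GenerateKeyPair();
    X509Certificate serverCert = GenerateCertificate(serverKeyPair, rootCert, rootKeyPair.Private, "CN=Server", ipAddresses);

    // Certificates and private keys as PEM files
    SaveToPem("bouncyCastle/ca.crt", "bouncyCastle/ca.key", rootCert, rootKeyPair.Private);
    SaveToPem("bouncyCastle/client.crt", "bouncyCastle/client.key", clientCert, clientKeyPair.Private);
    SaveToPem("bouncyCastle/server.crt", "bouncyCastle/server.key", serverCert, serverKeyPair.Private);

    // PFX files, each carrying its private key
    using (X509Certificate2 certRoot = ToX509Certificate2WithPrivateKey(rootCert, rootKeyPair.Private))
    {
        ExportCertificateToPfx(certRoot, "bouncyCastle/ca.pfx", pfxPassword);
    }

    using (X509Certificate2 certServer = ToX509Certificate2WithPrivateKey(serverCert, serverKeyPair.Private))
    {
        ExportCertificateToPfx(certServer, "bouncyCastle/server.pfx", pfxPassword);
    }

    using (X509Certificate2 certClient = ToX509Certificate2WithPrivateKey(clientCert, clientKeyPair.Private))
    {
        ExportCertificateToPfx(certClient, "bouncyCastle/client.pfx", pfxPassword);
    }
}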