Generating a DKIM public/private key pair

Generating a key pair with an online tool

You can generate a public/private key pair with the site below (generating keys on an external website is, of course, not secure; use it only for testing):
https://easydmarc.com/tools/dkim-record-generator

Generating a key pair via a certificate

Creating a certificate with OpenSSL

※ Reference links:
https://serverfault.com/questions/889581/how-to-generate-a-pem-certificate-in-an-easy-way-for-testing
https://stackoverflow.com/questions/808669/convert-a-cert-pem-certificate-to-a-pfx-certificate

Creating a certificate with OpenSSL

1. Install OpenSSL: first install OpenSSL on your machine. The appropriate version for your operating system can be downloaded from the OpenSSL website (https://www.openssl.org/).
   The official site only provides source code, not installers; if you just need an installer, download the matching OpenSSL installer from https://slproweb.com/products/Win32OpenSSL.html.
   Alternatively, if Git is installed, openssl is available in C:\Program Files\Git\mingw64\bin and can be used directly to create the certificate.

2. openssl req -new -newkey rsa:4096 -nodes -keyout C:\GitLab\dkim\snakeoil.key -out C:\GitLab\dkim\snakeoil.csr
   This generates a key file named snakeoil.key and a CSR file named snakeoil.csr.
   While generating the CSR you will be asked for some certificate details, such as the organization name and the common name (CN).

3. openssl x509 -req -sha256 -days 365 -in C:\GitLab\dkim\snakeoil.csr -signkey C:\GitLab\dkim\snakeoil.key -out C:\GitLab\dkim\snakeoil.pem
   This generates the snakeoil.pem certificate from snakeoil.csr, self-signed with snakeoil.key.

4. openssl pkcs12 -inkey C:\GitLab\dkim\snakeoil.key -in C:\GitLab\dkim\snakeoil.pem -export -out C:\GitLab\dkim\rootCA.pfx
   This bundles snakeoil.pem and snakeoil.key into the PFX file rootCA.pfx.
   While generating the PFX you will be prompted for a password.

Creating a certificate with C# code

.NET places a restriction on certificates it creates: as a security measure against accidental leakage, the certificate's private key normally cannot be exported (the AllowPlaintextExport property of the RSACng class is no longer available).
This restriction can, however, be bypassed by other means; see the code below.

Creating the certificate

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

/// <summary>
/// Use this method to create a certificate
/// </summary>
/// <returns></returns>
public static X509Certificate2 CreateCertificateWithPrivateKey()
{
    // Create the RSA key pair (CreateSelfSigned copies the key into the certificate, so this instance can be disposed afterwards)
    using RSA rsa = RSA.Create();

    // Create the certificate request
    CertificateRequest request = new CertificateRequest("CN=My Certificate", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Add extensions (optional)
    request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
    request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, false));

    // Create the self-signed certificate
    X509Certificate2 certificate = request.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddYears(1));

    //var content = certificate.Export(X509ContentType.Pfx, password);
    //File.WriteAllBytes(exportPath, content);
    return certificate;
}
```

Exporting the certificate's private key

```csharp
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

/// <summary>
/// Use this method to export the private key.
/// A certificate created by C# code does not support exporting its private key;
/// use this method to make the private key exportable.
/// Refer to: https://stackoverflow.com/questions/65242917/unable-to-export-rsa-private-parameters-when-running-as-administrator
/// For now, no method has been found to export the private key on .NET Framework.
/// </summary>
/// <param name="cert"></param>
/// <returns></returns>
public static RSA GetExportableRSAPrivateKey(X509Certificate2 cert)
{
    const CngExportPolicies exportability = CngExportPolicies.AllowExport | CngExportPolicies.AllowPlaintextExport;

    var rsa = cert.GetRSAPrivateKey();

    // Thankfully we don't have to deal with all this on Linux
    if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
        return rsa;

    // We always expect an RSACng on Windows these days, but that could change
    if (!(rsa is RSACng rsaCng))
        return rsa;

    // Is the AllowPlaintextExport policy flag already set (or is the key not exportable at all)? Then there is nothing to do.
    if ((rsaCng.Key.ExportPolicy & exportability) != CngExportPolicies.AllowExport)
        return rsa;

    try
    {
        // Export the original RSA private key to an encrypted blob - note you will get "The requested operation
        // is not supported" if trying to export without encryption, so we export with encryption!
        var exported = rsa.ExportEncryptedPkcs8PrivateKey(nameof(GetExportableRSAPrivateKey),
            new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 2048));

        // Load the exported blob into a fresh RSA object, which will have the AllowPlaintextExport policy without
        // having to do anything else
        RSA copy = RSA.Create();
        copy.ImportEncryptedPkcs8PrivateKey(nameof(GetExportableRSAPrivateKey), exported, out _);

        return copy;
    }
    finally
    {
        rsa.Dispose();
    }
}
```
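The two key sources above (the OpenSSL-generated rootCA.pfx and the in-code certificate) both still have to be turned into what a DKIM deployment actually consumes: the private key PEM for the mail signer and the DNS TXT record for selector._domainkey.<domain>. The following is an added example, not the post's own code; it assumes .NET 5 or later and that the post's two methods live in a class named CertificateHelper (a hypothetical name).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class DkimKeyMaterial
{
    // The DKIM DNS record: "p=" is the base64 DER SubjectPublicKeyInfo, the same bytes
    // "openssl rsa -in snakeoil.key -pubout -outform DER" would emit for the OpenSSL key.
    public static string BuildDkimTxtRecord(RSA rsa)
    {
        string p = Convert.ToBase64String(rsa.ExportSubjectPublicKeyInfo());
        return $"v=DKIM1; k=rsa; p={p}";
    }

    // A 2048- or 4096-bit key makes the record longer than the 255-byte limit of a single TXT
    // string, so split it into quoted chunks for the zone file (the verifier concatenates them).
    public static string ToZoneFileTxt(string record, int chunk = 255)
    {
        var parts = new List<string>();
        for (int i = 0; i < record.Length; i += chunk)
            parts.Add("\"" + record.Substring(i, Math.Min(chunk, record.Length - i)) + "\"");
        return string.Join(" ", parts);
    }

    // PKCS#8 PEM is the form DKIM signing libraries usually load the private key from.
    public static string ExportPrivateKeyPem(RSA rsa) =>
        new string(PemEncoding.Write("PRIVATE KEY", rsa.ExportPkcs8PrivateKey()));

    // Path 1: certificate created in code; the private key is made exportable with the post's
    // helper first (CertificateHelper is an assumed class name for the post's two methods).
    public static (string Txt, string Pem) FromGeneratedCertificate()
    {
        using X509Certificate2 cert = CertificateHelper.CreateCertificateWithPrivateKey();
        using RSA rsa = CertificateHelper.GetExportableRSAPrivateKey(cert);
        return (BuildDkimTxtRecord(rsa), ExportPrivateKeyPem(rsa));
    }

    // Path 2: the rootCA.pfx produced by the OpenSSL steps. Without X509KeyStorageFlags.Exportable
    // Windows imports the key as non-exportable and ExportPkcs8PrivateKey throws CryptographicException.
    public static (string Txt, string Pem) FromPfx(string pfxPath, string password)
    {
        using var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.Exportable);
        using RSA rsa = cert.GetRSAPrivateKey();
        return (BuildDkimTxtRecord(rsa), ExportPrivateKeyPem(rsa));
    }
}
```

Publish the ToZoneFileTxt output at selector._domainkey.<domain> and keep the PEM only on the signing host; the password passed to FromPfx is the one entered in OpenSSL step 4.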


posted @ 2024-02-18 15:18 by mh菜鸟, 160 reads, 0 comments