如何以编程方式为WCF服务创建自签名证书?
我有一个自托管的WCF服务器作为本地系统帐户下的Windows服务运行。 我正在尝试以编程方式在c#中创建自签名证书,以便使用消息级别安全性与net.tcp端点一起使用。
我使用以下代码,它非常基于如何使用C#创建自签名证书中的接受答案? 试图解决我的问题的一些小变化。
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expirationLength) { // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Strong Cryptographic Provider"; privateKey.Length = 1024; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG; privateKey.MachineContext = true; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA1"); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now.Date; // this cert expires immediately. Change to whatever makes sense for you cert.NotAfter = cert.NotBefore + expirationLength; //cert.X509Extensions.Add((CX509Extension)eku); // add the EKU cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) return new System.Security.Cryptography.X509Certificates.X509Certificate2( System.Convert.FromBase64String(base64encoded), "", // mark the private key as exportable (this is usually what you want to do) // mark private key to go into the Machine store instead of the current users store X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet ); } 我用这段代码存储它:
X509Store store = new X509Store(storeName, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadWrite); store.Add(newCert); store.Close();
这将创建证书并将其放入LocalMachine证书库中。 问题是当我尝试启动WCF服务时,我得到以下exception:
证书’CN = myCertificate’可能没有能够进行密钥交换的私钥,或者该进程可能没有私钥的访问权限。 详情请见内部exception。 内部exception:Keyset不存在
我的证书的FindPrivateKey示例( http://msdn.microsoft.com/en-us/library/aa717039%28v=vs.100%29.aspx )的输出是:
Private key directory: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys Private key file name: f0d47c7826b8ef5148b6d412f1c40024_4a8a026f-58e4-40f7-b779-3ae9b6aae1a7
我可以在资源管理器中看到这个1.43KB的文件。 如果我查看属性|安全性,我看到SYSTEM和管理员都具有完全控制权。
在研究此错误时,我看到许多关于私钥丢失或权限不正确的答案。 我看不出是什么问题。
真奇怪的是,如果我使用mmc Certificate插件,请转到证书并选择All Tasks | Manage Private Keys …我看到相同的安全设置。 查看之后,即使我只是打开对话框并点击取消按钮,证书现在可以在WCF中正常工作。 我可以简单地重启服务,一切都运行完美。
如果我使用MakeCert创建证书,它从一开始就可以正常工作。 我不知道它的作用有何不同。
另一条可能不相关的信息是,证书不仅放在我告诉它放入的我的商店,而且还放在“中级证书颁发机构”商店中。 我不知道为什么或是否重要。
那么……任何想法我做错了什么?
更新:嗯,这不仅仅是一个WCF问题。 当我尝试使用HttpSetServiceConfiguration使用证书绑定到具有http.sys的端点时,我基本上遇到了同样的问题。 该方法返回1312 – “指定的登录会话不存在。它可能已经被终止”。 这实际上不是真正的错误。 我在安全事件日志中看到一个审计失败,说:
Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: Not Available. Key Name: {A23712D0-9A7B-4377-89DB-B1B39E3DA8B5} Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090011
0x80090011未找到对象。 所以这似乎是同样的问题。 再次,在我打开证书的“管理私钥”对话框之后,这也非常有效。
我仍然在寻找问题的原因。
更新#2:我能够使用下面接受的答案来解决这个问题。 有趣的是,此代码现在似乎将证书放在机器商店中而不调用X509Store代码。 我仍然会调用代码,因为我不确定它并没有伤害任何东西。 这是我用来创建证书的最终代码。
static public X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expirationLength) { // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Strong Cryptographic Provider"; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG; privateKey.MachineContext = true; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now.Date; // this cert expires immediately. Change to whatever makes sense for you cert.NotAfter = cert.NotBefore + expirationLength; cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) return new System.Security.Cryptography.X509Certificates.X509Certificate2( System.Convert.FromBase64String(base64encoded), "", // mark the private key as exportable (this is usually what you want to do) // mark private key to go into the Machine store instead of the current users store X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet ); }
我在PowerShell中使用等效代码时遇到了同样的问题。 看来有时私钥就消失了。 我使用了Process Monitor,您可以看到要删除的密钥文件。
我解决这个问题的方法是将X509KeyStorageFlags.PersistKeySet添加到X509Certificate2构造函数中。
我无法做到这一点,但我找到了另一种解决方案。 (2014年12月更新:我现在已经使用接受的答案让它工作了。)
我能够使用PluralSight.Crypto库来实现我的需求。 我不得不稍微修改源代码以获取存储在LocalMachine存储中的私钥。 我所做的更改是CryptContext.cs文件。 我更改了CreateSelfSignedCertificate方法。 以下是一段代码,包括我所做的更改。 本质上,如果CryptContext对象在其Flags中包含此值,我将CryptKeyProviderInformation结构的Flags成员设置为0x20(CRYPT_MACHINE_KEYSET)。
byte[] asnName = properties.Name.RawData; GCHandle asnNameHandle = GCHandle.Alloc(asnName, GCHandleType.Pinned); int flags = 0; // New code if ((this.Flags & 0x20) == 0x20) // New code flags = 0x20; // New code var kpi = new Win32Native.CryptKeyProviderInformation { ContainerName = this.ContainerName, KeySpec = (int)KeyType.Exchange, ProviderType = 1, // default RSA Full provider Flags = flags // New code };
然后我在我自己的代码中使用这个函数,如下所示:
using (Pluralsight.Crypto.CryptContext ctx = new Pluralsight.Crypto.CryptContext()) { ctx.Flags = 0x8 | 0x20; ctx.Open(); X509Certificate2 cert = ctx.CreateSelfSignedCertificate( new Pluralsight.Crypto.SelfSignedCertProperties { IsPrivateKeyExportable = true, KeyBitLength = 4096, Name = new X500DistinguishedName("CN=" + subjectName), ValidFrom = DateTime.Today, ValidTo = DateTime.Today + expirationLength, }); return cert; }
请注意,我将CryptContext对象的Flags设置为0x8 | 0x20(CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET)。
我希望我能弄明白我的原始解决方案有什么问题。 但我需要一些工作,在我的测试中,这个解决方案可以满足我的需求。 我希望它能帮助其他人。
您还可以在CodePlex上使用CLR安全库( https://clrsecurity.codeplex.com/ )。 下面是创建自签名证书的示例代码,并使用SSLStream对其进行测试。
var machineName = Environment.MachineName; var keyCreationParameters = new CngKeyCreationParameters(); keyCreationParameters.KeyUsage = CngKeyUsages.AllUsages; keyCreationParameters.KeyCreationOptions = CngKeyCreationOptions.OverwriteExistingKey; keyCreationParameters.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(4096), CngPropertyOptions.None)); var cngKey = CngKey.Create(CngAlgorithm2.Rsa, "Test", keyCreationParameters); var x500DistinguishedName = new X500DistinguishedName("CN=" + machineName); x500DistinguishedName.Oid.Value = "1.3.6.1.5.5.7.3.1"; var certificateCreationParameters = new X509CertificateCreationParameters(x500DistinguishedName); certificateCreationParameters.SignatureAlgorithm = X509CertificateSignatureAlgorithm.RsaSha512; certificateCreationParameters.TakeOwnershipOfKey = true; certificateCreationParameters.CertificateCreationOptions = X509CertificateCreationOptions.None; certificateCreationParameters.EndTime = new DateTime(9999, 12,31, 23, 59, 59, 999, DateTimeKind.Utc); var certificate = cngKey.CreateSelfSignedCertificate(certificateCreationParameters); var certificateStore = new X509Store(StoreName.Root, StoreLocation.CurrentUser); certificateStore.Open(OpenFlags.ReadWrite); certificateStore.Add(certificate); certificateStore.Close(); var tcpListener = TcpListener.Create(6666); tcpListener.Start(); var client = new TcpClient("localhost", 6666); var acceptedClient = tcpListener.AcceptTcpClient(); var acceptedClinetSslStream = new SslStream( acceptedClient.GetStream(), false); var serverAuthTask = acceptedClinetSslStream.AuthenticateAsServerAsync(certificate, false, SslProtocols.Tls, true); SslStream clientSslStream = new SslStream( client.GetStream(), false, delegate(object o, X509Certificate x509Certificate, X509Chain chain, SslPolicyErrors errors) { if (errors == SslPolicyErrors.None) return true; Console.WriteLine("Certificate error: {0}", errors); // Do not allow this client to communicate with unauthenticated servers. return false; }, null); var clientAuthTask = clientSslStream.AuthenticateAsClientAsync(machineName); Task.WaitAll(serverAuthTask, clientAuthTask);