我试图创建使用BouncyCastle.Crypto DLL,然后将其用于对认证SslStream作为服务器的证书时产生“供给到封装体的凭证无法识别”错误在Windows服务进程中,在本地系统帐户下运行。与证书服务器验证使用BouncyCastle的
但是,当我到达SslStream.AuthenticateAsServer(证书)调用时,它会抛出一个Win32异常,并显示错误消息“提供给包的凭据无法识别”。
这里对于有关此错误消息的几个问题,但他们都不来描述,或解决,我的具体问题。
在希望有人也许能够提供一些帮助,我包括我使用的创建和安装证书代码:
// First create a certificate using the BouncyCastle classes
BigInteger serialNumber = BigInteger.ProbablePrime(120, new Random());
AsymmetricCipherKeyPair keyPair = GenerateKeyPair();
X509V1CertificateGenerator generator = new X509V1CertificateGenerator();
generator.SetSerialNumber(serialNumber);
generator.SetIssuerDN(new X509Name("CN=My Issuer"));
generator.SetNotBefore(DateTime.Today);
generator.SetNotAfter(DateTime.Today.AddYears(100));
generator.SetSubjectDN(new X509Name("CN=My Issuer"));
generator.SetPublicKey(keyPair.Public);
generator.SetSignatureAlgorithm("SHA1WITHRSA");
Org.BouncyCastle.X509.X509Certificate cert = generator.Generate(
keyPair.Private, SecureRandom.GetInstance("SHA1PRNG"));
// Ok, now we have a BouncyCastle certificate, we need to convert it to the
// System.Security.Cryptography class, by writing it out to disk and reloading
X509Certificate2 dotNetCert;
string tempStorePassword = "Password01"; // In real life I'd use a random password
FileInfo tempStoreFile = new FileInfo(Path.GetTempFileName());
try
{
Pkcs12Store newStore = new Pkcs12Store();
X509CertificateEntry entry = new X509CertificateEntry(cert);
newStore.SetCertificateEntry(Environment.MachineName, entry);
newStore.SetKeyEntry(
Environment.MachineName,
new AsymmetricKeyEntry(keyPair.Private),
new [] { entry });
using (FileStream s = tempStoreFile.Create())
{
newStore.Save(s,
tempStorePassword.ToCharArray(),
new SecureRandom(new CryptoApiRandomGenerator()));
}
// Reload the certificate from disk
dotNetCert = new X509Certificate2(tempStoreFile.FullName, tempStorePassword);
}
finally
{
tempStoreFile.Delete();
}
// Now install it into the required certificate stores
X509Store targetStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
targetStore.Open(OpenFlags.ReadWrite);
targetStore.Add(dotNetCert);
targetStore.Close();
好了,现在我已经创建和安装证书。然后,我将Windows服务配置为使用此证书,并将其与生成的证书的指纹一起提供。然后我用这样的证书:
// First load the certificate
X509Certificate2 certificate = null;
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
foreach (X509Certificate2 certInStore in store.Certificates)
{
if (certInStore.Thumbprint == "...value not shown...")
{
certificate = certInStore;
break;
}
}
SslStream sslStream = new SslStream(new NetworkStream(socket, false), false);
// Now this line throws a Win32Exception
// "The credentials supplied to the package were not recognized"
sslStream.AuthenticateAsServer(certificate);
没有人有任何想法的问题可能是在这里吗?
,如果我安装带有“makecert”创建的证书我不明白的问题,但不适合生产证书。
我还试图建立一个独立的x509v1 CA证书,然后采用X509v3服务器身份验证证书,但我得到了同样的错误,所以我在简单的示例代码移除了这个。
我尝试将我的v1证书生成器更改为v3版本,但将n ovail。我们不可能购买证书 - 我们将在安装时为我们的服务生成证书。显然,它不会有可信的认证路径,但仍然允许我们在传输数据时对其进行加密。 –
我不认为你可以提供有关'缺少扩展名'和'无效CN'的含义的更多细节吗? –
属于“可以写一本书”(参见FAQ)类别;-)您可以通过查看“makecert”(或来自网站的任何SSL证书)的内部内容来获得**最小**猜测制作。很多垃圾(可悲的),但浏览器也接受它们。 – poupou