【Title】: Create X509Certificate2 with public key in .Net Core
【Posted】: 2022-01-15 22:10:57
【Question】:

I want to encrypt a token with JWE following This article. In the article he creates the X509EncryptingCredentials like this:

var tokenDescriptor = new SecurityTokenDescriptor
{
   Audience = "you",
   Issuer = "me",
   Subject = new ClaimsIdentity(new List<Claim> {new Claim("sub", "scott")}),
   EncryptingCredentials = new X509EncryptingCredentials(new X509Certificate2("key_public.cer")) //here i mean
};

For this he creates new X509Certificate2("key_public.cer")

How do I create key_public.cer so that I can pass it to X509Certificate2?

【Comments】:

  • Have you tried your favourite search engine? You could type something like "how to create x509 certificate?"

Tags: .net-core x509certificate2


【Answer 1】:

DotNetUtilities.ToRSA will always set the private key as exportable. To prevent this, there is another way to convert your BouncyCastle key to a .NET X509Certificate2, taken from here

// Namespaces this method needs (added for completeness; BouncyCastle 1.8.x API)
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;

public X509Certificate2 GenerateSelfSignedCertificateNoCA(string subjectName, string issuerName)
{
    const int keyStrength = 2048;

    // Generating Random Numbers
    CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
    SecureRandom random = new SecureRandom(randomGenerator);

    // The Certificate Generator
    X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();

    // Serial Number (random, positive, fits in 64 bits)
    BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Signature Algorithm
    const string signatureAlgorithm = "SHA256WithRSA";
    certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

    // Issuer and Subject Name
    X509Name subjectDN = new X509Name(subjectName);
    X509Name issuerDN = new X509Name(issuerName);
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // Valid For
    DateTime notBefore = DateTime.UtcNow.Date;
    DateTime notAfter = notBefore.AddYears(2);

    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Subject Public Key
    AsymmetricCipherKeyPair subjectKeyPair;
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    subjectKeyPair = keyPairGenerator.GenerateKeyPair();

    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Generating the Certificate: self-signed, so the issuer key pair is the subject key pair
    AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;

    // selfsign certificate
    Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);

    // import into store
    var certificateEntry = new X509CertificateEntry(certificate);
    string friendlyName = certificate.SubjectDN.ToString();
    var store = new Pkcs12Store();
    store.SetCertificateEntry(friendlyName, certificateEntry);
    store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });

    // save to memorystream (PKCS#12 in memory, protected by a throw-away password)
    var password = "password";
    var stream = new MemoryStream();
    store.Save(stream, password.ToCharArray(), random);

    // convert into X509Certificate2 without the Exportable flag, so the private key stays non-exportable
    X509Certificate2 x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(stream.ToArray(), password, X509KeyStorageFlags.UserKeySet);

    return x509;
}

The private key is now marked as Exportable=false.

【Discussion】:
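The question asks how to produce the key_public.cer file, and the answer above is concerned with keeping the private key out of reach. The following is an added example (not code from the question, the answer or the linked article) that does both with the built-in .NET API (CertificateRequest, .NET Core 3.0+) instead of BouncyCastle: it generates a self-signed RSA certificate, writes the public-only DER file that new X509Certificate2("key_public.cer") expects, keeps the private half in a separate password-protected PFX for the token-decrypting side, and checks that the loaded .cer carries no private key. The file names, subject name and password are assumptions chosen for the example.

```csharp
// Added example: create key_public.cer (public only) plus a private PFX with plain .NET.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class KeyPublicCer
{
    // Paths, subject and password are example assumptions, not values from the page.
    public static void Create(string publicCerPath, string privatePfxPath, string pfxPassword)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest(
            "CN=jwe-encryption-example", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // keyEncipherment is the usage an RSA key-transport JWE (RSA-OAEP / RSA1_5) relies on.
        request.CertificateExtensions.Add(
            new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));

        DateTimeOffset notBefore = DateTimeOffset.UtcNow;
        using X509Certificate2 cert = request.CreateSelfSigned(notBefore, notBefore.AddYears(2));

        // X509ContentType.Cert exports the bare certificate (DER); the private key never enters this file.
        File.WriteAllBytes(publicCerPath, cert.Export(X509ContentType.Cert));

        // The private key goes only into the PKCS#12 used by the side that decrypts the JWE.
        File.WriteAllBytes(privatePfxPath, cert.Export(X509ContentType.Pfx, pfxPassword));
    }

    // Loads the file exactly as the question does and confirms it is public-only.
    public static bool IsPublicOnly(string publicCerPath)
    {
        using var loaded = new X509Certificate2(publicCerPath);
        return !loaded.HasPrivateKey && loaded.GetRSAPublicKey() != null;
    }

    public static void Main()
    {
        Create("key_public.cer", "key_private.pfx", "change-me");
        Console.WriteLine($"key_public.cer is public-only: {IsPublicOnly("key_public.cer")}");
    }
}
```

The resulting key_public.cer can be handed to X509EncryptingCredentials as in the question's snippet; only the service that decrypts tokens needs key_private.pfx.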
