I am trying to create a certificate chain using Bouncy Castle.
First, I create a CA certificate:
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using JetBrains.Annotations;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;

// GetSeededSecureRandom() is a helper defined elsewhere in the project (not shown here).
public static void CreateCertificateAuthorityCertificate(string commonNameValue, [CanBeNull] out AsymmetricKeyParameter caPrivateKey, out X509Certificate2 caCert)
{
    const int keyStrength = 2048;
    var random = GetSeededSecureRandom();
    // The Certificate Generator
    X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
    // Serial Number
    BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);
    // Issuer and Subject Name (self-signed, so both are the same)
    X509Name subjectDN = new X509Name("CN=" + commonNameValue);
    X509Name issuerDN = subjectDN;
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);
    // Valid For
    DateTime notBefore = DateTime.UtcNow.Date.AddDays(-7);
    DateTime notAfter = notBefore.AddYears(2);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);
    // Subject Public Key
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);
    // Generating the Certificate
    var issuerKeyPair = subjectKeyPair;
    ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerKeyPair.Private, random);
    // self-sign certificate
    var certificate = certificateGenerator.Generate(signatureFactory);
    caPrivateKey = issuerKeyPair.Private;
    caCert = new X509Certificate2(certificate.GetEncoded());
}
Then I use the following code twice.
The first time, I create a "Server Certificate" which will be used to generate client certificates. In this case I use the CA certificate's private key and isClientCertificate set to false.
Then I use the same code to generate the "Client Certificate", this time using the "Server Certificate"'s private key and isClientCertificate set to true.
public static X509Certificate2 CreateSelfSignedCertificateBasedOnPrivateKey(string commonNameValue, X509Certificate2 issuerCertificate, AsymmetricKeyParameter issuerPrivKey, bool isClientCertificate, int yearsUntilExpiration)
{
    const int keyStrength = 2048;
    // Generating Random Numbers
    var random = GetSeededSecureRandom();
    ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);
    // The Certificate Generator
    X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
    if (isClientCertificate)
    {
        certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth));
    }
    else
    {
        // The extension OID must be KeyUsage (not SubjectKeyIdentifier) for a KeyUsage value,
        // which is what the OpenSSL dump below shows.
        certificateGenerator.AddExtension(X509Extensions.KeyUsage.Id, true,
            new X509KeyUsage(X509KeyUsage.KeyCertSign));
    }
    // Serial Number
    BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);
    // Issuer and Subject Name (issuer DN is copied from the issuing certificate)
    var readCertificate = new X509CertificateParser().ReadCertificate(issuerCertificate.Export(X509ContentType.Cert));
    X509Name subjectDN = new X509Name("CN=" + commonNameValue);
    certificateGenerator.SetIssuerDN(readCertificate.SubjectDN);
    certificateGenerator.SetSubjectDN(subjectDN);
    // Valid For
    DateTime notBefore = DateTime.UtcNow.Date.AddDays(-7);
    DateTime notAfter = notBefore.AddYears(yearsUntilExpiration);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);
    // Subject Public Key
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);
    // Fully qualified to avoid the clash with System.Security.Cryptography.X509Certificates.X509Certificate
    Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
    // Bundle certificate and private key into a PKCS#12 store so .NET gets both
    var store = new Pkcs12Store();
    string friendlyName = certificate.SubjectDN.ToString();
    var certificateEntry = new X509CertificateEntry(certificate);
    store.SetCertificateEntry(friendlyName, certificateEntry);
    store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
    var stream = new MemoryStream();
    store.Save(stream, new char[0], random);
    var convertedCertificate =
        new X509Certificate2(
            stream.ToArray(), (string)null,
            X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
    stream.Position = 0;
    return convertedCertificate;
}
The CA and Server certificates look fine, including a valid chain.
My problem is with the client certificate chain.
There is a yellow warning on the "Server Certificate" (in the screenshot it is called CN = iftah-pc); it says: This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate.
What am I doing wrong?
I used OpenSSL to dump the certificate contents, and I get:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
45:67:f2:4b:9a:19:ff:f7
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = IFTAH-PC.ravendb.ca
Validity
Not Before: Sep 4 00:00:00 2017 GMT
Not After : Sep 4 00:00:00 2022 GMT
Subject: CN = iftah-pc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha512WithRSAEncryption
As far as I can see I did things right; in particular, X509v3 Key Usage: critical Certificate Sign, CRL Sign
is set correctly.
Is there something I am missing here?
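An added example, not code from the question, showing the extensions a validator expects on an issuing certificate (the question's code never sets BasicConstraints, so the server certificate carries no cA=TRUE flag even though its Key Usage allows certificate signing) and a check that builds the three-level chain with the .NET validator while trusting only the self-made root. It assumes Bouncy Castle 1.8.x (for the SubjectKeyIdentifierStructure and AuthorityKeyIdentifierStructure helpers) and that AddChainExtensions is called on the generator before Generate.

```csharp
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Extension;
public static class ChainExtensions
{
    // Assumed helper (not the question's code). isCa marks an issuing certificate;
    // pathLen bounds how many further CAs may follow it (0 = signs only end entities).
    public static void AddChainExtensions(X509V3CertificateGenerator gen, AsymmetricKeyParameter subjectPublicKey,
        AsymmetricKeyParameter issuerPublicKey, bool isCa, int pathLen = 0)
    {
        // BasicConstraints is what the question's code never sets: without cA=TRUE a validator refuses the issuer.
        gen.AddExtension(X509Extensions.BasicConstraints, true,
            isCa ? new BasicConstraints(pathLen) : new BasicConstraints(false));
        gen.AddExtension(X509Extensions.KeyUsage, true, isCa
            ? new KeyUsage(KeyUsage.KeyCertSign | KeyUsage.CrlSign)
            : new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
        if (!isCa)
            gen.AddExtension(X509Extensions.ExtendedKeyUsage, false,
                new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth));
        // Key identifiers let the validator pair each certificate with its issuer unambiguously.
        gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifierStructure(subjectPublicKey));
        gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(issuerPublicKey));
    }
    // Builds leaf -> intermediate -> root with the .NET validator, trusting only the supplied
    // root, and returns every status other than the expected UntrustedRoot in `problems`.
    public static bool ValidateChain(X509Certificate2 leaf, X509Certificate2 intermediate,
        X509Certificate2 root, out string[] problems)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(intermediate);
            chain.ChainPolicy.ExtraStore.Add(root);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // The root is self-made, so UntrustedRoot is expected; anything else
            // (e.g. InvalidBasicConstraints on the intermediate) is a real defect.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.Build(leaf);
            problems = chain.ChainStatus.Where(s => s.Status != X509ChainStatusFlags.UntrustedRoot)
                .Select(s => s.Status + ": " + s.StatusInformation).ToArray();
            // AllowUnknownCertificateAuthority alone would accept any root, so pin the chain's end to ours.
            bool endsAtRoot = chain.ChainElements.Count == 3 &&
                chain.ChainElements[2].Certificate.Thumbprint == root.Thumbprint;
            return endsAtRoot && problems.Length == 0;
        }
    }
}
```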