Estoy tratando de crear una cadena de certificados usando el castillo hinchable.
Primero creo un certificado de CA:
public static void CreateCertificateAuthorityCertificate(string commonNameValue, [CanBeNull] out AsymmetricKeyParameter caPrivateKey, out X509Certificate2 caCert)
{
const int keyStrength = 2048;
var random = GetSeededSecureRandom();
// The Certificate Generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
// Serial Number
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Issuer and Subject Name
X509Name subjectDN = new X509Name("CN=" + commonNameValue);
X509Name issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Valid For
DateTime notBefore = DateTime.UtcNow.Date.AddDays(-7);
DateTime notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// Subject Public Key
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// Generating the Certificate
var issuerKeyPair = subjectKeyPair;
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerKeyPair.Private, random);
// selfsign certificate
var certificate = certificateGenerator.Generate(signatureFactory);
caPrivateKey = issuerKeyPair.Private;
caCert = new X509Certificate2(certificate.GetEncoded());
}
Luego, uso el siguiente código dos veces.
La primera vez, genero un "Certificado de servidor" que se usará para generar certificados de cliente. En este caso, uso la clave privada del certificado CA y isClientCertificate establecido en falso.
Luego, utilizo el mismo código para generar el "Certificado de Cliente", esta vez usando la clave privada del "Certificado de Servidor" e isClientCertificate establecido en verdadero.
public static X509Certificate2 CreateSelfSignedCertificateBasedOnPrivateKey(string commonNameValue, X509Certificate2 issuerCertificate, AsymmetricKeyParameter issuerPrivKey, bool isClientCertificate, int yearsUntilExpiration)
{
const int keyStrength = 2048;
// Generating Random Numbers
var random = GetSeededSecureRandom();
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);
// The Certificate Generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
if (isClientCertificate)
{
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth));
}
else
{
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, true,
new X509KeyUsage(X509KeyUsage.KeyCertSign));
}
// Serial Number
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Issuer and Subject Name
var readCertificate = new X509CertificateParser().ReadCertificate(issuerCertificate.Export(X509ContentType.Cert));
X509Name subjectDN = new X509Name("CN=" + commonNameValue);
certificateGenerator.SetIssuerDN(readCertificate.SubjectDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Valid For
DateTime notBefore = DateTime.UtcNow.Date.AddDays(-7);
DateTime notAfter = notBefore.AddYears(yearsUntilExpiration);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// Subject Public Key
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
var stream = new MemoryStream();
store.Save(stream, new char[0], random);
var convertedCertificate =
new X509Certificate2(
stream.ToArray(), (string)null,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
stream.Position = 0;
return convertedCertificate;
}
Los certificados de CA y servidor se ven bien, incluida una cadena válida.
Miproblemaesconlacadenadecertificadosdelcliente.
Hayunaadvertenciaamarillaenel"Certificado del servidor" (en la captura de pantalla que se llama CN = iftah-pc), dice: Esta autoridad de certificación no puede emitir certificados o no puede usarse como un certificado de entidad final.
¿Qué estoy haciendo mal?
Utilicé OpenSSL para extraer el contenido del certificado, obtengo:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
45:67:f2:4b:9a:19:ff:f7
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = IFTAH-PC.ravendb.ca
Validity
Not Before: Sep 4 00:00:00 2017 GMT
Not After : Sep 4 00:00:00 2022 GMT
Subject: CN = iftah-pc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b4:d1:b9:21:30:fe:d3:25:ec:f5:7d:c0:70:42:
ac:8a:eb:4d:88:5a:ee:8a:a4:c3:93:a8:84:47:bc:
ad:56:0a:c4:d9:4a:4f:2d:4b:a1:35:37:ed:24:d9:
c1:20:40:c3:4a:3f:59:87:8c:da:00:88:52:24:da:
bf:59:bd:48:47:f7:f0:30:ad:87:ec:c6:33:33:8d:
b6:a8:f7:5e:94:64:ff:16:02:7d:f2:7c:b1:7d:a3:
14:0b:5a:13:50:1a:f7:11:02:40:c6:4f:32:a7:a8:
87:a2:e1:73:e9:23:19:1f:5f:53:87:d4:79:5f:20:
d8:d9:f9:cd:a3:c6:3f:44:ee:56:d7:2f:a4:f7:6d:
58:6e:5f:40:80:40:26:e2:31:ff:d4:5b:57:03:77:
f4:e0:3f:48:26:91:a4:cf:11:d7:c9:54:d1:82:8b:
16:4b:09:92:7e:3a:ad:75:48:ba:7b:9b:48:07:45:
37:20:2a:33:cc:5d:70:b2:62:60:e7:38:ea:d2:09:
2f:6f:59:b6:94:f0:f8:c9:fb:7a:53:5f:bb:0b:d8:
16:c0:04:7e:06:1d:60:94:50:ae:d3:49:01:35:0d:
29:f7:3e:cf:67:7b:57:6d:d3:76:86:44:25:6a:c7:
f5:f0:69:34:e8:f3:33:93:d2:32:b5:92:2f:55:96:
53:73
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha512WithRSAEncryption
59:d8:27:48:62:05:24:cc:1d:c8:b5:23:c1:ee:64:c8:f3:2a:
f1:ee:67:fb:77:23:ec:a4:80:a3:30:a9:44:b4:4b:36:88:7c:
cf:65:ac:e7:5e:44:63:ba:a3:01:c2:6f:d3:ea:c9:da:31:72:
0b:57:87:07:58:0e:ce:c7:ad:df:5b:ff:02:f6:d4:b0:65:8f:
f7:28:0f:5b:4d:32:75:3b:93:ae:0b:3a:13:c6:29:0f:d2:20:
a8:3e:80:06:13:f4:ef:8d:af:32:25:ee:79:8a:98:3f:63:3f:
b8:35:cb:a9:a2:c2:a2:73:aa:ea:c1:e4:c2:02:2d:0a:42:42:
27:c7:78:2b:3e:c8:a1:89:7c:40:76:75:15:4d:b8:45:a8:06:
6f:85:d0:fd:2c:8c:ae:e4:27:90:0f:56:a6:17:f0:16:e3:5b:
38:62:af:01:d0:e3:72:ee:17:ac:8c:fe:91:fe:37:02:41:c3:
5b:51:26:5d:59:d6:ab:fb:54:6d:05:d3:3c:3c:c7:94:b3:8e:
3d:57:38:3a:cf:35:c5:ac:93:3d:62:39:85:1d:f7:eb:97:54:
b1:b5:03:f1:3d:38:b8:d5:ae:0e:3e:b1:ec:e2:b3:0c:a5:95:
58:58:2d:ba:20:df:a3:35:86:f3:f0:94:9e:13:8e:0c:70:92:
e3:ba:e5:c4
-----BEGIN CERTIFICATE-----
MIICxTCCAa2gAwIBAgIIRWfyS5oZ//cwDQYJKoZIhvcNAQENBQAwHjEcMBoGA1UE
AwwTSUZUQUgtUEMucmF2ZW5kYi5jYTAeFw0xNzA5MDQwMDAwMDBaFw0yMjA5MDQw
MDAwMDBaMBMxETAPBgNVBAMMCGlmdGFoLXBjMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAtNG5ITD+0yXs9X3AcEKsiutNiFruiqTDk6iER7ytVgrE2UpP
LUuhNTftJNnBIEDDSj9Zh4zaAIhSJNq/Wb1IR/fwMK2H7MYzM422qPdelGT/FgJ9
8nyxfaMUC1oTUBr3EQJAxk8yp6iHouFz6SMZH19Th9R5XyDY2fnNo8Y/RO5W1y+k
921Ybl9AgEAm4jH/1FtXA3f04D9IJpGkzxHXyVTRgosWSwmSfjqtdUi6e5tIB0U3
ICozzF1wsmJg5zjq0gkvb1m2lPD4yft6U1+7C9gWwAR+Bh1glFCu00kBNQ0p9z7P
Z3tXbdN2hkQlasf18Gk06PMzk9IytZIvVZZTcwIDAQABoxIwEDAOBgNVHQ8BAf8E
BAMCAQYwDQYJKoZIhvcNAQENBQADggEBAFnYJ0hiBSTMHci1I8HuZMjzKvHuZ/t3
I+ykgKMwqUS0SzaIfM9lrOdeRGO6owHCb9PqydoxcgtXhwdYDs7Hrd9b/wL21LBl
j/coD1tNMnU7k64LOhPGKQ/SIKg+gAYT9O+NrzIl7nmKmD9jP7g1y6miwqJzqurB
5MICLQpCQifHeCs+yKGJfEB2dRVNuEWoBm+F0P0sjK7kJ5APVqYX8BbjWzhirwHQ
43LuF6yM/pH+NwJBw1tRJl1Z1qv7VG0F0zw8x5Szjj1XODrPNcWskz1iOYUd9+uX
VLG1A/E9OLjVrg4+seziswyllVhYLbog36M1hvPwlJ4TjgxwkuO65cQ=
-----END CERTIFICATE-----
Por lo que puedo ver, he hecho las cosas bien, en particular: X509v3 Key Usage: critical Certificate Sign, CRL Sign
está configurado correctamente.
¿Hay algo que me esté perdiendo aquí?