SSL certificate issued by a Windows CA and exported with OpenSSL works on Windows but not on Android



I am setting up a pipeline for Android devices to request a certificate, as follows:

using System;
using System.IO;
using System.Text;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;

var subjectName = $"CN={GetFQDN()},O=My Org,OU=Test,T=Test,ST=OK,C=US";
// Create the X509Name for the subject (the issuer name is filled in by the CA)
var subject = new X509Name(subjectName);
// Generate the RSA key pair; the public half goes into the CSR
var random = new SecureRandom();
const int strength = 2048;
var keyGenerationParameters = new KeyGenerationParameters(random, strength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair();

// PKCS #10 Certificate Signing Request, signed with the subject's own private key
// (the CA signs the issued certificate with its own algorithm)
Pkcs10CertificationRequest csr = new Pkcs10CertificationRequest("SHA1WITHRSA", subject, subjectKeyPair.Public, null, subjectKeyPair.Private);
// Convert the BouncyCastle CSR to PEM text
StringBuilder CSRPem = new StringBuilder();
PemWriter CSRPemWriter = new PemWriter(new StringWriter(CSRPem));
CSRPemWriter.WriteObject(csr);
CSRPemWriter.Writer.Flush();
// Get the CSR text
var CSRtext = CSRPem.ToString();
// Write the CSR into a text file under the app's ApplicationData folder
var appData = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
using (StreamWriter f = new StreamWriter(Path.Combine(appData, @"MyCsr.txt"), false))
{
    f.Write(CSRtext);
}
// Write the (unencrypted) private key as PEM; this is the file later passed to openssl -inkey
CSRPem = new StringBuilder();
CSRPemWriter = new PemWriter(new StringWriter(CSRPem));
CSRPemWriter.WriteObject(subjectKeyPair.Private);
CSRPemWriter.Writer.Flush();
CSRtext = CSRPem.ToString();
using (StreamWriter f = new StreamWriter(Path.Combine(appData, @"PrivateKey.pem"), false))
{
    f.Write(CSRtext);
}

The CSR is sent to the Windows CA server, and the issued .cer is then combined with the private key using the following openssl command (on Windows 11):

openssl pkcs12 -export -in myCer.cer -inkey myKey.pem -out myPfx.pfx

Regardless of what the password is set to, including blank, the certificate installs correctly on any Windows PC when installed through the system dialog, but every Android device reports a wrong password. When I try to decode the .pfx programmatically, as in:

// Read the bundled .pfx from the app's assets into memory
var mmstream = new MemoryStream();
Application.Context.Assets.Open("newCert.pfx").CopyTo(mmstream);
byte[] b = mmstream.ToArray();
// Import with an empty password (the same password used at export time)
var myCert = new X509Certificate2(b, String.Empty);

I get the following error:

System.Security.Cryptography.CryptographicException: Unable to decode certificate. ---> System.Security.Cryptography.CryptographicException: `MonoBtlsPkcs12.Import` failed.

It seems Android may use a different algorithm by default for the password-based encryption? But every post I have found about exporting from openssl for Android uses only the default parameters.

It seems Android accepts the certificate when I generate it with 32-bit openssl instead of 64-bit. Not sure why.

openssl pkcs12 -export -in myCer.cer -inkey myKey.pem -out myPfx.pfx

runs fine with 32-bit openssl.

Latest update
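The following is an added example, not part of the original post and not an answer the poster gave. It shows how to check which password-based encryption (PBE) algorithms a PKCS#12 file actually uses, and how to export one with the pbeWithSHA1And3-KeyTripleDES-CBC scheme that older importers understand. The assumption behind it (not confirmed by the post) is that the 64-bit build is OpenSSL 3.x, whose `pkcs12 -export` defaults changed to AES-256-CBC with PBKDF2 and a SHA-256 MAC, while the 32-bit build is 1.1.x with the older defaults; some importers, including the MonoBtlsPkcs12 backend named in the error, are commonly reported to reject the new scheme. File names (cert.pem, key.pem, default.p12, compat.p12) and the password `secret` are placeholders chosen for this example, and the self-signed certificate is constructed sample material standing in for the CA-issued .cer.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI on PATH.

# Print the PBE algorithm summary lines of a PKCS#12 file.
# openssl writes these lines to stderr, so both streams are captured.
pkcs12_pbe_summary() {
    pfx="$1"; pass="$2"
    openssl pkcs12 -in "$pfx" -info -noout -passin "pass:$pass" 2>&1 \
        | grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)' || true
}

# Export with the version's built-in defaults (the command used in the post,
# plus a password argument). On OpenSSL 3.x this yields PBES2/PBKDF2/AES-256-CBC.
export_pkcs12_default() {
    cert="$1"; key="$2"; out="$3"; pass="$4"
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout "pass:$pass"
}

# Export with SHA1+3DES for both the key bag and the certificate bag and a
# SHA-1 MAC. These names are accepted by OpenSSL 1.1 and 3.x alike and need
# no legacy provider (unlike RC2-40, which the -legacy switch would select).
export_pkcs12_compat() {
    cert="$1"; key="$2"; out="$3"; pass="$4"
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
        -passout "pass:$pass" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Constructed sample input: a throwaway self-signed certificate and key,
# standing in for the CA-issued .cer and the BouncyCastle-generated key.
make_sample_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Returns 0 only when every encrypted bag in the file uses the SHA1+3DES scheme.
uses_legacy_pbe() {
    bags=$(pkcs12_pbe_summary "$1" "$2" \
        | grep -E '^(PKCS7 Encrypted data:|Shrouded Keybag:)' || true)
    [ -n "$bags" ] || return 1
    ! printf '%s\n' "$bags" | grep -qv 'pbeWithSHA1And3-KeyTripleDES-CBC'
}

# Stand-alone run: build sample material, export both ways, show the PBE summary of each.
workdir=$(mktemp -d)
make_sample_material "$workdir"
export_pkcs12_default "$workdir/cert.pem" "$workdir/key.pem" "$workdir/default.p12" secret
export_pkcs12_compat  "$workdir/cert.pem" "$workdir/key.pem" "$workdir/compat.p12" secret
echo "default export:";  pkcs12_pbe_summary "$workdir/default.p12" secret
echo "compat export:";   pkcs12_pbe_summary "$workdir/compat.p12" secret
```

Running `pkcs12_pbe_summary` against the file produced by each openssl build is the quickest way to confirm whether the two builds differ in PBE scheme rather than in the password itself. If the 64-bit file shows `PBES2, PBKDF2, AES-256-CBC` and the 32-bit file shows `pbeWithSHA1And...` lines, the importer on the device is the limiting factor, and `export_pkcs12_compat` produces a bundle that both versions of openssl and the older importer read. 3DES and SHA-1 here only protect the bundle in transit between the CA workstation and the device; the bundle should still be handled as secret material and deleted once imported.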