
我正在做与赛门铁克(Symantec)API 的集成,并用下面的代码生成 CSR。如何才能生成一个和 IIS 所生成的 CSR 一样的 CSR?

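/// <summary>
/// Builds a PKCS#10 certificate signing request (CSR) for <paramref name="domain"/> through the
/// CertEnroll COM API and returns it Base64-encoded (no PEM header/footer).
/// A new 2048-bit key pair is created by "Microsoft RSA Schannel Cryptographic Provider" in the
/// current user's context; that private key never leaves this machine, so the certificate a CA
/// issues for the returned CSR can only be installed where this method ran.
/// </summary>
/// <param name="domain">Subject common name (CN); required.</param>
/// <param name="organization">Subject organization (O); null is treated as empty.</param>
/// <param name="organizationUnit">Subject organizational unit (OU); null is treated as empty.</param>
/// <param name="city">Subject locality (L); null is treated as empty.</param>
/// <param name="state">Subject state or province (S); null is treated as empty.</param>
/// <param name="country">Subject country (C); null is treated as empty.</param>
/// <returns>The PKCS#10 request as a Base64 string.</returns>
/// <exception cref="ArgumentException"><paramref name="domain"/> is null or whitespace.</exception>
/// <exception cref="InvalidOperationException">
/// A CertEnroll call failed; the original COM exception is kept as <see cref="Exception.InnerException"/>.
/// </exception>
private string GenerateCsr(string domain, string organization, string organizationUnit, string city, string state, string country)
{
    if (string.IsNullOrWhiteSpace(domain))
    {
        throw new ArgumentException("A subject common name (domain) is required.", "domain");
    }

    // Quote every subject value so that a comma, '=' or '+' inside caller-supplied text cannot
    // split the string into additional relative distinguished names (see QuoteRdnValue).
    string subject = string.Format(
        "CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}",
        QuoteRdnValue(domain),
        QuoteRdnValue(organization ?? string.Empty),
        QuoteRdnValue(organizationUnit ?? string.Empty),
        QuoteRdnValue(city ?? string.Empty),
        QuoteRdnValue(state ?? string.Empty),
        QuoteRdnValue(country ?? string.Empty));

    try
    {
        // Select the CSP that will hold the key; CertEnroll expects it wrapped in a collection.
        var csp = new CCspInformation();
        csp.InitializeFromName("Microsoft RSA Schannel Cryptographic Provider");
        var csps = new CCspInformations();
        csps.Add(csp);

        // Key pair parameters. NOTE(review): IIS keeps its TLS keys in the machine store, and
        // server keys are usually AT_KEYEXCHANGE; the user-context AT_SIGNATURE key below is a
        // likely reason a certificate issued for this CSR does not bind in IIS — confirm against
        // the target setup before changing it.
        var privateKey = new CX509PrivateKey();
        privateKey.Length = 2048;
        privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
        privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
        privateKey.MachineContext = false;
        privateKey.CspInformations = csps;
        privateKey.Create();

        // User-context request with no certificate template.
        var pkcs10 = new CX509CertificateRequestPkcs10();
        pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, "");

        // Key Usage extension.
        var keyUsage = new CX509ExtensionKeyUsage();
        keyUsage.InitializeEncode(
            X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
            X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
            X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
            X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
        pkcs10.X509Extensions.Add((CX509Extension)keyUsage);

        // Enhanced Key Usage extension: 1.3.6.1.5.5.7.3.2 is Client Authentication.
        // NOTE(review): a TLS server certificate normally carries Server Authentication
        // (1.3.6.1.5.5.7.3.1) instead; left as-is because changing it alters what the CA issues.
        var ekuOid = new CObjectId();
        ekuOid.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        var ekuOids = new CObjectIds();
        ekuOids.Add(ekuOid);
        var enhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
        enhancedKeyUsage.InitializeEncode(ekuOids);
        pkcs10.X509Extensions.Add((CX509Extension)enhancedKeyUsage);

        // Subject name built from the quoted values above.
        var dn = new CX500DistinguishedName();
        dn.Encode(subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
        pkcs10.Subject = dn;

        // Wrap the request in an enrollment object and emit it as bare Base64.
        var enrollment = new CX509Enrollment();
        enrollment.InitializeFromRequest(pkcs10);
        return enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
    }
    catch (Exception ex)
    {
        // Preserve the COM error (HRESULT, message, stack) as the inner exception; the original
        // code threw a bare Exception and discarded the cause, which made failures undiagnosable.
        throw new InvalidOperationException("Can't generate CSR", ex);
    }
}

/// <summary>
/// Quotes one X.500 attribute value for <see cref="CX500DistinguishedName.Encode"/>.
/// The underlying CertStrToName syntax treats ',', '+', '=' and '"' as delimiters; enclosing the
/// value in double quotes and doubling any embedded quote makes it a literal, so caller-supplied
/// text cannot inject extra RDNs into the certificate subject.
/// </summary>
/// <param name="value">Raw attribute value; must not be null.</param>
/// <returns>The value enclosed in double quotes with embedded quotes doubled.</returns>
private static string QuoteRdnValue(string value)
{
    return "\"" + value.Replace("\"", "\"\"") + "\"";
}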

然后赛门铁克会返回 base64 编码的证书,但我无法把它上传到 IIS。如果我把在 IIS 上手动生成的 CSR 发送给赛门铁克,返回的证书就可以上传。所以,我的问题是:如何生成与 IIS 上生成的 CSR 相同的 CSR。

回答


它不能按照你想要的方式完成。CSR 和私钥是在同一台服务器上生成的;要使用 CA 返回的签名证书,您必须拥有创建该 CSR 时生成的私钥。但是,您是在另一台服务器上生成私钥,然后把赛门铁克签发的证书上传到 IIS,而 IIS 上并没有那个私钥。

如果非要这样做,则需要把参数直接发送给 Symantec API;他们会返回一个受密码保护的 PFX 文件(其中同时包含证书和私钥),您可以把该 PFX 文件导入到 IIS 服务器上。

希望这回答了你的问题。