Problem using OpenSSL.net to sign a certificate_问答_开发者

Problem using OpenSSL.net to sign a certificate

开发者 https://www.devze.com 2023-03-23 21:39 出处：网络

I am trying to get OpenSSL.net to 1) create a key pair to use for CA signing and 2) create and sign certificates using this CA. I have managed to create an RSA/SHA1 X509CertificateAuthority, and have

相关专题：.net openssl

I am trying to get OpenSSL.net to 1) create a key pair to use for CA signing and 2) create and sign certificates using this CA. I have managed to create an RSA/SHA1 X509CertificateAuthority, and have created a X509Request and keys, but I am running into problems actually signing the request.

   'create the request and request key
    Dim rsa As OpenSSL.Crypto.RSA = New OpenSSL.Crypto.RSA()
    rsa.GenerateKeys(1024, 65569, Nothing, Nothing)
    Dim req_key As OpenSSL.Crypto.CryptoKey = New OpenSSL.Crypto.CryptoKey(rsa)
    Dim req_key_b As OpenSSL.Core.BIO = OpenSSL.Core.BIO.MemoryBuffer
    req_key_b.Write(req_key.GetRSA.PrivateKeyAsPEM)
    WriteBio(req_key_b, IO.Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "req.key"))

    'make the request
    Dim req As OpenSSL.X509.X509Request = New OpenSSL.X509.X509Request(3, "CN=newcert", req_key)

    Dim req_cert As OpenSSL.X509.X509Certificate = ca.ProcessRequest(req, Now, Now.AddDays(365))
    '** ^^^ Exception on this line ^^^ ***
    Dim req_cert_b As OpenSSL.Core.BIO = OpenSSL.Core.BIO.MemoryBuffer
    req_cert.Write(req_cert_b)
    WriteBio(req_cert_b, IO.Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "req.crt"))

I am getting an OpenSslException on the line noted above, with the message

error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key type erro开发者_如何学Cr:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib

Any ideas?

I had the same error. After some research it seems to work when I manually specify the MessageDigest, like this:

var certificate = ca.ProcessRequest(req, Now, Now.AddDays(365), MessageDigest.SHA1)

You can also specify the default message digest in your openssl.conf: default_md. But you probably initialized the CA without a config, just like me :)

var ca = new X509CertificateAuthority(pkcs12.Certificate, pkcs12.PrivateKey, new SimpleSerialNumber(42), null);

I know you gave up and used BouncyCastle instead, but hopefully this is useful to someone else :)

Actually the problem is that the default digest method DSS1 gives an error when used for signing. So specifying an other signing method will solve the problem.