Encryption and decryption practice with digital certificates (I): certificate acquisition and management

Source: Internet
Author: User

I. Obtaining the certificate

1. Obtained from a CA

2. Obtained from the Windows 2003 Certificate Services

3. Obtained with the MakeCert tool

II. Saving certificates

1. Save in the certificate store

2. Save in file form

2.1. Certificate with private key

2.2. Binary-encoded certificate

2.3. Base64-encoded certificate

3. Converting between the certificate store and certificate files

3.1. Using tools to convert

3.1.1 Importing a certificate file into the certificate store

3.1.2 Exporting from the certificate store to a certificate file

3.2. Using code to convert

3.2.1 Importing a certificate file into the certificate store

3.2.2 Exporting from the certificate store to a certificate file

A digital certificate binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A digital certificate lets others verify that a person is entitled to use a given key, which helps prevent someone from impersonating another user with a forged key. Used together with encryption, digital certificates provide a more complete solution for establishing the identities of the parties in a transaction.

I. Obtaining the certificate

1. Obtained from a CA

For a commercial application it is best to obtain the certificate from an issuing certification authority (CA) such as VeriSign. Certificates issued by such large CAs are trusted by default on many systems, because the CA itself is preinstalled as a trusted certification authority. Such a certificate has to be purchased, however.

For non-commercial use, the CA www.cacert.org issues free certificates on request.

2. Obtained from the Windows 2003 Certificate Services

Installing Certificate Services on Windows 2003 lets the Windows 2003 server act as a small CA that issues certificates on request.

3. Obtained with the MakeCert tool

Microsoft ships a command-line tool, Makecert.exe, with the .NET Framework SDK for generating digital certificates.

A certificate generated by MakeCert is saved directly into the certificate store named on the command line.

For example, use the following command to generate a certificate:

makecert -sr CurrentUser -ss My -n "CN=mytestcert" -sky exchange -pe

Parameter description:

-sr CurrentUser: specifies the certificate store location for the subject. The location can be CurrentUser (the default) or LocalMachine.

-ss My: specifies the name of the subject's certificate store, where the generated certificate is placed. My means the Personal store.

-n CN=mytestcert: specifies the subject name of the certificate. The name must conform to the X.500 standard. The simplest form is to put the name in double quotation marks with the prefix CN=, for example "CN=myname".

-sky exchange: specifies the issuer's key type, which must be signature, exchange, or an integer representing the provider type. By default 1 is passed, meaning an exchange key; 2 means a signature key.

-pe: marks the generated private key as exportable. This allows the private key to be included in the certificate.

This command generates a certificate named mytestcert and saves it in the current user's Personal certificate store.

II. Saving certificates

1. Save in the certificate store

The certificate generated by the MakeCert command is saved in the certificate store. The certificate store is a special area of the system dedicated to storing digital certificates.

The certificate store is managed with the Certificates snap-in for MMC. Windows does not provide a ready-made console for certificate management; you add the snap-in to MMC yourself, as follows:

- Start > Run > mmc opens an empty MMC console.

- In the console menu: File > Add/Remove Snap-in > Add > select "Certificates" > Add > select "My user account" > Close > OK

- In the console menu: File > Add/Remove Snap-in > Add > select "Certificates" > Add > select "Computer account" > Close > OK

When you are finished, the MMC console contains two Certificates snap-ins:


Figure 1. Certificate Management

After adding the Certificates snap-ins, you can save this MMC console for later reuse: select "Save" in the File menu and give it a name such as "certificate.msc".

The two snap-ins correspond to the two storage locations for certificates:

Current User (CurrentUser): the certificate store used by the current user.

Local Computer (LocalMachine): the certificate store assigned to the local computer.

The folders below each storage location are the individual certificate stores; the following stores are preset:

AddressBook: the certificate store for other users' certificates.

AuthRoot: the certificate store for third-party certification authorities (CAs).

CertificateAuthority: the certificate store for intermediate certification authorities (CAs).

Disallowed: the certificate store for revoked certificates.

My: the certificate store for personal certificates.

Root: the certificate store for trusted root certification authorities (CAs).

TrustedPeople: the certificate store for directly trusted people and resources.

TrustedPublisher: the certificate store for directly trusted publishers.

2. Save in file form

A certificate that exists as a file usually takes one of these forms:

2.1. Certificate with private key

Defined by Public-Key Cryptography Standards #12 (PKCS#12): a binary container that holds the certificate together with its private key, saved with the file extension PFX.

2.2. Binary-encoded certificate

The certificate without its private key, encoded in binary DER format, saved with the file extension CER.

2.3. Base64-encoded certificate

The certificate without its private key, stored as the Base64 encoding of the DER bytes, also saved with the file extension CER.
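As an added example (not code from the original article), the following C# program tells the three file forms apart by inspecting the file contents rather than trusting the extension, and converts a private-key-free certificate between the DER and Base64 forms. The file paths used in Main are assumptions; X509Certificate2.GetCertContentType, Export(X509ContentType.Cert) and RawData are standard .NET APIs.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not the original article's code. File paths are assumptions.
static class CertFileForms
{
    // Classify a certificate file by content: GetCertContentType inspects the
    // bytes, so a PFX renamed to .cer is still reported as PKCS#12.
    public static string Describe(string path)
    {
        X509ContentType type = X509Certificate2.GetCertContentType(path);
        switch (type)
        {
            case X509ContentType.Pfx:   // PKCS#12 container, carries the private key
                return "PKCS#12 / PFX (password needed to load the private key)";
            case X509ContentType.Cert:  // single certificate, no private key
                return IsBase64Armored(path)
                    ? "Base64-encoded X.509 (.cer)"
                    : "DER-encoded X.509 (.cer)";
            default:
                return "other content type: " + type;
        }
    }

    // A Base64 .cer starts with the PEM header line; a DER file starts with byte 0x30.
    static bool IsBase64Armored(string path)
    {
        using (StreamReader reader = new StreamReader(path))
        {
            string first = reader.ReadLine();
            return first != null && first.StartsWith("-----BEGIN CERTIFICATE-----");
        }
    }

    // DER -> Base64: Export(Cert) returns the DER bytes of the certificate alone and
    // never a private key, so this conversion is safe on any loaded certificate.
    public static void DerToBase64(string derPath, string base64Path)
    {
        X509Certificate2 cert = new X509Certificate2(derPath);
        byte[] der = cert.Export(X509ContentType.Cert);
        string b64 = Convert.ToBase64String(der);
        StringBuilder sb = new StringBuilder("-----BEGIN CERTIFICATE-----\r\n");
        for (int i = 0; i < b64.Length; i += 64)          // 64-character lines, as in PEM
            sb.Append(b64, i, Math.Min(64, b64.Length - i)).Append("\r\n");
        sb.Append("-----END CERTIFICATE-----\r\n");
        File.WriteAllText(base64Path, sb.ToString());
    }

    // Base64 -> DER: the constructor accepts the armored file; RawData holds the DER bytes.
    public static void Base64ToDer(string base64Path, string derPath)
    {
        X509Certificate2 cert = new X509Certificate2(base64Path);
        File.WriteAllBytes(derPath, cert.RawData);
    }

    static void Main()
    {
        string der = @"c:\samples\mytestcert.cer";        // assumed DER .cer written by the export wizard
        string pem = @"c:\samples\mytestcert_b64.cer";    // assumed output path
        Console.WriteLine(Describe(@"c:\samples\mytestcert.pfx"));
        Console.WriteLine(Describe(der));
        DerToBase64(der, pem);
        Base64ToDer(pem, @"c:\samples\mytestcert_roundtrip.cer");
        Console.WriteLine(Describe(pem));
    }
}
```

Describe reports "PKCS#12 / PFX" for a file that carries a private key regardless of its extension, which is the check to run before deciding whether a file may be copied or published: only the two CER forms are safe to hand out.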

3. Converting between the certificate store and certificate files

3.1. Using tools to convert

Windows has built-in tools for importing a digital certificate from a file into a certificate store and for exporting a certificate from the store to a file.

3.1.1 Importing a certificate file into the certificate store

In Explorer, locate the certificate file you want to import, right-click the PFX or CER file (for example the mytestcert certificate generated above with MakeCert) and select Install; the Certificate Import Wizard starts:


Figure 2. Certificate Import Wizard

Next, the wizard shows the path of the certificate file to import; confirm it and go to the next step.

If you are importing a PFX certificate that contains a private key, you need to provide a password:


Figure 3. Require password when importing PFX

A PFX certificate contains the private key, and a password is set to protect that key when the certificate is saved to a file, so at this step you must enter the password that was set when the certificate was saved.

If you select "Mark this key as exportable", the certificate imported into the store can later be exported again with its private key; otherwise it can only be exported without the private key.

If you are importing a CER certificate, the Import Wizard goes directly to this next step.


Figure 4. Select certificate Store

The wizard can place the certificate in a store automatically based on its type, or you can choose the store yourself; usually the Personal store is chosen.

The import is complete. Open certificate management and the certificate has been imported:


Figure 5. View the imported certificate 1

Double-click the Mytestcert Certificate:


Figure 6. View the imported Certificate 2

This shows the certificate's details, and you can see that this certificate has a private key. If you imported a CER certificate, which contains no private key, the private key indicator is not shown here.

3.1.2 Exporting from the certificate store to a certificate file

Now export the certificate imported into the store above back to a certificate file.

Right-click the mytestcert certificate > All Tasks > Export...; the Certificate Export Wizard runs:


Figure 7. Certificate Export Wizard

The mytestcert certificate exported here contains a private key, so the wizard first asks whether to export the private key along with the certificate. If you choose to export the private key, the next step is:


Figure 8. Certificate options with private key PFX format

Exporting with the private key produces a certificate in PFX format. This page offers some options for the exported PFX certificate.

If you choose not to export the private key, or the certificate being exported has no private key, this step only offers formats without a private key (the PFX option is greyed out):


Figure 9. Certificate option with CER format without private key

These are the options for exporting without a private key; usually the certificate is exported as a CER file.

DER encoded binary X.509: the certificate stored in binary form.

Base64 encoded X.509: the certificate's DER bytes converted to Base64 and stored as text.

Next, if you are exporting a certificate with a private key, you need to provide a private key protection password:


Figure 10. Exporting a certificate with its private key requires a private key protection password

Next, provide the path to the certificate file:


Figure 11. Specify the path to export the certificate

The certificate export is complete.

3.2. Using code to convert

Besides the Windows tools, you can import and export certificates from code in your own program, to meet whatever requirements your application has for handling certificates.

The following code does the same thing as the tools: it imports a certificate file into the store, then exports the imported certificate back to a certificate file.

3.2.1 Importing a certificate file into the certificate store

- Read the certificate into a certificate object

The X509Certificate2 class in .NET Framework 2.0 represents a certificate.

To load a certificate from a certificate file that contains a private key, you must supply the password that was set when the certificate was saved:

using System.Security.Cryptography.X509Certificates;

X509Certificate2 myX509Certificate2 = new X509Certificate2(
    @"c:/samples/partneraencryptmsg/mytestcert.pfx",   // certificate file path
    "Password",                                        // the certificate's private key protection password
    X509KeyStorageFlags.Exportable                     // the private key of this certificate may be exported later
);

- Create the matching store object and save the certificate

The X509Store class in .NET Framework 2.0 represents a certificate store. As discussed earlier, the certificate store is a two-level hierarchy: the first level is the storage location (StoreLocation) and the second is the store name (StoreName), so an X509Store object stands for one store within one storage location.

Create an X509Store and add the certificate object above to it:

// Create an X509Store object pointing at the current user's Personal store
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(myX509Certificate2);
store.Close();

The certificate is now imported into the current user's Personal certificate store.

3.2.2 Exporting from the certificate store to a certificate file

Next, export the certificate just imported into the current user's Personal store back to a certificate file:

using System.IO;
using System.Security.Cryptography.X509Certificates;

// Create an X509Store object pointing at the current user's Personal store
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);

// Walk every certificate in the store
foreach (X509Certificate2 myX509Certificate2 in store.Certificates)
{
    // Compare the subject name with the certificate to export (mytestcert) to locate it
    if (myX509Certificate2.Subject == "CN=mytestcert")
    {
        // Export the certificate to a byte[]; "password" protects the private key
        byte[] certByte = myX509Certificate2.Export(X509ContentType.Pfx, "password");

        // Write the certificate bytes to the certificate file
        FileStream fstream = new FileStream(
            @"C:/samples/partneraencryptmsg/mytestcert_exp.pfx",
            FileMode.Create,
            FileAccess.Write);
        fstream.Write(certByte, 0, certByte.Length);
        fstream.Close();
    }
}

store.Close();

Note

To export a CER certificate without the private key, pass X509ContentType.Cert as the first parameter; the certificate is then exported as a CER without a private key, and no password is needed:

byte[] certByte = myX509Certificate2.Export(X509ContentType.Cert);

In the Export method of the X509Certificate2 class, the first parameter X509ContentType.Pfx means the certificate is exported in PFX form, including the private key, and the second parameter is the private key protection password. The X509KeyStorageFlags.Exportable parameter in the constructor is the equivalent of "Mark this key as exportable" when importing interactively with the tool; if this flag is omitted from the constructor, the certificate's private key cannot be exported.

Whichever storage location the certificate is imported into, the private key is by default saved under CurrentUser. To save the private key under LocalMachine, pass as the third parameter: X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet. For a detailed description of the Makecert.exe tool, see Microsoft's documentation: http://msdn.microsoft.com/library/chs/Default.asp?url=/library/chs/cptools/html/cpgrfcertificatecreationtoolmakecertexe.asp
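As an added example (not the article's own code), the following C# program puts the import and export steps of 3.2.1 and 3.2.2 together and generalises them: it picks the key storage flags according to the target location, loads a CER without asking for a password, locates the certificate by its full subject distinguished name instead of walking the store, and refuses to write a PFX for a certificate that has no private key. The paths, the password "password" and the subject "CN=mytestcert" are assumptions; the APIs used are the standard X509Certificate2 and X509Store members.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example, not the original article's code. Paths, password and subject are assumptions.
static class CertStoreTransfer
{
    // Import a .pfx or .cer file into the Personal store of the given location.
    // For LocalMachine, MachineKeySet keeps the private key with the machine rather than
    // the importing user's profile; PersistKeySet keeps the key after the object is freed.
    public static X509Certificate2 Import(string path, string password,
                                          StoreLocation location, bool exportable)
    {
        X509KeyStorageFlags flags = X509KeyStorageFlags.PersistKeySet;
        if (exportable) flags |= X509KeyStorageFlags.Exportable;
        if (location == StoreLocation.LocalMachine) flags |= X509KeyStorageFlags.MachineKeySet;

        // A .cer carries no private key, so the password only applies to PKCS#12 files.
        X509Certificate2 cert = X509Certificate2.GetCertContentType(path) == X509ContentType.Pfx
            ? new X509Certificate2(path, password, flags)
            : new X509Certificate2(path);

        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); }          // no-op if the same certificate is already present
        finally { store.Close(); }
        return cert;
    }

    // Export the certificate whose subject DN matches exactly. withPrivateKey = true writes
    // PKCS#12 (.pfx) protected by password; false writes a DER .cer without a key.
    public static bool Export(string subjectDn, StoreLocation location,
                              string outPath, bool withPrivateKey, string password)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so a self-signed MakeCert certificate that chains to no
            // trusted root is still returned.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, false);
            if (found.Count == 0) return false;
            X509Certificate2 cert = found[0];

            byte[] bytes;
            if (withPrivateKey)
            {
                // Export(Pfx) on a certificate without a private key silently yields a
                // key-less PFX, so check first; a non-exportable key makes Export throw.
                if (!cert.HasPrivateKey)
                    throw new InvalidOperationException("no private key in the store for " + subjectDn);
                bytes = cert.Export(X509ContentType.Pfx, password);
            }
            else
            {
                bytes = cert.Export(X509ContentType.Cert);   // DER, never includes the key
            }
            File.WriteAllBytes(outPath, bytes);
            return true;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        // Assumed file paths; mytestcert.pfx is the certificate generated with MakeCert.
        X509Certificate2 c = Import(@"c:\samples\mytestcert.pfx", "password",
                                    StoreLocation.CurrentUser, true);
        Console.WriteLine("imported " + c.Subject + ", thumbprint " + c.Thumbprint);

        Export("CN=mytestcert", StoreLocation.CurrentUser,
               @"c:\samples\mytestcert_exp.pfx", true, "password");    // with private key
        Export("CN=mytestcert", StoreLocation.CurrentUser,
               @"c:\samples\mytestcert_exp.cer", false, null);         // certificate only
    }
}
```

Locating the certificate with Find(FindBySubjectDistinguishedName, ...) avoids the case-sensitive string comparison of the loop version, and the HasPrivateKey check is what distinguishes "exported a PFX" from "exported a PFX that happens to contain no key", which the wizard shows by greying out the option but Export does not.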
