"Win 10 app development": importing a .pfx certificate

Source: Internet
Author: User
Tags pfx file

This feature is not commonly used, and everyday development rarely involves certificates, but a brief understanding of it is still worthwhile.

First, how to make a test certificate. I'll cover two methods here; either one produces a .pfx file for testing.

Everyone knows there is a makecert tool for producing certificates. Let's start by using it to generate a certificate and store it in the current user's certificate store. Open the Developer Command Prompt for VS and enter:

    makecert -n "CN=Chinese Good man" -pe -sr CurrentUser -ss My -b <start date> -e <end date in 2018>

-n sets the subject name of the certificate. In the system's Certificates snap-in window it appears in the "Issued To" column, that is, who the certificate is issued to. In this case, the certificate of honor goes to a good man of China.

The -pe parameter must be added. It marks the certificate's private key as exportable, which we need because we will export the certificate to a .pfx file later.

-sr specifies whether the certificate is a user certificate or a certificate for this computer. CurrentUser is a user certificate, visible only to the currently logged-on user; if you want it visible to all users, use LocalMachine, which is a computer-wide certificate.

-ss names the certificate store; My means the certificate is installed in the "Personal" store.

-b and -e set the start and end of the certificate's validity period; not much more needs to be said.

After the command has run, open the user certificate management window and expand the Personal branch; you will see the certificate you just created.

The rest is easy: just export the certificate. On the second page of the Export Wizard, remember to select the option to export the private key.

This works because a .pfx file can contain a private key. When you go to the next step, Personal Information Exchange is selected automatically.

Choose the options below it according to your situation, then click Next. On the Security page, tick Password and enter a password.

You choose the password yourself; for example, I entered the brain-dead password 1234.

Then select the storage path for the .pfx file.

Then keep clicking Next until you are done.

The method above goes through the certificate management window. Now let's look at another method that is done entirely from the command line. Besides the indispensable makecert, you need two more tools, cert2spc and pvk2pfx. Their names tell you what they do: cert2spc converts a certificate file (.cer) into an SPC file, and pvk2pfx combines the private key file and the SPC file to produce the final .pfx file.

Step 1: generate the certificate and private key files. Enter the following command:

    makecert -n "CN=Chinese Good girl" -b <start date> -e <end date> -sv testkey.pvk test.cer

The earlier parameters were covered above. -sv gives the name of the key file, usually with a .pvk suffix; this is the private key. The last parameter is the file name of the certificate, with a .cer suffix. This command writes directly to files rather than to the certificate store.

When the command runs, an input box pops up first, asking you to create a password for the .pvk file; for example, I again use the brain-dead password 1234.

After you click OK, another input box pops up, this time asking you to enter the password you just created, such as 1234.

After you confirm, and barring accidents, the certificate and private key files have been generated.

Once you have confirmed that both files were generated successfully, proceed to the next step.

Step 2: convert the CER to SPC. Enter the command:

    cert2spc test.cer test.spc

The first parameter is the CER file (certificate) to be converted, and the second parameter is the output SPC file.

After the command runs, there is a new test.spc file.

Step 3: use the SPC and PVK files generated above to produce the PFX file. Enter the command:

    pvk2pfx -pvk testkey.pvk -pi 1234 -spc test.spc -pfx <output>.pfx -po 123456

-pvk is the .pvk file just created, and -pi is the password for the .pvk file, which I set to 1234 a moment ago.

-spc is the name of the SPC file just generated, -pfx is the output PFX file name, and -po is the new PFX password, which I changed to 123456.

After the command runs, you will see a new .pfx file.

That part is done. Now that the PFX file exists, it's time to import the certificate in the UWP app.

Before we start, we need to know that the system creates a separate certificate store for each app. The store is created when the app is installed and deleted when the app is uninstalled. Each app's certificates can therefore be used only by that app, and an app cannot access the certificates of other apps. If you want other apps to be able to use a certificate, use shared user certificates: a shared certificate is imported into the current user's certificate store in the system, so other apps can access it. To guard against apps with ulterior motives, of course, an app gets only import and read permission; it cannot write to or delete certificates.

The Windows.Security.Cryptography.Certificates namespace exposes several classes for certificate operations. In my testing, not all of the APIs are usable; some throw exceptions, possibly because they are not fully implemented yet. We will have to see what this year's "Redstone" update brings. Win 10 keeps getting cumulative updates anyway, a truth our ancestors understood 8,000 years ago.

The CertificateEnrollmentManager class exposes several overloads of the ImportPfxDataAsync method, which import a certificate from a .pfx file.

Note, however, that if you call the method on the CertificateEnrollmentManager class directly, the imported certificate is stored in the application's isolated store and can be used only by that app.

If you instead call the method on CertificateEnrollmentManager.UserCertificateEnrollmentManager, the certificate is imported into the user store and can be shared with other apps.

OK, here is the code that imports the certificate.

    // Required namespaces (at the top of the file)
    using Windows.Security.Cryptography;
    using Windows.Security.Cryptography.Certificates;
    using Windows.Storage;
    using Windows.Storage.Pickers;
    using Windows.Storage.Streams;

    // Let the user pick the .pfx file
    FileOpenPicker picker = new FileOpenPicker();
    picker.FileTypeFilter.Add(".pfx");
    StorageFile pfxFile = await picker.PickSingleFileAsync();
    if (pfxFile != null)
    {
        // Convert the certificate contents to a Base64 string
        IBuffer buffer = await FileIO.ReadBufferAsync(pfxFile);
        string cerB64 = CryptographicBuffer.EncodeToBase64String(buffer);
        // Password (pwd is the PasswordBox on the page)
        string password = pwd.Password;
        // Import the certificate
        if (chkUserCert.IsChecked == true)
        {
            // Import into the current user's store
            await CertificateEnrollmentManager.UserCertificateEnrollmentManager.ImportPfxDataAsync(cerB64, password, ExportOption.Exportable, KeyProtectionLevel.NoConsent, InstallOptions.DeleteExpired, "Goodboy");
        }
        else
        {
            // Import into the current app's store
            await CertificateEnrollmentManager.ImportPfxDataAsync(cerB64, password, ExportOption.Exportable, KeyProtectionLevel.ConsentOnly, InstallOptions.DeleteExpired, "Goodboy");
        }
    }

Because the import method takes the certificate as a Base64 string, the .pfx file is converted to a Base64 string after it is opened.

The first parameter of the ImportPfxDataAsync method is the Base64 string of the certificate file. The second parameter is the password, which is the 123456 set with the pvk2pfx command a moment ago.

ExportOption.Exportable means that the private key can be exported. KeyProtectionLevel.NoConsent means the private key does not need protection; if other values are used, a dialog box pops up during import so that the user can set a password to protect the private key.

InstallOptions.DeleteExpired indicates that the certificate is deleted if it has expired.
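The same import into the app's own store, but with the private key marked non-exportable and protected by a user-set password, followed by a lookup that reports what the store actually holds. This is an added example, not the original author's code; the class and method names (PfxImportExample, ImportLockedDownAsync) are hypothetical, and the friendly name is whatever the caller passes, such as the "Goodboy" used above.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Storage;
using Windows.Storage.Streams;

public static class PfxImportExample   // hypothetical helper, not part of the original sample
{
    // Imports a .pfx into the app's isolated store with the stricter options,
    // then queries the store by friendly name and describes each match.
    public static async Task<IList<string>> ImportLockedDownAsync(
        StorageFile pfxFile, string pfxPassword, string friendlyName)
    {
        IBuffer buffer = await FileIO.ReadBufferAsync(pfxFile);
        string pfxB64 = CryptographicBuffer.EncodeToBase64String(buffer);

        await CertificateEnrollmentManager.ImportPfxDataAsync(
            pfxB64,
            pfxPassword,
            ExportOption.NotExportable,              // key cannot be exported again
            KeyProtectionLevel.ConsentWithPassword,  // user sets a password for the key
            InstallOptions.DeleteExpired,
            friendlyName);

        // Read the certificate back instead of assuming the import did what was asked.
        var query = new CertificateQuery { FriendlyName = friendlyName };
        IReadOnlyList<Certificate> found = await CertificateStores.FindAllAsync(query);

        var report = new List<string>();
        foreach (Certificate cert in found)
        {
            report.Add(string.Format(
                "{0}: HasPrivateKey={1}, IsStronglyProtected={2}, ValidTo={3:d}",
                cert.Subject, cert.HasPrivateKey, cert.IsStronglyProtected, cert.ValidTo));
        }
        if (report.Count == 0)
        {
            throw new InvalidOperationException(
                "Import returned, but no certificate with that friendly name was found.");
        }
        return report;
    }
}
```

Call it from the same handler after the file picker, passing pfxFile, pwd.Password and the friendly name, and show the returned lines to confirm the stored key's properties.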

If you want to share user certificates, open the manifest file, switch to the Capabilities tab, and tick "Shared User Certificates". The XML is as follows:

    <Capabilities>
      ...
      <uap:Capability Name="sharedUserCertificates" />
    </Capabilities>

If the certificate was imported into the current user's certificate store, you can open the user certificate management window and expand the Personal branch, where you will see the imported certificate.

OK, that's all for today. The weather is quite hot, so remember to drink plenty of water and fewer poisonous drinks.
