Encryption and decryption using X.509 digital certificates in practice (1): obtaining and managing certificates

I. Obtaining a certificate
1. From a CA
2. From Windows 2003 Certificate Services
3. Using the makecert tool
II. Saving a certificate
1. In the certificate store
2. As a file
2.1 Certificate with private key
2.2 Binary-encoded certificate
2.3 Base64-encoded certificate
3. Converting between certificate store and certificate file
3.1 Using the built-in tools
3.1.1 Importing a certificate file into the certificate store
3.1.2 Exporting a certificate file from the certificate store
3.2 In code
3.2.1 Importing a certificate file into the certificate store
3.2.2 Exporting a certificate file from the certificate store

Reposted from http://blog.sina.com.cn/s/blog_6168ee920100jsqv.html

A digital certificate (also called a public key certificate) binds a key pair that can be used to encrypt and sign digital information to an identity. A certificate lets a relying party verify that a person is entitled to use a given key, which helps prevent an attacker from impersonating another user with a forged key. Used together with encryption, digital certificates provide a more complete solution for establishing the identity of the parties to a transaction.

I. Obtaining a certificate

1. From a CA. For a commercial application the best option is to obtain a certificate from a commercial certification authority such as VeriSign. The root certificates of the large CAs are already present in the default trusted root store, so a certificate they issue is trusted without further configuration. Such certificates must be purchased.

If the application is not commercial, a CA that issues certificates free of charge is www.cacert.org. Note that CAcert's root is not in the Windows trusted root store, so a certificate it issues is only trusted on machines where that root has been installed manually.

2. From Windows 2003 Certificate Services. Install Certificate Services on a Windows 2003 server; the server then acts as a small CA from which certificates can be requested.

3. Using the makecert tool. Microsoft's Framework SDK includes a command-line tool for generating X.509 certificates, Makecert.exe.

A certificate generated by makecert is placed in the certificate store named on the command line.

For example, the following command generates a certificate:

makecert -sr CurrentUser -ss My -n "CN=MyTestCert" -sky exchange -pe

Parameters:

-sr CurrentUser: specifies the subject's certificate store location. The location can be CurrentUser (the default) or LocalMachine.

-ss My: specifies the name of the subject's certificate store, where the output certificate is stored. My is the "Personal" store.

-n CN=MyTestCert: specifies the certificate subject name. The name must conform to the X.500 standard. The simplest form is the name in double quotes with the prefix CN=, for example "CN=myName".

-sky exchange: specifies the subject's key type, which must be signature, exchange, or an integer representing a provider type. By default, 1 can be passed for an exchange key and 2 for a signature key.

-pe: marks the generated private key as exportable, so that the private key can be included when the certificate is later exported. Omit it for a key that should never leave the machine; a non-exportable key can still be used for signing and decryption from the store.

This command generates a certificate named MyTestCert and saves it to the current user's Personal certificate store. Without -r, makecert issues the certificate from its built-in test root ("Root Agency"), whose private key is public, so nothing trusts the result by default; that is fine for testing but not for production use.

II. Saving a certificate

1. In the certificate store

A certificate generated by makecert is placed in the certificate store. The system certificate store is a dedicated area for holding X.509 digital certificates; for a certificate with a private key, the store entry also links to the key container that holds the key.

The certificate store is managed with the Certificates snap-in in MMC. Windows does not provide a ready-made entry point for managing certificates; add one yourself in MMC as follows:

- Start -> Run -> mmc to open an empty MMC console.

- On the File menu, Add/Remove Snap-in -> Add -> select "Certificates" -> Add -> select "My user account" -> Finish -> Close -> OK.

- On the File menu, Add/Remove Snap-in -> Add -> select "Certificates" -> Add -> select "Computer account" -> Finish -> Close -> OK.

When done, the MMC console contains two Certificates snap-ins:

Figure 1. Certificate management

After adding the Certificates snap-ins you can save the MMC console settings for reuse: on the File menu choose Save and store it as, for example, certificates.msc.

The two snap-ins correspond to the two certificate store locations:

CurrentUser: the current user's X.509 certificate stores.

LocalMachine: the X.509 certificate stores assigned to the local computer.

Each store location contains a set of named stores; the defaults are:

AddressBook: X.509 certificates of other users.

AuthRoot: third-party certification authority (CA) certificates.

CertificateAuthority: intermediate certification authority (CA) certificates.

Disallowed: explicitly distrusted (revoked) certificates; this is the "Untrusted Certificates" store in the snap-in.

My: personal certificates, i.e. those for which this user or machine holds the private key; shown as "Personal".

Root: trusted root certification authority (CA) certificates.

TrustedPeople: directly trusted people and resources.

TrustedPublisher: directly trusted software publishers.

Note that a LocalMachine store is visible to every user of the machine, and adding a certificate to LocalMachine\Root makes every user trust that CA, so writing there requires administrative rights and should be done deliberately.

2. As a file

A certificate saved as a file generally takes one of these formats:

2.1 Certificate with private key. Defined by Public Key Cryptography Standards #12 (PKCS #12): a binary container holding the certificate (public key) together with the private key, normally with the .pfx extension (.p12 is the same format). Because it carries the private key, the file is password-protected and must be handled as a secret.

2.2 Binary-encoded certificate. The certificate without the private key, DER-encoded in binary form, normally with the .cer extension.

2.3 Base64-encoded certificate. The certificate without the private key: the DER bytes Base64-encoded between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Also uses the .cer extension.
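As an added example (not code from the original post), the following C# loads a certificate file in any of the three formats above, tells a .pfx apart from a .cer by content rather than by extension, and converts a DER .cer to and from the Base64 form. The paths and the password "password" are placeholders, and the files are assumed to exist.

```csharp
// Added example, not the original post's code. Paths and password are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CertFiles
{
    const string PemHeader = "-----BEGIN CERTIFICATE-----";
    const string PemFooter = "-----END CERTIFICATE-----";

    // Load a .cer (DER or Base64) or a .pfx. A PFX needs the password that protects
    // its private key; a .cer never carries one, so the password is ignored for it.
    public static X509Certificate2 Load(string path, string pfxPassword)
    {
        byte[] raw = File.ReadAllBytes(path);
        // Sniff the container type from the bytes, not from the file extension.
        X509ContentType type = X509Certificate2.GetCertContentType(raw);
        switch (type)
        {
            case X509ContentType.Pfx:   // X509ContentType.Pkcs12 is the same value
                if (pfxPassword == null)
                    throw new ArgumentException("a PFX file requires its password", "pfxPassword");
                // Exportable is deliberately not set: the key stays in its key container.
                return new X509Certificate2(raw, pfxPassword, X509KeyStorageFlags.DefaultKeySet);
            case X509ContentType.Cert:  // DER or Base64 .cer; CryptoAPI accepts both
                return new X509Certificate2(raw);
            default:
                throw new CryptographicException("unsupported certificate container: " + type);
        }
    }

    // A Base64 .cer is just the DER bytes wrapped in PEM armour, 64 characters per line.
    public static string DerToBase64Cer(byte[] der)
    {
        string b64 = Convert.ToBase64String(der);
        StringBuilder sb = new StringBuilder();
        sb.Append(PemHeader).Append("\r\n");
        for (int i = 0; i < b64.Length; i += 64)
            sb.Append(b64, i, Math.Min(64, b64.Length - i)).Append("\r\n");
        sb.Append(PemFooter).Append("\r\n");
        return sb.ToString();
    }

    // Reverse direction: strip the armour and decode. FromBase64String ignores line breaks.
    public static byte[] Base64CerToDer(string pem)
    {
        int start = pem.IndexOf(PemHeader, StringComparison.Ordinal);
        int end = pem.IndexOf(PemFooter, StringComparison.Ordinal);
        if (start < 0 || end < start)
            throw new FormatException("not a Base64 .cer file");
        string body = pem.Substring(start + PemHeader.Length, end - start - PemHeader.Length);
        return Convert.FromBase64String(body);
    }

    static void Main()
    {
        X509Certificate2 cert = Load(@"C:\Samples\MyTestCert.pfx", "password");
        Console.WriteLine("Subject:         {0}", cert.Subject);
        Console.WriteLine("Thumbprint:      {0}", cert.Thumbprint);
        Console.WriteLine("Has private key: {0}", cert.HasPrivateKey);

        // The public part can always be written out without a password, in either encoding.
        byte[] der = cert.Export(X509ContentType.Cert);
        File.WriteAllBytes(@"C:\Samples\MyTestCert_der.cer", der);
        File.WriteAllText(@"C:\Samples\MyTestCert_b64.cer", DerToBase64Cer(der), Encoding.ASCII);

        // Round trip: the Base64 file decodes back to the same certificate.
        byte[] back = Base64CerToDer(File.ReadAllText(@"C:\Samples\MyTestCert_b64.cer"));
        Console.WriteLine("Round trip OK:   {0}", new X509Certificate2(back).Thumbprint == cert.Thumbprint);
    }
}
```

Loading by sniffed content type rather than by extension matters because a .pfx renamed to .cer would otherwise be handed to the password-less constructor and fail with an unhelpful error; detecting Pfx up front also gives a clear place to insist on the password.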

3. Converting between certificate store and certificate file

3.1 Using the built-in tools

Windows provides built-in tools for importing a certificate from a file into the certificate store and for exporting a certificate from the store to a file.

3.1.1 Importing a certificate file into the certificate store

In Explorer, locate the certificate file to import (a .cer or .pfx; here the MyTestCert certificate generated with makecert above), right-click it and select "Install Certificate". The Certificate Import Wizard starts:

Figure 2. Certificate Import Wizard

Next, the wizard shows the path of the certificate file to import; confirm it and click Next.

If the file being imported is a .pfx containing a private key, a password is required:

Figure 3. Importing a .pfx requires the password

A .pfx contains a private key and is protected by the password set when it was saved, so this step is needed to unlock the private key.

If you select "Mark this key as exportable", the private key can later be exported again from the certificate store; otherwise only the certificate, without the private key, can be exported. Leave it unchecked unless the key will genuinely need to be moved again: a non-exportable key cannot be copied out of the store through the normal export APIs.

Next, for a .cer import the wizard starts directly at this step:

Figure 4. Selecting the certificate store

The wizard can place the certificate automatically in the store appropriate to its type, or you can choose the store yourself; for a personal certificate the Personal store is the usual choice.

The import is complete. In the Certificates snap-in the imported certificate is now visible:

Figure 5. Viewing the imported certificate (1)

Double-click the MyTestCert certificate:

Figure 6. Viewing the imported certificate (2)

This shows the certificate's details; the note at the bottom says that the certificate has a private key. If a .cer was imported, the certificate carries no private key and that note is absent.

3.1.2 Exporting a certificate file from the certificate store

Having imported the certificate into the store above, now export it to a file again.

Right-click the MyTestCert certificate -> All Tasks -> Export... to start the Certificate Export Wizard:

Figure 7. Certificate Export Wizard

Because MyTestCert has a private key, the wizard first asks whether to export the private key along with the certificate. If you choose to export the private key, the next step is:

Figure 8. Format options for a .pfx with private key

Exporting the certificate together with the private key produces a .pfx. This page offers a few options for the .pfx export; note that "Delete the private key if the export is successful" removes the key from this store, so use it only when deliberately moving the key elsewhere.

If you choose not to export the private key, or the certificate has no private key, this step offers only formats without the private key (the private key option is greyed out):

Figure 9. Format options for a .cer without private key

These are the options for exporting without the private key, which is the usual way to produce a .cer.

DER encoded: the exported certificate is stored in binary form.

Base64 encoded: the binary certificate is Base64-encoded before being stored.

Next, if exporting with the private key, a password to protect the private key must be supplied:

Figure 10. Exporting with the private key requires a protection password

Next, provide the path for the certificate file:

Figure 11. Specifying the export path

The export is complete.

3.2 In code

Besides the interactive tools Windows provides, certificates can also be imported and exported from program code, which suits application systems that need to operate on certificates themselves.

The following performs in code what was done above with the tools: first import the certificate file into the store, then export the certificate from the store to a file.

3.2.1 Importing a certificate file into the certificate store

- Read the certificate file into a certificate object

In .NET Framework 2.0 the X509Certificate2 class (namespace System.Security.Cryptography.X509Certificates) represents a certificate.

using System.Security.Cryptography.X509Certificates;

// Load the certificate from the certificate file. Since the file contains the private key,
// the password set when the certificate was saved must be supplied.
X509Certificate2 myX509Certificate2 = new X509Certificate2(
    @"C:\Samples\PartnerAEncryptMsg\MyTestCert.pfx",  // path to the certificate file
    "password",                                        // password protecting the private key
    X509KeyStorageFlags.Exportable                     // allow the private key to be exported later
);

- Create the store object and save the certificate into the store

In .NET Framework 2.0 the X509Store class represents a certificate store. As discussed above, the certificate store is a hierarchy: the first level is the store location (StoreLocation), the second the store name (StoreName). An X509Store object represents one named store under one location.

Create an X509Store object for the target store and put the certificate loaded above into it:

// Create an X509Store object pointing at the current user's Personal store
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(myX509Certificate2);
store.Close();

This imports the certificate into the current user's Personal certificate store.
3.2.2 Exporting a certificate file from the certificate store

Export the certificate imported above into the current user's Personal store as a certificate file:

using System.IO;
using System.Security.Cryptography.X509Certificates;

// Create an X509Store object pointing at the current user's Personal store
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
// Walk all certificates in the store
foreach (X509Certificate2 myX509Certificate2 in store.Certificates)
{
    // Compare each certificate's subject with that of MyTestCert to find the one to export
    if (myX509Certificate2.Subject == "CN=MyTestCert")
    {
        // Export the certificate into a byte[]; the password protects the private key in the PFX
        byte[] CertByte = myX509Certificate2.Export(X509ContentType.Pfx, "password");
        // Write the bytes to the certificate file
        FileStream fStream = new FileStream(
            @"C:\Samples\PartnerAEncryptMsg\MyTestCert_Exp.pfx",
            FileMode.Create,
            FileAccess.Write);
        fStream.Write(CertByte, 0, CertByte.Length);
        fStream.Close();
    }
}
store.Close();

Note: to export a .cer without the private key, pass X509ContentType.Cert as the first parameter; no password is needed because no private key is written:

byte[] CertByte = myX509Certificate2.Export(X509ContentType.Cert);

In the X509Certificate2.Export method, the first parameter X509ContentType.Pfx requests a .pfx containing the private key and the second parameter is the password protecting that key. Export with X509ContentType.Pfx throws a CryptographicException if the certificate's private key is not exportable.

The constructor's X509KeyStorageFlags.Exportable flag is the equivalent of ticking "Mark this key as exportable" in the interactive import tool; without it the certificate's private key cannot be exported afterwards.

Whichever store location the certificate is later imported into, the private key itself is by default kept in the CurrentUser key container. To keep the private key under LocalMachine, pass X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet as the third argument. PersistKeySet matters in its own right: without it the key container may be deleted when the X509Certificate2 object is disposed or finalized, leaving a store entry whose private key is missing.

For details of the makecert command see the Microsoft documentation for Makecert.exe: http://msdn.microsoft.com/library/chs/default.asp?url=/library/CHS/cptools/html/cpgrfcertificatecreationtoolmakecertexe.asp
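The following is an added example, not the original post's code, that restates the import (3.2.1) and export (3.2.2) above in the form a practitioner would use: the certificate is located again by thumbprint rather than by comparing the subject string (subjects are not unique), PersistKeySet and the user/machine key-set flag are chosen to match the store location, and a certificate whose key is not exportable degrades to a .cer export instead of throwing. The paths and the password "password" are placeholders.

```csharp
// Added example, not the original post's code. Paths and password are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertStoreOps
{
    // Import a PFX and return its thumbprint, the stable handle for later lookups.
    // PersistKeySet keeps the private key container on disk after this object is
    // garbage-collected; without it the store entry can be left pointing at a key that
    // no longer exists. Exportable is set only when the caller explicitly asks for it.
    public static string ImportPfx(string path, string password, bool exportable,
                                   StoreLocation location)
    {
        X509KeyStorageFlags flags = X509KeyStorageFlags.PersistKeySet;
        if (exportable) flags |= X509KeyStorageFlags.Exportable;
        // Keep the key container in the same scope as the store it is registered in.
        flags |= (location == StoreLocation.LocalMachine)
            ? X509KeyStorageFlags.MachineKeySet
            : X509KeyStorageFlags.UserKeySet;

        X509Certificate2 cert = new X509Certificate2(path, password, flags);
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); }    // adding the same certificate twice does not duplicate it
        finally { store.Close(); }
        return cert.Thumbprint;
    }

    // Look up by thumbprint: two certificates can share "CN=MyTestCert", but the SHA-1
    // thumbprint identifies exactly one. validOnly=false so that test certificates with an
    // untrusted chain are still returned.
    public static X509Certificate2 FindByThumbprint(string thumbprint, StoreLocation location)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection hits = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return hits.Count == 0 ? null : hits[0];
        }
        finally { store.Close(); }
    }

    // Export to a file and return the path written. A PFX needs the private key to be
    // present AND exportable; otherwise fall back to a public-only DER .cer.
    public static string ExportToFile(X509Certificate2 cert, string pfxPath, string cerPath,
                                      string pfxPassword)
    {
        if (cert.HasPrivateKey)
        {
            try
            {
                File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pfx, pfxPassword));
                return pfxPath;
            }
            catch (CryptographicException)
            {
                // Key imported without Exportable (or generated by makecert without -pe):
                // only the certificate itself can leave the store.
            }
        }
        File.WriteAllBytes(cerPath, cert.Export(X509ContentType.Cert));
        return cerPath;
    }

    static void Main()
    {
        string tp = ImportPfx(@"C:\Samples\PartnerAEncryptMsg\MyTestCert.pfx", "password",
                              false, StoreLocation.CurrentUser);
        X509Certificate2 cert = FindByThumbprint(tp, StoreLocation.CurrentUser);
        if (cert == null) throw new InvalidOperationException("certificate not found after import");

        string written = ExportToFile(cert,
            @"C:\Samples\PartnerAEncryptMsg\MyTestCert_Exp.pfx",
            @"C:\Samples\PartnerAEncryptMsg\MyTestCert_Exp.cer",
            "password");
        Console.WriteLine("{0} (private key: {1}) written to {2}",
                          cert.Subject, cert.HasPrivateKey, written);
    }
}
```

Because ImportPfx above passes exportable=false, the run ends by writing MyTestCert_Exp.cer: the key is usable from the store for signing and decryption, but the PFX export path is closed, which is the safer default for a key that is meant to stay on this machine. Pass true only when the PFX genuinely has to be recreated later.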