Encryption and Decryption Using X.509 Digital Certificates, Practice (I): Accessing and Managing Certificates

Contents

I. Obtaining a certificate
  1. Obtaining one from a CA
  2. Obtaining one from Windows 2003 Certificate Services
  3. Generating one with the makecert tool
II. Saving a certificate
  1. Saving it in the certificate store
  2. Saving it as a file
    2.1 Certificate with private key
    2.2 Binary (DER) encoded certificate
    2.3 Base64 encoded certificate
  3. Converting between the certificate store and certificate files
    3.1 Using the built-in tools
      3.1.1 Importing a certificate file into the certificate store
      3.1.2 Exporting a certificate file from the certificate store
    3.2 Using code
      3.2.1 Importing a certificate file into the certificate store
      3.2.2 Exporting a certificate file from the certificate store

Reposted from http://blog.sina.com.cn/s/blog_6168ee920100jsqv.html

A digital certificate binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. It lets a relying party verify that a given person has the right to use a given key, which helps prevent someone from using a forged key to impersonate another user. Used together with encryption, digital certificates provide a more complete solution for assuring the identity of the parties to a transaction.

I. Obtaining a certificate
1. Obtaining one from a CA. For a commercial application it is best to obtain the certificate from a certificate authority such as VeriSign. Certificates signed by such a large CA are trusted out of the box, because the CA is already among the default trusted issuers and the certificates it issues are therefore trusted too. Such certificates must be purchased, however.

For non-commercial use, a CA that issues certificates free of charge is www.cacert.org.

2. Obtaining one from Windows 2003 Certificate Services. Installing Certificate Services on a Windows 2003 server turns it into a small CA from which certificates can be requested.

3. Generating one with the makecert tool. Makecert.exe is a command-line tool in the Microsoft .NET Framework SDK that generates X.509 digital certificates.

The certificate makecert generates is placed in the certificate store named on the command line.

For example, the following command generates a certificate:

makecert -sr CurrentUser -ss My -n "CN=MyTestCert" -sky exchange -pe

Parameters:

-sr CurrentUser: the subject's certificate store location. It can be currentuser (the default) or localmachine.

-ss My: the name of the subject's certificate store into which the output certificate is placed. My is the store shown as "Personal".

-n CN=MyTestCert: the certificate subject name. The name must conform to the X.500 standard. The simplest form is the name in double quotes with the prefix CN=, for example "CN=myName".

-sky exchange: the key type, which must be signature, exchange, or an integer denoting the provider type. By default, 1 selects an exchange key and 2 a signature key.

-pe: marks the generated private key as exportable, so the private key is included with the certificate.

This command generates a certificate named MyTestCert and saves it in the current user's Personal certificate store.

II. Saving a certificate
1. Saving it in the certificate store
The certificate generated by the makecert command is placed in the certificate store. The system certificate store is a dedicated area for keeping X.509 digital certificates.

Certificate stores are managed with the Certificates snap-in in the MMC. Windows does not provide a ready-made entry point for managing certificates directly, so add the snap-in yourself in the MMC as follows:

- Start → Run → mmc, which opens an empty MMC console.

- On the console's File menu: Add/Remove Snap-in → Add → select "Certificates" → Add → select "My user account" → OK → Close.

- On the console's File menu: Add/Remove Snap-in → Add → select "Certificates" → Add → select "Computer account" → OK → Close.

When finished, the MMC console contains two Certificates snap-ins:

Figure 1. Certificate Management

After adding the Certificates snap-ins you can save the MMC console settings for later reuse: on the File menu choose Save and save the console as, for example, certificate.msc.

The two snap-ins correspond to the two certificate store locations:

CurrentUser: the X.509 certificate store of the current user.

LocalMachine: the X.509 certificate store assigned to the local computer.

Under each store location there is a set of named stores; the default stores are:

AddressBook: X.509 certificate store for other users.
AuthRoot: X.509 certificate store for third-party certification authorities (CAs).
CertificateAuthority: X.509 certificate store for intermediate certification authorities (CAs).
Disallowed: X.509 certificate store for revoked certificates.
My: X.509 certificate store for personal certificates.
Root: X.509 certificate store for trusted root certification authorities (CAs).
TrustedPeople: X.509 certificate store for directly trusted people and resources.
TrustedPublisher: X.509 certificate store for directly trusted publishers.

2. Saving it as a file
A certificate saved as a file generally takes one of these formats:

2.1 Certificate with private key: defined by Public Key Cryptography Standards #12 (PKCS #12), a binary format that contains both the certificate's public key and its private key. The file extension is .pfx.

2.2 Binary encoded certificate: the certificate without its private key, as a DER-encoded binary certificate file. The file extension is .cer.

2.3 Base64 encoded certificate: the certificate without its private key, as a Base64-encoded certificate file. The file extension is also .cer.

3. Converting between the certificate store and certificate files
3.1 Using the built-in tools
Windows provides built-in tools for importing a certificate from a file into the certificate store and for exporting a certificate from the store to a file.

3.1.1 Importing a certificate file into the certificate store. In Explorer, locate the .cer or .pfx certificate file to import (here the MyTestCert certificate generated above with makecert), right-click it and choose "Install Certificate". The Certificate Import Wizard starts:

Figure 2. Certificate Import Wizard

Next, the wizard shows the path of the certificate file to import; confirm it and click Next.

If the file being imported is a .pfx certificate containing a private key, a password is required:

Figure 3. A password is required when importing a .pfx

Because a .pfx certificate contains a private key, the password set when the certificate file was saved protects that private key, so this step requires the password that was set when the certificate was saved.

If "Mark this key as exportable" is selected, the certificate imported into the store can later be exported together with its private key; otherwise only the certificate, without the private key, can be exported.

Click Next. If a .cer certificate is being imported, the Import Wizard begins directly at this step.

Figure 4. Selecting the certificate store. The certificate can be placed automatically in the store matching its type, or a store can be chosen explicitly; the Personal store is the usual choice.

The import is complete. In the Certificates console the imported certificate can now be seen:

Figure 5. Viewing the imported certificate (1)

Double-click the MyTestCert certificate:

Figure 6. Viewing the imported certificate (2)

This shows the certificate's details; note that the certificate contains a private key. Had a .cer certificate been imported, it would contain no private key and no corresponding private key would be shown here.

3.1.2 Exporting a certificate file from the certificate store. The certificate imported into the store above can now be exported back to a certificate file.

Right-click the MyTestCert certificate → All Tasks → Export...; the Certificate Export Wizard runs:

Figure 7. Certificate Export Wizard

Because MyTestCert contains a private key, the wizard first asks whether to export the private key together with the certificate. If you choose to export the private key, the next step is:

Figure 8. Options for a .pfx certificate with private key

Exporting the certificate together with its private key produces a .pfx certificate. Several options for the exported .pfx are offered here.

If you choose not to export the private key, or the certificate being exported does not contain one, this step offers only the formats without a private key (the private-key option is greyed out):

Figure 9. Format options for a .cer certificate without private key

These are the options for exporting a certificate without its private key; normally a .cer certificate is exported.

DER encoded: the exported certificate is stored in binary form.

Base64 encoded: the binary-encoded certificate is converted to Base64 before being stored.

Next, if the certificate is exported with its private key, a password to protect the private key must be supplied:

Figure 10. A password protecting the private key is required when exporting a certificate with its private key

Next, supply the path of the certificate file:

Figure 11. Specify the path to export the certificate

The certificate export is complete.

3.2 Using code
Besides the interactive tools Windows provides, certificates can also be imported and exported from program code, so that an application can operate on certificates as its own requirements dictate.

The following code performs the same functions as the tool-based steps above: first importing a certificate file into the store, then exporting the imported certificate back to a file.

3.2.1 Importing a certificate file into the certificate store
- Read the certificate file into a certificate object

In .NET Framework 2.0 the X509Certificate2 class represents a certificate.

using System.IO;
using System.Security.Cryptography.X509Certificates;

// Load the certificate from the certificate file. Because the file contains the
// private key, the password set when the certificate was saved must be supplied.
X509Certificate2 myX509Certificate2 = new X509Certificate2(
    @"C:\Samples\PartnerAEncryptMsg\MyTestCert.pfx", // path of the certificate file
    "Password",                                       // private key protection password
    X509KeyStorageFlags.Exportable);                  // allow the private key to be exported later

- Create the store object and save the certificate into the store

In .NET Framework 2.0 the X509Store class represents a certificate store. As discussed earlier, the certificate store is a hierarchy: the first level is the store location (StoreLocation) and the second level the store name (StoreName), so an X509Store object represents one named store under one store location.

Create an X509Store object and add the certificate loaded above to it:

// Create an X509Store object pointing at the current user's Personal store
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(myX509Certificate2);
store.Close();

This imports the certificate into the current user's Personal certificate store.
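As an added example (not code from the original post), the following program walks the two-level hierarchy just described, opening every StoreName under both StoreLocation values and listing each certificate together with whether a private key for it is present in the store and whether it has expired:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post: walk the two-level hierarchy
// StoreLocation -> StoreName through X509Store and list what each store holds,
// flagging what a defender wants to know: private keys present on this machine
// and certificates that have already expired.
class StoreInventory
{
    static void Main()
    {
        foreach (StoreLocation location in Enum.GetValues(typeof(StoreLocation)))
        {
            foreach (StoreName name in Enum.GetValues(typeof(StoreName)))
            {
                X509Store store = new X509Store(name, location);
                try
                {
                    // OpenExistingOnly: report what is there without creating
                    // an empty store as a side effect of the inventory
                    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                }
                catch (CryptographicException)
                {
                    continue; // store absent at this location, or access denied
                }
                foreach (X509Certificate2 cert in store.Certificates)
                {
                    Console.WriteLine("{0}\\{1}: {2}", location, name, cert.Subject);
                    Console.WriteLine("    thumbprint={0}  key={1}  expires={2:yyyy-MM-dd}{3}",
                        cert.Thumbprint,
                        cert.HasPrivateKey ? "PRIVATE KEY PRESENT" : "public only",
                        cert.NotAfter,
                        cert.NotAfter < DateTime.Now ? "  EXPIRED" : "");
                }
                store.Close();
            }
        }
    }
}
```

Run it once before and once after the import above to see MyTestCert appear under CurrentUser\My with a private key present.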
3.2.2 Exporting a certificate file from the certificate store
Now export the certificate just imported into the current user's Personal store back out as a certificate file:

// Create an X509Store object pointing at the current user's Personal store
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
// Walk all certificates in the store
foreach (X509Certificate2 myX509Certificate2 in store.Certificates)
{
    // Compare the subject name with MyTestCert to find the certificate to export
    if (myX509Certificate2.Subject == "CN=MyTestCert")
    {
        // Export the certificate into a byte[]; the password protects the private key
        byte[] CertByte = myX509Certificate2.Export(X509ContentType.Pfx, "password");
        // Write the bytes out to the certificate file
        FileStream fStream = new FileStream(
            @"C:\Samples\PartnerAEncryptMsg\MyTestCert_Exp.pfx",
            FileMode.Create,
            FileAccess.Write);
        fStream.Write(CertByte, 0, CertByte.Length);
        fStream.Close();
    }
}
store.Close();

Note: to export a .cer certificate without the private key, pass X509ContentType.Cert as the first parameter. This exports the certificate without its private key and needs no password:

byte[] CertByte = myX509Certificate2.Export(X509ContentType.Cert);

In the X509Certificate2 Export method, the first parameter X509ContentType.Pfx means the certificate is exported in .pfx form including its private key, and the second parameter is the private key protection password.
The X509KeyStorageFlags.Exportable parameter of the constructor is the equivalent of selecting "Mark this key as exportable" when importing the certificate with the interactive tool; without it, the certificate's private key cannot be exported.
Regardless of the store location the certificate is imported into, the private key is by default saved under CurrentUser. To save the private key under LocalMachine, pass as the third argument: X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet. For a detailed description of the Makecert.exe tool see the Microsoft documentation: http://msdn.microsoft.com/library/chs/default.asp?url=/library/CHS/cptools/html/cpgrfcertificatecreationtoolmakecertexe.asp
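The following added example (not the original post's code) ties sections 2.1 to 2.3 together: it selects one certificate by thumbprint instead of by subject string and exports it as a DER .cer, a Base64 .cer, and a password-protected .pfx, checking for an exportable private key before the .pfx step. The thumbprint, output folder and password are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post: export one certificate from the
// current user's Personal store in the three file forms of section 2.
// The thumbprint and output folder are placeholders to be replaced.
class CertExporter
{
    const string Thumbprint = "0000000000000000000000000000000000000000"; // placeholder
    const string OutDir = @"C:\Samples\Export";                          // placeholder

    // 2.3: a Base64 .cer is the DER bytes in PEM armour at 64 columns per line;
    // Export() has no option for this form, so it is built by hand.
    static string ToPem(byte[] der)
    {
        System.Text.StringBuilder sb = new System.Text.StringBuilder("-----BEGIN CERTIFICATE-----\n");
        string b64 = Convert.ToBase64String(der);
        for (int i = 0; i < b64.Length; i += 64)
            sb.Append(b64, i, Math.Min(64, b64.Length - i)).Append('\n');
        return sb.Append("-----END CERTIFICATE-----\n").ToString();
    }

    static void Main()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // Select by thumbprint (hash of the DER encoding) rather than by Subject:
        // several certificates in one store can carry the same "CN=MyTestCert".
        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindByThumbprint, Thumbprint, false);
        store.Close();
        if (found.Count != 1) { Console.WriteLine("Expected exactly one match, found {0}", found.Count); return; }
        X509Certificate2 cert = found[0];
        Directory.CreateDirectory(OutDir);

        // 2.2: a DER-encoded .cer holds the public certificate only; no password is involved
        byte[] der = cert.Export(X509ContentType.Cert);
        File.WriteAllBytes(Path.Combine(OutDir, "MyTestCert.cer"), der);
        File.WriteAllText(Path.Combine(OutDir, "MyTestCert_b64.cer"), ToPem(der));

        // 2.1: a PKCS #12 .pfx with the private key. A certificate with no key in the
        // store would silently export as certificate only, and a key imported without
        // X509KeyStorageFlags.Exportable makes Export throw, so handle both cases.
        if (!cert.HasPrivateKey) { Console.WriteLine("No private key in the store; .pfx skipped"); return; }
        try
        {
            byte[] pfx = cert.Export(X509ContentType.Pfx, "password"); // demo password
            File.WriteAllBytes(Path.Combine(OutDir, "MyTestCert.pfx"), pfx);
        }
        catch (CryptographicException ex) { Console.WriteLine("Private key is not exportable: {0}", ex.Message); }
    }
}
```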

Category: Internet   Date: 2011-08-25   Views: 118