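To enable HTTPS access for IIS, you first need to generate a certificate. After looking around, OpenSSL.NET turned out to be the least effort. The code is as follows: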
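```csharp
using System;
using OpenSSL.Core;
using OpenSSL.Crypto;
using OpenSSL.X509;

// Use a big number to generate a 2048-bit key pair (1024-bit RSA is too weak for current use)
RSA rsa = new RSA();
BigNumber number = OpenSSL.Core.Random.Next(10, 10, 1);
rsa.GenerateKeys(2048, number, null, null);
CryptoKey key = new CryptoKey(rsa);

// Create the X509 certificate; Subject and Issuer are the same (self-signed)
X509Certificate x509 = new X509Certificate();
x509.SerialNumber = (int)(DateTime.Now.Ticks & 0x7FFFFFFF); // mask keeps the serial non-negative
x509.Subject = new X509Name("CN=DOMAIN"); // DOMAIN is the site's domain name
x509.Issuer = new X509Name("CN=DOMAIN");
x509.PublicKey = key; // set the public key
x509.NotBefore = new DateTime(2011, 1, 1); // start of validity
x509.NotAfter = new DateTime(2050, 1, 1); // end of validity
x509.Version = 2; // value 2 means X.509 v3

// Sign with the private key (SHA-256; MD5-signed certificates are rejected by current clients)
x509.Sign(key, MessageDigest.SHA256);

// Write the certificate to a .crt file
BIO x509bio = BIO.File("C:\\CA.crt", "w");
x509.Write(x509bio);

// Generate the pfx file; note that the certificate chain must be empty
var certs = new OpenSSL.Core.Stack<X509Certificate>();
PKCS12 p12 = new PKCS12("PASSWORD", key, x509, certs); // PASSWORD protects the private key
BIO p12Bio = BIO.File("C:\\CA.pfx", "wb"); // binary mode: PKCS#12 is DER-encoded
p12.Write(p12Bio);

// Clean up
rsa.Dispose();
x509.Dispose();
x509bio.Dispose();
p12.Dispose();
p12Bio.Dispose();
```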
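Note that when generating the pfx, the certificate chain must be empty; you must not add the certificate itself to it. Otherwise the certificate looks fine, but binding it to IIS fails.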
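The check below is an added example, not part of the original post: it loads the generated PFX with the standard .NET `X509Certificate2Collection` class and reports problems before the file is bound in IIS, including the extra-certificate case described in the note above. The `PfxCheck` class and `Inspect` method are hypothetical names, and the path and password are the placeholders from the post's code.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not from the original post): sanity-checks a PFX before IIS binding.
static class PfxCheck
{
    // OIDs of signature algorithms that current clients reject.
    const string Md5WithRsa = "1.2.840.113549.1.1.4";
    const string Sha1WithRsa = "1.2.840.113549.1.1.5";

    // Returns the problems found; an empty list means the file passed every check.
    public static List<string> Inspect(string pfxPath, string password)
    {
        var problems = new List<string>();
        var bag = new X509Certificate2Collection();
        bag.Import(pfxPath, password, X509KeyStorageFlags.DefaultKeySet);

        // The PFX should carry the server certificate only, with no chain entries.
        if (bag.Count != 1)
            problems.Add("expected 1 certificate in the PFX, found " + bag.Count);

        int withKey = 0;
        foreach (X509Certificate2 cert in bag)
        {
            if (cert.HasPrivateKey) withKey++;
            using (var rsa = cert.GetRSAPublicKey())
            {
                if (rsa != null && rsa.KeySize < 2048)
                    problems.Add(cert.Subject + ": RSA key is only " + rsa.KeySize + " bits");
            }
            string oid = cert.SignatureAlgorithm.Value;
            if (oid == Md5WithRsa || oid == Sha1WithRsa)
                problems.Add(cert.Subject + ": weak signature algorithm " + oid);
            if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
                problems.Add(cert.Subject + ": outside its validity period");
            cert.Dispose();
        }
        if (withKey != 1)
            problems.Add("expected exactly 1 certificate with a private key, found " + withKey);
        return problems;
    }

    static void Main()
    {
        // Placeholder path and password, matching the placeholders in the post's code.
        foreach (string p in Inspect(@"C:\CA.pfx", "PASSWORD"))
            Console.WriteLine("WARN: " + p);
    }
}
```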
This article is reposted from BoyTNT's 51CTO blog. Original link: http://blog.51cto.com/boytnt/774885. To republish it, please contact the original author.