.net 5.0 webapi https

The common digital signature algorithms are mainly RSA, DSA and ECDSA.

For SSL certificates, code-signing certificates and other products built on asymmetric cryptography, RSA is currently the most widely deployed, and SHA-256 is the most common signature hash. The more advanced ECC-based signature algorithms impose corresponding requirements on both the certificate signing request (CSR) and the root certificate.

There are currently three mainstream choices for key exchange + signature:

  • RSA key exchange (no signature required);
  • ECDHE key exchange, RSA signature;
  • ECDHE key exchange, ECDSA signature;

```csharp
serverOptions.Listen(IPAddress.IPv6Any, 9992,
    listenOptions =>
    {
        // Load the PKCS #12 bundle written by MakeCert and bind it to this endpoint
        listenOptions.UseHttps(Path.Combine(AppContext.BaseDirectory, $"{Entity.CommonConst.CERT_NAME}.pfx"),
            Entity.CommonConst.CERT_PWD, adapterOptions =>
            {
                // Offer only TLS 1.2; older protocol versions are refused
                adapterOptions.SslProtocols = SslProtocols.Tls12;
            });
    });
```

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static void MakeCert(string subjectName, string password, string certName)
{
    using RSA rsa = RSA.Create(); // generates a 2048-bit RSA key pair by default
    //var ecdsa = ECDsa.Create(); // alternative: generate an ECDSA key pair instead
    var req = new CertificateRequest($"cn={subjectName}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    using var cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(10));
    // Create PFX (PKCS #12) with private key
    File.WriteAllBytes(Path.Combine(AppContext.BaseDirectory, $"{certName}.pfx"), cert.Export(X509ContentType.Pfx, password));
    // Create Base64-encoded CER (public key only)
    File.WriteAllText(Path.Combine(AppContext.BaseDirectory, $"{certName}.cer"),
        "-----BEGIN CERTIFICATE-----\r\n"
        + Convert.ToBase64String(cert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks)
        + "\r\n-----END CERTIFICATE-----");
}
```
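The third option in the list above (ECDHE key exchange, ECDSA signature) corresponds to the commented-out ECDsa line in MakeCert. The following is an added example, not code from the original post: a hypothetical MakeEcdsaCert helper that builds a P-256 ECDSA self-signed server certificate, adds the extensions a TLS client checks (SAN, key usage, serverAuth EKU), writes the same .pfx/.cer pair, and reloads the PFX the way Kestrel's UseHttps will to confirm the private key round-tripped. The host name, password and certName parameters are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class EcdsaCertFactory
{
    // Hypothetical helper (not from the original post): ECDSA P-256 self-signed server certificate.
    public static X509Certificate2 MakeEcdsaCert(string hostName, string password, string certName, int validYears = 1)
    {
        using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256); // key pair used by ECDHE/ECDSA suites
        var req = new CertificateRequest(new X500DistinguishedName($"CN={hostName}"), ecdsa, HashAlgorithmName.SHA256);

        // Not a CA; the key may only sign TLS handshakes, and only for server authentication.
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // id-kp-serverAuth

        // Modern clients ignore CN for host matching and require a SAN entry instead.
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(hostName);
        san.AddIpAddress(IPAddress.Loopback);
        req.CertificateExtensions.Add(san.Build());

        var now = DateTimeOffset.UtcNow;
        using var cert = req.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(validYears)); // small clock-skew margin

        string dir = AppContext.BaseDirectory;
        string pfxPath = Path.Combine(dir, $"{certName}.pfx");
        File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pfx, password)); // PKCS #12 with private key
        File.WriteAllText(Path.Combine(dir, $"{certName}.cer"),
            new string(PemEncoding.Write("CERTIFICATE", cert.RawData))); // PEM, public certificate only

        // Reload from disk exactly as UseHttps(path, password) will, and verify the ECDSA key survived export.
        var reloaded = new X509Certificate2(pfxPath, password);
        if (!reloaded.HasPrivateKey || reloaded.GetECDsaPrivateKey() == null)
            throw new CryptographicException("PFX did not round-trip an ECDSA private key");
        return reloaded;
    }
}
```

Pass the returned certificate's .pfx path and password to the same listenOptions.UseHttps call shown above; the only server-side change is the key type inside the PFX.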
