Kompakte Beispiele für Zertifikatsverwaltung. → Details: Verwaltung-Szenarien
var caCert = new X509Certificate2("intermediate-ca.pfx", "passwort"); var oldCert = new X509Certificate2("server.pfx", "passwort"); var privateKey = oldCert.GetECDsaPrivateKey(); var request = new CertificateRequest( oldCert.SubjectName, (ECDsa)privateKey, HashAlgorithmName.SHA384); // Extensions übernehmen (außer SKI) foreach (var ext in oldCert.Extensions) if (ext.Oid?.Value != "2.5.29.14") request.CertificateExtensions.Add(ext); // Neue Seriennummer var serial = new byte[20]; RandomNumberGenerator.Fill(serial); serial[0] &= 0x7F; var renewedCert = request.Create(caCert, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1), serial);
→ Details: Renewal
var oldCert = new X509Certificate2("server.crt"); using var newKey = ECDsa.Create(ECCurve.NamedCurves.nistP384); var request = new CertificateRequest( oldCert.SubjectName, newKey, HashAlgorithmName.SHA384); // SANs und EKU übernehmen if (oldCert.Extensions["2.5.29.17"] is { } san) request.CertificateExtensions.Add(san); if (oldCert.Extensions["2.5.29.37"] is { } eku) request.CertificateExtensions.Add(eku); // Neues Zertifikat erstellen, altes widerrufen!
→ Details: Re-Key
var caCert = new X509Certificate2("intermediate-ca.pfx", "passwort"); var crlBuilder = new CertificateRevocationListBuilder(); crlBuilder.AddEntry( serialNumber: new byte[] { 0x01, 0x23, 0x45 }, revocationTime: DateTimeOffset.UtcNow, reason: X509RevocationReason.KeyCompromise); var crl = crlBuilder.Build(caCert, crlNumber: BitConverter.GetBytes(1L), nextUpdate: DateTimeOffset.UtcNow.AddDays(7), HashAlgorithmName.SHA384); File.WriteAllBytes("intermediate.crl", crl);
→ Details: CRL erstellen
Vor Ablauf (30 Tage):
Bei Kompromittierung:
« ← Kurzreferenz | → Verwaltung-Szenarien (Details) »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional