Is certificate serial number a unique key for X509 certificate?
User selects a certificate, and program stores serial number in preferences.
Will the following code return the selected certificate?
using System.Security.Cryptography.X509Certificates;

public static X509Certificate2 GetCertificateBySerialNumber(string serialNumber)
{
    X509Certificate2 selectedCertificate = null;
    X509Store store = null;
    try
    {
        // get certificate from the store "My", "CurrentUser"
        store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        X509Certificate2Collection allCertificates = store.Certificates;
        // validOnly = false: expired and untrusted certificates are also returned
        X509Certificate2Collection foundCertificates =
            allCertificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);
        // select the first certificate in collection
        foreach (X509Certificate2 certificate in foundCertificates)
        {
            selectedCertificate = certificate;
            break;
        }
    }
    finally
    {
        if (store != null)
        {
            store.Close();
        }
    }
    return selectedCertificate;
}
UPDATE: I ended up using certificate thumbprint, as suggested by jglouie.
Comments (4)
No. For example, OpenSSL allows the user to set the serial number when creating certificates.
See: https://www.openssl.org/docs/manmaster/man1/openssl-x509.html
TL;DR: You must use a composite key of issuer name + serial number. If you need a simple key, use the certificate's thumbprint.
Quoting @ThomasPornin from security.stackexchange:
From: https://security.stackexchange.com/questions/35691/what-is-the-difference-between-serial-number-and-thumbprint
As mentioned in another answer, the serial number must be unique within the CA. So the serial number alone can't be used as a unique ID of the certificate -- certificates from different CAs can have the same serial number. You need to store a combination of the Issuer and SerialNumber properties. Also, for self-signed certificates and home-made CA software, numbers will most likely collide, as many people will start numbering from 0.
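Both lookups from this answer, written out as an added example (not code from the question or from either answer): the preference stores either the composite key Issuer + SerialNumber or the Thumbprint, and the lookup side re-checks the issuer so a same-serial certificate from a different CA is never returned. It assumes .NET Framework 4.6+ or .NET Core, where X509Store implements IDisposable, and it compares the Issuer strings with an ordinal comparison, which is an assumption of this example (the strings come from the same property on both sides, so they match for a certificate that was actually stored). Hypothetical method names throughout.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class CertificateLookup
{
    // What to persist when the user picks a certificate: the composite key
    // (issuer DN + serial) that X.509 makes unique, plus the thumbprint as a
    // single simple key. Both come straight from X509Certificate2 properties.
    public static (string Issuer, string SerialNumber, string Thumbprint) PreferenceKeys(X509Certificate2 cert)
    {
        return (cert.Issuer, cert.SerialNumber, cert.Thumbprint);
    }

    // Composite-key lookup. FindBySerialNumber only narrows the candidates;
    // the issuer check is what rejects a certificate with the same serial
    // issued by another CA (or by a home-made CA that started at 0).
    public static X509Certificate2 FindByIssuerAndSerial(string issuer, string serialNumber)
    {
        // X509Store is IDisposable on .NET 4.6+/.NET Core (assumption of this example)
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly = false keeps expired/untrusted certificates in the result;
            // pass true if the caller must only ever get a currently valid one.
            X509Certificate2Collection bySerial =
                store.Certificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);
            foreach (X509Certificate2 cert in bySerial)
            {
                if (string.Equals(cert.Issuer, issuer, StringComparison.Ordinal))
                {
                    // copy so the returned object outlives the store's collection
                    return new X509Certificate2(cert);
                }
            }
            return null;
        }
    }

    // Simple-key lookup. The thumbprint is the SHA-1 hash of the DER-encoded
    // certificate, so it does not depend on which CA chose the serial number.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count > 0 ? new X509Certificate2(found[0]) : null;
        }
    }
}
```

Thumbprint strings stored from a user's selection should be taken from the Thumbprint property as-is (uppercase hex, no separators); a value pasted from a certificate viewer often carries spaces or colons, which FindByThumbprint will not match.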
Yes, according to the X.509 specification, the serial number is unique for a specific CA: