

I need to protect client-server communication. I found a nice approach in .Net Core to generate X509 certificates (self-signed). But there is really a lack of any information on how to work with a Certificate Revocation List in .Net Framework. I would appreciate answers to these questions:

  • How to create a CRL file with .Net (without BouncyCastle)? Can it be created as any text file and signed after? If yes, what is the format of the columns?


Am I right in understanding that a CRL file could be added to a certificate? As far as I know, a change of the certificate breaks it.


How to add a certificate to a Certificate Revocation List?


You can't; .NET natively doesn't ship any API to deal with X.509 CRL files. You have to use 3rd-party libraries.


X.509 CRL uses Abstract Syntax Notation One (ASN.1) for its internal representation, and the ASN.1 module is defined in RFC 5280 Appendix A.1 (page 118). Unfortunately, .NET doesn't provide tools to work with raw ASN.1 data (only for well-known and supported high-level types).

If you can't use 3rd-party libraries, you will have to learn about ASN.1 (not easy stuff), write your own binary parser and create an X.509 CRL decoder according to the ASN.1 module definition. Here is an example of a binary ASN.1 parser: Asn1Reader.cs, so you can imagine the complexity of writing your own reliable parser. And an example of an X.509 CRL decoder: X509CRL2.cs. I would suggest getting something that already works and using it.

You will have to create an X.509 CRL builder/generator by using an ASN.1 encoder. The CRL entry type is defined as follows:

 revokedCertificates     SEQUENCE OF SEQUENCE  {
      userCertificate         CertificateSerialNumber,
      revocationDate          Time,
      crlEntryExtensions      Extensions OPTIONAL
                               -- if present, version MUST be v2
                           }  OPTIONAL,

This barely makes any sense if you are not familiar with ASN.1, but it reveals some useful things. For example, a CRL entry consists of a certificate serial number (integer) and a revocation date (UTCTime or GeneralizedTime). Optionally, there might be CRL entry extensions, like revocation reason (ENUMERATED).
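Added example, not from the answer above or from any .NET library: a hand-rolled DER encoder and a defensive decoder in Python for just the revokedCertificates structure quoted above, including the optional CRLReason entry extension, so you can see the exact bytes a home-grown .NET builder would have to emit and a reliable parser would have to check. The serials, dates and reason code in SAMPLE_ENTRIES are constructed sample values.

```python
from datetime import datetime, timezone

CRL_REASON_OID = b"\x55\x1d\x15"  # encoded body of id-ce-cRLReasons (OID 2.5.29.21)
def tlv(tag, body):  # tag + DER length (short form under 128, long form otherwise) + value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body
def der_integer(value):  # positive INTEGER, minimal length, leading 0x00 if the top bit is set
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))
def der_utctime(dt):  # UTCTime "YYMMDDHHMMSSZ", the form RFC 5280 mandates for dates before 2050
    return tlv(0x17, dt.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ").encode())
def encode_entry(serial, revoked_at, reason=None):
    # one revokedCertificates element; reason (0-10) becomes a non-critical CRLReason extension
    body = der_integer(serial) + der_utctime(revoked_at)
    if reason is not None:  # Extensions ::= SEQUENCE OF SEQUENCE {extnID OID, extnValue OCTET STRING}
        ext = tlv(0x06, CRL_REASON_OID) + tlv(0x04, tlv(0x0A, bytes([reason])))
        body += tlv(0x30, tlv(0x30, ext))
    return tlv(0x30, body)
def encode_revoked_certificates(entries):
    return tlv(0x30, b"".join(encode_entry(*e) for e in entries))
def read_tlv(buf, pos):  # parse one TLV at pos -> (tag, value, next_pos); rejects truncated input
    if pos + 2 > len(buf): raise ValueError("truncated header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf): raise ValueError("truncated value")
    return tag, buf[pos:pos + ln], pos + ln
def decode_revoked_certificates(der):  # inverse of the encoder: [(serial, utc datetime, reason|None)]
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der): raise ValueError("expected one outer SEQUENCE, no trailing data")
    out, pos = [], 0
    while pos < len(seq):
        _, entry, pos = read_tlv(seq, pos)
        _, serial, p = read_tlv(entry, 0)
        _, when, p = read_tlv(entry, p)
        reason = None
        if p < len(entry):  # crlEntryExtensions present; walk SEQUENCE > SEQUENCE > OID, OCTET STRING
            _, ext, _ = read_tlv(read_tlv(entry, p)[1], 0)
            _, oid, q = read_tlv(ext, 0)
            if oid == CRL_REASON_OID:  # extnValue wraps the DER of the ENUMERATED reason
                reason = read_tlv(read_tlv(ext, q)[1], 0)[1][0]
        dt = datetime.strptime(when.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        out.append((int.from_bytes(serial, "big"), dt, reason))
    return out
# constructed sample input: two revoked serials, the first with reason keyCompromise (1)
SAMPLE_ENTRIES = [(0x1234ABCD, datetime(2024, 1, 15, 12, 30, tzinfo=timezone.utc), 1),
                  (0x7F, datetime(2023, 6, 1, tzinfo=timezone.utc), None)]
```

Round-tripping `encode_revoked_certificates(SAMPLE_ENTRIES)` through `decode_revoked_certificates` returns the same list; the decoder only understands the non-critical extension layout this encoder emits, which is exactly the kind of gap a production parser has to close.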

