Update: fixed number conversion in the "_composePRIVATEKEYBLOB" function.

Some time ago I wrote a script that converts a PEM file to a CryptoAPI compatible format: How to convert PEM file to a CryptoAPI compatible format. That script relies on a non-PowerShell command (certutil) to associate the private key with a certificate instance. I received several feedback comments asking to avoid certutil in favor of native PowerShell/.NET managed code. In this post I want to show some code that eliminates certutil from the script.

Just to recall what we generally do when converting PEM to X509Certificate2/PFX:

1. Read the certificate information from the PEM file and instantiate an X509Certificate2 object.
2. Convert the PKCS#1/PKCS#9 private key to a CryptoAPI PRIVATEKEYBLOB.
3. Associate the PRIVATEKEYBLOB with the X509Certificate2 instance.

In the first version of the converter I successfully implemented the first three steps. I didn't know how to do the last step natively with PowerShell/.NET, so I used the certutil -mergePFX command to associate the PRIVATEKEYBLOB with the public certificate.

Recently I figured out that the X509Certificate2.PrivateKey property has a setter accessor. As per the documentation, the property accepts either an RSACryptoServiceProvider or a DSACryptoServiceProvider object. The RSACryptoServiceProvider class contains an ImportCspBlob(Byte[]) method which does the trick: it accepts a binary PRIVATEKEYBLOB as its parameter! However, the key must be stored in some crypto provider and must have a container name within that provider. If we look at the constructors, we can find a suitable one: RSACryptoServiceProvider(CspParameters). So we need to prepare the crypto provider information and use it during key import.

What information do we need to provide in the CspParameters object? At a minimum, we must specify:

- Provider name. We can use any, but I would suggest Microsoft Enhanced RSA and AES Cryptographic Provider, as it supports a wide range of key types and key sizes.
- Key container name. This is just a container name within the CSP, so CryptoAPI can locate the right key among the thousands that can be stored within the CSP. The name format doesn't really matter, so to maintain name uniqueness you can use GUIDs.

The key association code looks like this:

$cspParams = New-Object Security.Cryptography.CspParameters -Property @{
    ProviderName     = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    KeyContainerName = "pspki-" + [Guid]::NewGuid()
}
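The three steps above, carried through end to end as an added example (this is not the author's pspki code): it reads the PEM certificate, places the PRIVATEKEYBLOB into a CSP container via CspParameters and ImportCspBlob, assigns it through the X509Certificate2.PrivateKey setter, and exports a PFX. It assumes Windows PowerShell (.NET Framework), where the PrivateKey setter is supported, and assumes the PRIVATEKEYBLOB is already available as a byte array (for instance from the author's _composePRIVATEKEYBLOB function from the earlier post). The function name, parameter names and file paths are placeholders chosen for this example.

```powershell
# Added example, not the original script's code. Assumes Windows PowerShell 5.1 (.NET Framework).
function Merge-PemCertificateWithKeyBlob {
    param(
        [Parameter(Mandatory)][string]$CertPemPath,      # PEM file containing a CERTIFICATE block
        [Parameter(Mandatory)][byte[]]$PrivateKeyBlob,   # CryptoAPI PRIVATEKEYBLOB (e.g. from _composePRIVATEKEYBLOB)
        [Parameter(Mandatory)][string]$PfxPath,          # output PFX file
        [Parameter(Mandatory)][securestring]$PfxPassword # password protecting the PFX
    )

    # Step 1: read the certificate. Strip the PEM armor and decode the base64 DER body.
    $pem = Get-Content -Path $CertPemPath -Raw
    if ($pem -notmatch '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----') {
        throw "No CERTIFICATE block found in $CertPemPath"
    }
    $der  = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    # The unary comma keeps the byte[] as a single constructor argument.
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 (,$der)

    # Step 2/3 preparation: tell CryptoAPI which provider holds the key and under which container name.
    $cspParams = New-Object Security.Cryptography.CspParameters -Property @{
        ProviderName     = "Microsoft Enhanced RSA and AES Cryptographic Provider"
        KeyContainerName = "pspki-" + [Guid]::NewGuid()
    }
    $rsa = New-Object Security.Cryptography.RSACryptoServiceProvider $cspParams
    try {
        # Import the PRIVATEKEYBLOB into the freshly named container.
        $rsa.ImportCspBlob($PrivateKeyBlob)

        # Check that the imported key pair actually belongs to this certificate before associating it:
        # compare the modulus of the imported key with the modulus of the certificate's public key.
        $keyModulus  = [Convert]::ToBase64String($rsa.ExportParameters($false).Modulus)
        $certModulus = [Convert]::ToBase64String($cert.PublicKey.Key.ExportParameters($false).Modulus)
        if ($keyModulus -ne $certModulus) {
            throw "The PRIVATEKEYBLOB does not match the public key in $CertPemPath"
        }

        # Step 3: associate the key with the certificate via the PrivateKey setter, then export a PFX.
        $cert.PrivateKey = $rsa
        $pfxBytes = $cert.Export(
            [Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
        [IO.File]::WriteAllBytes($PfxPath, $pfxBytes)
    }
    finally {
        # Do not leave a copy of the private key behind in the user's CSP key store:
        # with PersistKeyInCsp set to $false, Clear() deletes the temporary container.
        $rsa.PersistKeyInCsp = $false
        $rsa.Clear()
    }

    # The temporary container is gone now, so hand back the PFX location and thumbprint
    # rather than the in-memory object whose key container no longer exists.
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; PfxPath = $PfxPath }
}

# Usage (paths and blob source are placeholders):
# $blob = _composePRIVATEKEYBLOB ...   # from the earlier post
# $pwd  = Read-Host -AsSecureString -Prompt "PFX password"
# Merge-PemCertificateWithKeyBlob -CertPemPath .\cert.pem -PrivateKeyBlob $blob -PfxPath .\cert.pfx -PfxPassword $pwd
```

The modulus comparison is the check worth keeping even if you drop everything else: without it a mismatched key and certificate only surface later, when a TLS handshake or signature fails. Deleting the container in the finally block matters for the same reason the original post wanted to drop certutil: the conversion should not leave extra copies of the private key on the machine beyond the PFX you asked for.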