Ephenodrom / Dart-Basic-Utils

A dart package for many helper methods fitting common situations
MIT License

generateSelfSignedCertificate in windows certificate invalid #94

Closed wanghongenpin closed 1 year ago

wanghongenpin commented 1 year ago

The self-signed certificate generated on Windows makes the browser report that the certificate is invalid. I have trusted the root certificate. The same code is OK on the Mac, and the same root certificate is OK on Windows.

 // Assumes `import 'package:basic_utils/basic_utils.dart';`. X509Utils1 is the
 // poster's local name for the X509Utils class, and _caCert is the already parsed
 // CA certificate (X509CertificateData) whose subject is reused as the issuer.
 static String generate(PublicKey serverPubKey, RSAPrivateKey caPriKey, String host) {
    Map<String, String> x509Subject = {
      'C': 'CN',
      'ST': 'BJ',
      'L': 'BJ',
      'O': 'network',
      'OU': 'Proxy',
    };
    x509Subject['CN'] = host;
    // CSR carrying the server public key; note it is signed here with the CA key,
    // which the maintainer advises against further down in this thread.
    var csr = X509Utils1.generateRsaCsrPem(x509Subject, caPriKey, serverPubKey as RSAPublicKey, san: [host]);

    // Issuer of the leaf certificate must be the subject of the CA certificate.
    Map<String, String> issuer = Map.from(_caCert.tbsCertificate!.subject);
    // Returned value is the leaf certificate PEM, not a CSR.
    var certPem = X509Utils1.generateSelfSignedCertificate(caPriKey, csr, 365, sans: [host], serialNumber: '1', issuer: issuer);
    return certPem;
  }
insinfo commented 1 year ago

@wanghongenpin Were you able to create a certificate? I need to create a certificate for the digital signature of a PDF document. Do you know how to create a specific X.509 certificate for digital signatures, similar to Adobe Acrobat?

Ephenodrom commented 1 year ago

@wanghongenpin Can you please clarify what you mean with "window"? I assume you mean "windows". The self-signed certificate should be accepted on all devices. Therefore I suggest trying the following:

  • Use a different private key for generating the CSR. The private key from the CA cert should not be used for generating the CSR.
  • Check if the CA cert is trusted on Windows or is added to the Windows trust store.

Ephenodrom commented 1 year ago

@insinfo The self-signed certificate and the corresponding private key should work for digital signing, due to the fact that technically it only needs the keys to create and verify signatures. But I would check if some other things are required, like certain extensions in the certificate.

wanghongenpin commented 1 year ago

(Two screenshots attached: WechatIMG318, WechatIMG320)

I compared with Java and found that the use of the Issuer and Subject tags is different; it should have used ASN1UTF8String. I have rewritten this part of the code, and now Windows no longer reports the certificate as invalid.
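The root cause reported above is an encoding mismatch, not a key problem: the leaf certificate's issuer Name was built with a different ASN.1 string type than the CA certificate's subject Name. RFC 5280 §7.1 explicitly allows a verifier to treat attribute values encoded in different string types (for example PrintableString vs UTF8String) as different names, so a strict chain builder such as Windows' sees no issuer for the leaf even though the text is identical, while more lenient stacks canonicalize before comparing. The following is an added example, not code from Dart-Basic-Utils or from anyone in this thread: it encodes an X.509 Name in DER with a chosen string type, walks the result back to show which tag each value carries, and performs the byte-exact issuer-vs-subject check that a practitioner should run before trusting a generated chain. The distinguished name values, the OID table and the helper names are constructed for the example.

```python
"""Added example: DER Name encoding with a chosen string type and a
byte-exact issuer == subject check. Pure standard library, no crypto."""

PRINTABLE_STRING = 0x13  # ASN.1 PrintableString tag
UTF8_STRING = 0x0C       # ASN.1 UTF8String tag (what the thread switched to)

# OIDs of the attributes used in the thread (constructed lookup table).
ATTR_OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
    "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3",
}


def _der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID as an ASN.1 OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(enc)
    return _tlv(0x06, bytes(out))


def encode_name(attrs, string_tag=UTF8_STRING) -> bytes:
    """DER Name = SEQUENCE OF (SET OF (SEQUENCE { OID, value })).
    countryName is always PrintableString per X.520; every other value uses
    `string_tag`, which is the choice the thread got wrong."""
    rdns = b""
    for key, value in attrs:
        tag = PRINTABLE_STRING if key == "C" else string_tag
        atv = _tlv(0x30, _oid(ATTR_OIDS[key]) + _tlv(tag, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def name_values(name_der: bytes):
    """Walk a DER Name and return [(string_tag, text), ...] per attribute."""
    out = []
    _, rdns, _ = _read_tlv(name_der, 0)          # outer SEQUENCE
    pos = 0
    while pos < len(rdns):
        _, setbody, pos = _read_tlv(rdns, pos)    # SET
        _, atv, _ = _read_tlv(setbody, 0)         # SEQUENCE { oid, value }
        _, _, vpos = _read_tlv(atv, 0)            # skip the OID
        vtag, vbody, _ = _read_tlv(atv, vpos)
        out.append((vtag, vbody.decode("utf-8")))
    return out


def issuer_matches_ca(leaf_issuer_der: bytes, ca_subject_der: bytes) -> bool:
    """The strict check: chain building succeeds only on identical DER."""
    return leaf_issuer_der == ca_subject_der


def same_text(a_der: bytes, b_der: bytes) -> bool:
    """Lenient comparison (text only), what a forgiving verifier effectively does."""
    return [v for _, v in name_values(a_der)] == [v for _, v in name_values(b_der)]


# Constructed sample CA subject; the CA certificate encoded it with UTF8String.
CA_SUBJECT = [("C", "CN"), ("O", "network"), ("CN", "Proxy Root CA")]
ca_subject_der = encode_name(CA_SUBJECT, UTF8_STRING)
leaf_issuer_wrong = encode_name(CA_SUBJECT, PRINTABLE_STRING)  # same text, wrong tag
leaf_issuer_right = encode_name(CA_SUBJECT, UTF8_STRING)

if __name__ == "__main__":
    print("strict match, wrong tag :", issuer_matches_ca(leaf_issuer_wrong, ca_subject_der))
    print("strict match, right tag :", issuer_matches_ca(leaf_issuer_right, ca_subject_der))
    print("text-only match         :", same_text(leaf_issuer_wrong, ca_subject_der))
    print("tags in wrong issuer    :", [hex(t) for t, _ in name_values(leaf_issuer_wrong)])
```

The practical rule this encodes: never rebuild the issuer from a string map and re-encode it; copy the CA certificate's subject Name bytes verbatim into the leaf's issuer field (or make sure your library emits the same string type the CA used), then confirm with the byte-exact check before deploying.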
insinfo commented 1 year ago

@Ephenodrom How can I create a PFX file from pem/crt file?

Ephenodrom commented 1 year ago

@insinfo You can use the PKCS12Utils class and the following method :

Uint8List generatePkcs12();

It will return the bytes that you can directly save in a file with the file extension you need. Take a look at the code documentation, because it is well documented.

I will close the issue, as for me it is resolved.