Beispiel #1
3
        public string CreateRequest(string cn, string ou, string o, string l, string s, string c, string oid, int keylength)
        {
            var objCSPs = new CCspInformations();
                objCSPs.AddAvailableCsps();

                var objPrivateKey = new CX509PrivateKey();
                objPrivateKey.Length = keylength;
                objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;                                                             //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379409(v=vs.85).aspx
                objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;                                    //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379417(v=vs.85).aspx
                objPrivateKey.MachineContext = false;                                                                             //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379024(v=vs.85).aspx
                objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;                              //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379412(v=vs.85).aspx
                objPrivateKey.CspInformations = objCSPs;
                objPrivateKey.Create();

                var objPkcs10 = new CX509CertificateRequestPkcs10();
                objPkcs10.InitializeFromPrivateKey(
                    X509CertificateEnrollmentContext.ContextUser,                                                                 //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379399(v=vs.85).aspx
                    objPrivateKey,
                    string.Empty);

                var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
                objExtensionKeyUsage.InitializeEncode(
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |                                        // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |                                            // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |                                        // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);                                       // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
            objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);

                var objObjectId = new CObjectId();
                var objObjectIds = new CObjectIds();
                var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
                //objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1");
                objObjectId.InitializeFromValue(oid);                                                                           //Some info about OIDS: http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
                objObjectIds.Add(objObjectId);
                objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
                objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);

                // TODO: Create CERTS with SAN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378081(v=vs.85).aspx

            /*
                var test3 = new CX509ExtensionAlternativeNames();
                var test4 = new CAlternativeName();
            var test2 = new CAlternativeNames();

                test4.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME,"CRAP.no");
                test2.Add(test4);
                 test3.InitializeEncode(test2);
                */

                //objPkcs10.X509Extensions.Add((CX509Extension));

                var objDN = new CX500DistinguishedName();
                var subjectName = "CN = " + cn + ",OU = " + ou + ",O = " + o + ",L = " + l + ",S = " + s + ",C = " + c;

                objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);                                                //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379394(v=vs.85).aspx
                objPkcs10.Subject = objDN;

                var objEnroll = new CX509Enrollment();
                objEnroll.InitializeFromRequest(objPkcs10);
                var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);                                 //http://msdn.microsoft.com/en-us/library/windows/desktop/aa374936(v=vs.85).aspx

                return strRequest;
        }
        private void AddKeyUsage(CX509CertificateRequestCertificate cert)
        {
            // Add key usage
            var ku = new CX509ExtensionKeyUsage();

            ku.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);

            ku.Critical = false;

            cert.X509Extensions.Add((CX509Extension)ku);
        }
        private CX509Extension GetKeyUsage()
        {
            CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();

            keyUsage.InitializeEncode(
                CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
                CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
                );
            return((CX509Extension)keyUsage);
        }
Beispiel #4
0
        private void SetKeyUsages()
        {
            var ku = new CX509ExtensionKeyUsage
            {
                Critical = false
            };

            ku.InitializeEncode(
                CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
            ExtensionsToAdd.Add((CX509Extension)ku);
        }
Beispiel #5
0
        public override void Initialize()
        {
            base.Initialize();

            var request =
                (IX509CertificateRequestPkcs10)Request;

            request.PrivateKey.Length = 2048;

            {
                request.PrivateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;

                request.PrivateKey.ProviderName = "Microsoft RSA Schannel Cryptographic Provider";
            }

            var keyUsage =
                new CX509ExtensionKeyUsage();

            //Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment

            //keyUsage.InitializeEncode((CERTENROLLLib.X509KeyUsageFlags) 0xF0);

            //Digital Signature, Non-Repudiation, Key Encipherment, non Data Encipherment
            keyUsage.InitializeEncode((CERTENROLLLib.X509KeyUsageFlags) 0xE0);

            var objectId =
                new CObjectId();

            //Server Authentication (1.3.6.1.5.5.7.3.1)

            objectId.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_PKIX_KP_SERVER_AUTH);

            var enhancedKeyUsage =
                new CX509ExtensionEnhancedKeyUsage();

            enhancedKeyUsage.InitializeEncode(new CObjectIds {
                objectId
            });

            var extensions =
                new CX509Extensions
            {
                (CX509Extension)keyUsage,

                (CX509Extension)enhancedKeyUsage,
            };



            request.X509Extensions.AddRange(extensions);
        }
Beispiel #6
0
        protected static string GenerateCSR()
        {
            var objPrivateKey = new CX509PrivateKey();

            objPrivateKey.MachineContext  = false;
            objPrivateKey.Length          = 2048;
            objPrivateKey.ProviderType    = X509ProviderType.XCN_PROV_RSA_AES;
            objPrivateKey.KeySpec         = X509KeySpec.XCN_AT_KEYEXCHANGE;
            objPrivateKey.KeyUsage        = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
            objPrivateKey.CspInformations = new CCspInformations();
            objPrivateKey.CspInformations.AddAvailableCsps();
            objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
            objPrivateKey.Create();

            var cert = new CX509CertificateRequestPkcs10();

            cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, string.Empty);

            var objExtensionKeyUsage = new CX509ExtensionKeyUsage();

            objExtensionKeyUsage.InitializeEncode((X509KeyUsageFlags)X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                                                  X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
                                                  X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                                                  X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
                                                  );
            cert.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);

            var cobjectId = new CObjectId();

            cobjectId.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_PKIX_KP_CLIENT_AUTH);

            var cobjectIds = new CObjectIds();

            cobjectIds.Add(cobjectId);

            var pValue = cobjectIds;
            var cx509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();

            cx509ExtensionEnhancedKeyUsage.InitializeEncode(pValue);
            cert.X509Extensions.Add((CX509Extension)cx509ExtensionEnhancedKeyUsage);

            var cx509Enrollment = new CX509Enrollment();

            cx509Enrollment.InitializeFromRequest(cert);
            var output = cx509Enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);

            return(output);
        }
Beispiel #7
0
        // create the certifcate request
        public string CreateCertifcate(string hostName)
        {
            //  Create all the objects that will be required
            CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10();
            CX509PrivateKey        objPrivateKey    = new CX509PrivateKey();
            CCspInformation        objCSP           = new CCspInformation();
            CCspInformations       objCSPs          = new CCspInformations();
            CX500DistinguishedName objDN            = new CX500DistinguishedName();
            CX509Enrollment        objEnroll        = new CX509Enrollment();
            CObjectIds             objObjectIds     = new CObjectIds();
            CObjectId objObjectId = new CObjectId();
            CX509ExtensionKeyUsage         objExtensionKeyUsage             = new CX509ExtensionKeyUsage();
            CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
            string CertifcateStr;

            try
            {
                Database db = new Database();
                /*Check if there is allready request for the hostname so we dont need to create new one*/

                if (db.CheckIfCertificateExists(hostName) == 1)
                {
                    return("Exsits");
                }

                if (db.CheckIfCertificateExists(hostName) == 2)
                {
                    return("Issued");
                }

                //create the private key (CX509CertificateRequestPkcs10 will initilizae from the private key)
                objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");
                objCSPs.Add(objCSP);
                objPrivateKey.Length          = 1024;
                objPrivateKey.KeySpec         = X509KeySpec.XCN_AT_SIGNATURE;
                objPrivateKey.KeyUsage        = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
                objPrivateKey.MachineContext  = false;
                objPrivateKey.CspInformations = objCSPs;
                objPrivateKey.Create();


                //create  pkc10 object from the privaet key
                objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, "");
                objExtensionKeyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
                                                      CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);

                // objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
                // objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
                // objObjectIds.Add(objObjectId);

                //  objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
                // objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);

                objDN.Encode("CN=" + hostName, X500NameFlags.XCN_CERT_NAME_STR_NONE);          //create DistinguishedName
                objPkcs10.Subject = objDN;                                                     //initial the  DistinguishedName
                objEnroll.InitializeFromRequest(objPkcs10);                                    //init enrollement request
                CertifcateStr = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //Certifcate  Request
                return(CertifcateStr);
            }
            catch (Exception ex)
            {
                Database db = new Database();
                db.InsertToErrorMessageTable(hostName, 0, ex.Message, "CreateCertifcate");//insert Error Message into The Error Table Log In The DataBase
                return("Error" + ex.Message);
            }
        }
Beispiel #8
0
        public void GenerateCsr(SSLCertificate cert)
        {
            //  Create all the objects that will be required
            CX509CertificateRequestPkcs10 pkcs10 = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10", true)) as CX509CertificateRequestPkcs10;
            CX509PrivateKey        privateKey    = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey", true)) as CX509PrivateKey;
            CCspInformation        csp           = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CCspInformation", true)) as CCspInformation;
            CCspInformations       csPs          = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CCspInformations", true)) as CCspInformations;
            CX500DistinguishedName dn            = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX500DistinguishedName", true)) as CX500DistinguishedName;
            CX509Enrollment        enroll        = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509Enrollment", true)) as CX509Enrollment;
            CObjectIds             objectIds     = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CObjectIds", true)) as CObjectIds;
            CObjectId objectId = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CObjectId", true)) as CObjectId;
            CX509ExtensionKeyUsage         extensionKeyUsage             = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509ExtensionKeyUsage", true)) as CX509ExtensionKeyUsage;
            CX509ExtensionEnhancedKeyUsage x509ExtensionEnhancedKeyUsage = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509ExtensionEnhancedKeyUsage", true)) as CX509ExtensionEnhancedKeyUsage;

            try
            {
                //  Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
                csp.InitializeFromName("Microsoft RSA SChannel Cryptographic Provider");
                //  Add this CSP object to the CSP collection object
                csPs.Add(csp);

                //  Provide key container name, key length and key spec to the private key object
                privateKey.Length       = cert.CSRLength;
                privateKey.KeySpec      = X509KeySpec.XCN_AT_KEYEXCHANGE;
                privateKey.KeyUsage     = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
                privateKey.ExportPolicy =
                    X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
                    | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_ARCHIVING_FLAG
                    | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG
                    | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
                privateKey.MachineContext = true;

                //  Provide the CSP collection object (in this case containing only 1 CSP object)
                //  to the private key object
                privateKey.CspInformations = csPs;

                //  Create the actual key pair
                privateKey.Create();

                //  Initialize the PKCS#10 certificate request object based on the private key.
                //  Using the context, indicate that this is a user certificate request and don't
                //  provide a template name
                pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");

                cert.PrivateKey = privateKey.ToString();
                // Key Usage Extension
                extensionKeyUsage.InitializeEncode(
                    CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                    CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
                    CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                    CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
                    );

                pkcs10.X509Extensions.Add((CX509Extension)extensionKeyUsage);

                // Enhanced Key Usage Extension

                objectId.InitializeFromName(CertEnrollInterop.CERTENROLL_OBJECTID.XCN_OID_PKIX_KP_SERVER_AUTH);
                objectIds.Add(objectId);
                x509ExtensionEnhancedKeyUsage.InitializeEncode(objectIds);
                pkcs10.X509Extensions.Add((CX509Extension)x509ExtensionEnhancedKeyUsage);

                //  Encode the name in using the Distinguished Name object
                string request = String.Format(@"CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", cert.Hostname, cert.Organisation, cert.OrganisationUnit, cert.City, cert.State, cert.Country);
                dn.Encode(request, X500NameFlags.XCN_CERT_NAME_STR_NONE);

                // enable SMIME capabilities
                pkcs10.SmimeCapabilities = true;

                //  Assing the subject name by using the Distinguished Name object initialized above
                pkcs10.Subject = dn;

                // Create enrollment request
                enroll.InitializeFromRequest(pkcs10);

                enroll.CertificateFriendlyName = cert.FriendlyName;

                cert.CSR = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER);
            }
            catch (Exception ex)
            {
                Log.WriteError("Error creating CSR", ex);
            }
        }
Beispiel #9
0
        public static X509Certificate2 CreateCertificate(Certificate crt)
        {
            bool isCA = !crt.SignByCertificateAuthority;

            // create DN for subject and issuer
            var dn = new CX500DistinguishedName();

            dn.Encode(GetEncodedDistinguishedName(crt), X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // create a new private key for the certificate
            CX509PrivateKey privateKey = new CX509PrivateKey
            {
                ProviderName   = "Microsoft Base Cryptographic Provider v1.0",
                MachineContext = crt.MachineContext,
                Length         = crt.KeyLength,
                KeySpec        = X509KeySpec.XCN_AT_SIGNATURE, // use is not limited
                ExportPolicy   = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
            };

            privateKey.Create();

            var hashobj = new CObjectId();

            hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
                                                ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
                                                AlgorithmFlags.AlgorithmFlagsNone, crt.DigestAlgorithm);

            CERTENROLLLib.X509KeyUsageFlags x509KeyUsageFlags;
            CX509ExtensionBasicConstraints  bc = new CX509ExtensionBasicConstraints();

            if (isCA)
            {
                x509KeyUsageFlags =
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE;

                bc.InitializeEncode(true, -1);
                bc.Critical = true;
            }
            else
            {
                x509KeyUsageFlags =
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE;

                if (crt.CertificateType == CertificateType.ClientCertificate)
                {
                    x509KeyUsageFlags |= CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE;
                }
                if (crt.CertificateType == CertificateType.ServerCertificate)
                {
                    x509KeyUsageFlags |= CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE;
                }

                bc.InitializeEncode(false, -1);
                bc.Critical = false;
            }

            CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();

            keyUsage.InitializeEncode(x509KeyUsageFlags);
            keyUsage.Critical = false;

            // SAN
            var canList = new List <CAlternativeName>();

            foreach (var sanItem in crt.SANList)
            {
                if (!string.IsNullOrWhiteSpace(sanItem.Value))
                {
                    var can = new CAlternativeName();
                    switch (sanItem.Type)
                    {
                    case Certificate.SANType.DNS:
                        can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, sanItem.Value);
                        break;

                    case Certificate.SANType.IP:
                        can.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS, EncodingType.XCN_CRYPT_STRING_BASE64,
                                                  Convert.ToBase64String(IPAddress.Parse(sanItem.Value).GetAddressBytes()));
                        break;

                    case Certificate.SANType.URI:
                        can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_URL, sanItem.Value);
                        break;

                    case Certificate.SANType.email:
                        can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanItem.Value);
                        break;
                    }
                    canList.Add(can);
                }
            }

            CX509ExtensionAlternativeNames san = null;

            if (canList.Any())
            {
                san = new CX509ExtensionAlternativeNames();
                var cans = new CAlternativeNames();
                foreach (var item in canList)
                {
                    cans.Add(item);
                }
                san.InitializeEncode(cans);
            }

            CX509ExtensionEnhancedKeyUsage eku = null;

            if (crt.CertificateType != CertificateType.None)
            {
                const string XCN_OID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
                const string XCN_OID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

                var oid = new CObjectId();
                if (crt.CertificateType == CertificateType.ServerCertificate)
                {
                    oid.InitializeFromValue(XCN_OID_PKIX_KP_SERVER_AUTH);
                }
                if (crt.CertificateType == CertificateType.ClientCertificate)
                {
                    oid.InitializeFromValue(XCN_OID_PKIX_KP_CLIENT_AUTH);
                }

                var oidlist = new CObjectIds();
                oidlist.Add(oid);
                eku = new CX509ExtensionEnhancedKeyUsage();
                eku.InitializeEncode(oidlist);
            }

            // Create the self signing request
            var cereq = new CX509CertificateRequestCertificate();

            cereq.InitializeFromPrivateKey(crt.MachineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser, privateKey, "");

            cereq.Subject   = dn;
            cereq.Issuer    = dn;
            cereq.NotBefore = DateTime.UtcNow.AddDays(-1);
            cereq.NotAfter  = DateTime.UtcNow.AddDays(crt.Lifetime.Value);

            if (crt.SignByCertificateAuthority)
            {
                var issuer = MyCurrentUserX509Store.Certificates
                             .Find(X509FindType.FindByThumbprint, crt.CertificateAuthority, false)
                             .OfType <X509Certificate2>()
                             .Where(c => c.HasPrivateKey).FirstOrDefault() ?? throw new Exception("Issuer not found: " + crt.CertificateAuthority);

                cereq.SignerCertificate = new CSignerCertificate();
                cereq.SignerCertificate.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());

                cereq.Issuer = new CX500DistinguishedName();
                cereq.Issuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
            }

            cereq.X509Extensions.Add((CX509Extension)keyUsage);
            if (eku != null)
            {
                cereq.X509Extensions.Add((CX509Extension)eku);               // EnhancedKeyUsage
            }
            if (bc != null)
            {
                cereq.X509Extensions.Add((CX509Extension)bc);                // ExtensionBasicConstraints
            }
            if (san != null)
            {
                cereq.X509Extensions.Add((CX509Extension)san); // SAN
            }
            cereq.HashAlgorithm = hashobj;                     // Specify the hashing algorithm
            cereq.Encode();                                    // encode the certificate

            // Do the final enrollment process
            var enroll = new CX509Enrollment();

            enroll.InitializeFromRequest(cereq); // load the certificate
            //enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
            string csr = enroll.CreateRequest(); // Output the request in base64

            // and install it back as the response

            enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password

            // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
            var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
                                                 PFXExportOptions.PFXExportChainWithRoot);

            // instantiate the target class with the PKCS#12 data (and the empty password)
            var x509Certificate2 = new X509Certificate2(
                Convert.FromBase64String(base64encoded), "",
                X509KeyStorageFlags.Exportable); // mark the private key as exportable (this is usually what you want to do)

            if (isCA)
            {
                X509Store rootStore = null;
                try
                {
                    rootStore = new X509Store(StoreName.Root, crt.MachineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
                    rootStore.Open(OpenFlags.ReadWrite);
                    // install to CA store
                    var crtPub = new X509Certificate2(x509Certificate2)
                    {
                        PrivateKey = null
                    };
                    rootStore.Add(crtPub);
                    crtPub.Reset();
                }
                catch
                {
                    // ignore when adding to trust root failed
                }
                finally
                {
                    rootStore?.Close();
                }
            }

            crt.Value = x509Certificate2;

            return(x509Certificate2);
        }
Beispiel #10
0
        // https://github.com/asafga-gsr-it/CertIntegration/blob/master/CertificateAdmin/CertificateAdmin/obj/Release/Package/PackageTmp/Certificate.cs
        // https://www.sysadmins.lv/blog-en/introducing-to-certificate-enrollment-apis-part-2-creating-offline-requests.aspx

        /*
         * public static X509Certificate2 CreateSelfSignedCA(string subjectName, DateTime notAfterUtc, bool machineContext)
         * {
         *  // create DN for subject and issuer
         *  var dn = new CX500DistinguishedName();
         *  dn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);
         *
         *  // create a new private key for the certificate
         *  CX509PrivateKey privateKey = new CX509PrivateKey();
         *  privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
         *  privateKey.MachineContext = machineContext;
         *  privateKey.Length = 2048;
         *  privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
         *  privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
         *  privateKey.Create();
         *
         *  var hashobj = new CObjectId();
         *  hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
         *      ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
         *      AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); // https://docs.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers
         *
         *  CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
         *  keyUsage.InitializeEncode(
         *      CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
         *      CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE |
         *      CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE |
         *      CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE);
         *
         *  CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();
         *  bc.InitializeEncode(true, -1); // None
         *  bc.Critical = true;
         *
         *  // add extended key usage if you want - look at MSDN for a list of possible OIDs
         *  var oid = new CObjectId();
         *  oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server Authentication
         *  var oidlist = new CObjectIds();
         *  oidlist.Add(oid);
         *  var eku = new CX509ExtensionEnhancedKeyUsage();
         *  eku.InitializeEncode(oidlist);
         *
         *  // Create the self signing request
         *  var cert = new CX509CertificateRequestCertificate();
         *
         *  cert.InitializeFromPrivateKey(machineContext ? X509CertificateEnrollmentContext.ContextMachine: X509CertificateEnrollmentContext.ContextUser, privateKey, "");
         *  cert.Subject = cert.Issuer = dn; // the issuer and the subject are the same
         *  cert.NotBefore = DateTime.UtcNow.AddDays(-1);
         *  cert.NotAfter = notAfterUtc;
         *  cert.X509Extensions.Add((CX509Extension)keyUsage);
         *  cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
         *  cert.X509Extensions.Add((CX509Extension)bc);
         *  cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
         *  cert.Encode(); // encode the certificate
         *
         *  // Do the final enrollment process
         *  var enroll = new CX509Enrollment();
         *  enroll.InitializeFromRequest(cert); // load the certificate
         *  enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
         *  string csr = enroll.CreateRequest(); // Output the request in base64
         *
         *  // install to MY store
         *  enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
         *
         *  // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
         *  var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
         *      PFXExportOptions.PFXExportChainWithRoot);
         *
         *  // instantiate the target class with the PKCS#12 data (and the empty password)
         *  var x509Certificate2 = new X509Certificate2(
         *      System.Convert.FromBase64String(base64encoded), "",
         *      // mark the private key as exportable (this is usually what you want to do)
         *      X509KeyStorageFlags.Exportable
         *  );
         *
         *  X509Store rootStore = null;
         *  try
         *  {
         *      rootStore = new X509Store(StoreName.Root, machineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
         *      rootStore.Open(OpenFlags.ReadWrite);
         *      // install to CA store
         *      var crtPub = new X509Certificate2(x509Certificate2) { PrivateKey = null };
         *      rootStore.Add(crtPub);
         *      crtPub.Reset();
         *  }
         *  catch
         *  {
         *      // ignore when adding to trust root failed
         *  }
         *  finally
         *  {
         *      rootStore?.Close();
         *  }
         *
         *  return x509Certificate2;
         * }
         */

        public static X509Certificate2 CreateCertificate(string subjectName, string hostname, DateTime notAfterUtc, X509Certificate issuer, bool machineContext)
        {
            CSignerCertificate signerCertificate = new CSignerCertificate();

            signerCertificate.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());

            // create DN for subject and issuer
            var dn = new CX500DistinguishedName();

            dn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // create a new private key for the certificate
            CX509PrivateKey privateKey = new CX509PrivateKey();

            privateKey.ProviderName   = "Microsoft Base Cryptographic Provider v1.0";
            privateKey.MachineContext = machineContext;
            privateKey.Length         = 2048;
            privateKey.KeySpec        = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
            privateKey.ExportPolicy   = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
            privateKey.Create();

            var hashobj = new CObjectId();

            hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
                                                ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
                                                AlgorithmFlags.AlgorithmFlagsNone, "SHA256");

            CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();

            keyUsage.InitializeEncode(
                CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE |
                CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);

            CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();

            bc.InitializeEncode(false, 0);
            bc.Critical = false;

            // SAN
            CX509ExtensionAlternativeNames san = null;

            if (!string.IsNullOrEmpty(hostname))
            {
                CAlternativeNames ians;
                if (IPAddress.TryParse(hostname, out var ip))
                {
                    var ian = new CAlternativeName();
                    ian.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(ip.GetAddressBytes()));
                    ians = new CAlternativeNames {
                        ian
                    };
                }
                else
                {
                    var ian = new CAlternativeName();
                    ian.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, hostname);
                    var ianStar = new CAlternativeName();
                    ianStar.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "*." + hostname); // wildcard
                    ians = new CAlternativeNames {
                        ian, ianStar
                    };
                }
                san = new CX509ExtensionAlternativeNames();
                san.InitializeEncode(ians);
            }

            // add extended key usage if you want - look at MSDN for a list of possible OIDs
            var oid = new CObjectId();

            oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
            var oidlist = new CObjectIds();

            oidlist.Add(oid);
            var eku = new CX509ExtensionEnhancedKeyUsage();

            eku.InitializeEncode(oidlist);

            var dnIssuer = new CX500DistinguishedName();

            dnIssuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // Create the self signing request
            var cert = new CX509CertificateRequestCertificate();

            cert.InitializeFromPrivateKey(machineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser, privateKey, "");
            cert.Subject           = dn;
            cert.Issuer            = dnIssuer;
            cert.SignerCertificate = signerCertificate;
            cert.NotBefore         = DateTime.UtcNow.AddDays(-1);

            cert.NotAfter = notAfterUtc;
            cert.X509Extensions.Add((CX509Extension)keyUsage);
            cert.X509Extensions.Add((CX509Extension)eku);  // EnhancedKeyUsage
            cert.X509Extensions.Add((CX509Extension)bc);   // ExtensionBasicConstraints
            if (san != null)
            {
                cert.X509Extensions.Add((CX509Extension)san); // SAN
            }
            cert.HashAlgorithm = hashobj;                     // Specify the hashing algorithm
            cert.Encode();                                    // encode the certificate

            // Do the final enrollment process
            var enroll = new CX509Enrollment();

            enroll.InitializeFromRequest(cert);  // load the certificate
            //enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
            string csr = enroll.CreateRequest(); // Output the request in base64

            // and install it back as the response

            enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password

            // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
            var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
                                                 PFXExportOptions.PFXExportChainWithRoot);

            // instantiate the target class with the PKCS#12 data (and the empty password)
            var x509Certificate2 = new X509Certificate2(
                Convert.FromBase64String(base64encoded), "",
                X509KeyStorageFlags.Exportable); // mark the private key as exportable (this is usually what you want to do)

            return(x509Certificate2);
        }
Beispiel #11
0
        public X509Certificate2 CreateSelfSignedCertificate(string FriendlyName, string SubjectName)
        {
            try
            {
                // Create DN for Subject
                CX500DistinguishedName dnSubject = new CX500DistinguishedName();
                dnSubject.Encode(String.Format(@"CN={0}", SubjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);

                // Create DN for Issuer
                CX500DistinguishedName dnIssuer = new CX500DistinguishedName();
                dnIssuer.Encode(String.Format(@"CN={0}", IssuerName), X500NameFlags.XCN_CERT_NAME_STR_NONE);

                // Use the stronger SHA512 hashing algorithm
                CObjectId HashAlgorithm = new CObjectId();

                HashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
                                                          ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, strAlgorithmName);

                // add extended key usage if you want - look at MSDN for a list of possible OIDs
                CObjectId oid1 = new CObjectId();
                oid1.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL Server

                CObjectId oid2 = new CObjectId();
                oid2.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // SSL Client

                CObjectIds oidlist = new CObjectIds();
                oidlist.Add(oid1);
                oidlist.Add(oid2);

                CX509ExtensionEnhancedKeyUsage eku = new CX509ExtensionEnhancedKeyUsage();
                eku.InitializeEncode(oidlist);

                CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();
                {
                    CAlternativeNames altNames = new CAlternativeNames();

                    CAlternativeName dnsLocalHost = new CAlternativeName();
                    dnsLocalHost.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "LOCALHOST");
                    altNames.Add(dnsLocalHost);

                    CAlternativeName dnsHostname = new CAlternativeName();
                    dnsHostname.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, Environment.MachineName);
                    altNames.Add(dnsHostname);

                    foreach (var ipAddress in Dns.GetHostAddresses(Dns.GetHostName()))
                    {
                        if ((ipAddress.AddressFamily == AddressFamily.InterNetwork) && !IPAddress.IsLoopback(ipAddress))
                        {
                            CAlternativeName dns = new CAlternativeName();
                            dns.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, ipAddress.ToString());
                            altNames.Add(dns);
                        }
                    }

                    objExtensionAlternativeNames.InitializeEncode(altNames);
                }

                //CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();
                //smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);

                CX509ExtensionBasicConstraints basicConst = new CX509ExtensionBasicConstraints();
                basicConst.InitializeEncode(dnSubject.Name == dnIssuer.Name ? true : false, 1);

                // Key Usage Extension
                CX509ExtensionKeyUsage objExtensionKeyUsage = new CX509ExtensionKeyUsage();
                objExtensionKeyUsage.InitializeEncode(
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE
                    );

                // Create the self signing request
                CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
                cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, PrivateKey, "");
                cert.Subject   = dnSubject;
                cert.Issuer    = dnIssuer;
                cert.NotBefore = DateTime.Today.AddDays(-1);
                cert.NotAfter  = DateTime.Today.AddYears(ExpirationLengthInYear);

                cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
                cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
                cert.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
                cert.X509Extensions.Add((CX509Extension)basicConst);
                //cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
                cert.HashAlgorithm = HashAlgorithm; // Specify the hashing algorithm
                cert.Encode();                      // encode the certificate

                // Do the final enrollment process
                CX509Enrollment enroll = new CX509Enrollment();
                enroll.InitializeFromRequest(cert);            // load the certificate
                enroll.CertificateFriendlyName = FriendlyName; // Optional: add a friendly name

                string csr = enroll.CreateRequest();           // Output the request in base64 and install it back as the response

                // no password output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
                enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");

                // no password, this is for internal consumption
                var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);

                // instantiate the target class with the PKCS#12 data (and the empty password)
                // mark the private key as exportable (this is usually what you want to do)

                return(new X509Certificate2(Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable));
            }
            catch (Exception ex)
            {
                throw new Exception(ex.Message);
            }
        }
        public string CreateRequest()
        {
            // Create all the objects that will be required
            var    objPkcs10         = new CX509CertificateRequestPkcs10();
            var    objPrivKey        = new CX509PrivateKey();
            var    objCSP            = new CCspInformation();
            var    objCSPs           = new CCspInformations();
            var    objDN             = new CX500DistinguishedName();
            var    objEnroll         = new CX509Enrollment();
            var    objObjIds         = new CObjectIds();
            var    objObjId          = new CObjectId();
            var    objExtKeyUsage    = new CX509ExtensionKeyUsage();
            var    objExtEnhKeyUsage = new CX509ExtensionEnhancedKeyUsage();
            string strRequest;

            //objCSP.InitializeFromName(provName);
            //objCSPs.Add(objCSP);

            //objPrivKey.Length = 2048;
            //objPrivKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
            //objPrivKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
            //objPrivKey.MachineContext = true;

            //objPrivKey.CspInformations = objCSPs;
            //objPrivKey.Create();

            var strTemplateName = "1.3.6.1.4.1.311.21.8.12017375.10856495.934812.8687423.15807460.10.5731641.6795722"; // RDP All Names

            objPkcs10.InitializeFromTemplateName(X509CertificateEnrollmentContext.ContextMachine, strTemplateName);

            // Encode the name in using the DN object
            objDN.Encode("CN=" + Environment.GetEnvironmentVariable("COMPUTERNAME"),
                         X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // Adding the subject name by using the DN object initialized above
            objPkcs10.Subject = objDN;

            var dnsDom            = Environment.GetEnvironmentVariable("USERDNSDOMAIN").ToLower();
            var altName           = new CAlternativeName();
            var objAlternateNames = new CAlternativeNames();
            var objExtAltNames    = new CX509ExtensionAlternativeNames();

            altName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME,
                                         Environment.GetEnvironmentVariable("COMPUTERNAME") + "." + dnsDom);
            var altName2 = new CAlternativeName();

            altName2.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME,
                                          Environment.GetEnvironmentVariable("COMPUTERNAME"));


            objAlternateNames.Add(altName2);
            objAlternateNames.Add(altName);
            objExtAltNames.InitializeEncode(objAlternateNames);
            objPkcs10.X509Extensions.Add((CX509Extension)objExtAltNames);

            // Create the enrollment request
            objEnroll.InitializeFromRequest(objPkcs10);
            strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);

            return(strRequest);
        }
Beispiel #13
0
        public static X509Certificate2 CreateCertificate(string subjectName, int days, X509Certificate2 issuer)
        {
            CSignerCertificate signerCertificate = new CSignerCertificate();

            signerCertificate.Initialize(true, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());

            // create DN for subject and issuer
            var dn = new CX500DistinguishedName();

            dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // create a new private key for the certificate
            CX509PrivateKey privateKey = new CX509PrivateKey();

            privateKey.ProviderName   = "Microsoft Base Cryptographic Provider v1.0";
            privateKey.MachineContext = true;
            privateKey.Length         = 2048;
            privateKey.KeySpec        = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
            privateKey.ExportPolicy   = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
            privateKey.Create();

            var hashobj = new CObjectId();

            hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
                                                ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
                                                AlgorithmFlags.AlgorithmFlagsNone, "SHA256");

            CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();

            keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);

            CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();

            bc.InitializeEncode(false, 0);
            bc.Critical = false;

            // add extended key usage if you want - look at MSDN for a list of possible OIDs
            var oid = new CObjectId();

            oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
            var oidlist = new CObjectIds();

            oidlist.Add(oid);
            var eku = new CX509ExtensionEnhancedKeyUsage();

            eku.InitializeEncode(oidlist);

            var dnIssuer = new CX500DistinguishedName();

            dnIssuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // Create the self signing request
            var cert = new CX509CertificateRequestCertificate();

            cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
            cert.Subject           = dn;
            cert.Issuer            = dnIssuer;
            cert.SignerCertificate = signerCertificate;
            cert.NotBefore         = DateTime.UtcNow.Date.AddDays(-1);

            cert.NotAfter = DateTime.UtcNow.Date.AddDays(days);
            cert.X509Extensions.Add((CX509Extension)keyUsage);
            cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
            cert.X509Extensions.Add((CX509Extension)bc);

            /*
             * var ski = new CX509ExtensionAuthorityKeyIdentifier();
             * ski.InitializeEncode(EncodingType.XCN_CRYPT_STRING_BINARY, cert.PublicKey.ComputeKeyIdentifier(KeyIdentifierHashAlgorithm.SKIHashSha1, EncodingType.XCN_CRYPT_STRING_BINARY));
             * cert.X509Extensions.Add((CX509Extension)ski);
             */

            cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
            cert.Encode();                // encode the certificate

            // Do the final enrollment process
            var enroll = new CX509Enrollment();

            enroll.InitializeFromRequest(cert);           // load the certificate
            enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
            string csr = enroll.CreateRequest();          // Output the request in base64

            // and install it back as the response

            enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password

            // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
            var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
                                                 PFXExportOptions.PFXExportChainWithRoot);

            // instantiate the target class with the PKCS#12 data (and the empty password)
            var x509Certificate2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(
                System.Convert.FromBase64String(base64encoded), "",
                // mark the private key as exportable (this is usually what you want to do)
                System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable);

            return(x509Certificate2);
        }
Beispiel #14
0
        public static X509Certificate2 CreateCodeSigningCertificate(string subjectName, string oid, byte[] data)
        {
            var dn = new CX500DistinguishedName();

            dn.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // create a new private key for the certificate
            CX509PrivateKey privateKey = new CX509PrivateKey();

            // http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx
            privateKey.ProviderName   = "Microsoft RSA SChannel Cryptographic Provider";
            privateKey.Length         = 2048;
            privateKey.KeySpec        = X509KeySpec.XCN_AT_KEYEXCHANGE;
            privateKey.MachineContext = false;
            privateKey.ExportPolicy   = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
            privateKey.Create();

            // Use the stronger SHA512 hashing algorithm
            var hashobj = new CObjectId();

            hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
                                                ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
                                                AlgorithmFlags.AlgorithmFlagsNone, "SHA512");

            // add code signing EKUs
            var oidCodeSigning = new CObjectId();

            oidCodeSigning.InitializeFromValue("1.3.6.1.5.5.7.3.3");
            var oidLifetimeSigning = new CObjectId();

            oidLifetimeSigning.InitializeFromValue("1.3.6.1.4.1.311.10.3.13");
            var oidlist = new CObjectIds();

            oidlist.Add(oidCodeSigning);
            oidlist.Add(oidLifetimeSigning);
            var eku = new CX509ExtensionEnhancedKeyUsage();

            eku.InitializeEncode(oidlist);

            var keyUsage = new CX509ExtensionKeyUsage();

            keyUsage.InitializeEncode(
                // Digital Signature, Key Encipherment (a0)
                X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);

            // add CA Restriction (not a CA)
            var caRestriction = new CX509ExtensionBasicConstraints();

            caRestriction.InitializeEncode(false, -1);

            // add the arbitrary data
            var ourExtensionOid = new CObjectId();

            ourExtensionOid.InitializeFromValue(oid);
            var ourExtension = new CX509Extension();

            ourExtension.Initialize(ourExtensionOid, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(data));

            // Create the self signing request
            var cert = new CX509CertificateRequestCertificate();

            cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, "");
            cert.Subject   = dn;
            cert.Issuer    = dn;
            cert.NotBefore = DateTime.Now.AddDays(-1);
            cert.NotAfter  = DateTime.Now.AddYears(30);
            cert.X509Extensions.Add((CX509Extension)eku);
            cert.X509Extensions.Add((CX509Extension)caRestriction);
            cert.X509Extensions.Add((CX509Extension)keyUsage);
            cert.X509Extensions.Add((CX509Extension)ourExtension);
            cert.HashAlgorithm = hashobj;
            cert.Encode();

            var enroll = new CX509Enrollment();

            enroll.InitializeFromRequest(cert);
            var csr = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);

            enroll.InstallResponse(
                InstallResponseRestrictionFlags.AllowUntrustedCertificate,
                csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");
            return(new X509Certificate2(Convert.FromBase64String(enroll.Certificate[EncodingType.XCN_CRYPT_STRING_BASE64])));
        }
        public void GenerateCsr(SSLCertificate cert)
        {
            //  Create all the objects that will be required
            CX509CertificateRequestPkcs10 pkcs10                         = new CX509CertificateRequestPkcs10();
            CX509PrivateKey        privateKey                            = new CX509PrivateKey();
            CCspInformation        csp                                   = new CCspInformation();
            CCspInformations       csPs                                  = new CCspInformations();
            CX500DistinguishedName dn                                    = new CX500DistinguishedName();
            CX509Enrollment        enroll                                = new CX509Enrollment();
            CObjectIds             objectIds                             = new CObjectIds();
            CObjectId clientObjectId                                     = new CObjectId();
            CObjectId serverObjectId                                     = new CObjectId();
            CX509ExtensionKeyUsage         extensionKeyUsage             = new CX509ExtensionKeyUsage();
            CX509ExtensionEnhancedKeyUsage x509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();

            try
            {
                //  Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
                csp.InitializeFromName("Microsoft RSA SChannel Cryptographic Provider");
                //  Add this CSP object to the CSP collection object
                csPs.Add(csp);

                //  Provide key container name, key length and key spec to the private key object
                //objPrivateKey.ContainerName = "AlejaCMa";
                privateKey.Length         = cert.CSRLength;
                privateKey.KeySpec        = X509KeySpec.XCN_AT_SIGNATURE;
                privateKey.KeyUsage       = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
                privateKey.ExportPolicy   = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
                privateKey.MachineContext = true;

                //  Provide the CSP collection object (in this case containing only 1 CSP object)
                //  to the private key object
                privateKey.CspInformations = csPs;

                //  Create the actual key pair
                privateKey.Create();

                //  Initialize the PKCS#10 certificate request object based on the private key.
                //  Using the context, indicate that this is a user certificate request and don't
                //  provide a template name
                pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");

                cert.PrivateKey = privateKey.ToString();
                // Key Usage Extension
                extensionKeyUsage.InitializeEncode(
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
                    );

                pkcs10.X509Extensions.Add((CX509Extension)extensionKeyUsage);

                // Enhanced Key Usage Extension
                clientObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
                objectIds.Add(clientObjectId);
                serverObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1");
                objectIds.Add(serverObjectId);
                x509ExtensionEnhancedKeyUsage.InitializeEncode(objectIds);
                pkcs10.X509Extensions.Add((CX509Extension)x509ExtensionEnhancedKeyUsage);

                //  Encode the name in using the Distinguished Name object
                string request = String.Format(@"CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", cert.Hostname, cert.Organisation, cert.OrganisationUnit, cert.City, cert.State, cert.Country);
                dn.Encode(request, X500NameFlags.XCN_CERT_NAME_STR_NONE);

                //  Assing the subject name by using the Distinguished Name object initialized above
                pkcs10.Subject = dn;

                // Create enrollment request
                enroll.InitializeFromRequest(pkcs10);

                enroll.CertificateFriendlyName = cert.FriendlyName;

                cert.CSR = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER);
            }
            catch (Exception ex)
            {
                Log.WriteError("Error creating CSR", ex);
            }
        }
Beispiel #16
0
        /// <summary>
        /// Creates a self-signed cert.
        /// </summary>
        /// <param name="subject"></param>
        /// <param name="notAfter"></param>
        /// <param name="pwd"></param>
        /// <returns></returns>
        /// <remarks>
        /// https://blogs.msdn.microsoft.com/alejacma/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c/
        /// http://stackoverflow.com/questions/13806299/how-to-create-a-self-signed-certificate-using-c
        /// https://technet.microsoft.com/es-es/aa379410
        /// </remarks>
        public static X509Certificate2 CreateSelfSignedCert(DistinguishedName subject, DateTime notAfter, String pwd)
        {
            var cn = new CX500DistinguishedName();

            cn.Encode(subject.ToString(), X500NameFlags.XCN_CERT_NAME_STR_SEMICOLON_FLAG);

            var privateKey = new CX509PrivateKey
            {
                ContainerNamePrefix = "nf-",
                ProviderName        = MS_CRYPTO_PROV_NAME,
                MachineContext      = false,
                Length       = 2048,
                KeySpec      = X509KeySpec.XCN_AT_KEYEXCHANGE,
                ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG
            };

            privateKey.Create();

            var hashobj = new CObjectId();

            hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
                                                ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone,
                                                RSAPKCS1SHA512SigDesc.SHA_512);

            var keyUsage = new CX509ExtensionKeyUsage();

            keyUsage.InitializeEncode(X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                                      X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);

            //add extended key usage
            var serverAuth = new CObjectId();

            serverAuth.InitializeFromValue("1.3.6.1.5.5.7.3.1");

            var clientAuth = new CObjectId();

            clientAuth.InitializeFromValue("1.3.6.1.5.5.7.3.2");

            var fileCrypt = new CObjectId();

            fileCrypt.InitializeFromValue("1.3.6.1.4.1.311.10.3.4");

            var docSign = new CObjectId();

            docSign.InitializeFromValue("1.3.6.1.4.1.311.10.3.12");

            var oidList = new CObjectIds {
                serverAuth, fileCrypt, docSign
            };
            var eku = new CX509ExtensionEnhancedKeyUsage();

            eku.InitializeEncode(oidList);

            var cert = new CX509CertificateRequestCertificate();

            cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, "");
            cert.Subject   = cn;
            cert.Issuer    = cn;
            cert.NotBefore = DateTime.Now;
            cert.NotAfter  = notAfter;
            cert.X509Extensions.Add((CX509Extension)keyUsage);
            cert.X509Extensions.Add((CX509Extension)eku);
            cert.HashAlgorithm = hashobj;
            cert.Encode();

            var enroll = new CX509Enrollment();

            enroll.InitializeFromRequest(cert);
            enroll.CertificateFriendlyName = subject.CommonName;

            var csr = enroll.CreateRequest();

            enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, csr,
                                   EncodingType.XCN_CRYPT_STRING_BASE64, pwd);

            var b64Encode = enroll.CreatePFX(pwd, PFXExportOptions.PFXExportEEOnly);

            var managedX509Cert = new X509Certificate2(Convert.FromBase64String(b64Encode), pwd,
                                                       X509KeyStorageFlags.Exportable);

            return(managedX509Cert);
        }
Beispiel #17
0
        /// <summary>
        /// Create a certificate signing request.
        /// </summary>
        /// <param name="subjectName">The subject name of the certificate.</param>
        /// <param name="keyLength">Size of the key in bits.</param>
        /// <param name="durationYears">Duration of the certificate, specified in years.</param>
        /// <param name="oids">Collection of OIDs identifying certificate usage.</param>
        public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List <string> oids)
        {
            // Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc..
            if (subjectName.IndexOf("=") < 0)
            {
                subjectName = "CN=" + subjectName;
            }

            // Generate a distinguished name.
            CX500DistinguishedName distinguishedName = new CX500DistinguishedName();

            distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // Generate a private key.
            CX509PrivateKey privateKey = new CX509PrivateKey();

            privateKey.ExportPolicy   = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
            privateKey.KeySpec        = X509KeySpec.XCN_AT_SIGNATURE;
            privateKey.Length         = keyLength;
            privateKey.MachineContext = true;
            privateKey.ProviderName   = "Microsoft Enhanced Cryptographic Provider v1.0";
            privateKey.Create();

            // Use the SHA-512 hashing algorithm.
            CObjectId hashAlgorithm = new CObjectId();

            hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");

            // Load the OIDs passed in and specify enhanced key usages.
            CObjectIds oidCollection = new CObjectIds();

            foreach (string oidID in oids)
            {
                CObjectId oid = new CObjectId();
                oid.InitializeFromValue(oidID);
                oidCollection.Add(oid);
            }

            CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();

            keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);

            CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage();

            enhancedKeyUsages.InitializeEncode(oidCollection);

            string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=") + 1);

            CAlternativeName sanAlternateName = new CAlternativeName();

            sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName);

            CAlternativeNames sanAlternativeNames = new CAlternativeNames();

            sanAlternativeNames.Add(sanAlternateName);

            CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames();

            alternativeNamesExtension.InitializeEncode(sanAlternativeNames);

            CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();

            smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);

            // Create the self-signing request.
            CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();

            cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
            cert.Subject   = distinguishedName;
            cert.Issuer    = distinguishedName;
            cert.NotBefore = DateTime.Now;
            cert.NotAfter  = DateTime.Now.AddYears(1);
            cert.X509Extensions.Add((CX509Extension)keyUsage);
            cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages);
            cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension);
            cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
            cert.HashAlgorithm = hashAlgorithm;
            cert.Encode();

            return(cert);
        }
Beispiel #18
0
        /// <summary>
        /// Create a certificate signing request.
        /// </summary>
        /// <param name="subjectName">The subject name of the certificate.</param>
        /// <param name="keyLength">Size of the key in bits.</param>
        /// <param name="durationYears">Duration of the certificate, specified in years.</param>
        /// <param name="oids">Collection of OIDs identifying certificate usage.</param>
        public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List<string> oids)
        {
            // Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc..
            if (subjectName.IndexOf("=") < 0)
                subjectName = "CN=" + subjectName;

            // Generate a distinguished name.
            CX500DistinguishedName distinguishedName = new CX500DistinguishedName();
            distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

            // Generate a private key.
            CX509PrivateKey privateKey = new CX509PrivateKey();
            privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
            privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
            privateKey.Length = keyLength;
            privateKey.MachineContext = true;
            privateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
            privateKey.Create();

            // Use the SHA-512 hashing algorithm.
            CObjectId hashAlgorithm = new CObjectId();
            hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");

            // Load the OIDs passed in and specify enhanced key usages.
            CObjectIds oidCollection = new CObjectIds();
            foreach (string oidID in oids)
            {
                CObjectId oid = new CObjectId();
                oid.InitializeFromValue(oidID);
                oidCollection.Add(oid);
            }

            CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
            keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);

            CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage();
            enhancedKeyUsages.InitializeEncode(oidCollection);

            string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=") + 1);

            CAlternativeName sanAlternateName = new CAlternativeName();
            sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName);

            CAlternativeNames sanAlternativeNames = new CAlternativeNames();
            sanAlternativeNames.Add(sanAlternateName);

            CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames();
            alternativeNamesExtension.InitializeEncode(sanAlternativeNames);

            CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();
            smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);

            // Create the self-signing request.
            CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
            cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
            cert.Subject = distinguishedName;
            cert.Issuer = distinguishedName;
            cert.NotBefore = DateTime.Now;
            cert.NotAfter = DateTime.Now.AddYears(1);
            cert.X509Extensions.Add((CX509Extension)keyUsage);
            cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages);
            cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension);
            cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
            cert.HashAlgorithm = hashAlgorithm;
            cert.Encode();

            return cert;
        }
Beispiel #19
0
            /// <summary>
            /// Function used to create a certificate signing request using the OS.
            /// Note that this function will place a certificate in the "Certificate Enrollment Requests" folder
            /// of the certificate store specified in loc. You can view this by running either
            /// certmgr or mmc from the command line.
            /// </summary>
            /// <param name="loc">Location to put certificate</param>
            /// <param name="subject_line">The subject line of the certificate, fields should be ; seperated, i.e.: "C=US; ST=Minnesota; L=Eden Prairie; O=Forward Pay Systems, Inc.; OU=Forward Pay; CN=fps.com"</param>
            /// <returns>The certificate signing request, if successful in PEM format</returns>
            public string GenerateRequest()
            {
                //code originally came from: http://blogs.msdn.com/b/alejacma/archive/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c.aspx
                //modified version of it is here: http://stackoverflow.com/questions/16755634/issue-generating-a-csr-in-windows-vista-cx509certificaterequestpkcs10
                //here is the standard for certificates: http://www.ietf.org/rfc/rfc3280.txt


                //the PKCS#10 certificate request (http://msdn.microsoft.com/en-us/library/windows/desktop/aa377505.aspx)
                CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10();

                //assymetric private key that can be used for encryption (http://msdn.microsoft.com/en-us/library/windows/desktop/aa378921.aspx)
                CX509PrivateKey objPrivateKey = new CX509PrivateKey();

                //access to the general information about a cryptographic provider (http://msdn.microsoft.com/en-us/library/windows/desktop/aa375967.aspx)
                CCspInformation objCSP = new CCspInformation();

                //collection on cryptographic providers available: http://msdn.microsoft.com/en-us/library/windows/desktop/aa375967(v=vs.85).aspx
                CCspInformations objCSPs = new CCspInformations();

                CX500DistinguishedName objDN = new CX500DistinguishedName();

                //top level object that enables installing a certificate response http://msdn.microsoft.com/en-us/library/windows/desktop/aa377809.aspx
                CX509Enrollment                objEnroll                        = new CX509Enrollment();
                CObjectIds                     objObjectIds                     = new CObjectIds();
                CObjectId                      objObjectId                      = new CObjectId();
                CObjectId                      objObjectId2                     = new CObjectId();
                CX509ExtensionKeyUsage         objExtensionKeyUsage             = new CX509ExtensionKeyUsage();
                CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();

                string csr_pem = null;

                //  Initialize the csp object using the desired Cryptograhic Service Provider (CSP)

                objCSPs.AddAvailableCsps();

                //Provide key container name, key length and key spec to the private key object
                objPrivateKey.ProviderName = providerName;
                objPrivateKey.Length       = KeyLength;
                objPrivateKey.KeySpec      = X509KeySpec.XCN_AT_KEYEXCHANGE; //Must flag as XCN_AT_KEYEXCHANGE to use this certificate for exchanging symmetric keys (needed for most SSL cipher suites)
                objPrivateKey.KeyUsage     = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
                if (Location == StoreLocation.LocalMachine)
                {
                    objPrivateKey.MachineContext = true;
                }
                else
                {
                    objPrivateKey.MachineContext = false;                                               //must set this to true if installing to the local machine certificate store
                }
                objPrivateKey.ExportPolicy    = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; //must set this if we want to be able to export it later. (for WinSIP maybe we don't want to be able to ever export the key??)
                objPrivateKey.CspInformations = objCSPs;

                //  Create the actual key pair
                objPrivateKey.Create();

                //  Initialize the PKCS#10 certificate request object based on the private key.
                //  Using the context, indicate that this is a user certificate request and don't
                //  provide a template name
                if (Location == StoreLocation.LocalMachine)
                {
                    objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, objPrivateKey, "");
                }
                else
                {
                    objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, "");
                }

                //Set has to sha256
                CObjectId hashobj = new CObjectId();

                hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
                objPkcs10.HashAlgorithm = hashobj;

                // Key Usage Extension -- we only need digital signature and key encipherment for TLS:
                //  NOTE: in openSSL, I didn't used to request any specific extensions. Instead, I let the CA add them
                objExtensionKeyUsage.InitializeEncode(
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                    CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE
                    );
                objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);

                // Enhanced Key Usage Extension
                objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1");  // OID for Server Authentication usage (see this: http://stackoverflow.com/questions/17477279/client-authentication-1-3-6-1-5-5-7-3-2-oid-in-server-certificates)
                objObjectId2.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // OID for Client Authentication usage (see this: http://stackoverflow.com/questions/17477279/client-authentication-1-3-6-1-5-5-7-3-2-oid-in-server-certificates)
                objObjectIds.Add(objObjectId);
                objObjectIds.Add(objObjectId2);
                objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
                objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);

                //  Encode the name in using the Distinguished Name object
                // see here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa379394(v=vs.85).aspx

                /*objDN.Encode(
                 *  "C=US, ST=Minnesota, L=Eden Prairie, O=Forward Pay Systems; Inc., OU=Forward Pay, CN=ERIC_CN",
                 *  X500NameFlags.XCN_CERT_NAME_STR_NONE
                 * );*/
                objDN.Encode(
                    Subject,
                    X500NameFlags.XCN_CERT_NAME_STR_SEMICOLON_FLAG
                    ); //"C=US; ST=Minnesota; L=Eden Prairie; O=Forward Pay Systems, Inc.; OU=Forward Pay; CN=ERIC_CN"

                //  Assing the subject name by using the Distinguished Name object initialized above
                objPkcs10.Subject = objDN;

                //suppress extra attributes:
                objPkcs10.SuppressDefaults = true;

                // Create enrollment request
                objEnroll.InitializeFromRequest(objPkcs10);
                csr_pem = objEnroll.CreateRequest(
                    EncodingType.XCN_CRYPT_STRING_BASE64
                    );
                csr_pem = "-----BEGIN CERTIFICATE REQUEST-----\r\n" + csr_pem + "-----END CERTIFICATE REQUEST-----";

                return(csr_pem);
            }
		public void GenerateCsr(SSLCertificate cert)
		{
			//  Create all the objects that will be required
			CX509CertificateRequestPkcs10 pkcs10 = new CX509CertificateRequestPkcs10();
			CX509PrivateKey privateKey = new CX509PrivateKey();
			CCspInformation csp = new CCspInformation();
			CCspInformations csPs = new CCspInformations();
			CX500DistinguishedName dn = new CX500DistinguishedName();
			CX509Enrollment enroll = new CX509Enrollment();
			CObjectIds objectIds = new CObjectIds();
			CObjectId clientObjectId = new CObjectId();
			CObjectId serverObjectId = new CObjectId();
			CX509ExtensionKeyUsage extensionKeyUsage = new CX509ExtensionKeyUsage();
			CX509ExtensionEnhancedKeyUsage x509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();

			try
			{
				//  Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
				csp.InitializeFromName("Microsoft RSA SChannel Cryptographic Provider");
				//  Add this CSP object to the CSP collection object
				csPs.Add(csp);

				//  Provide key container name, key length and key spec to the private key object
				//objPrivateKey.ContainerName = "AlejaCMa";
				privateKey.Length = cert.CSRLength;
				privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
				privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
				privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
				privateKey.MachineContext = true;

				//  Provide the CSP collection object (in this case containing only 1 CSP object)
				//  to the private key object
				privateKey.CspInformations = csPs;

				//  Create the actual key pair
				privateKey.Create();

				//  Initialize the PKCS#10 certificate request object based on the private key.
				//  Using the context, indicate that this is a user certificate request and don't
				//  provide a template name
				pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");

				cert.PrivateKey = privateKey.ToString();
				// Key Usage Extension 
				extensionKeyUsage.InitializeEncode(
					CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
					CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
					CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
					CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
				);

				pkcs10.X509Extensions.Add((CX509Extension)extensionKeyUsage);

				// Enhanced Key Usage Extension
				clientObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
				objectIds.Add(clientObjectId);
				serverObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1");
				objectIds.Add(serverObjectId);
				x509ExtensionEnhancedKeyUsage.InitializeEncode(objectIds);
				pkcs10.X509Extensions.Add((CX509Extension)x509ExtensionEnhancedKeyUsage);

				//  Encode the name in using the Distinguished Name object
				string request = String.Format(@"CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", cert.Hostname, cert.Organisation, cert.OrganisationUnit, cert.City, cert.State, cert.Country);
				dn.Encode(request, X500NameFlags.XCN_CERT_NAME_STR_NONE);

				//  Assing the subject name by using the Distinguished Name object initialized above
				pkcs10.Subject = dn;

				// Create enrollment request
				enroll.InitializeFromRequest(pkcs10);

				enroll.CertificateFriendlyName = cert.FriendlyName;

				cert.CSR = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER);

			}
			catch (Exception ex)
			{
				Log.WriteError("Error creating CSR", ex);
			}
		}