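/// <summary>
/// Builds a self-signed RSA-2048 certificate from <paramref name="newCert"/> and returns it
/// as a password-protected PKCS#12 (PFX) blob that includes the private key.
/// </summary>
/// <param name="newCert">Subject name, SAN entries, validity period, friendly name and PFX password.</param>
/// <returns>The certificate and its private key, PFX-encoded and protected with <c>newCert.Password</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="newCert"/> is null.</exception>
/// <exception cref="ArgumentException">
/// <c>SubjectName</c> is empty or an entry in <c>IpAddresses</c> is not a parseable IP address.
/// </exception>
/// <exception cref="ArgumentOutOfRangeException"><c>ValidityYears</c> is not positive.</exception>
public static byte[] Create(NewCertificate newCert)
        {
            if (newCert == null)
            {
                throw new ArgumentNullException(nameof(newCert));
            }
            if (string.IsNullOrWhiteSpace(newCert.SubjectName))
            {
                throw new ArgumentException("SubjectName is required.", nameof(newCert));
            }
            // A non-positive validity would put notAfter before notBefore and make
            // CreateSelfSigned fail with a far less descriptive exception.
            if (newCert.ValidityYears <= 0)
            {
                throw new ArgumentOutOfRangeException(nameof(newCert), "ValidityYears must be greater than zero.");
            }

            SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
            int sanEntries = 0;

            // Both lists are optional; treat a missing list the same as an empty one.
            if (newCert.IpAddresses != null)
            {
                foreach (var ipText in newCert.IpAddresses)
                {
                    // TryParse gives the caller a clear error instead of a raw FormatException.
                    if (!IPAddress.TryParse(ipText, out IPAddress ip))
                    {
                        throw new ArgumentException($"'{ipText}' is not a valid IP address.", nameof(newCert));
                    }
                    sanBuilder.AddIpAddress(ip);
                    sanEntries++;
                }
            }
            if (newCert.DnsNames != null)
            {
                foreach (var dnsName in newCert.DnsNames)
                {
                    sanBuilder.AddDnsName(dnsName);
                    sanEntries++;
                }
            }

            // The string is parsed as a complete distinguished name: RDN separators
            // (',', '+', '=') inside SubjectName become additional attributes rather
            // than part of the CN. Validate SubjectName upstream if it is user-supplied.
            X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={newCert.SubjectName}");

            using (RSA rsa = RSA.Create(2048))
            {
                var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                // Key usage kept as in the original; DataEncipherment is not needed for TLS
                // but is harmless, and some existing consumers may expect it.
                request.CertificateExtensions.Add(
                    new X509KeyUsageExtension(
                        X509KeyUsageFlags.DataEncipherment |
                        X509KeyUsageFlags.KeyEncipherment |
                        X509KeyUsageFlags.DigitalSignature,
                        false));

                request.CertificateExtensions.Add(
                    new X509EnhancedKeyUsageExtension(
                        new OidCollection
                        {
                            // TLS Server Authentication
                            new Oid("1.3.6.1.5.5.7.3.1"),
                            // TLS Client Authentication (just to test with IIS, NOT necessary for Identity Server)
                            new Oid("1.3.6.1.5.5.7.3.2"),
                        },
                        false));

                // RFC 5280 requires a present SAN extension to carry at least one entry,
                // so only emit it when something was actually added.
                if (sanEntries > 0)
                {
                    request.CertificateExtensions.Add(sanBuilder.Build());
                }

                // Single timestamp so notBefore/notAfter derive from the same instant.
                // notBefore is backdated a day to tolerate clock skew on validating hosts.
                DateTimeOffset now = DateTimeOffset.UtcNow;
                DateTimeOffset notBefore = now.AddDays(-1);
                DateTimeOffset notAfter = now.AddYears(newCert.ValidityYears);

                using (X509Certificate2 certificate = request.CreateSelfSigned(notBefore, notAfter))
                {
                    // FriendlyName is a Windows certificate-store attribute; the setter throws
                    // PlatformNotSupportedException on other runtimes, so only set it there.
                    if (System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(System.Runtime.InteropServices.OSPlatform.Windows))
                    {
                        certificate.FriendlyName = newCert.CertificateName;
                    }

                    // The PFX contains the private key; it is protected only by newCert.Password.
                    return certificate.Export(X509ContentType.Pfx, newCert.Password);
                }
            }
        }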
        /// <summary>
        /// Generates a self-signed certificate from the posted parameters and streams the
        /// resulting PFX (certificate plus private key, protected by the supplied password)
        /// back to the caller as a binary download.
        /// </summary>
        /// <param name="cert">Model-bound certificate parameters passed straight to the generator.</param>
        /// <returns>A <c>application/octet-stream</c> file result containing the PFX bytes.</returns>
        public IActionResult NewCertificate(NewCertificate cert)
        {
            byte[] pfx = SelfSignedServerCertificate.Create(cert);
            return File(pfx, "application/octet-stream");
        }