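/// <summary>
/// Builds a self-signed RSA-2048 / SHA-256 server certificate from <paramref name="newCert"/>
/// and returns it as a password-protected PKCS#12 (PFX) blob containing the private key.
/// </summary>
/// <param name="newCert">Subject name, optional SAN entries, validity, friendly name and export password.</param>
/// <returns>PFX bytes holding the certificate and private key, protected by <c>newCert.Password</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="newCert"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException"><c>newCert.ValidityYears</c> is negative.</exception>
/// <exception cref="FormatException">An entry in <c>newCert.IpAddresses</c> is not a valid IP address literal.</exception>
public static byte[] Create(NewCertificate newCert)
{
    if (newCert is null)
    {
        throw new ArgumentNullException(nameof(newCert));
    }

    // A negative validity puts notAfter before notBefore; reject it here with a precise
    // error instead of letting CreateSelfSigned fail later (it derives from ArgumentException,
    // so existing catch blocks still match).
    if (newCert.ValidityYears < 0)
    {
        throw new ArgumentOutOfRangeException(nameof(newCert), "ValidityYears must not be negative.");
    }

    var sanBuilder = new SubjectAlternativeNameBuilder();

    // Both SAN lists are treated as optional; previously only IpAddresses was null-guarded
    // and a null DnsNames would throw NullReferenceException.
    if (newCert.IpAddresses != null)
    {
        foreach (var ipAddr in newCert.IpAddresses)
        {
            sanBuilder.AddIpAddress(IPAddress.Parse(ipAddr));
        }
    }

    if (newCert.DnsNames != null)
    {
        foreach (var dnsName in newCert.DnsNames)
        {
            sanBuilder.AddDnsName(dnsName);
        }
    }

    var distinguishedName = new X500DistinguishedName($"CN={newCert.SubjectName}");

    using (RSA rsa = RSA.Create(2048))
    {
        var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        request.CertificateExtensions.Add(
            new X509KeyUsageExtension(
                X509KeyUsageFlags.DataEncipherment
                | X509KeyUsageFlags.KeyEncipherment
                | X509KeyUsageFlags.DigitalSignature,
                false));

        request.CertificateExtensions.Add(
            new X509EnhancedKeyUsageExtension(
                new OidCollection
                {
                    // TLS Server Authentication
                    new Oid("1.3.6.1.5.5.7.3.1"),
                    // TLS Client Authentication (just to test with IIS, NOT necessary for Identity Server)
                    new Oid("1.3.6.1.5.5.7.3.2"),
                },
                false));

        request.CertificateExtensions.Add(sanBuilder.Build());

        // Read the clock once so both bounds are derived from the same instant.
        // notBefore is backdated by a day to tolerate clock skew on the consuming host.
        DateTimeOffset now = DateTime.UtcNow;
        var notBefore = now.AddDays(-1);
        var notAfter = now.AddYears(newCert.ValidityYears);

        // The certificate owns a private-key handle; dispose it once the PFX bytes are out.
        using (var certificate = request.CreateSelfSigned(notBefore, notAfter))
        {
            // FriendlyName is a Windows certificate-store property; its setter throws
            // PlatformNotSupportedException elsewhere, so only assign it where it is supported.
            if (System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(
                    System.Runtime.InteropServices.OSPlatform.Windows))
            {
                certificate.FriendlyName = newCert.CertificateName;
            }

            // NOTE(review): Export accepts a null/empty password, which leaves the private key
            // in the PFX unprotected — confirm the caller always supplies a non-empty Password.
            return certificate.Export(X509ContentType.Pfx, newCert.Password);
        }
    }
}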
/// <summary>
/// Generates a self-signed certificate from the bound <paramref name="cert"/> request and
/// returns the resulting PFX as a binary download.
/// </summary>
/// <param name="cert">Certificate parameters bound from the request.</param>
/// <returns>A file result carrying the PFX bytes as <c>application/octet-stream</c>.</returns>
public IActionResult NewCertificate(NewCertificate cert)
{
    // NOTE(review): the response body contains a private key; the authorization applied to
    // this action is not visible here — confirm at the controller level.
    byte[] pfxBytes = SelfSignedServerCertificate.Create(cert);
    return File(pfxBytes, "application/octet-stream");
}