protected BaseCertificateTask(TOptions opts, IConfiguration configuration, LogFactory logFactory)
{
Options = opts;
Configuration = configuration;
Logger = logFactory.GetLogger(GetType().Name);
MenuInterupts = new MenuInterupts();
}
private int InternalRun()
{
bool isRoot = string.IsNullOrEmpty(Options.IssuerName);
var builder = new CertificateBuilder(Options.KeyStrength, Options.SignatureAlgorithm, Logger);
X509Certificate bcCertificate;
// Key pair of the issuing certificate.
AsymmetricCipherKeyPair issuingKeyPair = null;
// Key pair for the generated certificate.
AsymmetricCipherKeyPair generatedKeyPair = null;
X509Certificate2 storeCertificate = null;
// Root self signed certificate.
if (isRoot)
{
// Builder path for Root CA
bcCertificate = builder
.AddSKID()
.AddSerialNumber()
.AddValidityTime()
.AddExtendedKeyUsages()
.AddSubjectCommonName(Options.CommonName)
.AddIssuerCommonName(Options.CommonName) // Self Signed
.MakeCA()
.GenerateRootWithPrivateKey(out issuingKeyPair);
}
else
{
storeCertificate = LoadCACertificate(Options.IssuerName);
builder = new CertificateBuilder(Options.KeyStrength, Options.SignatureAlgorithm, Logger);
if (!ValidateIssuer(storeCertificate))
{
throw new CertificateException(
"Provided certificate is not a valid CA and therefore cannot issue other certificates.");
}
issuingKeyPair = DotNetUtilities.GetKeyPair(storeCertificate.PrivateKey);
string[] dpUrls = Options.DistributionPoints.Count() > 0 ? Options.DistributionPoints.ToArray(): MenuInterupts.GetCrlDistributionPoints();
bcCertificate = builder
.AddSKID()
.AddSerialNumber()
.AddValidityTime()
.AddExtendedKeyUsages()
.AddSubjectCommonName(Options.CommonName)
.AddIssuerCommonName(Options.IssuerName) // Generate from CA.
.AddAKID(issuingKeyPair.Public)
.AddCRLDistributionPoints(dpUrls)
.MakeCA()
.Generate(issuingKeyPair.Private, out generatedKeyPair);
}
var convertedCertificate = GetWindowsCertFromGenerated(bcCertificate,
Options.CommonName, isRoot ? issuingKeyPair.Private : generatedKeyPair.Private, builder.SecureRandom);
if (Options.Debug)
{
DisplayCertificateDebugInfo(convertedCertificate);
}
if (!string.IsNullOrEmpty(Options.ExportLocation))
{
// Export the certificate to the
var exportPath =
Path.Combine($"{Options.ExportLocation}", $"{Helper.StringToCNString(Options.CommonName)}.pfx");
File.WriteAllBytes(exportPath, convertedCertificate.Export(X509ContentType.Pkcs12));
}
else
{
// Add CA certificate to Root store
var machineStore = new X509Store(isRoot ? StoreName.Root : StoreName.CertificateAuthority, StoreLocation.LocalMachine);
machineStore.Open(OpenFlags.ReadWrite);
machineStore.Add(convertedCertificate);
machineStore.Close();
}
// Get our crl choice for this certificate authority.
bool generateCrl = Options.GenerateCRL ? Options.GenerateCRL : MenuInterupts.GetCrlChoice();
if (generateCrl)
{
var crlKeyPair = isRoot ? issuingKeyPair : generatedKeyPair;
var crlBuilder = new CrlBuilder();
var crl = crlBuilder
.AddIssuerName(Options.CommonName)
.AddUpdatePeriod()
.AddAKID(crlKeyPair.Public)
.Generate(crlKeyPair.Private);
var crlPostFix = Configuration["certificateSettings:crlPostFix"];
var exportPath = Path.Join(Configuration["certificateSettings:crlExportPath"],
$"{Options.CommonName}{crlPostFix}.crl");
File.WriteAllBytes(exportPath, crl.GetEncoded());
Logger.Info($"CRL Generated at {exportPath}");
}
return(SUCCESS);
}
private int RunInternal(string subjectName, string issuerName)
{
// Builder path for normal certificate.
var storeCertificate = LoadCACertificate(Options.IssuerName);
var builder = new CertificateBuilder(Options.KeyStrength, Options.SignatureAlgorithm, Logger);
if (!ValidateIssuer(storeCertificate))
{
Logger.Error("Provided issuer is not a valid CA and therefore cannot issue other certificates.");
throw new CertificateException(
"Provided issuer is not a valid CA and therefore cannot issue other certificates.");
}
var issuingKeyPair = DotNetUtilities.GetKeyPair(storeCertificate.PrivateKey);
string[] dpUrls = Options.DistributionPoints.Count() > 0 ? Options.DistributionPoints.ToArray() : MenuInterupts.GetCrlDistributionPoints();
var bcCertificate = builder
.AddSKID()
.AddSerialNumber()
.AddValidityTime()
.AddExtendedKeyUsages()
.AddSubjectCommonName(Options.CommonName)
.AddIssuerCommonName(Options.IssuerName) // Generate from CA.
.AddBasicConstraints()
.AddAKID(issuingKeyPair.Public)
.AddCRLDistributionPoints(dpUrls)
.Generate(issuingKeyPair.Private, out AsymmetricCipherKeyPair generatedKeyPair);
var convertedCertificate = GetWindowsCertFromGenerated(bcCertificate, Options.CommonName, generatedKeyPair.Private, builder.SecureRandom);
if (Options.Debug)
{
DisplayCertificateDebugInfo(convertedCertificate);
}
X509Chain chain = new X509Chain();
chain.Build(convertedCertificate);
if (!string.IsNullOrEmpty(Options.ExportLocation))
{
File.WriteAllBytes(Path.Combine(Options.ExportLocation, $"{Options.CommonName}.pfx"),
convertedCertificate.Export(X509ContentType.Pkcs12));
}
else
{
// Add CA certificate to Root store
var machineStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
machineStore.Open(OpenFlags.ReadWrite);
machineStore.Add(convertedCertificate);
machineStore.Close();
}
return(SUCCESS);
}
