static byte[] GenerateCSR(CertificateProvider provider, string hostName, List <string> alternativeNames, out PrivateKey privateKey)
{
var csrDetails = new CsrDetails
{
CommonName = hostName
};
if (alternativeNames.Count > 0)
{
csrDetails.AlternativeNames = alternativeNames;
}
privateKey = provider.GeneratePrivateKey(new RsaPrivateKeyParams()
{
NumBits = Program.GlobalConfiguration.RSAKeyBits
});
var csr = provider.GenerateCsr(new CsrParams {
Details = csrDetails,
}, privateKey, Crt.MessageDigest.SHA256);
byte[] derRaw;
using (var bs = new MemoryStream())
{
provider.ExportCsr(csr, EncodingFormat.DER, bs);
bs.Seek(0, SeekOrigin.Begin);
derRaw = bs.ToArray();
}
return(derRaw);
}
/// <summary>
/// Get the certificate signing request
/// </summary>
/// <param name="cp"></param>
/// <param name="target"></param>
/// <param name="identifiers"></param>
/// <param name="rsaPk"></param>
/// <returns></returns>
private Csr GetCsr(CertificateProvider cp, List <string> identifiers, PrivateKey rsaPk)
{
var csr = cp.GenerateCsr(new CsrParams
{
Details = new CsrDetails()
{
CommonName = identifiers.FirstOrDefault(),
AlternativeNames = identifiers
}
}, rsaPk, Crt.MessageDigest.SHA256);
return(csr);
}
/// <summary>
/// Get the certificate signing request
/// </summary>
/// <param name="cp"></param>
/// <param name="target"></param>
/// <param name="identifiers"></param>
/// <param name="rsaPk"></param>
/// <returns></returns>
private Csr GetCsr(CertificateProvider cp, List<string> identifiers, PrivateKey rsaPk, string commonName = null)
{
if (commonName != null && !identifiers.Contains(commonName, StringComparer.InvariantCultureIgnoreCase))
{
_log.Warning($"{nameof(commonName)} '{commonName}' provided for CSR generation is invalid. It has to be part of the {nameof(identifiers)}.");
commonName = null;
}
var csr = cp.GenerateCsr(new CsrParams
{
Details = new CsrDetails()
{
CommonName = commonName ?? identifiers.FirstOrDefault(),
AlternativeNames = identifiers
}
}, rsaPk, Crt.MessageDigest.SHA256);
return csr;
}
public override Csr GenerateCsr(CsrParams csrParams, PrivateKey pk, Crt.MessageDigest md)
{
return(_cp.GenerateCsr(csrParams, pk, md));
}
private void GetCertificate()
{
Log.Information("Requesting Certificate");
using (CertificateProvider cp = CertificateProvider.GetProvider())
{
RsaPrivateKeyParams rsaPkp = new RsaPrivateKeyParams();
PrivateKey rsaKeys = cp.GeneratePrivateKey(rsaPkp);
CsrParams csrParams = new CsrParams
{
Details = new CsrDetails
{
CommonName = _options.HostName,
},
};
Csr csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);
byte[] derRaw;
using (MemoryStream bs = new MemoryStream())
{
cp.ExportCsr(csr, EncodingFormat.DER, bs);
derRaw = bs.ToArray();
}
string derB64U = JwsHelper.Base64UrlEncode(derRaw);
CertificateRequest certReq = _acmeClient.RequestCertificate(derB64U);
if (certReq.StatusCode != HttpStatusCode.Created)
{
throw new Exception($"Request status = {certReq.StatusCode}");
}
using (FileStream fs = new FileStream(_options.WellKnownFilePaths[WellKnownFile.KeyGen], FileMode.Create))
cp.SavePrivateKey(rsaKeys, fs);
using (FileStream fs = new FileStream(_options.WellKnownFilePaths[WellKnownFile.KeyPem], FileMode.Create))
cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
using (FileStream fs = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CsrGen], FileMode.Create))
cp.SaveCsr(csr, fs);
using (FileStream fs = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CsrPem], FileMode.Create))
cp.ExportCsr(csr, EncodingFormat.PEM, fs);
Log.Information($"Saving Certificate to {_options.WellKnownFilePaths[WellKnownFile.CrtDer]}");
using (FileStream file = File.Create(_options.WellKnownFilePaths[WellKnownFile.CrtDer]))
certReq.SaveCertificate(file);
Crt crt;
using (FileStream source = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CrtDer], FileMode.Open),
target = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CrtPem], FileMode.Create))
{
crt = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(crt, EncodingFormat.PEM, target);
}
// To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
string isuPemFile = GetIssuerCertificate(certReq, cp);
using (FileStream intermediate = new FileStream(isuPemFile, FileMode.Open),
certificate = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CrtPem], FileMode.Open),
chain = new FileStream(_options.WellKnownFilePaths[WellKnownFile.ChainPem], FileMode.Create))
{
certificate.CopyTo(chain);
intermediate.CopyTo(chain);
}
Log.Information($"Saving Certificate to {_options.WellKnownFilePaths[WellKnownFile.CrtPfx]}");
using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
target = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CrtPfx], FileMode.Create))
{
Crt isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target, _options.PfxPassword);
}
}
}