protected async Task <byte[]> GenerateCertificateAsync(CertificateInfo certificateInfo, IOrderContext orderCtx)
{
//Создаем CSR-builder и добавляем туда все домены и CN
var csrBuilder = new CertificationRequestBuilder();
csrBuilder.AddName("CN", certificateInfo.CommonName);
foreach (var domain in certificateInfo.Domains)
{
csrBuilder.SubjectAlternativeNames.Add(domain);
}
//Отправляем запрос на завершение Order'а (генерацию сертификата)
var order = await orderCtx.Finalize(csrBuilder.Generate());
if (order.Status != OrderStatus.Valid)
{
throw new InvalidOperationException("Order finalization error!");
}
//Получаем цепочку сертификатов и возвращаем ее виде PFX-файла
var certChain = await orderCtx.Download();
LogNewCertificateInfo(certChain);
return(certChain.ToPfx(csrBuilder.Key).Build(certificateInfo.CommonName, certificateInfo.PfxPassword));
}
/// <summary>
/// Finalizes and download the certifcate for the order.
/// </summary>
/// <param name="context">The order context.</param>
/// <param name="csr">The CSR.</param>
/// <param name="key">The private key for the certificate.</param>
/// <param name="retryCount">Number of retries when the Order is in 'processing' state. (default = 1)</param>
/// <param name="preferredChain">The preferred Root Certificate.</param>
/// <returns>
/// The certificate generated.
/// </returns>
public static async Task <CertificateChain> Generate(this IOrderContext context, CsrInfo csr, IKey key, string preferredChain = null, int retryCount = 1)
{
var order = await context.Resource();
if (order.Status != OrderStatus.Ready && // draft-11
order.Status != OrderStatus.Pending) // pre draft-11
{
throw new AcmeException(string.Format(Strings.ErrorInvalidOrderStatusForFinalize, order.Status));
}
order = await context.Finalize(csr, key);
while (order.Status == OrderStatus.Processing && retryCount-- > 0)
{
await Task.Delay(TimeSpan.FromSeconds(Math.Max(context.RetryAfter, 1)));
order = await context.Resource();
}
if (order.Status != OrderStatus.Valid)
{
throw new AcmeException(Strings.ErrorFinalizeFailed);
}
return(await context.Download(preferredChain));
}
/// <summary>
/// Retrieves the certificate from the ACME service. This method also generates the key and the CSR.
/// </summary>
/// <param name="commonName">the CN of the certificate to be requested</param>
/// <param name="pathForPfx">Path where the resulting PFX/PKCS#12 file will be generated</param>
/// <param name="pfxFriendlyName">Friendly name for the resulting PFX/PKCS#12</param>
/// <returns>The name of the generated PFX/PKCS#12 file, or null in case of error</returns>
public async Task <AuthenticatedPFX> RetrieveCertificate(IList <string> domains, string pathForPfx, string pfxFriendlyName)
{
try
{
if (_orderCtx == null)
{
throw new Exception("Do not call RetrieveCertificate before RegisterNewOrderAndVerify");
}
if (!System.IO.Directory.Exists(pathForPfx))
{
throw new Exception("Directory for PFX writing do not exists");
}
InitCertes();
// Let's generate a new key (RSA is good enough IMHO)
IKey certKey = KeyFactory.FromPem(Utils.GenerateRSAKeyAsPEM(_keySize));
// Then let's generate the CSR
var csr = await _orderCtx.CreateCsr(certKey);
csr.AddName("CN", domains[0]);
csr.SubjectAlternativeNames = domains;
// and finalize the ACME order
var finalOrder = await _orderCtx.Finalize(csr.Generate());
// Now we can fetch the certificate
CertificateChain cert = await _orderCtx.Download();
// We build the PFX/PKCS#12 and the cert/key as PEM
var pfx = cert.ToPfx(certKey);
var cer = cert.ToPem();
var key = certKey.ToPem();
pfx.AddIssuers(GetCACertChainFromStore());
var pfxBytes = pfx.Build(pfxFriendlyName, PfxPassword);
var fileName = pathForPfx + "\\" + Guid.NewGuid().ToString();
var pfxName = fileName + ".pfx";
var cerPath = fileName + ".cer";
var keyPath = fileName + ".key";
// We write the PFX/PKCS#12 to file
System.IO.File.WriteAllBytes(pfxName, pfxBytes);
logger.Info($"Retrieved certificate from the CA. The certificate is in {pfxName}");
// We write the PEMs to corresponding files
System.IO.File.WriteAllText(cerPath, cer);
System.IO.File.WriteAllText(keyPath, key);
AuthenticatedPFX authPFX = new AuthenticatedPFX(pfxName, PfxPassword, cerPath, keyPath);
return(authPFX);
}
catch (Exception exp)
{
logger.Error($"Failed to retrieve certificate from CA: {ProcessCertesException(exp)}");
return(null);
}
}
/// <summary>
/// Finalizes the certificate order.
/// </summary>
/// <param name="context">The order context.</param>
/// <param name="csr">The CSR.</param>
/// <param name="key">The private key for the certificate.</param>
/// <returns>
/// The order finalized.
/// </returns>
public static async Task <Order> Finalize(this IOrderContext context, CsrInfo csr, IKey key)
{
var builder = await context.CreateCsr(key);
foreach (var(name, value) in csr.Fields)
{
builder.AddName(name, value);
}
if (string.IsNullOrWhiteSpace(csr.CommonName))
{
builder.AddName("CN", builder.SubjectAlternativeNames[0]);
}
return(await context.Finalize(builder.Generate()));
}
/// <summary>
/// Finalizes and download the certifcate for the order.
/// </summary>
/// <param name="context">The order context.</param>
/// <param name="csr">The CSR.</param>
/// <param name="key">The private key for the certificate.</param>
/// <returns>
/// The certificate generated.
/// </returns>
public static async Task <CertificateChain> Generate(this IOrderContext context, CsrInfo csr, IKey key)
{
var order = await context.Resource();
if (order.Status != OrderStatus.Pending)
{
throw new Exception($"Can not finalize order with status {order.Status}.");
}
order = await context.Finalize(csr, key);
if (order.Status != OrderStatus.Valid)
{
throw new Exception("Failto finalize order.");
}
return(await context.Download());
}
/// <summary>
/// Finalizes and download the certifcate for the order.
/// </summary>
/// <param name="context">The order context.</param>
/// <param name="csr">The CSR.</param>
/// <param name="key">The private key for the certificate.</param>
/// <returns>
/// The certificate generated.
/// </returns>
public static async Task <CertificateChain> Generate(this IOrderContext context, CsrInfo csr, IKey key)
{
var order = await context.Resource();
if (order.Status != OrderStatus.Ready && // draft-11
order.Status != OrderStatus.Pending) // pre draft-11
{
throw new AcmeException(string.Format(Strings.ErrorInvalidOrderStatusForFinalize, order.Status));
}
order = await context.Finalize(csr, key);
if (order.Status != OrderStatus.Valid)
{
throw new AcmeException(Strings.ErrorFinalizeFailed);
}
return(await context.Download());
}
/// <summary>
/// Retrieves the certificate from the ACME service. This method also generates the key and the CSR.
/// </summary>
/// <param name="commonName">the CN of the certificate to be requested</param>
/// <param name="pathForPfx">Path where the resulting PFX/PKCS#12 file will be generated</param>
/// <param name="pfxFriendlyName">Friendly name for the resulting PFX/PKCS#12</param>
/// <returns>The name of the generated PFX/PKCS#12 file, or null in case of error</returns>
public async Task <string> RetrieveCertificate(IList <string> domains, string pathForPfx, string pfxFriendlyName)
{
try {
if (_orderCtx == null)
{
throw new Exception("Do not call RetrieveCertificate before RegisterNewOrderAndVerify");
}
if (!System.IO.Directory.Exists(pathForPfx))
{
throw new Exception("Directory for PFX writing do not exists");
}
InitCertes();
// Let's generate a new key (RSA is good enough IMHO)
IKey certKey = KeyFactory.NewKey(KeyAlgorithm.RS256);
// Then let's generate the CSR
var csr = await _orderCtx.CreateCsr(certKey);
csr.AddName("CN", domains[0]);
csr.SubjectAlternativeNames = domains;
// and finalize the ACME order
var finalOrder = await _orderCtx.Finalize(csr.Generate());
// Now we can fetch the certificate
CertificateChain cert = await _orderCtx.Download();
// We build the PFX/PKCS#12
var pfx = cert.ToPfx(certKey);
pfx.AddIssuers(GetCACertChainFromStore());
var pfxBytes = pfx.Build(pfxFriendlyName, PfxPassword);
var pfxName = Guid.NewGuid().ToString() + ".pfx";
// We write the PFX/PKCS#12 to file
System.IO.File.WriteAllBytes(pathForPfx + "\\" + pfxName, pfxBytes);
logger.Info($"Retrieved certificate from the CA. The certificate is in {pfxName}");
return(pfxName);
} catch (Exception exp) {
logger.Error($"Failed to retrieve certificate from CA: {ProcessCertesException(exp)}");
return(null);
}
}
public async Task <(byte[] pfxBytes, string password)> BuildCertificateAsync(
IOrderContext order,
CertificateRenewalOptions cfg,
CancellationToken cancellationToken)
{
var key = KeyFactory.NewKey(KeyAlgorithm.RS256);
await order.Finalize(new CsrInfo(), key);
var certChain = await order.Download();
var builder = certChain.ToPfx(key);
builder.FullChain = true;
var bytes = new byte[32];
_randomGenerator.GetNonZeroBytes(bytes);
var password = Convert.ToBase64String(bytes);
var pfxBytes = builder.Build(string.Join(";", cfg.HostNames), password);
return(pfxBytes, password);
}
