public override void ExportArchive(PrivateKey pk, IEnumerable <Crt> certs, ArchiveFormat fmt, Stream target, string password)
{
var rsaPk = pk as RsaPrivateKey;
if (rsaPk == null)
{
throw new NotSupportedException("unsupported private key type");
}
if (fmt == ArchiveFormat.PKCS12)
{
var bcCerts = certs.Select(x =>
new X509CertificateEntry(FromCertPem(x.Pem))).ToArray();
var bcPk = FromPrivatePem(rsaPk.Pem);
var pfx = new Pkcs12Store();
pfx.SetCertificateEntry(bcCerts[0].Certificate.ToString(), bcCerts[0]);
pfx.SetKeyEntry(bcCerts[0].Certificate.ToString(),
new AsymmetricKeyEntry(bcPk.Private), new[] { bcCerts[0] });
for (int i = 1; i < bcCerts.Length; ++i)
{
pfx.SetCertificateEntry(bcCerts[i].Certificate.SubjectDN.ToString(),
bcCerts[i]);
}
pfx.Save(target, password?.ToCharArray(), new SecureRandom());
}
else
{
throw new NotSupportedException("unsupported archive format");
}
}
public static void ExportArchive(CertPrivateKey pk, IEnumerable <BcCertificate> certs,
ArchiveFormat fmt, Stream target, string password = null)
{
if (fmt == ArchiveFormat.PKCS12)
{
var bcCerts = certs.Select(x =>
new X509CertificateEntry(x)).ToArray();
var pfx = new Pkcs12Store();
pfx.SetCertificateEntry(bcCerts[0].Certificate.SubjectDN.ToString(), bcCerts[0]);
pfx.SetKeyEntry(bcCerts[0].Certificate.SubjectDN.ToString(),
new AsymmetricKeyEntry(pk.KeyPair.Private), new[] { bcCerts[0] });
for (int i = 1; i < bcCerts.Length; ++i)
{
//pfx.SetCertificateEntry(bcCerts[i].Certificate.SubjectDN.ToString(),
pfx.SetCertificateEntry(i.ToString(), bcCerts[i]);
}
// It used to be pretty straight forward to export this...
pfx.Save(target, password?.ToCharArray(), new SecureRandom());
}
else
{
throw new NotSupportedException("unsupported archive format");
}
}
public override void ExportArchive(PrivateKey pk, IEnumerable <Crt> certs, ArchiveFormat fmt, Stream target, string password)
{
var rsaPk = pk as RsaPrivateKey;
if (rsaPk == null)
{
throw new NotSupportedException("unsupported private key type");
}
if (fmt == ArchiveFormat.PKCS12)
{
var bcCerts = certs.Select(x =>
new X509CertificateEntry(FromCertPem(x.Pem))).ToArray();
var bcPk = FromPrivatePem(rsaPk.Pem);
var pfx = new Pkcs12Store();
//pfx.SetCertificateEntry(bcCerts[0].Certificate.ToString(), bcCerts[0]);
//pfx.SetKeyEntry(bcCerts[0].Certificate.ToString(),
pfx.SetCertificateEntry(string.Empty, bcCerts[0]);
pfx.SetKeyEntry(string.Empty,
new AsymmetricKeyEntry(bcPk.Private), new[] { bcCerts[0] });
for (int i = 1; i < bcCerts.Length; ++i)
{
//pfx.SetCertificateEntry(bcCerts[i].Certificate.SubjectDN.ToString(),
pfx.SetCertificateEntry(i.ToString(), bcCerts[i]);
}
// It used to be pretty straight forward to export this...
//pfx.Save(target, password?.ToCharArray(), new SecureRandom());
// ...unfortunately, BC won't let us export the Pkcs12 archive
// without assigning a FriendlyName, so we have to export and
// then re-import it, clear the FriendlyName, then return that
// YUCK!
using (var tmp = new MemoryStream())
{
pfx.Save(tmp, null, new SecureRandom());
var c = new System.Security.Cryptography.X509Certificates.X509Certificate2();
c.Import(tmp.ToArray(), string.Empty,
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.PersistKeySet |
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable);
// Clear the FriendlyName
c.FriendlyName = null;
var bytes = c.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12, password);
target.Write(bytes, 0, bytes.Length);
}
}
else
{
throw new NotSupportedException("unsupported archive format");
}
}
/// <summary>
/// Gets the .NET certificate from the bouncy castle certificate.
/// </summary>
/// <param name="cert">The certificate.</param>
/// <param name="friendlyName">The friendly name.</param>
/// <param name="keyPair">The key pair.</param>
/// <param name="random">A random number generator.</param>
/// <returns></returns>
protected X509Certificate2 GetWindowsCertFromGenerated(Org.BouncyCastle.X509.X509Certificate cert,
string friendlyName, AsymmetricKeyParameter privateKey, SecureRandom random)
{
// Create a PKS store.
var store = new Pkcs12Store();
// Generate a cert entry
var certificateEntry = new X509CertificateEntry(cert);
// Add it into the in-memory store.
store.SetCertificateEntry(friendlyName, certificateEntry);
// Add the key.
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(privateKey), new[] { certificateEntry });
var stream = new MemoryStream();
// Save the store to a stream..
store.Save(stream, STOREPASSWORD.ToCharArray(), random);
// Now load that same certificate.
var convertedCertificate =
new X509Certificate2(
stream.ToArray(), STOREPASSWORD,
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return(convertedCertificate);
}
public static X509Certificate2 ConvertCertificate(Org.BouncyCastle.X509.X509Certificate certificate,
AsymmetricCipherKeyPair subjectKeyPair,
SecureRandom random)
{
// Now to convert the Bouncy Castle certificate to a .NET certificate.
// See http://web.archive.org/web/20100504192226/http://www.fkollmann.de/v2/post/Creating-certificates-using-BouncyCastle.aspx
// ...but, basically, we create a PKCS12 store (a .PFX file) in memory, and add the public and private key to that.
var store = new Pkcs12Store();
// What Bouncy Castle calls "alias" is the same as what Windows terms the "friendly name".
string friendlyName = certificate.SubjectDN.ToString();
// Add the certificate.
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
// Add the private key.
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
// Convert it to an X509Certificate2 object by saving/loading it from a MemoryStream.
// It needs a password. Since we'll remove this later, it doesn't particularly matter what we use.
const string password = "******";
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), random);
var convertedCertificate =
new X509Certificate2(stream.ToArray(),
password,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return(convertedCertificate);
}
/// <remarks>Plagarised from https://github.com/CryptLink/CertBuilder/blob/master/CertBuilder.cs.
/// NOTE: netstandard2.1+ and netcoreapp3.1+ have x509.CopyWithPrivateKey which will avoid the need to
/// use the serialize/deserialize from pfx to get from bouncy castle to .NET Core X509 certificates.</remarks>
public static X509Certificate2 ConvertBouncyCert(Org.BouncyCastle.X509.X509Certificate bouncyCert, AsymmetricCipherKeyPair keyPair)
{
var pkcs12Store = new Pkcs12Store();
var certEntry = new X509CertificateEntry(bouncyCert);
pkcs12Store.SetCertificateEntry(bouncyCert.SerialNumber.ToString(), certEntry);
pkcs12Store.SetKeyEntry(bouncyCert.SerialNumber.ToString(),
new AsymmetricKeyEntry(keyPair.Private), new[] { certEntry });
X509Certificate2 keyedCert;
using (MemoryStream pfxStream = new MemoryStream())
{
pkcs12Store.Save(pfxStream, new char[] { }, new SecureRandom());
pfxStream.Seek(0, SeekOrigin.Begin);
keyedCert = new X509Certificate2(pfxStream.ToArray(), string.Empty, X509KeyStorageFlags.Exportable);
}
return(keyedCert);
//var info = Org.BouncyCastle.Pkcs.PrivateKeyInfoFactory.CreatePrivateKeyInfo(keyPair.Private);
//// merge into X509Certificate2
//var x509 = new X509Certificate2(bouncyCert.GetEncoded());
//var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded());
//if (seq.Count != 9)
//{
// throw new Org.BouncyCastle.OpenSsl.PemException("malformed sequence in RSA private key");
//}
//var rsa = RsaPrivateKeyStructure.GetInstance(seq); //new RsaPrivateKeyStructure(seq);
//var rsaparams = new RsaPrivateCrtKeyParameters(
// rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
//return x509.CopyWithPrivateKey(ToRSA(rsaparams));
//X509Certificate2 x509 = null;
//using (MemoryStream ms = new MemoryStream())
//{
// using (StreamWriter tw = new StreamWriter(ms))
// {
// PemWriter pw = new PemWriter(tw);
// //PemObject po = new PemObject("CERTIFICATE", bouncyCert.GetEncoded());
// PemObject po = new PemObject("CERTIFICATE", bouncyCert.GetEncoded());
// pw.WriteObject(po);
// logger.LogDebug(Encoding.UTF8.GetString(ms.GetBuffer()));
// StreamWriter sw2 = new StreamWriter("test.cer");
// sw2.Write(ms.GetBuffer());
// sw2.Close();
// x509 = new X509Certificate2(bouncyCert.GetEncoded());
// }
//}
//return x509;
}
public void Export(Container container, Stream output)
{
var rawCert = container.GetRawCertificate();
var privateKey = container.GetPrivateKey();
var cert = new X509CertificateParser().ReadCertificate(rawCert);
var certEntry = new X509CertificateEntry(cert);
string friendlyName = "alias";
var store = new Pkcs12Store();
store.SetCertificateEntry(friendlyName, certEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(privateKey), new[] { certEntry });
var password = _password.ToCharArray();
using (var ms = new MemoryStream()) {
store.Save(ms, password, new SecureRandom());
// Save дописывает в конец какой-то мусор
ms.Position = 0;
var asn1 = new Asn1InputStream(ms);
var result = asn1.ReadObject();
byte[] buf = Pkcs12Utilities.ConvertToDefiniteLength(result.GetEncoded(), password);
output.Write(buf, 0, buf.Length);
}
}
private async Task AddToWinCertStore()
{
Pkcs12Store store = new Pkcs12Store();
string friendlyName = "Limelight-Client";
var certEntry = new X509CertificateEntry(cert);
store.SetCertificateEntry(friendlyName, certEntry);
var keyEntry = new AsymmetricKeyEntry(keyPair.Private);
store.SetKeyEntry(friendlyName, keyEntry, new[] { certEntry });
// Copy the Pkcs12Store to a stream using an arbitrary password
const string password = "******";
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), new SecureRandom());
// Write to .PFX string
byte[] arr = stream.ToArray();
IBuffer buf = arr.AsBuffer();
string pfx = CryptographicBuffer.EncodeToBase64String(buf);
await CertificateEnrollmentManager.ImportPfxDataAsync(pfx, password, ExportOption.NotExportable, KeyProtectionLevel.NoConsent, InstallOptions.None, friendlyName);
}
private static X509Certificate2 ConvertCertificate(Org.BouncyCastle.X509.X509Certificate certificate, AsymmetricCipherKeyPair subjectKeyPair, SecureRandom random)
{
// Now to convert the Bouncy Castle certificate to a .NET certificate. Basically, we create a PKCS12 store (a .PFX file) in memory,
// and add the public and private key to that.
var store = new Pkcs12Store();
// What Bouncy Castle calls "alias" is the same as what Windows terms the "friendly name".
string friendlyName = certificate.SubjectDN.ToString();
// Add the certificate.
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
// Add the private key.
var keyEntry = new AsymmetricKeyEntry(subjectKeyPair.Private);
store.SetKeyEntry(friendlyName, keyEntry, new[] { certificateEntry });
// Convert it to an X509Certificate2 object by saving/loading it from a MemoryStream.
// It needs a password. Since we'll remove this when the certificate is loaded as a X509Certificate2,
// it doesn't particularly matter what we use.
var stream = new MemoryStream();
var passwordString = "temp";
var passwordChars = passwordString.ToCharArray();
store.Save(stream, passwordChars, random);
var convertedCertificate = new X509Certificate2(stream.ToArray(), passwordString, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
return(convertedCertificate);
}
public static X509Certificate2 AddPrivateKey(this Org.BouncyCastle.X509.X509Certificate cert, AsymmetricKeyParameter privateKey)
{
var keyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey);
var seq = Asn1Object.FromByteArray(keyInfo.ParsePrivateKey().GetDerEncoded()) as Asn1Sequence;
if (seq.Count != 9)
{
throw new PemException("malformed sequence in RSA private key");
}
var rsa = RsaPrivateKeyStructure.GetInstance(seq);
var rsaParams = new RsaPrivateKeyStructure(
rsa.Modulus,
rsa.PublicExponent,
rsa.PrivateExponent,
rsa.Prime1,
rsa.Prime2,
rsa.Exponent1,
rsa.Exponent2,
rsa.Coefficient);
var store = new Pkcs12Store();
var certEntry = new X509CertificateEntry(cert);
store.SetCertificateEntry(cert.SubjectDN.ToString(), certEntry);
store.SetKeyEntry(cert.SubjectDN.ToString(), new AsymmetricKeyEntry(privateKey), new[] { certEntry });
using (var stream = new MemoryStream())
{
store.Save(stream, privateKeyPassword.ToCharArray(), new SecureRandom(new CryptoApiRandomGenerator()));
return(new X509Certificate2(stream.ToArray(), privateKeyPassword, X509KeyStorageFlags.Exportable));
}
}
/// <summary>
/// Windows TLS needs the Alias public + private key in a PFX file
/// </summary>
/// <param name="certFile"></param>
/// <param name="keyFile"></param>
internal static void MakePFXFile(string certFile, string keyFile, string outputPfxFile, string password)
{
CryptoApiRandomGenerator rg = new CryptoApiRandomGenerator();
var rng = new SecureRandom(rg);
// get the cert
var parser = new X509CertificateParser();
var cert = parser.ReadCertificate(File.ReadAllBytes(certFile));
// get the key
Org.BouncyCastle.OpenSsl.PemReader pemReader =
new Org.BouncyCastle.OpenSsl.PemReader(new StringReader(File.ReadAllText(keyFile)));
AsymmetricCipherKeyPair kp = pemReader.ReadObject() as AsymmetricCipherKeyPair;
// Put the key and cert in an PKCS12 store so that the WIndows TLS stack can use it
var store = new Pkcs12Store();
string friendlyName = cert.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(cert);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(kp.Private), new[] { certificateEntry });
var stream = new MemoryStream();
var pwd = password == null ? null : password.ToCharArray();
store.Save(stream, pwd, rng);
File.WriteAllBytes(outputPfxFile, stream.ToArray());
return;
}
public static X509Certificate2 ToCertificateWithPrivateKey(
Guid ownIdentity,
Org.BouncyCastle.X509.X509Certificate certificate,
AsymmetricCipherKeyPair keyPair,
string password,
SecureRandom random)
{
var ownCertificateStore = new FileInfo(GetStorePath(ownIdentity));
var newStore = new Pkcs12Store();
var certEntry = new X509CertificateEntry(certificate);
newStore.SetCertificateEntry(
ownIdentity.ToString(),
certEntry);
newStore.SetKeyEntry(
ownIdentity.ToString(),
new AsymmetricKeyEntry(keyPair.Private),
new[] { certEntry });
if (ownCertificateStore.Exists)
{
ownCertificateStore.Delete();
}
using (var file = ownCertificateStore.OpenWrite())
{
newStore.Save(
file,
password.ToCharArray(),
random);
}
return(new X509Certificate2(ownCertificateStore.FullName, password));
}
public static X509Certificate2 ToX509Certificate2(
Org.BouncyCastle.X509.X509Certificate BouncyCert,
SecureRandom RandomProvider,
AsymmetricCipherKeyPair KeyPair)
{
var store = new Pkcs12Store();
var certificateEntry = new X509CertificateEntry(BouncyCert);
string friendlyName = BouncyCert.SubjectDN.ToString();
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(KeyPair.Private), new[] { certificateEntry });
var stream = new MemoryStream();
var password = KeyPair.Private.GetHashCode().ToString();
store.Save(stream, password.ToCharArray(), RandomProvider);
//convert from stream
var convertedCertificate =
new X509Certificate2(
stream.ToArray(), password,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return(convertedCertificate);
}
public static X509Certificate2 GenerateSelfSignedCert()
{
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var certificateGenerator = new X509V3CertificateGenerator();
var serialNumber =
BigIntegers.CreateRandomInRange(
BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
const string signatureAlgorithm = "SHA1WithRSA";
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);
var subjectDN = new X509Name("CN=simpletorrent");
var issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
var notBefore = DateTime.UtcNow.Date.AddHours(-24);
var notAfter = notBefore.AddYears(1000);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
const int strength = 4096;
var keyGenerationParameters = new KeyGenerationParameters(random, strength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
var issuerKeyPair = subjectKeyPair;
var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
string password = "******";
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), random);
//mono bug #1660 fix -> convert to definite-length encoding
byte[] pfx = Pkcs12Utilities.ConvertToDefiniteLength(stream.ToArray(), password.ToCharArray());
var convertedCertificate =
new X509Certificate2(
pfx, password,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return(convertedCertificate);
}
public static X509Certificates.X509Certificate2 ToX509Certificate2(
this X509Certificate certificate,
AsymmetricCipherKeyPair subjectKeyPair,
SecureRandom random)
{
var store = new Pkcs12Store();
var friendlyName = certificate.SubjectDN.ToString();
// Add the certificate.
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
// Add the private key.
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
// Convert it to an X509Certificate2 object by saving/loading it from a MemoryStream.
// It needs a password. Since we'll remove this later, it doesn't particularly matter what we use.
const string password = "******";
X509Certificates.X509Certificate2 convertedCertificate;
using (var stream = new MemoryStream())
{
store.Save(stream, password.ToCharArray(), random);
convertedCertificate = new X509Certificates.X509Certificate2(stream.ToArray(),
password,
// X509Certificates.X509KeyStorageFlags.DefaultKeySet);
X509Certificates.X509KeyStorageFlags.MachineKeySet | X509Certificates.X509KeyStorageFlags.PersistKeySet | X509Certificates.X509KeyStorageFlags.Exportable);
}
return(convertedCertificate);
}
private static X509Certificate2 ConvertCertificate(
X509Certificate certificate,
AsymmetricCipherKeyPair subjectKeyPair,
SecureRandom random)
{
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
const string password = "******";
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), random);
return(new X509Certificate2(
stream.ToArray(),
password,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable));
}
internal static CertContainer IssueSignerCertificate(X509Name dnName, int keySize = DefaultKeySize)
{
CertContainer issuerCert = IntermediateCa;
RsaKeyPairGenerator keyPairGen = new RsaKeyPairGenerator();
keyPairGen.Init(new KeyGenerationParameters(_secureRandom, keySize));
AsymmetricCipherKeyPair keyPair = keyPairGen.GenerateKeyPair();
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(issuerCert.Certificate.SubjectDN);
certGen.SetNotBefore(DateTime.Now);
certGen.SetNotAfter(DateTime.Now.AddYears(1));
certGen.SetSubjectDN(dnName);
certGen.SetPublicKey(keyPair.Public);
certGen.SetSignatureAlgorithm("SHA256withRSA");
certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCert.Certificate.GetPublicKey()));
certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certGen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(X509KeyUsage.NonRepudiation | X509KeyUsage.DigitalSignature));
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.Public));
certGen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth));
// Add CRL endpoint
Uri currentBaseUri = new Uri("https://localhost/");
Uri crlUri = new Uri(currentBaseUri, IntermediateCrlPath);
GeneralName generalName = new GeneralName(GeneralName.UniformResourceIdentifier, crlUri.ToString());
GeneralNames generalNames = new GeneralNames(generalName);
DistributionPointName distPointName = new DistributionPointName(generalNames);
DistributionPoint distPoint = new DistributionPoint(distPointName, null, null);
certGen.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(new DistributionPoint[] { distPoint }));
// Add OCSP endpoint
Uri ocspUri = new Uri(currentBaseUri, OcspPath);
AccessDescription ocsp = new AccessDescription(AccessDescription.IdADOcsp,
new GeneralName(GeneralName.UniformResourceIdentifier, ocspUri.ToString()));
Asn1EncodableVector aiaASN = new Asn1EncodableVector();
aiaASN.Add(ocsp);
certGen.AddExtension(X509Extensions.AuthorityInfoAccess, false, new DerSequence(aiaASN));
X509Certificate generatedCert = certGen.Generate(issuerCert.PrivateKey);
Pkcs12StoreBuilder pfxBuilder = new Pkcs12StoreBuilder();
Pkcs12Store pfxStore = pfxBuilder.Build();
X509CertificateEntry certEntry = new X509CertificateEntry(generatedCert);
pfxStore.SetCertificateEntry(generatedCert.SubjectDN.ToString(), certEntry);
pfxStore.SetKeyEntry(generatedCert.SubjectDN + "_key", new AsymmetricKeyEntry(keyPair.Private), new X509CertificateEntry[] { certEntry });
return(new CertContainer(pfxStore, issuerCert.GetIssuerChain(true)));
}
/// <summary>
/// Create a self signed certificate in the specified file.
/// </summary>
/// <param name="subjectName">The subject of the certificate to create.</param>
/// <param name="fileName">The file name to write the certificate to.</param>
/// <param name="signatureAlgorithm">The signature algorithm to use</param>
/// <param name="password">True if there is a password, false otherwise. Note that if there is a password, PFX format is assumed.</param>
public static void CreateSelfSignedInFile(string subjectName, string fileName, string signatureAlgorithm, string password = "")
{
byte[] serialNumber = GenerateSerialNumber();
string subject = string.Format("CN={0}", subjectName);
var subjectDN = new X509Name(subject);
var issuerDN = subjectDN;
const int keyStrength = 2048;
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
var issuerKeyPair = subjectKeyPair;
ISignatureFactory signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, issuerKeyPair.Private, random);
var certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));
certificateGenerator.SetSerialNumber(new BigInteger(serialNumber.Concat(new Byte[] { 0 }).ToArray()));
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
certificateGenerator.SetNotBefore(DateTime.Now);
certificateGenerator.SetNotAfter(DateTime.Now);
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
var certificate = certificateGenerator.Generate(signatureFactory);
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), random);
var convertedCertificate = new X509Certificate2(stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
//If password is not empty, generate a PKCS#12 formatted file
if (!string.IsNullOrEmpty(password))
{
File.WriteAllBytes(fileName, stream.ToArray());
}
//If password is empty generate a DER formatted file
else
{
File.WriteAllBytes(fileName, convertedCertificate.RawData);
}
}
/// <summary>
/// Creates X509 v3 certificate in PKCS12 file format.
/// </summary>
/// <param name="cn">Common name "CN" value.</param>
/// <param name="password">Private key password.</param>
/// <returns>Returns new X509 v3 certificate in PKCS12 file(.p12 or .pfx) format.</returns>
/// <exception cref="ArgumentNullException">Is raised when <b>cn</b> or <b>password</b> is null reference.</exception>
public static byte[] CreateCertificate(string cn, string password)
{
if (cn == null)
{
throw new ArgumentNullException("cn");
}
if (password == null)
{
throw new ArgumentNullException("password");
}
RsaKeyPairGenerator kpgen = new RsaKeyPairGenerator();
kpgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024));
AsymmetricCipherKeyPair kp = kpgen.GenerateKeyPair();
BigInteger serial = BigInteger.ProbablePrime(120, new Random());
X509Name certName = new X509Name("CN=" + cn);
X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
gen.SetSerialNumber(serial);
gen.SetSubjectDN(certName);
gen.SetIssuerDN(certName);
gen.SetNotBefore(DateTime.UtcNow.AddDays(-2));
gen.SetNotAfter(DateTime.UtcNow.AddYears(5));
gen.SetSignatureAlgorithm("MD5WithRSAEncryption");
gen.SetPublicKey(kp.Public);
/*
* gen.AddExtension(
* X509Extensions.AuthorityKeyIdentifier.Id,
* false,
* new AuthorityKeyIdentifier(
* SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public),
* new GeneralNames(new GeneralName(certName)),
* serial
* ));*/
gen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth, KeyPurposeID.AnyExtendedKeyUsage));
X509Certificate cert = gen.Generate(kp.Private);
X509CertificateEntry certEntry = new X509CertificateEntry(cert);
Pkcs12Store newStore = new Pkcs12Store();
newStore.SetCertificateEntry(cn, certEntry);
newStore.SetKeyEntry(cn, new AsymmetricKeyEntry(kp.Private), new[] { new X509CertificateEntry(cert) });
MemoryStream retVal = new MemoryStream();
newStore.Save(retVal, password.ToCharArray(), new SecureRandom(new CryptoApiRandomGenerator()));
return(retVal.ToArray());
}
public static Pkcs12Store ToPkcs12(X509Certificate certificate, AsymmetricKeyParameter privateKey)
{
var pkcs12Store = new Pkcs12Store();
var certificateEntry = new X509CertificateEntry(certificate);
var certificateAlias = certificate.SubjectDN.ToString();
pkcs12Store.SetCertificateEntry(certificateAlias, certificateEntry);
pkcs12Store.SetKeyEntry(certificate.SubjectDN.ToString(), new AsymmetricKeyEntry(privateKey),
new[] { certificateEntry });
return(pkcs12Store);
}
//TODO change to functors
public static X509Certificate CreateX509Certificate2(AsymmetricCipherKeyPair kp, string issuer, DateTime notBefore, DateTime notAfter, KeyType keyUsage, string filename, string password)
{
var random = new SecureRandom();
var sf = new Asn1SignatureFactory(HashAlg.SHA256withRSA.ToString(), kp.Private, random);
var gen = new X509V3CertificateGenerator();
var serial = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
gen.SetSerialNumber(serial);
var subject = new X509Name(issuer);
gen.SetIssuerDN(subject);
gen.SetSubjectDN(subject);
gen.SetNotBefore(notBefore);
gen.SetNotAfter(notAfter);
gen.SetPublicKey(kp.Public);
gen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true));
var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public));
gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, subjectKeyIdentifier);
var authorityKeyIdentifier = new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public), new GeneralNames(new GeneralName(subject)), serial);
gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, authorityKeyIdentifier);
////gen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPEmailProtection));
switch (keyUsage)
{
case KeyType.Signature: //signature
gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.NonRepudiation)); break;
case KeyType.Authentication: //authentication
gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.DigitalSignature)); break;
case KeyType.Encryption: //encryption
gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.KeyEncipherment | X509KeyUsage.KeyAgreement)); break;
default:
gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.KeyEncipherment | X509KeyUsage.DigitalSignature)); break;
}
var bouncyCert = gen.Generate(sf);
bouncyCert.CheckValidity();
bouncyCert.Verify(kp.Public);
var store = new Pkcs12Store();
var certificateEntry = new X509CertificateEntry(bouncyCert);
store.SetCertificateEntry(bouncyCert.SubjectDN.ToString(), certificateEntry);
store.SetKeyEntry(bouncyCert.SubjectDN.ToString(), new AsymmetricKeyEntry(kp.Private), new[] { certificateEntry });
using (var sw = File.Create(filename))
store.Save(sw, password.ToCharArray(), random);
return(bouncyCert);
}
/// <summary>
/// Convert DER encoded private key data and certificate data into a PKCS12 container.
/// </summary>
/// <param name="password">The password to encrypt the container with, or null for no encryption.</param>
/// <param name="privateKeyData">The private key data that will be stored in the container.</param>
/// <param name="certificateData">The list of certificates that will be stored in the container.</param>
/// <returns>A PKCS12 byte array.</returns>
static public byte[] GetPkcs12Certificate(string password, byte[] privateKeyData, ICollection <byte[]> certificateData)
{
var certPrivateKey = PrivateKeyFactory.CreateKey(privateKeyData);
List <X509CertificateEntry> certificates = new List <X509CertificateEntry>();
var x509Parser = new X509CertificateParser();
var pkStore = new Pkcs12Store();
//
// Load all the certificates from the raw data.
//
foreach (var certdata in certificateData)
{
certificates.Add(new X509CertificateEntry(x509Parser.ReadCertificate(certdata)));
}
//
// Set the primary certificate and key.
//
var keyEntry = new AsymmetricKeyEntry(certPrivateKey);
pkStore.SetCertificateEntry(string.Empty, certificates[0]);
pkStore.SetKeyEntry(string.Empty, new AsymmetricKeyEntry(certPrivateKey), new[] { certificates[0] });
//
// Add in any additional chain certificates.
//
for (int i = 1; i < certificates.Count; i++)
{
pkStore.SetCertificateEntry(i.ToString(), certificates[i]);
}
//
// Do a final conversion of the certificate data into a PKCS12 blob and add it to the store.
//
using (var ms = new MemoryStream())
{
pkStore.Save(ms, password?.ToArray(), new SecureRandom());
return(ms.ToArray());
}
}
public CertificationResult Certify(byte[][] publicKey)
{
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var certificateGenerator = new X509V3CertificateGenerator();
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
DateTime notBefore = DateTime.UtcNow.Date;
DateTime notAfter = notBefore.AddDays(10);
var subjectDN = new X509Name("CN=fritzenUpload.Client");
var issuerDN = new X509Name("CN=fritzenUpload");
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
var subjectPublic = new RsaKeyParameters(false, new BigInteger(publicKey[1]), new BigInteger(publicKey[0]));
certificateGenerator.SetPublicKey(subjectPublic);
// Selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(currentCert.GetFactory(random));
string serial = string.Concat(serialNumber.ToByteArray().Select(b => b.ToString("X2")));
TextWriter textWriter = new StringWriter();
PemWriter writer = new(textWriter);
writer.WriteObject(certificate);
textWriter.Flush();
byte[] data = Encoding.UTF8.GetBytes(textWriter.ToString());
var store = new Pkcs12Store();
var certificateEntry = new X509CertificateEntry(certificate);
string friendlyName = certificate.SubjectDN.ToString();
store.SetCertificateEntry(friendlyName, certificateEntry);
//TODO change encoding from pfx to something more efficient
var stream = new MemoryStream();
store.Save(stream, "".ToCharArray(), random);
return(new CertificationResult()
{
Rawdata = stream.ToArray(), SerialNumber = serial, ValidUntil = notAfter
});
}
/// <summary>
/// Exports the specified stream and password to a pkcs12 encrypted file.
/// </summary>
/// <remarks>
/// Exports the specified stream and password to a pkcs12 encrypted file.
/// </remarks>
/// <param name="stream">The output stream.</param>
/// <param name="password">The password to use to lock the private keys.</param>
/// <exception cref="System.ArgumentNullException">
/// <para><paramref name="stream"/> is <c>null</c>.</para>
/// <para>-or-</para>
/// <para><paramref name="password"/> is <c>null</c>.</para>
/// </exception>
/// <exception cref="System.IO.IOException">
/// An error occurred while writing to the stream.
/// </exception>
public void Export(Stream stream, string password)
{
if (stream == null)
{
throw new ArgumentNullException(nameof(stream));
}
if (password == null)
{
throw new ArgumentNullException(nameof(password));
}
var store = new Pkcs12Store();
foreach (var certificate in certs)
{
if (keys.ContainsKey(certificate))
{
continue;
}
var alias = certificate.GetCommonName();
if (alias == null)
{
continue;
}
var entry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(alias, entry);
}
foreach (var kvp in keys)
{
var alias = kvp.Key.GetCommonName();
if (alias == null)
{
continue;
}
var entry = new AsymmetricKeyEntry(kvp.Value);
var cert = new X509CertificateEntry(kvp.Key);
var chain = new List <X509CertificateEntry> ();
chain.Add(cert);
store.SetKeyEntry(alias, entry, chain.ToArray());
}
store.Save(stream, password.ToCharArray(), new SecureRandom());
}
/// <summary>
/// Generates a self signed certificate for the specified host. In the future this will used to
/// test code that implements custom server certificate validation logic
/// </summary>
/// <param name="host"></param>
/// <returns></returns>
private X509Certificate2 GenerateCert(string host)
{
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
certificateGenerator.SetSignatureAlgorithm("SHA256WithRSA");
X509Name subjectDN = new X509Name("CN=wpad_audit");
X509Name issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
DateTime notBefore = DateTime.UtcNow.Date;
DateTime notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, Strength);
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
Org.BouncyCastle.X509.X509Certificate cert = certificateGenerator.Generate(issuerKeyPair.Private, random);
Pkcs12Store store = new Pkcs12Store();
string friendlyName = cert.SubjectDN.ToString();
X509CertificateEntry certificateEntry = new X509CertificateEntry(cert);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
byte[] streamContents;
using (MemoryStream stream = new MemoryStream())
{
store.Save(stream, Password.ToCharArray(), random);
stream.Flush();
streamContents = stream.ToArray();
}
return(new X509Certificate2(streamContents, Password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable));
}
/// <summary>
/// Generates the certificate.
/// </summary>
/// <param name="subjectName">Name of the subject.</param>
/// <returns>The generated certificate.</returns>
public static X509Certificate2 GenerateCertificate(string subjectName)
{
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var certificateGenerator = new X509V3CertificateGenerator();
var serialNumber =
BigIntegers.CreateRandomInRange(
BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
var subjectDN = new X509Name(subjectName);
var issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
var notBefore = DateTime.UtcNow.Date;
var notAfter = notBefore.AddDays(31);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
var keyGenerationParameters = new KeyGenerationParameters(random, 2048);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
var issuerKeyPair = subjectKeyPair;
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WithRSA", issuerKeyPair.Private, random);
var certificate = certificateGenerator.Generate(signatureFactory);
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
var stream = new MemoryStream();
store.Save(stream, new char[0], random);
return(new X509Certificate2(stream.ToArray()));
}
private static void WriteToP12(X509Certificate newCertificate, AsymmetricKeyParameter privateKeyParameters)
{
var pkcs12Store = new Pkcs12Store();
var certEntry = new X509CertificateEntry(newCertificate);
pkcs12Store.SetCertificateEntry("RougeCA", certEntry);
pkcs12Store.SetKeyEntry("RougeCA", new AsymmetricKeyEntry(privateKeyParameters), new[] { certEntry });
using (var fileStream = new FileStream("Rogue.p12", FileMode.Create, FileAccess.Write))
{
pkcs12Store.Save(fileStream, new[] { 'T', 'e', 's', 't', '1', '2', '3', '4', }, new SecureRandom());
}
}
public X509Certificate2 MakeCertificate(string password, string issuedToDomainName, int validYears)
{
_certificateGenerator.Reset();
_certificateGenerator.SetSignatureAlgorithm(SignatureAlgorithm);
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), _random);
_certificateGenerator.SetSerialNumber(serialNumber);
_certificateGenerator.SetSubjectDN(new X509Name(issuedToDomainName));
_certificateGenerator.SetIssuerDN(_issuer);
var subjectAlternativeNames = new Asn1Encodable[_generalNames.Length + 1];
// first subject alternative name is the same as the subject
subjectAlternativeNames[0] = new GeneralName(new X509Name(issuedToDomainName));
for (int t = 1; t <= _generalNames.Length; t++)
{
subjectAlternativeNames[t] = _generalNames[t - 1];
}
var subjectAlternativeNamesExtension = new DerSequence(subjectAlternativeNames);
_certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName.Id, false, subjectAlternativeNamesExtension);
_certificateGenerator.SetNotBefore(DateTime.UtcNow.Date);
_certificateGenerator.SetNotAfter(DateTime.UtcNow.Date.AddYears(validYears));
var keyGenerationParameters = new KeyGenerationParameters(_random, _strength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
_certificateGenerator.SetPublicKey(subjectKeyPair.Public);
var issuerKeyPair = subjectKeyPair;
var certificate = _certificateGenerator.Generate(issuerKeyPair.Private, _random);
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
using (var stream = new MemoryStream())
{
store.Save(stream, password.ToCharArray(), _random);
return(new X509Certificate2(stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable));
}
}
public static X509Certificate2 GenerateNewCertificate(string name)
{
var kpGen = new RsaKeyPairGenerator();
kpGen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024));
AsymmetricCipherKeyPair keyPair = kpGen.GenerateKeyPair();
var gen = new X509V3CertificateGenerator();
var certificateName = new X509Name("CN=" + name);
BigInteger serialNumber = BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(serialNumber);
gen.SetSubjectDN(certificateName);
gen.SetIssuerDN(certificateName);
gen.SetNotAfter(DateTime.Now.AddYears(100));
gen.SetNotBefore(DateTime.Now.AddDays(-1));
gen.SetSignatureAlgorithm("SHA256WithRSAEncryption");
gen.SetPublicKey(keyPair.Public);
gen.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false,
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public),
new GeneralNames(new GeneralName(certificateName)), serialNumber));
X509Certificate newCert = gen.Generate(keyPair.Private);
var newStore = new Pkcs12Store();
var certEntry = new X509CertificateEntry(newCert);
newStore.SetCertificateEntry(
Environment.MachineName,
certEntry
);
newStore.SetKeyEntry(
Environment.MachineName,
new AsymmetricKeyEntry(keyPair.Private),
new[] { certEntry }
);
var memoryStream = new MemoryStream();
newStore.Save(
memoryStream,
new char[0],
new SecureRandom(new CryptoApiRandomGenerator())
);
return(new X509Certificate2(memoryStream.ToArray()));
}
private X509Certificate2 GetSignedCertificate(Org.BouncyCastle.X509.X509Certificate bcCertificate, RsaPrivateCrtKeyParameters privateKey)
{
string alias = bcCertificate.SubjectDN.ToString();
var pkcs12 = new Pkcs12Store();
var entry = new X509CertificateEntry(bcCertificate);
pkcs12.SetCertificateEntry(alias, entry);
pkcs12.SetKeyEntry(alias, new AsymmetricKeyEntry(privateKey), new[] { entry });
using (var pfxStream = new MemoryStream())
{
pkcs12.Save(pfxStream, null, new SecureRandom());
return(new X509Certificate2(pfxStream.ToArray(), (string)null, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet));
}
}
