Example #1
0
        static void RetrieveCertificates(AcmeClient client, string api, string domain, string certificatesFolder, int certBits)
        {
            var cp     = CertificateProvider.GetProvider();
            var rsaPkp = new RsaPrivateKeyParams()
            {
                NumBits = certBits
            };

            var rsaKeys   = cp.GeneratePrivateKey(rsaPkp);
            var csrParams = new CsrParams
            {
                Details = new CsrDetails {
                    CommonName = domain
                }
            };

            var derRaw = default(byte[]);
            var csr    = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

            using (var bs = new MemoryStream())
            {
                cp.ExportCsr(csr, EncodingFormat.DER, bs);
                derRaw = bs.ToArray();
            }

            var derB64U  = JwsHelper.Base64UrlEncode(derRaw);
            var certRequ = client.RequestCertificate(derB64U);

            if (certRequ.StatusCode == HttpStatusCode.Created)
            {
                GenerateCertFiles(cp, rsaKeys, csr, certRequ, certificatesFolder, domain);
            }
        }
        private void TestExportRsaPrivateKey(EncodingFormat fmt)
        {
            using (var cp = GetCP())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk  = cp.GeneratePrivateKey(pkp);

                using (var target = new MemoryStream())
                {
                    cp.ExportPrivateKey(pk, fmt, target);
                }
            }
        }
        public void TestGenerateRsaPrivateKey()
        {
            using (var cp = GetCP())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk  = cp.GeneratePrivateKey(pkp);

                Assert.IsInstanceOfType(pk, typeof(RsaPrivateKey));

                var rsaPk = (RsaPrivateKey)pk;

                // TODO:  verify the components of RSA PK?
                //rsaPk.BigNumber
                //rsaPk.Bits
                //rsaPk.E
            }
        }
        public void TestGenerateRsaCsr()
        {
            using (var cp = GetCP())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk  = cp.GeneratePrivateKey(pkp);

                var crp = new CsrParams
                {
                    Details = new CsrDetails
                    {
                        CommonName = "TEST CERT",
                    }
                };

                var csr = cp.GenerateCsr(crp, pk, Crt.MessageDigest.SHA256);
            }
        }
        private void TestImportRsaCsr(EncodingFormat fmt)
        {
            using (var cp = CertificateProvider.GetProvider())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk  = cp.GeneratePrivateKey(pkp);

                var crp = new CsrParams
                {
                    Details = new CsrDetails
                    {
                        CommonName = "TEST CERT",
                    }
                };

                var    csr = cp.GenerateCsr(crp, pk, Crt.MessageDigest.SHA256);
                byte[] bytes;
                using (var target = new MemoryStream())
                {
                    cp.ExportCsr(csr, fmt, target);
                    bytes = target.ToArray();
                }

                var imp = csr;
                using (var source = new MemoryStream(bytes))
                {
                    imp = cp.ImportCsr(fmt, source);
                }

                using (MemoryStream save1 = new MemoryStream(), save2 = new MemoryStream())
                {
                    cp.SaveCsr(csr, save1);
                    cp.SaveCsr(imp, save2);

                    var bytes1 = save1.ToArray();
                    var bytes2 = save2.ToArray();

                    CollectionAssert.AreEqual(bytes1, bytes2);
                }
            }
        }
 /// <summary>
 /// Parameters to generate the key for
 /// </summary>
 /// <returns></returns>
 private RsaPrivateKeyParams GetRsaKeyParameters()
 {
     var rsaPkp = new RsaPrivateKeyParams();
     try
     {
         if (Properties.Settings.Default.RSAKeyBits >= 1024)
         {
             rsaPkp.NumBits = Properties.Settings.Default.RSAKeyBits;
             _log.Debug("RSAKeyBits: {RSAKeyBits}", Properties.Settings.Default.RSAKeyBits);
         }
         else
         {
             _log.Warning("RSA Key Bits less than 1024 is not secure. Letting ACMESharp default key bits. http://openssl.org/docs/manmaster/crypto/RSA_generate_key_ex.html");
         }
     }
     catch (Exception ex)
     {
         _log.Warning("Unable to set RSA Key Bits, Letting ACMESharp default key bits, Error: {@ex}", ex);
     }
     return rsaPkp;
 }
        private void TestExportRsaCsr(EncodingFormat fmt)
        {
            using (var cp = CertificateProvider.GetProvider())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk  = cp.GeneratePrivateKey(pkp);

                var crp = new CsrParams
                {
                    Details = new CsrDetails
                    {
                        CommonName = "TEST CERT",
                    }
                };

                var csr = cp.GenerateCsr(crp, pk, Crt.MessageDigest.SHA256);

                using (var target = new MemoryStream())
                {
                    cp.ExportCsr(csr, fmt, target);
                }
            }
        }
Example #8
0
        private string RequestCertificate()
        {
            var cp     = CertificateProvider.GetProvider("BouncyCastle");
            var rsaPkp = new RsaPrivateKeyParams
            {
                NumBits = this.keyLength
            };
            var rsaKeys = cp.GeneratePrivateKey(rsaPkp);

            var csrDetails = new CsrDetails
            {
                CommonName       = this.mainDomain,
                AlternativeNames = this.alternateNames.Except(new string[] { this.mainDomain })
            };
            var csrParams = new CsrParams
            {
                Details = csrDetails,
            };
            var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

            byte[] derRaw;
            using (var bs = new MemoryStream())
            {
                cp.ExportCsr(csr, EncodingFormat.DER, bs);
                derRaw = bs.ToArray();
            }
            var derB64U = JwsHelper.Base64UrlEncode(derRaw);

            logger.Debug("Requesting Certificate");

            var certRequ = client.RequestCertificate(derB64U);

            logger.Debug("Request Status: {0}", certRequ.StatusCode);

            if (certRequ.StatusCode == System.Net.HttpStatusCode.Created)
            {
                var    keyGenFile = Path.Combine(certificatePath, $"{this.mainDomain}-gen-key.json");
                var    keyPemFile = Path.Combine(certificatePath, $"{this.mainDomain}-key.pem");
                var    csrGenFile = Path.Combine(certificatePath, $"{this.mainDomain}-gen-csr.json");
                var    csrPemFile = Path.Combine(certificatePath, $"{this.mainDomain}-csr.pem");
                var    crtDerFile = Path.Combine(certificatePath, $"{this.mainDomain}-crt.der");
                var    crtPemFile = Path.Combine(certificatePath, $"{this.mainDomain}-crt.pem");
                string crtPfxFile = Path.Combine(certificatePath, $"{this.mainDomain}-all.pfx");

                using (var fs = new FileStream(keyGenFile, FileMode.Create))
                {
                    cp.SavePrivateKey(rsaKeys, fs);
                }
                using (var fs = new FileStream(keyPemFile, FileMode.Create))
                {
                    cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
                }
                using (var fs = new FileStream(csrGenFile, FileMode.Create))
                {
                    cp.SaveCsr(csr, fs);
                }
                using (var fs = new FileStream(csrPemFile, FileMode.Create))
                {
                    cp.ExportCsr(csr, EncodingFormat.PEM, fs);
                }

                logger.Info("Saving Certificate to {0}", crtDerFile);
                using (var file = File.Create(crtDerFile))
                {
                    certRequ.SaveCertificate(file);
                }

                Crt crt;
                using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
                       target = new FileStream(crtPemFile, FileMode.Create))
                {
                    crt = cp.ImportCertificate(EncodingFormat.DER, source);
                    cp.ExportCertificate(crt, EncodingFormat.PEM, target);
                }

                // To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
                var isuPemFile = GetIssuerCertificate(certRequ, cp);

                logger.Info($"Saving Certificate to {crtPfxFile}");
                using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                       target = new FileStream(crtPfxFile, FileMode.Create))
                {
                    try
                    {
                        var isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                        cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target);
                    }
                    catch (Exception ex)
                    {
                        logger.Error("Error exporting archive: {0}", ex.Message);
                    }
                }

                cp.Dispose();

                return(crtPfxFile);
            }

            throw new Exception($"Request status = {certRequ.StatusCode}");
        }
Example #9
0
        public void Test0170_GenCsrAndRequestCertificate()
        {
            using (var cp = CertificateProvider.GetProvider())
            {
                var rsaKeyParams = new RsaPrivateKeyParams();
                var rsaKey       = cp.GeneratePrivateKey(rsaKeyParams);

                _testGenCsr_RsaKeysFile = $"{_baseLocalStore}\\TestGenCsr-rsaKeys.txt";
                using (var fs = new FileStream(_testGenCsr_RsaKeysFile, FileMode.Create))
                {
                    cp.SavePrivateKey(rsaKey, fs);
                }

                var csrParams = new CsrParams
                {
                    Details = new CsrDetails
                    {
                        CommonName = TEST_CN1
                    }
                };

                var csr = cp.GenerateCsr(csrParams, rsaKey, Crt.MessageDigest.SHA256);
                _testGenCsr_CsrDetailsFile = $"{_baseLocalStore}\\TestGenCsr-csrDetails.txt";
                using (var fs = new FileStream(_testGenCsr_CsrDetailsFile, FileMode.Create))
                {
                    cp.SaveCsrParams(csrParams, fs);
                }
                _testGenCsr_CsrFile = $"{_baseLocalStore}\\TestGenCsr-csr.txt";
                using (var fs = new FileStream(_testGenCsr_CsrFile, FileMode.Create))
                {
                    cp.SaveCsr(csr, fs);
                }

                using (var signer = new RS256Signer())
                {
                    signer.Init();
                    using (var fs = new FileStream(_testRegister_AcmeSignerFile, FileMode.Open))
                    {
                        signer.Load(fs);
                    }

                    AcmeRegistration reg;
                    using (var fs = new FileStream(_testRegister_AcmeRegFile, FileMode.Open))
                    {
                        reg = AcmeRegistration.Load(fs);
                    }

                    byte[] derRaw;
                    using (var bs = new MemoryStream())
                    {
                        cp.ExportCsr(csr, EncodingFormat.DER, bs);
                        derRaw = bs.ToArray();
                    }
                    var derB64u = JwsHelper.Base64UrlEncode(derRaw);

                    using (var client = BuildClient(testTagHeader: nameof(Test0170_GenCsrAndRequestCertificate)))
                    {
                        client.RootUrl      = _rootUrl;
                        client.Signer       = signer;
                        client.Registration = reg;
                        client.Init();

                        client.GetDirectory(true);

                        var certRequ = client.RequestCertificate(derB64u);

                        _testCertRequ_AcmeCertRequFile = $"{_baseLocalStore}\\TestCertRequ.acmeCertRequ";
                        using (var fs = new FileStream(_testCertRequ_AcmeCertRequFile, FileMode.Create))
                        {
                            certRequ.Save(fs);
                        }
                    }
                }
            }
        }
Example #10
0
        public static string GetCertificate(Target binding)
        {
            List <string> identifiers = new List <string>();

            if (!Options.San)
            {
                identifiers.Add(binding.Host);
            }
            identifiers.AddRange(binding.AlternativeNames);
            identifiers = identifiers.Where(x => !string.IsNullOrWhiteSpace(x)).Distinct().ToList();
            if (identifiers.Count() == 0)
            {
                Log.Error("No DNS identifiers found.");
                throw new Exception("No DNS identifiers found.");
            }

            var identifier = identifiers.First();

            var cp     = CertificateProvider.GetProvider();
            var rsaPkp = new RsaPrivateKeyParams();

            try
            {
                if (Properties.Settings.Default.RSAKeyBits >= 1024)
                {
                    rsaPkp.NumBits = Properties.Settings.Default.RSAKeyBits;
                    Log.Debug("RSAKeyBits: {RSAKeyBits}", Properties.Settings.Default.RSAKeyBits);
                }
                else
                {
                    Log.Warning(
                        "RSA Key Bits less than 1024 is not secure. Letting ACMESharp default key bits. http://openssl.org/docs/manmaster/crypto/RSA_generate_key_ex.html");
                }
            }
            catch (Exception ex)
            {
                Log.Warning("Unable to set RSA Key Bits, Letting ACMESharp default key bits, Error: {@ex}", ex);
            }

            var rsaKeys    = cp.GeneratePrivateKey(rsaPkp);
            var csrDetails = new CsrDetails()
            {
                CommonName       = identifiers.FirstOrDefault(),
                AlternativeNames = identifiers
            };

            var csrParams = new CsrParams
            {
                Details = csrDetails
            };
            var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

            byte[] derRaw;
            using (var bs = new MemoryStream())
            {
                cp.ExportCsr(csr, EncodingFormat.DER, bs);
                derRaw = bs.ToArray();
            }
            var derB64U = JwsHelper.Base64UrlEncode(derRaw);

            Log.Information("Requesting Certificate: {dnsIdentifier}");
            var certRequ = _client.RequestCertificate(derB64U);

            Log.Debug("certRequ {@certRequ}", certRequ);

            Log.Information("Request Status: {StatusCode}", certRequ.StatusCode);

            if (certRequ.StatusCode == System.Net.HttpStatusCode.Created)
            {
                var    keyGenFile   = Path.Combine(_certificatePath, $"{identifier}-gen-key.json");
                var    keyPemFile   = Path.Combine(_certificatePath, $"{identifier}-key.pem");
                var    csrGenFile   = Path.Combine(_certificatePath, $"{identifier}-gen-csr.json");
                var    csrPemFile   = Path.Combine(_certificatePath, $"{identifier}-csr.pem");
                var    crtDerFile   = Path.Combine(_certificatePath, $"{identifier}-crt.der");
                var    crtPemFile   = Path.Combine(_certificatePath, $"{identifier}-crt.pem");
                var    chainPemFile = Path.Combine(_certificatePath, $"{identifier}-chain.pem");
                string crtPfxFile   = null;
                if (!Options.CentralSsl)
                {
                    crtPfxFile = Path.Combine(_certificatePath, $"{identifier}-all.pfx");
                }
                else
                {
                    crtPfxFile = Path.Combine(Options.CentralSslStore, $"{identifier}.pfx");
                }

                using (var fs = new FileStream(keyGenFile, FileMode.Create))
                    cp.SavePrivateKey(rsaKeys, fs);
                using (var fs = new FileStream(keyPemFile, FileMode.Create))
                    cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
                using (var fs = new FileStream(csrGenFile, FileMode.Create))
                    cp.SaveCsr(csr, fs);
                using (var fs = new FileStream(csrPemFile, FileMode.Create))
                    cp.ExportCsr(csr, EncodingFormat.PEM, fs);

                Log.Information("Saving Certificate to {crtDerFile}", crtDerFile);
                using (var file = File.Create(crtDerFile))
                    certRequ.SaveCertificate(file);

                Crt crt;
                using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
                       target = new FileStream(crtPemFile, FileMode.Create))
                {
                    crt = cp.ImportCertificate(EncodingFormat.DER, source);
                    cp.ExportCertificate(crt, EncodingFormat.PEM, target);
                }

                // To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
                var isuPemFile = GetIssuerCertificate(certRequ, cp);

                using (FileStream intermediate = new FileStream(isuPemFile, FileMode.Open),
                       certificate = new FileStream(crtPemFile, FileMode.Open),
                       chain = new FileStream(chainPemFile, FileMode.Create))
                {
                    certificate.CopyTo(chain);
                    intermediate.CopyTo(chain);
                }

                Log.Debug("CentralSsl {CentralSsl} San {San}", Options.CentralSsl.ToString(), Options.San.ToString());

                if (Options.CentralSsl && Options.San)
                {
                    foreach (var host in identifiers)
                    {
                        Console.WriteLine($"Host: {host}");
                        crtPfxFile = Path.Combine(Options.CentralSslStore, $"{host}.pfx");

                        Log.Information("Saving Certificate to {crtPfxFile}", crtPfxFile);
                        using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                               target = new FileStream(crtPfxFile, FileMode.Create))
                        {
                            try
                            {
                                var isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                                cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target,
                                                 Properties.Settings.Default.PFXPassword);
                            }
                            catch (Exception ex)
                            {
                                Log.Error("Error exporting archive {@ex}", ex);
                            }
                        }
                    }
                }
                else //Central SSL and San need to save the cert for each hostname
                {
                    Log.Information("Saving Certificate to {crtPfxFile}", crtPfxFile);
                    using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                           target = new FileStream(crtPfxFile, FileMode.Create))
                    {
                        try
                        {
                            var isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                            cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target,
                                             Properties.Settings.Default.PFXPassword);
                        }
                        catch (Exception ex)
                        {
                            Log.Error("Error exporting archive {@ex}", ex);
                        }
                    }
                }

                cp.Dispose();

                return(crtPfxFile);
            }
            Log.Error("Request status = {StatusCode}", certRequ.StatusCode);
            throw new Exception($"Request status = {certRequ.StatusCode}");
        }
Example #11
0
        private string GetCertificate(string host)
        {
            Log("\t\t\tGetCertificate started");

            var certificateProvider = CertificateProvider.GetProvider();
            var rsaPrivateKeyParams = new RsaPrivateKeyParams()
            {
                NumBits = Properties.Settings.Default.RSAKeyBits,
            };
            var rsaPrivateKey = certificateProvider.GeneratePrivateKey(rsaPrivateKeyParams);
            var csrDetails    = new CsrDetails
            {
                CommonName = host,
            };
            var csrParams = new CsrParams
            {
                Details = csrDetails,
            };
            var csr = certificateProvider.GenerateCsr(csrParams, rsaPrivateKey, Crt.MessageDigest.SHA256);

            byte[] derBytes;
            using (var ms = new MemoryStream())
            {
                certificateProvider.ExportCsr(csr, EncodingFormat.DER, ms);
                derBytes = ms.ToArray();
            }

            CertificateRequest requestCertificate = null;
            var derBase64UrlEncoded = JwsHelper.Base64UrlEncode(derBytes);

            try
            {
                requestCertificate = this.client.RequestCertificate(derBase64UrlEncoded);
            }
            catch (Exception ex)
            {
                Log("\t\t\t\tGetCertificate error {0}", ex.InnerException.Message);
                certificateProvider.Dispose();
                return(null);
            }

            var crtPfxFile = host + "-all.pfx";

            if (requestCertificate.StatusCode != System.Net.HttpStatusCode.Created)
            {
                crtPfxFile = null;
                Log("\t\t\t\tGetCertificate certRequ.StatusCode {0}", requestCertificate.StatusCode);
            }
            else
            {
                var keyGenFile   = host + "-gen-key.json";
                var keyPemFile   = host + "-key.pem";
                var csrGenFile   = host + "-gen-csr.json";
                var csrPemFile   = host + "-csr.pem";
                var crtDerFile   = host + "-crt.der";
                var crtPemFile   = host + "-crt.pem";
                var chainPemFile = host + "-chain.pem";

                using (var fs = new FileStream(keyGenFile, FileMode.Create))
                    certificateProvider.SavePrivateKey(rsaPrivateKey, fs);
                using (var fs = new FileStream(keyPemFile, FileMode.Create))
                    certificateProvider.ExportPrivateKey(rsaPrivateKey, EncodingFormat.PEM, fs);
                using (var fs = new FileStream(csrGenFile, FileMode.Create))
                    certificateProvider.SaveCsr(csr, fs);
                using (var fs = new FileStream(csrPemFile, FileMode.Create))
                    certificateProvider.ExportCsr(csr, EncodingFormat.PEM, fs);

                using (var file = File.Create(crtDerFile))
                    requestCertificate.SaveCertificate(file);

                Crt crt;
                using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
                       target = new FileStream(crtPemFile, FileMode.Create))
                {
                    crt = certificateProvider.ImportCertificate(EncodingFormat.DER, source);
                    certificateProvider.ExportCertificate(crt, EncodingFormat.PEM, target);
                }

                // To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
                var isuPemFile = GetIssuerCertificate(requestCertificate, certificateProvider);

                using (FileStream intermediate = new FileStream(isuPemFile, FileMode.Open),
                       certificate = new FileStream(crtPemFile, FileMode.Open),
                       chain = new FileStream(chainPemFile, FileMode.Create))
                {
                    certificate.CopyTo(chain);
                    intermediate.CopyTo(chain);
                }

                using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                       target = new FileStream(crtPfxFile, FileMode.Create))
                {
                    try
                    {
                        var isuCrt = certificateProvider.ImportCertificate(EncodingFormat.PEM, source);
                        certificateProvider.ExportArchive(rsaPrivateKey, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target,
                                                          Properties.Settings.Default.PFXPassword);
                    }
                    catch (Exception ex)
                    {
                        Log("\t\t\t\tGetCertificate error {0}", ex.Message);
                    }
                }
            }
            certificateProvider.Dispose();
            Log("\t\t\tGetCertificate ended");

            return(crtPfxFile);
        }
        private void TestExportRsaPrivateKey(EncodingFormat fmt)
        {
            using (var cp = GetCP())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk = cp.GeneratePrivateKey(pkp);

                using (var target = new MemoryStream())
                {
                    cp.ExportPrivateKey(pk, fmt, target);
                }
            }
        }
Example #13
0
        public string GetCertificate(AcmeClient client)
        {
            IdnMapping idn           = new IdnMapping();
            var        dnsIdentifier = idn.GetAscii(config.Host);

            CertificateProvider.RegisterProvider <BouncyCastleProvider>(BouncyCastleProvider.PROVIDER_NAME);
            var cp     = CertificateProvider.GetProvider(BouncyCastleProvider.PROVIDER_NAME);
            var rsaPkp = new RsaPrivateKeyParams();

            try
            {
                if (config.RSAKeyLength >= 1024)
                {
                    rsaPkp.NumBits = config.RSAKeyLength;
                    Trace.TraceInformation("RSAKeyBits: {0}", config.RSAKeyLength);
                }
                else
                {
                    Trace.TraceWarning("RSA Key Bits less than 1024 is not secure. Letting ACMESharp default key bits. http://openssl.org/docs/manmaster/crypto/RSA_generate_key_ex.html");
                }
            }
            catch (Exception ex)
            {
                Trace.TraceWarning("Unable to set RSA Key Bits, Letting ACMESharp default key bits, Error: {0}", ex);
                Console.WriteLine($"Unable to set RSA Key Bits, Letting ACMESharp default key bits, Error: {ex.Message.ToString()}");
            }

            var rsaKeys    = cp.GeneratePrivateKey(rsaPkp);
            var csrDetails = new CsrDetails
            {
                CommonName = dnsIdentifier,
            };

            if (config.AlternateNames != null)
            {
                if (config.AlternateNames.Count > 0)
                {
                    csrDetails.AlternativeNames = config.AlternateNames.Select(s => idn.GetAscii(s));
                }
            }
            var csrParams = new CsrParams
            {
                Details = csrDetails,
            };
            var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

            byte[] derRaw;
            using (var bs = new MemoryStream())
            {
                cp.ExportCsr(csr, EncodingFormat.DER, bs);
                derRaw = bs.ToArray();
            }
            var derB64u = JwsHelper.Base64UrlEncode(derRaw);

            Console.WriteLine($"\nRequesting Certificate");
            Trace.TraceInformation("Requesting Certificate");
            CertificateRequest certRequ = client.RequestCertificate(derB64u);

            Trace.TraceInformation("certRequ {0}", JsonConvert.SerializeObject(certRequ));

            Console.WriteLine($" Request Status: {certRequ.StatusCode}");
            Trace.TraceInformation("Request Status: {0}", certRequ.StatusCode);

            if (certRequ.StatusCode == System.Net.HttpStatusCode.Created)
            {
                var    keyGenFile = Path.Combine(this.configPath, $"{dnsIdentifier}-gen-key.json");
                var    keyPemFile = Path.Combine(configPath, $"{dnsIdentifier}-key.pem");
                var    csrGenFile = Path.Combine(configPath, $"{dnsIdentifier}-gen-csr.json");
                var    csrPemFile = Path.Combine(configPath, $"{dnsIdentifier}-csr.pem");
                var    crtDerFile = Path.Combine(configPath, $"{dnsIdentifier}-crt.der");
                var    crtPemFile = Path.Combine(configPath, $"{dnsIdentifier}-crt.pem");
                string crtPfxFile = null;

                crtPfxFile = Path.Combine(configPath, $"{dnsIdentifier}-all.pfx");



                using (var fs = new FileStream(keyGenFile, FileMode.Create))
                    cp.SavePrivateKey(rsaKeys, fs);
                using (var fs = new FileStream(keyPemFile, FileMode.Create))
                    cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
                using (var fs = new FileStream(csrGenFile, FileMode.Create))
                    cp.SaveCsr(csr, fs);
                using (var fs = new FileStream(csrPemFile, FileMode.Create))
                    cp.ExportCsr(csr, EncodingFormat.PEM, fs);

                Console.WriteLine($" Saving Certificate to {crtDerFile}");
                Trace.TraceInformation("Saving Certificate to {0}", crtDerFile);
                using (var file = File.Create(crtDerFile))
                    certRequ.SaveCertificate(file);

                Crt crt;
                using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
                       target = new FileStream(crtPemFile, FileMode.Create))
                {
                    crt = cp.ImportCertificate(EncodingFormat.DER, source);
                    cp.ExportCertificate(crt, EncodingFormat.PEM, target);
                }

                // To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
                var isuPemFile = GetIssuerCertificate(certRequ, cp);



                Console.WriteLine($" Saving Certificate to {crtPfxFile}");
                Trace.TraceInformation("Saving Certificate to {0}", crtPfxFile);
                using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                       target = new FileStream(crtPfxFile, FileMode.Create))
                {
                    try
                    {
                        var isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                        cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target, config.PFXPassword);
                    }
                    catch (Exception ex)
                    {
                        Trace.TraceError("Error exporting archive {0}", ex);
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine($"Error exporting archive: {ex.Message.ToString()}");
                        Console.ResetColor();
                    }
                }


                cp.Dispose();

                return(crtPfxFile);
            }
            if ((int)certRequ.StatusCode == 429)
            {
                Trace.TraceError("Unable to request certificate, too many certificate requests to Let's Encrypt certificate servers for the domain within the last 7 days. Please try again later. (If you are testing, please use the staging enviroment where you can request unlimited number of certificates. During the beta period only 5 certificate requests per domain per week are allowed to the production environment.)");
                throw new Exception("Unable to request certificate, too many certificate requests to Let's Encrypt certificate servers for the domain within the last 7 days. Please try again later. (If you are testing, please use the staging enviroment where you can request unlimited number of certificates. During the beta period only 5 certificate requests per domain per week are allowed to the production environment.)");
            }

            Trace.TraceError("Request status = {0}", certRequ.StatusCode);
            throw new Exception($"Request status = {certRequ.StatusCode}");
        }
Example #14
0
        protected override void ProcessRecord()
        {
            using (var vlt = Util.VaultHelper.GetVault(VaultProfile))
            {
                vlt.OpenStorage();
                var v = vlt.LoadVault();

                if (v.Registrations == null || v.Registrations.Count < 1)
                {
                    throw new InvalidOperationException("No registrations found");
                }

                var ri = v.Registrations[0];
                var r  = ri.Registration;

                if (v.Certificates == null || v.Certificates.Count < 1)
                {
                    throw new InvalidOperationException("No certificates found");
                }

                var ci = v.Certificates.GetByRef(CertificateRef);
                if (ci == null)
                {
                    throw new Exception("Unable to find a Certificate for the given reference");
                }

                using (var cp = CertificateProvider.GetProvider())
                {
                    if (!string.IsNullOrEmpty(ci.GenerateDetailsFile))
                    {
                        // Generate a private key and CSR:
                        //    Key:  RSA 2048-bit
                        //    MD:   SHA 256
                        //    CSR:  Details pulled from CSR Details JSON file

                        CsrDetails csrDetails;
                        var        csrDetailsAsset = vlt.GetAsset(VaultAssetType.CsrDetails, ci.GenerateDetailsFile);
                        using (var s = vlt.LoadAsset(csrDetailsAsset))
                        {
                            csrDetails = JsonHelper.Load <CsrDetails>(s);
                        }

                        var keyGenFile = $"{ci.Id}-gen-key.json";
                        var keyPemFile = $"{ci.Id}-key.pem";
                        var csrGenFile = $"{ci.Id}-gen-csr.json";
                        var csrPemFile = $"{ci.Id}-csr.pem";

                        var keyGenAsset = vlt.CreateAsset(VaultAssetType.KeyGen, keyGenFile, getOrCreate: Force);
                        var keyPemAsset = vlt.CreateAsset(VaultAssetType.KeyPem, keyPemFile, isSensitive: true, getOrCreate: Force);
                        var csrGenAsset = vlt.CreateAsset(VaultAssetType.CsrGen, csrGenFile, getOrCreate: Force);
                        var csrPemAsset = vlt.CreateAsset(VaultAssetType.CsrPem, csrPemFile, getOrCreate: Force);

                        var genKeyParams = new RsaPrivateKeyParams();

                        var genKey = cp.GeneratePrivateKey(genKeyParams);
                        using (var s = vlt.SaveAsset(keyGenAsset))
                        {
                            cp.SavePrivateKey(genKey, s);
                        }
                        using (var s = vlt.SaveAsset(keyPemAsset))
                        {
                            cp.ExportPrivateKey(genKey, EncodingFormat.PEM, s);
                        }

                        // TODO: need to surface details of the CSR params up higher
                        var csrParams = new CsrParams
                        {
                            Details = csrDetails
                        };
                        var genCsr = cp.GenerateCsr(csrParams, genKey, Crt.MessageDigest.SHA256);
                        using (var s = vlt.SaveAsset(csrGenAsset))
                        {
                            cp.SaveCsr(genCsr, s);
                        }
                        using (var s = vlt.SaveAsset(csrPemAsset))
                        {
                            cp.ExportCsr(genCsr, EncodingFormat.PEM, s);
                        }

                        ci.KeyPemFile = keyPemFile;
                        ci.CsrPemFile = csrPemFile;
                    }



                    byte[] derRaw;

                    var asset = vlt.GetAsset(VaultAssetType.CsrPem, ci.CsrPemFile);
                    // Convert the stored CSR in PEM format to DER
                    using (var source = vlt.LoadAsset(asset))
                    {
                        var csr = cp.ImportCsr(EncodingFormat.PEM, source);
                        using (var target = new MemoryStream())
                        {
                            cp.ExportCsr(csr, EncodingFormat.DER, target);
                            derRaw = target.ToArray();
                        }
                    }

                    var derB64u = JwsHelper.Base64UrlEncode(derRaw);

                    try
                    {
                        using (var c = ClientHelper.GetClient(v, ri))
                        {
                            c.Init();
                            c.GetDirectory(true);

                            ci.CertificateRequest = c.RequestCertificate(derB64u);
                        }
                    }
                    catch (AcmeClient.AcmeWebException ex)
                    {
                        ThrowTerminatingError(PoshHelper.CreateErrorRecord(ex, ci));
                        return;
                    }

                    if (!string.IsNullOrEmpty(ci.CertificateRequest.CertificateContent))
                    {
                        var crtDerFile = $"{ci.Id}-crt.der";
                        var crtPemFile = $"{ci.Id}-crt.pem";

                        var crtDerBytes = ci.CertificateRequest.GetCertificateContent();

                        var crtDerAsset = vlt.CreateAsset(VaultAssetType.CrtDer, crtDerFile);
                        var crtPemAsset = vlt.CreateAsset(VaultAssetType.CrtPem, crtPemFile);

                        using (Stream source = new MemoryStream(crtDerBytes),
                               derTarget = vlt.SaveAsset(crtDerAsset),
                               pemTarget = vlt.SaveAsset(crtPemAsset))
                        {
                            var crt = cp.ImportCertificate(EncodingFormat.DER, source);

                            cp.ExportCertificate(crt, EncodingFormat.DER, derTarget);
                            ci.CrtDerFile = crtDerFile;

                            cp.ExportCertificate(crt, EncodingFormat.PEM, pemTarget);
                            ci.CrtPemFile = crtPemFile;
                        }

                        // Extract a few pieces of info from the issued
                        // cert that we like to have quick access to
                        var x509 = new X509Certificate2(ci.CertificateRequest.GetCertificateContent());
                        ci.SerialNumber       = x509.SerialNumber;
                        ci.Thumbprint         = x509.Thumbprint;
                        ci.SignatureAlgorithm = x509.SignatureAlgorithm?.FriendlyName;
                        ci.Signature          = x509.GetCertHashString();
                    }
                }

                vlt.SaveVault(v);

                WriteObject(ci);
            }
        }
Example #15
0
        public string GetCertificate(TargetApplication targetApplication)
        {
            using (var pkiTool = PkiToolExtManager.GetPkiTool("BouncyCastle"))
            {
                var rsaKeyParams = new RsaPrivateKeyParams();
                var rsaKeys      = pkiTool.GeneratePrivateKey(rsaKeyParams);

                var certificateName   = targetApplication.Hostnames.First();
                var baseOutPutPath    = _configuration.GetBaseOutPutPath(targetApplication);
                var certificateFolder = Path.Combine(baseOutPutPath, $"{DateTime.Now:yyyyMMdd_HHmmss}");

                if (Directory.Exists(certificateFolder) == false)
                {
                    Directory.CreateDirectory(certificateFolder);
                }

                var csrDetails = new CsrDetails
                {
                    CommonName       = certificateName,
                    AlternativeNames = targetApplication.Hostnames,
                };

                var certificateSigningRequest = pkiTool.GenerateCsr(
                    new CsrParams {
                    Details = csrDetails
                }, rsaKeys, Crt.MessageDigest.SHA256);

                byte[] certificateSigningRequestBytes;
                using (var bs = new MemoryStream())
                {
                    pkiTool.ExportCsr(certificateSigningRequest, EncodingFormat.DER, bs);
                    certificateSigningRequestBytes = bs.ToArray();
                }

                var certificateSigningRequestBytesBase64 = JwsHelper.Base64UrlEncode(certificateSigningRequestBytes);

                _logger.Information("Requesting a certificate");
                var certificateRequest = _acmeClient.RequestCertificate(certificateSigningRequestBytesBase64);

                _logger.Debug("Result of certificate request {certificateRequest}", certificateRequest);
                _logger.Information("Certificate request status is {statusCode}", certificateRequest.StatusCode);

                if (certificateRequest.StatusCode == HttpStatusCode.Created)
                {
                    var keyGenFile   = Path.Combine(certificateFolder, $"{certificateName}-gen-key.json");
                    var keyPemFile   = Path.Combine(certificateFolder, $"{certificateName}-key.pem");
                    var csrGenFile   = Path.Combine(certificateFolder, $"{certificateName}-gen-csr.json");
                    var csrPemFile   = Path.Combine(certificateFolder, $"{certificateName}-csr.pem");
                    var crtDerFile   = Path.Combine(certificateFolder, $"{certificateName}-crt.der");
                    var crtPemFile   = Path.Combine(certificateFolder, $"{certificateName}-crt.pem");
                    var chainPemFile = Path.Combine(certificateFolder, $"{certificateName}-chain.pem");

                    using (var fileStream = new FileStream(keyGenFile, FileMode.Create))
                        pkiTool.SavePrivateKey(rsaKeys, fileStream);
                    using (var fileStream = new FileStream(keyPemFile, FileMode.Create))
                        pkiTool.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fileStream);
                    using (var fileStream = new FileStream(csrGenFile, FileMode.Create))
                        pkiTool.SaveCsr(certificateSigningRequest, fileStream);
                    using (var fileStream = new FileStream(csrPemFile, FileMode.Create))
                        pkiTool.ExportCsr(certificateSigningRequest, EncodingFormat.PEM, fileStream);

                    _logger.Information("Saving certificate to {crtDerFile}", crtDerFile);
                    using (var file = File.Create(crtDerFile))
                        certificateRequest.SaveCertificate(file);

                    Crt crt;
                    using (FileStream source = new FileStream(crtDerFile, FileMode.Open), target = new FileStream(crtPemFile, FileMode.Create))
                    {
                        crt = pkiTool.ImportCertificate(EncodingFormat.DER, source);
                        pkiTool.ExportCertificate(crt, EncodingFormat.PEM, target);
                    }

                    var issuerCertificate = GetIssuerCertificate(certificateRequest, pkiTool, certificateFolder, targetApplication);
                    using (FileStream intermediate = new FileStream(issuerCertificate, FileMode.Open),
                           certificate = new FileStream(crtPemFile, FileMode.Open), chain = new FileStream(chainPemFile, FileMode.Create))
                    {
                        certificate.CopyTo(chain);
                        intermediate.CopyTo(chain);
                    }

                    var crtPfxFile = Path.Combine(certificateFolder, $"{targetApplication.Hostnames.First()}.pfx");

                    _logger.Information("Saving certificate for hostname {host} and alternative hostnames {@altHostNames} to {crtPfxFile}",
                                        targetApplication.Hostnames.First(), targetApplication.Hostnames.Skip(1), crtPfxFile);

                    using (FileStream source = new FileStream(issuerCertificate, FileMode.Open),
                           target = new FileStream(crtPfxFile, FileMode.Create))
                    {
                        try
                        {
                            var importCertificate = pkiTool.ImportCertificate(EncodingFormat.PEM, source);
                            pkiTool.ExportArchive(rsaKeys, new[] { crt, importCertificate }, ArchiveFormat.PKCS12, target,
                                                  targetApplication.CertificatePassword);
                        }
                        catch (Exception ex)
                        {
                            _logger.Error("Error exporting archive {@ex}", ex);
                        }
                    }

                    pkiTool.Dispose();

                    return(crtPfxFile);
                }

                _logger.Error("Request status is {statusCode}", certificateRequest.StatusCode);
                throw new Exception($"Request status = {certificateRequest.StatusCode}");
            }
        }
        public static string GetCertificate(Target binding)
        {
            var           dnsIdentifier     = binding.Host;
            var           SANList           = binding.AlternativeNames;
            List <string> allDnsIdentifiers = new List <string>();

            if (!Options.SAN)
            {
                allDnsIdentifiers.Add(binding.Host);
            }
            if (binding.AlternativeNames != null)
            {
                allDnsIdentifiers.AddRange(binding.AlternativeNames);
            }

            var cp     = CertificateProvider.GetProvider();
            var rsaPkp = new RsaPrivateKeyParams();

            try
            {
                if (Properties.Settings.Default.RSAKeyBits >= 1024)
                {
                    rsaPkp.NumBits = Properties.Settings.Default.RSAKeyBits;
                    Log.Debug("RSAKeyBits: {RSAKeyBits}", Properties.Settings.Default.RSAKeyBits);
                }
                else
                {
                    Log.Warning("RSA Key Bits less than 1024 is not secure. Letting ACMESharp default key bits. http://openssl.org/docs/manmaster/crypto/RSA_generate_key_ex.html");
                }
            }
            catch (Exception ex)
            {
                Log.Warning("Unable to set RSA Key Bits, Letting ACMESharp default key bits, Error: {@ex}", ex);
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine($"Unable to set RSA Key Bits, Letting ACMESharp default key bits, Error: {ex.Message.ToString()}");
                Console.ResetColor();
            }

            var rsaKeys    = cp.GeneratePrivateKey(rsaPkp);
            var csrDetails = new CsrDetails
            {
                CommonName = allDnsIdentifiers[0],
            };

            if (SANList != null)
            {
                if (SANList.Count > 0)
                {
                    csrDetails.AlternativeNames = SANList;
                }
            }
            var csrParams = new CsrParams
            {
                Details = csrDetails,
            };
            var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

            byte[] derRaw;
            using (var bs = new MemoryStream())
            {
                cp.ExportCsr(csr, EncodingFormat.DER, bs);
                derRaw = bs.ToArray();
            }
            var derB64u = JwsHelper.Base64UrlEncode(derRaw);

            Console.WriteLine($"\nRequesting Certificate");
            Log.Information("Requesting Certificate");
            var certRequ = client.RequestCertificate(derB64u);

            Log.Debug("certRequ {@certRequ}", certRequ);

            Console.WriteLine($" Request Status: {certRequ.StatusCode}");
            Log.Information("Request Status: {StatusCode}", certRequ.StatusCode);

            if (certRequ.StatusCode == System.Net.HttpStatusCode.Created)
            {
                var    keyGenFile = Path.Combine(certificatePath, $"{dnsIdentifier}-gen-key.json");
                var    keyPemFile = Path.Combine(certificatePath, $"{dnsIdentifier}-key.pem");
                var    csrGenFile = Path.Combine(certificatePath, $"{dnsIdentifier}-gen-csr.json");
                var    csrPemFile = Path.Combine(certificatePath, $"{dnsIdentifier}-csr.pem");
                var    crtDerFile = Path.Combine(certificatePath, $"{dnsIdentifier}-crt.der");
                var    crtPemFile = Path.Combine(certificatePath, $"{dnsIdentifier}-crt.pem");
                string crtPfxFile = null;
                if (!CentralSSL)
                {
                    crtPfxFile = Path.Combine(certificatePath, $"{dnsIdentifier}-all.pfx");
                }
                else
                {
                    crtPfxFile = Path.Combine(Options.CentralSSLStore, $"{dnsIdentifier}.pfx");
                }

                using (var fs = new FileStream(keyGenFile, FileMode.Create))
                    cp.SavePrivateKey(rsaKeys, fs);
                using (var fs = new FileStream(keyPemFile, FileMode.Create))
                    cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
                using (var fs = new FileStream(csrGenFile, FileMode.Create))
                    cp.SaveCsr(csr, fs);
                using (var fs = new FileStream(csrPemFile, FileMode.Create))
                    cp.ExportCsr(csr, EncodingFormat.PEM, fs);

                Console.WriteLine($" Saving Certificate to {crtDerFile}");
                Log.Information("Saving Certificate to {crtDerFile}", crtDerFile);
                using (var file = File.Create(crtDerFile))
                    certRequ.SaveCertificate(file);

                Crt crt;
                using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
                       target = new FileStream(crtPemFile, FileMode.Create))
                {
                    crt = cp.ImportCertificate(EncodingFormat.DER, source);
                    cp.ExportCertificate(crt, EncodingFormat.PEM, target);
                }

                // To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
                var isuPemFile = GetIssuerCertificate(certRequ, cp);

                Log.Debug("CentralSSL {CentralSSL} SAN {SAN}", CentralSSL.ToString(), Options.SAN.ToString());

                if (CentralSSL && Options.SAN)
                {
                    foreach (var host in allDnsIdentifiers)
                    {
                        Console.WriteLine($"Host: {host}");
                        crtPfxFile = Path.Combine(Options.CentralSSLStore, $"{host}.pfx");

                        Console.WriteLine($" Saving Certificate to {crtPfxFile}");
                        Log.Information("Saving Certificate to {crtPfxFile}", crtPfxFile);
                        using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                               target = new FileStream(crtPfxFile, FileMode.Create))
                        {
                            try
                            {
                                var isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                                cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target, Properties.Settings.Default.PFXPassword);
                            }
                            catch (Exception ex)
                            {
                                Log.Error("Error exporting archive {@ex}", ex);
                                Console.ForegroundColor = ConsoleColor.Red;
                                Console.WriteLine($"Error exporting archive: {ex.Message.ToString()}");
                                Console.ResetColor();
                            }
                        }
                    }
                }
                else //Central SSL and SAN need to save the cert for each hostname
                {
                    Console.WriteLine($" Saving Certificate to {crtPfxFile}");
                    Log.Information("Saving Certificate to {crtPfxFile}", crtPfxFile);
                    using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                           target = new FileStream(crtPfxFile, FileMode.Create))
                    {
                        try
                        {
                            var isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                            cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target, Properties.Settings.Default.PFXPassword);
                        }
                        catch (Exception ex)
                        {
                            Log.Error("Error exporting archive {@ex}", ex);
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine($"Error exporting archive: {ex.Message.ToString()}");
                            Console.ResetColor();
                        }
                    }
                }

                cp.Dispose();

                return(crtPfxFile);
            }
            Log.Error("Request status = {StatusCode}", certRequ.StatusCode);
            throw new Exception($"Request status = {certRequ.StatusCode}");
        }
        public void TestGenerateRsaCsr()
        {
            using (var cp = GetCP())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk = cp.GeneratePrivateKey(pkp);

                var crp = new CsrParams
                {
                    Details = new CsrDetails
                    {
                        CommonName = "TEST CERT",
                    }
                };

                var csr = cp.GenerateCsr(crp, pk, Crt.MessageDigest.SHA256);
            }
        }
        private void TestImportRsaCsr(EncodingFormat fmt)
        {
            using (var cp = GetCP())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk = cp.GeneratePrivateKey(pkp);

                var crp = new CsrParams
                {
                    Details = new CsrDetails
                    {
                        CommonName = "TEST CERT",
                    }
                };

                var csr = cp.GenerateCsr(crp, pk, Crt.MessageDigest.SHA256);
                byte[] bytes;
                using (var target = new MemoryStream())
                {
                    cp.ExportCsr(csr, fmt, target);
                    bytes = target.ToArray();
                }

                var imp = csr;
                using (var source = new MemoryStream(bytes))
                {
                    imp = cp.ImportCsr(fmt, source);
                }

                using (MemoryStream save1 = new MemoryStream(), save2 = new MemoryStream())
                {
                    cp.SaveCsr(csr, save1);
                    cp.SaveCsr(imp, save2);

                    var bytes1 = save1.ToArray();
                    var bytes2 = save2.ToArray();

                    CollectionAssert.AreEqual(bytes1, bytes2);
                }
            }
        }
        private void GetCertificate()
        {
            Log.Information("Requesting Certificate");

            using (CertificateProvider cp = CertificateProvider.GetProvider())
            {
                RsaPrivateKeyParams rsaPkp = new RsaPrivateKeyParams();

                PrivateKey rsaKeys   = cp.GeneratePrivateKey(rsaPkp);
                CsrParams  csrParams = new CsrParams
                {
                    Details = new CsrDetails
                    {
                        CommonName = _options.HostName,
                    },
                };

                Csr csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

                byte[] derRaw;
                using (MemoryStream bs = new MemoryStream())
                {
                    cp.ExportCsr(csr, EncodingFormat.DER, bs);
                    derRaw = bs.ToArray();
                }
                string derB64U = JwsHelper.Base64UrlEncode(derRaw);

                CertificateRequest certReq = _acmeClient.RequestCertificate(derB64U);

                if (certReq.StatusCode != HttpStatusCode.Created)
                {
                    throw new Exception($"Request status = {certReq.StatusCode}");
                }

                using (FileStream fs = new FileStream(_options.WellKnownFilePaths[WellKnownFile.KeyGen], FileMode.Create))
                    cp.SavePrivateKey(rsaKeys, fs);
                using (FileStream fs = new FileStream(_options.WellKnownFilePaths[WellKnownFile.KeyPem], FileMode.Create))
                    cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
                using (FileStream fs = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CsrGen], FileMode.Create))
                    cp.SaveCsr(csr, fs);
                using (FileStream fs = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CsrPem], FileMode.Create))
                    cp.ExportCsr(csr, EncodingFormat.PEM, fs);

                Log.Information($"Saving Certificate to {_options.WellKnownFilePaths[WellKnownFile.CrtDer]}");
                using (FileStream file = File.Create(_options.WellKnownFilePaths[WellKnownFile.CrtDer]))
                    certReq.SaveCertificate(file);

                Crt crt;
                using (FileStream source = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CrtDer], FileMode.Open),
                       target = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CrtPem], FileMode.Create))
                {
                    crt = cp.ImportCertificate(EncodingFormat.DER, source);
                    cp.ExportCertificate(crt, EncodingFormat.PEM, target);
                }

                // To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
                string isuPemFile = GetIssuerCertificate(certReq, cp);

                using (FileStream intermediate = new FileStream(isuPemFile, FileMode.Open),
                       certificate = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CrtPem], FileMode.Open),
                       chain = new FileStream(_options.WellKnownFilePaths[WellKnownFile.ChainPem], FileMode.Create))
                {
                    certificate.CopyTo(chain);
                    intermediate.CopyTo(chain);
                }

                Log.Information($"Saving Certificate to {_options.WellKnownFilePaths[WellKnownFile.CrtPfx]}");
                using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                       target = new FileStream(_options.WellKnownFilePaths[WellKnownFile.CrtPfx], FileMode.Create))
                {
                    Crt isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                    cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target, _options.PfxPassword);
                }
            }
        }
        /// <summary>
        /// Generate a certificate request
        /// </summary>
        /// <param name="certificatename"></param>
        /// <param name="mainhost">Main host: www.google.com</param>
        /// <param name="certificatePath">Path to store the generated certificates</param>
        /// <param name="alternatehosts">Alterante hosts: list of alterante hosts for this certificate</param>
        /// <returns></returns>
        public CertificatePaths DownloadCertificate(
            string certificatename,
            string mainhost,
            string certificatePath,
            List <string> alternatehosts = null)
        {
            if (alternatehosts != null && alternatehosts.Any())
            {
                throw new NotSupportedException("Alternate host provisioning not supported yet.");
            }

            List <string> allDnsIdentifiers = new List <string>()
            {
                mainhost
            };

            if (alternatehosts != null)
            {
                allDnsIdentifiers.AddRange(alternatehosts);
            }

            // Tomado de app.config
            var rsaKeyBits = 2048; // 1024;//

            if (Environment.Is64BitProcess)
            {
                CertificateProvider.RegisterProvider(typeof(ACMESharp.PKI.Providers.OpenSslLib64Provider));
            }
            else
            {
                CertificateProvider.RegisterProvider(typeof(ACMESharp.PKI.Providers.OpenSslLib32Provider));
            }

            var cp     = CertificateProvider.GetProvider();
            var rsaPkp = new RsaPrivateKeyParams();

            try
            {
                if (rsaKeyBits >= 1024)
                {
                    rsaPkp.NumBits = rsaKeyBits;

                    // Log.Debug("RSAKeyBits: {RSAKeyBits}", Properties.Settings.Default.RSAKeyBits);
                }
                else
                {
                    // Log.Warning(
                    //    "RSA Key Bits less than 1024 is not secure. Letting ACMESharp default key bits. http://openssl.org/docs/manmaster/crypto/RSA_generate_key_ex.html");
                }
            }
            catch (Exception ex)
            {
                this.Logger.LogInfo(true, $"Unable to set RSA Key Bits, Letting ACMESharp default key bits, Error: {ex.Message.ToString()}");
            }

            var rsaKeys    = cp.GeneratePrivateKey(rsaPkp);
            var csrDetails = new CsrDetails
            {
                CommonName = allDnsIdentifiers[0]
            };

            if (alternatehosts != null)
            {
                if (alternatehosts.Count > 0)
                {
                    csrDetails.AlternativeNames = alternatehosts;
                }
            }

            var csrParams = new CsrParams
            {
                Details = csrDetails,
            };

            var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

            byte[] derRaw;
            using (var bs = new MemoryStream())
            {
                cp.ExportCsr(csr, EncodingFormat.DER, bs);
                derRaw = bs.ToArray();
            }

            var derB64U = JwsHelper.Base64UrlEncode(derRaw);

            this.Logger.LogInfo(true, $"Requesting Certificate");

            // Log.Information("Requesting Certificate");
            var certRequ = this.AcmeClient.RequestCertificate(derB64U);

            // Log.Debug("certRequ {@certRequ}", certRequ);

            this.Logger.LogInfo(true, $"Request Status: {certRequ.StatusCode}");

            if (certRequ.StatusCode != System.Net.HttpStatusCode.Created)
            {
                throw new Exception($"Could not create certificate request, response code: = {certRequ.StatusCode}");
            }

            var keyGenFile   = Path.Combine(certificatePath, $"{certificatename}-gen-key.json");
            var keyPemFile   = Path.Combine(certificatePath, $"{certificatename}-key.pem");
            var csrGenFile   = Path.Combine(certificatePath, $"{certificatename}-gen-csr.json");
            var csrPemFile   = Path.Combine(certificatePath, $"{certificatename}-csr.pem");
            var crtDerFile   = Path.Combine(certificatePath, $"{certificatename}-crt.der");
            var crtPemFile   = Path.Combine(certificatePath, $"{certificatename}-crt.pem");
            var chainPemFile = Path.Combine(certificatePath, $"{certificatename}-chain.pem");
            var pfxPemFile   = Path.Combine(certificatePath, $"{certificatename}.pfx");

            using (var fs = new FileStream(keyGenFile, FileMode.Create))
            {
                cp.SavePrivateKey(rsaKeys, fs);
            }

            using (var fs = new FileStream(keyPemFile, FileMode.Create))
            {
                cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
            }

            using (var fs = new FileStream(csrGenFile, FileMode.Create))
            {
                cp.SaveCsr(csr, fs);
            }

            using (var fs = new FileStream(csrPemFile, FileMode.Create))
            {
                cp.ExportCsr(csr, EncodingFormat.PEM, fs);
            }

            this.Logger.LogInfo(true, $"Saving Certificate to {crtDerFile}");

            // Log.Information("Saving Certificate to {crtDerFile}", crtDerFile);
            using (var file = File.Create(crtDerFile))
            {
                certRequ.SaveCertificate(file);
            }

            Crt crt;

            using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
                   target = new FileStream(crtPemFile, FileMode.Create))
            {
                crt = cp.ImportCertificate(EncodingFormat.DER, source);
                cp.ExportCertificate(crt, EncodingFormat.PEM, target);
            }

            cp.Dispose();

            var ret = new CertificatePaths()
            {
                chainPemFile = chainPemFile,
                crtDerFile   = crtDerFile,
                crtPemFile   = crtPemFile,
                csrGenFile   = csrGenFile,
                csrPemFile   = csrPemFile,
                keyGenFile   = keyGenFile,
                keyPemFile   = keyPemFile,
                name         = certificatename,
                pfxPemFile   = pfxPemFile
            };

            // Generate the PFX version manually
            UtilsCertificate.CreatePfXfromPem(ret.crtPemFile, ret.keyPemFile, ret.pfxPemFile, null);

            return(ret);
        }
Example #21
0
        public static string GetCertificate(Target binding)
        {
            var dnsIdentifier = binding.Host;

            var cp     = CertificateProvider.GetProvider();
            var rsaPkp = new RsaPrivateKeyParams();

            var rsaKeys    = cp.GeneratePrivateKey(rsaPkp);
            var csrDetails = new CsrDetails
            {
                CommonName = dnsIdentifier,
            };
            var csrParams = new CsrParams
            {
                Details = csrDetails,
            };
            var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

            byte[] derRaw;
            using (var bs = new MemoryStream())
            {
                cp.ExportCsr(csr, EncodingFormat.DER, bs);
                derRaw = bs.ToArray();
            }
            var derB64u = JwsHelper.Base64UrlEncode(derRaw);

            Console.WriteLine($"\nRequesting Certificate");
            var certRequ = client.RequestCertificate(derB64u);

            Console.WriteLine($" Request Status: {certRequ.StatusCode}");

            //Console.WriteLine($"Refreshing Cert Request");
            //client.RefreshCertificateRequest(certRequ);

            if (certRequ.StatusCode == System.Net.HttpStatusCode.Created)
            {
                var    keyGenFile = Path.Combine(configPath, $"{dnsIdentifier}-gen-key.json");
                var    keyPemFile = Path.Combine(configPath, $"{dnsIdentifier}-key.pem");
                var    csrGenFile = Path.Combine(configPath, $"{dnsIdentifier}-gen-csr.json");
                var    csrPemFile = Path.Combine(configPath, $"{dnsIdentifier}-csr.pem");
                var    crtDerFile = Path.Combine(configPath, $"{dnsIdentifier}-crt.der");
                var    crtPemFile = Path.Combine(configPath, $"{dnsIdentifier}-crt.pem");
                string crtPfxFile = null;
                if (!CentralSSL)
                {
                    crtPfxFile = Path.Combine(configPath, $"{dnsIdentifier}-all.pfx");
                }
                else
                {
                    crtPfxFile = Path.Combine(Options.CentralSSLStore, $"{dnsIdentifier}.pfx");
                }

                using (var fs = new FileStream(keyGenFile, FileMode.Create))
                    cp.SavePrivateKey(rsaKeys, fs);
                using (var fs = new FileStream(keyPemFile, FileMode.Create))
                    cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
                using (var fs = new FileStream(csrGenFile, FileMode.Create))
                    cp.SaveCsr(csr, fs);
                using (var fs = new FileStream(csrPemFile, FileMode.Create))
                    cp.ExportCsr(csr, EncodingFormat.PEM, fs);

                Console.WriteLine($" Saving Certificate to {crtDerFile}");
                using (var file = File.Create(crtDerFile))
                    certRequ.SaveCertificate(file);

                Crt crt;
                using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
                       target = new FileStream(crtPemFile, FileMode.Create))
                {
                    crt = cp.ImportCertificate(EncodingFormat.DER, source);
                    cp.ExportCertificate(crt, EncodingFormat.PEM, target);
                }

                // To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
                var isuPemFile = GetIssuerCertificate(certRequ, cp);

                Console.WriteLine($" Saving Certificate to {crtPfxFile} (with no password set)");
                using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                       target = new FileStream(crtPfxFile, FileMode.Create))
                {
                    var isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                    cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target);
                }

                cp.Dispose();

                return(crtPfxFile);
            }

            throw new Exception($"Request status = {certRequ.StatusCode}");
        }
        public void TestGenerateRsaPrivateKey()
        {
            using (var cp = GetCP())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk = cp.GeneratePrivateKey(pkp);

                Assert.IsInstanceOfType(pk, typeof(RsaPrivateKey));

                var rsaPk = (RsaPrivateKey)pk;

                // TODO:  verify the components of RSA PK?
                //rsaPk.BigNumber
                //rsaPk.Bits
                //rsaPk.E
            }
        }
        public string RequestCertificateAndConvertToPfx(List <Binding> bindings)
        {
            var keyGenFile   = Path.Combine(Config.Path, $"{bindings[0].IPAddress}-gen-key.json");
            var keyPemFile   = Path.Combine(Config.Path, $"{bindings[0].IPAddress}-key.pem");
            var csrGenFile   = Path.Combine(Config.Path, $"{bindings[0].IPAddress}-gen-csr.json");
            var csrPemFile   = Path.Combine(Config.Path, $"{bindings[0].IPAddress}-csr.pem");
            var crtDerFile   = Path.Combine(Config.Path, $"{bindings[0].IPAddress}-crt.der");
            var crtPemFile   = Path.Combine(Config.Path, $"{bindings[0].IPAddress}-crt.pem");
            var chainPemFile = Path.Combine(Config.Path, $"{bindings[0].IPAddress}-chain.pem");
            var crtPfxFile   = Path.Combine(Config.Path, $"{bindings[0].IPAddress}-all.pfx");

            if (Globals.ShouldCreateCertificate())
            {
                // TODOX Should check if the requested certificate (lowercase and sort hostnames) was issued in previous 10 days

                var cp     = CertificateProvider.GetProvider();
                var rsaPkp = new RsaPrivateKeyParams();
                try {
                    if (Properties.Settings.Default.RSAKeyBits >= 2048)
                    {
                        rsaPkp.NumBits = Properties.Settings.Default.RSAKeyBits;
                    }
                    else
                    {
                        Globals.Log($"Requested key size of {Properties.Settings.Default.RSAKeyBits} is not secure.  Using 2048.");
                        rsaPkp.NumBits = 2048;
                    }
                } catch (Exception ex) {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Globals.Log($"Unable to set RSA key size, letting ACMESharp select default. Error: {ex}");
                    Console.ResetColor();
                }

                var rsaKeys    = cp.GeneratePrivateKey(rsaPkp);
                var csrDetails = new CsrDetails {
                    CommonName       = bindings[0].Hostname,
                    AlternativeNames = bindings.Select(x => x.Hostname).ToList(),
                };
                var csrParams = new CsrParams {
                    Details = csrDetails,
                };
                var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

                byte[] derRaw;
                using (var bs = new MemoryStream()) {
                    cp.ExportCsr(csr, EncodingFormat.DER, bs);
                    derRaw = bs.ToArray();
                }
                var derB64U = JwsHelper.Base64UrlEncode(derRaw);

                Globals.Log();
                Globals.Log("Requesting Certificate");
                var certRequ = _Client.RequestCertificate(derB64U);

                Globals.Log($" - Request Status: {certRequ.StatusCode}");

                if (certRequ.StatusCode == System.Net.HttpStatusCode.Created)
                {
                    using (var fs = new FileStream(keyGenFile, FileMode.Create))
                        cp.SavePrivateKey(rsaKeys, fs);
                    using (var fs = new FileStream(keyPemFile, FileMode.Create))
                        cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
                    using (var fs = new FileStream(csrGenFile, FileMode.Create))
                        cp.SaveCsr(csr, fs);
                    using (var fs = new FileStream(csrPemFile, FileMode.Create))
                        cp.ExportCsr(csr, EncodingFormat.PEM, fs);

                    Globals.Log($" - Saving DER certificate to {crtDerFile}");
                    using (var file = File.Create(crtDerFile))
                        certRequ.SaveCertificate(file);

                    Crt crt;
                    using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
                           target = new FileStream(crtPemFile, FileMode.Create)) {
                        crt = cp.ImportCertificate(EncodingFormat.DER, source);
                        cp.ExportCertificate(crt, EncodingFormat.PEM, target);
                    }

                    // To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
                    var isuPemFile = GetIssuerCertificate(certRequ, cp);

                    using (FileStream intermediate = new FileStream(isuPemFile, FileMode.Open),
                           certificate = new FileStream(crtPemFile, FileMode.Open),
                           chain = new FileStream(chainPemFile, FileMode.Create)) {
                        certificate.CopyTo(chain);
                        intermediate.CopyTo(chain);
                    }

                    Globals.Log($" - Saving PFX certificate to {crtPfxFile}");
                    using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                           target = new FileStream(crtPfxFile, FileMode.Create)) {
                        var isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                        cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target, "");
                    }

                    cp.Dispose();

                    // TODOX Should store that the requested certificate (lowercase and sort hostnames) was issued

                    return(crtPfxFile);
                }
                else
                {
                    throw new Exception($"Certificate request status = {certRequ.StatusCode}, uri = {certRequ.Uri}");
                }
            }
            else
            {
                // Don't want to request a new cert, so return the filename to the last requested cert
                return(crtPfxFile);
            }
        }
        private void TestExportRsaCsr(EncodingFormat fmt)
        {
            using (var cp = GetCP())
            {
                var pkp = new RsaPrivateKeyParams();
                var pk = cp.GeneratePrivateKey(pkp);

                var crp = new CsrParams
                {
                    Details = new CsrDetails
                    {
                        CommonName = "TEST CERT",
                    }
                };

                var csr = cp.GenerateCsr(crp, pk, Crt.MessageDigest.SHA256);

                using (var target = new MemoryStream())
                {
                    cp.ExportCsr(csr, fmt, target);
                }
            }
        }
        public static void GetCertificateAutoGen(CertificateGeneratorParam param)
        {
            if (param == null)
            {
                log.Info($" {nameof(param)} is null");
                return;
            }
            param.domains = param.domains.Where(o => o.valid).ToList();
            if (param.domains.Count == 0)
            {
                log.Info($" can't find a valid domain name.");
                return;
            }
            var dnsIdentifier = string.IsNullOrWhiteSpace(param.common_name) ? param.domains.FirstOrDefault().domain : param.common_name.Trim();
            var cp            = CertificateProvider.GetProvider();
            var rsaPkp        = new RsaPrivateKeyParams();

            var rsaKeys    = cp.GeneratePrivateKey(rsaPkp);
            var csrDetails = new CsrDetails
            {
                CommonName       = dnsIdentifier,
                AlternativeNames = param.domains.Select(o => o.domain).ToList(),
            };
            var csrParams = new CsrParams
            {
                Details = csrDetails,
            };
            var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);

            byte[] derRaw;
            using (var bs = new MemoryStream())
            {
                cp.ExportCsr(csr, EncodingFormat.DER, bs);
                derRaw = bs.ToArray();
            }
            var derB64u = JwsHelper.Base64UrlEncode(derRaw);

            log.Info($"\nRequesting Certificate");
            var certRequ = param.client.RequestCertificate(derB64u);

            log.Info($" Request Status: {certRequ.StatusCode}");

            //log.Info($"Refreshing Cert Request");
            //client.RefreshCertificateRequest(certRequ);

            if (certRequ.StatusCode == System.Net.HttpStatusCode.Created)
            {
                var    keyGenFile = Path.Combine(param.path, $"{dnsIdentifier}-gen-key.json");
                var    keyPemFile = Path.Combine(param.path, $"{dnsIdentifier}-key.pem");
                var    csrGenFile = Path.Combine(param.path, $"{dnsIdentifier}-gen-csr.json");
                var    csrPemFile = Path.Combine(param.path, $"{dnsIdentifier}-csr.pem");
                var    crtDerFile = Path.Combine(param.path, $"{dnsIdentifier}-crt.der");
                var    crtPemFile = Path.Combine(param.path, $"{dnsIdentifier}-crt.pem");
                string crtPfxFile = null;

                crtPfxFile = Path.Combine(param.path, $"{dnsIdentifier}-all.pfx");


                using (var fs = new FileStream(keyGenFile, FileMode.Create))
                    cp.SavePrivateKey(rsaKeys, fs);
                using (var fs = new FileStream(keyPemFile, FileMode.Create))
                    cp.ExportPrivateKey(rsaKeys, EncodingFormat.PEM, fs);
                using (var fs = new FileStream(csrGenFile, FileMode.Create))
                    cp.SaveCsr(csr, fs);
                using (var fs = new FileStream(csrPemFile, FileMode.Create))
                    cp.ExportCsr(csr, EncodingFormat.PEM, fs);

                log.Info($" Saving Certificate to {crtDerFile}");
                using (var file = File.Create(crtDerFile))
                    certRequ.SaveCertificate(file);

                Crt crt;
                using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
                       target = new FileStream(crtPemFile, FileMode.Create))
                {
                    crt = cp.ImportCertificate(EncodingFormat.DER, source);
                    cp.ExportCertificate(crt, EncodingFormat.PEM, target);
                }

                // To generate a PKCS#12 (.PFX) file, we need the issuer's public certificate
                var isuPemFile = GetIssuerCertificate(certRequ, cp, param.account);

                log.Info($" Saving Certificate to {crtPfxFile} (with no password set)");
                using (FileStream source = new FileStream(isuPemFile, FileMode.Open),
                       target = new FileStream(crtPfxFile, FileMode.Create))
                {
                    var isuCrt = cp.ImportCertificate(EncodingFormat.PEM, source);
                    cp.ExportArchive(rsaKeys, new[] { crt, isuCrt }, ArchiveFormat.PKCS12, target);
                }

                cp.Dispose();

                return;
            }

            throw new Exception($"Request status = {certRequ.StatusCode}");
        }
Example #26
0
        protected override void ProcessRecord()
        {
            using (var vlt = Util.VaultHelper.GetVault(VaultProfile))
            {
                vlt.OpenStorage();
                var v = vlt.LoadVault();

                if (v.Registrations == null || v.Registrations.Count < 1)
                    throw new InvalidOperationException("No registrations found");

                var ri = v.Registrations[0];
                var r = ri.Registration;

                if (v.Certificates == null || v.Certificates.Count < 1)
                    throw new InvalidOperationException("No certificates found");

                var ci = v.Certificates.GetByRef(CertificateRef, throwOnMissing: false);
                if (ci == null)
                    throw new Exception("Unable to find a Certificate for the given reference");

                using (var cp = PkiHelper.GetPkiTool(
                            StringHelper.IfNullOrEmpty(PkiTool, v.PkiTool)))
                {

                    if (!string.IsNullOrEmpty(ci.GenerateDetailsFile))
                    {
                        // Generate a private key and CSR:
                        //    Key:  RSA 2048-bit
                        //    MD:   SHA 256
                        //    CSR:  Details pulled from CSR Details JSON file

                        CsrDetails csrDetails;
                        var csrDetailsAsset = vlt.GetAsset(VaultAssetType.CsrDetails, ci.GenerateDetailsFile);
                        using (var s = vlt.LoadAsset(csrDetailsAsset))
                        {
                            csrDetails = JsonHelper.Load<CsrDetails>(s);
                        }

                        var keyGenFile = $"{ci.Id}-gen-key.json";
                        var keyPemFile = $"{ci.Id}-key.pem";
                        var csrGenFile = $"{ci.Id}-gen-csr.json";
                        var csrPemFile = $"{ci.Id}-csr.pem";

                        var keyGenAsset = vlt.CreateAsset(VaultAssetType.KeyGen, keyGenFile, getOrCreate: Force);
                        var keyPemAsset = vlt.CreateAsset(VaultAssetType.KeyPem, keyPemFile, isSensitive: true, getOrCreate: Force);
                        var csrGenAsset = vlt.CreateAsset(VaultAssetType.CsrGen, csrGenFile, getOrCreate: Force);
                        var csrPemAsset = vlt.CreateAsset(VaultAssetType.CsrPem, csrPemFile, getOrCreate: Force);

                        var genKeyParams = new RsaPrivateKeyParams();

                        var genKey = cp.GeneratePrivateKey(genKeyParams);
                        using (var s = vlt.SaveAsset(keyGenAsset))
                        {
                            cp.SavePrivateKey(genKey, s);
                        }
                        using (var s = vlt.SaveAsset(keyPemAsset))
                        {
                            cp.ExportPrivateKey(genKey, EncodingFormat.PEM, s);
                        }

                        // TODO: need to surface details of the CSR params up higher
                        var csrParams = new CsrParams
                        {
                            Details = csrDetails
                        };
                        var genCsr = cp.GenerateCsr(csrParams, genKey, Crt.MessageDigest.SHA256);
                        using (var s = vlt.SaveAsset(csrGenAsset))
                        {
                            cp.SaveCsr(genCsr, s);
                        }
                        using (var s = vlt.SaveAsset(csrPemAsset))
                        {
                            cp.ExportCsr(genCsr, EncodingFormat.PEM, s);
                        }

                        ci.KeyPemFile = keyPemFile;
                        ci.CsrPemFile = csrPemFile;
                    }

                    byte[] derRaw;

                    var asset = vlt.GetAsset(VaultAssetType.CsrPem, ci.CsrPemFile);
                    // Convert the stored CSR in PEM format to DER
                    using (var source = vlt.LoadAsset(asset))
                    {
                        var csr = cp.ImportCsr(EncodingFormat.PEM, source);
                        using (var target = new MemoryStream())
                        {
                            cp.ExportCsr(csr, EncodingFormat.DER, target);
                            derRaw = target.ToArray();
                        }
                    }

                    var derB64u = JwsHelper.Base64UrlEncode(derRaw);

                    try
                    {
                        using (var c = ClientHelper.GetClient(v, ri))
                        {
                            c.Init();
                            c.GetDirectory(true);

                            ci.CertificateRequest = c.RequestCertificate(derB64u);
                        }
                    }
                    catch (AcmeClient.AcmeWebException ex)
                    {
                        ThrowTerminatingError(PoshHelper.CreateErrorRecord(ex, ci));
                        return;
                    }

                    if (!string.IsNullOrEmpty(ci.CertificateRequest.CertificateContent))
                    {
                        var crtDerFile = $"{ci.Id}-crt.der";
                        var crtPemFile = $"{ci.Id}-crt.pem";

                        var crtDerBytes = ci.CertificateRequest.GetCertificateContent();

                        var crtDerAsset = vlt.CreateAsset(VaultAssetType.CrtDer, crtDerFile);
                        var crtPemAsset = vlt.CreateAsset(VaultAssetType.CrtPem, crtPemFile);

                        using (Stream source = new MemoryStream(crtDerBytes),
                                derTarget = vlt.SaveAsset(crtDerAsset),
                                pemTarget = vlt.SaveAsset(crtPemAsset))
                        {
                            var crt = cp.ImportCertificate(EncodingFormat.DER, source);

                            cp.ExportCertificate(crt, EncodingFormat.DER, derTarget);
                            ci.CrtDerFile = crtDerFile;

                            cp.ExportCertificate(crt, EncodingFormat.PEM, pemTarget);
                            ci.CrtPemFile = crtPemFile;
                        }

                        // Extract a few pieces of info from the issued
                        // cert that we like to have quick access to
                        var x509 = new X509Certificate2(ci.CertificateRequest.GetCertificateContent());
                        ci.SerialNumber = x509.SerialNumber;
                        ci.Thumbprint = x509.Thumbprint;
                        ci.SignatureAlgorithm = x509.SignatureAlgorithm?.FriendlyName;
                        ci.Signature = x509.GetCertHashString();
                    }
                }

                vlt.SaveVault(v);

                WriteObject(ci);
            }
        }