public static void GenerateSslCertificate(PfxData pfx, Org.BouncyCastle.Security.SecureRandom random)
{
string curveName = "curve25519"; curveName = "secp256k1";
// IIS does not support Elliptic Curve...
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateEcKeyPair(curveName, random);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateDsaKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateDHKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateGostKeyPair(4096, random);
Org.BouncyCastle.X509.X509Certificate sslCertificate = SelfSignSslCertificate(random, pfx.Certificate, certKeyPair.Public, pfx.PrivateKey);
bool val = CerGenerator.ValidateSelfSignedCert(sslCertificate, pfx.Certificate.GetPublicKey());
// SSL
(string Private, string Public)certKeys = KeyPairToPem(certKeyPair);
PfxFile.Create(@"obelix.pfx", sslCertificate, certKeyPair.Private, "");
WriteCerAndCrt(sslCertificate, @"obelix");
System.IO.File.WriteAllText(@"obelix_private.key", certKeys.Private, System.Text.Encoding.ASCII);
// System.IO.File.WriteAllText(@"obelix_public.key", certKeys.Public, System.Text.Encoding.ASCII);
string pemCert = ToPem(sslCertificate);
System.IO.File.WriteAllText(@"obelix.pem", pemCert, System.Text.Encoding.ASCII);
} // End Sub GenerateSslCertificate
public static PfxData GenerateRootCertificate(Org.BouncyCastle.Security.SecureRandom random)
{
// string curveName = "curve25519"; curveName = "secp256k1";
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKeyPair = KeyGenerator.GenerateEcKeyPair(curveName, random);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKeyPair = KeyGenerator.GenerateDsaKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKeyPair = KeyGenerator.GenerateDHKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKeyPair = KeyGenerator.GenerateGostKeyPair(4096, random);
Org.BouncyCastle.X509.X509Certificate rootCertificate = GenerateRootCertificate(rootKeyPair, random);
// root
(string Private, string Public)rootKeys = KeyPairToPem(rootKeyPair);
PfxFile.Create(@"skynet.pfx", rootCertificate, rootKeyPair.Private, "");
WriteCerAndCrt(rootCertificate, @"skynet");
System.IO.File.WriteAllText(@"skynet_private.key", rootKeys.Private, System.Text.Encoding.ASCII);
// System.IO.File.WriteAllText(@"ca_public.key", rootKeys.Public, System.Text.Encoding.ASCII);
return(new PfxData(rootCertificate, rootKeyPair.Private));
}
public async Task UpdateCertificate(CertificateInfo input, string?site, string?host, string?username, string?password)
{
const string location = "/nsconfig/ssl";
var pemFilesName = PfxFile.Filename(input.CommonName.Value, "");
site ??= Path.GetFileNameWithoutExtension(pemFilesName);
host ??= DefaultNitroHost;
username ??= DefaultNitroUsername;
password ??= new ProtectedString(DefaultNitroPasswordProtected, _log).Value ?? "";
_log.Verbose($"CitrixAdcClient UpdateCertificate site {site} host {host} creds {username}/{new string('*', password?.Length ?? 1)}");
var apiUrl = GetApiUrl(host);
// initialize the HTTP client
using var handler = new HttpClientHandler();
using var httpClient = NewHttpClient(handler, username, password);
// send the private key and cert chain files
var keyFilename = $"{pemFilesName}{PemFiles.KeyFilenameSuffix}{PemFiles.FilenameExtension}";
keyFilename = await PostSystemFile(httpClient, apiUrl, location, site, keyFilename, key : true);
if (keyFilename == null)
{
throw new Exception($"Failed to post {site} key pem.");
}
var chainFilename = $"{pemFilesName}{PemFiles.ChainFilenameSuffix}{PemFiles.FilenameExtension}";
chainFilename = await PostSystemFile(httpClient, apiUrl, location, site, chainFilename, key : false);
if (chainFilename == null)
{
throw new Exception($"Failed to post {site} chain pem.");
}
// update the cert
var success = await PostSSLCertKey(httpClient, apiUrl, site, chainFilename, keyFilename, _pemFilesPassword);
if (!success)
{
throw new Exception($"Failed to update {site} certificate.");
}
// verify the cert was successfully updated
var verified = await VerifySSLCertKey(httpClient, apiUrl, site, chainFilename, keyFilename);
if (!verified)
{
throw new Exception($"Verification failed for {site} cert update.");
}
// delete the private key and cert chain files
var deletedKey = await DeleteSystemFile(httpClient, apiUrl, location, keyFilename);
if (!deletedKey)
{
_log.Warning("Failed to delete {keyFilename}.", keyFilename);
}
var deletedCert = await DeleteSystemFile(httpClient, apiUrl, location, chainFilename);
if (!deletedCert)
{
_log.Warning("Failed to delete {chainFilename}.", chainFilename);
}
}
