private X509Certificate2 BuildSelfSignedServerCertificate()
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN=https://issuer.com");
using RSA rsa = RSA.Create(2048);
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
return(certificate);
}
private static byte[] BuildSelfSignedCertificate(string password)
{
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
var distinguishedName = new X500DistinguishedName($"CN=SSNCert1");
using (var rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyCertSign, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
certificate.FriendlyName = "SSNCert1";
return(certificate.Export(X509ContentType.Pfx, password));
}
}
/// <summary>
/// Generate a new 2048 bit RSA key and cert bundle and self sign the public key with the private key
/// https://stackoverflow.com/a/50138133/6620171
/// </summary>
/// <param name="CommonName"></param>
/// <returns></returns>
private static X509Certificate2 BuildSelfSignedServerCertificate(string CommonName, int daysUntilExpire)
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CommonName}");
using (RSA rsa = RSA.Create(2048))
{
CertificateRequest request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(daysUntilExpire)));
//certificate.FriendlyName = CommonName; // Linux: System.PlatformNotSupportedException: The FriendlyName value cannot be set on Unix.
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));
}
}
public static void EnumerateDnsNames(LoadMode loadMode)
{
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName("foo");
builder.AddIpAddress(IPAddress.Loopback);
builder.AddUserPrincipalName("*****@*****.**");
builder.AddIpAddress(IPAddress.IPv6Loopback);
builder.AddDnsName("*.foo");
X509Extension built = builder.Build(true);
X509SubjectAlternativeNameExtension ext;
switch (loadMode)
{
case LoadMode.CopyFrom:
ext = new X509SubjectAlternativeNameExtension();
ext.CopyFrom(built);
break;
case LoadMode.Array:
ext = new X509SubjectAlternativeNameExtension(built.RawData);
break;
case LoadMode.Span:
byte[] tmp = new byte[built.RawData.Length + 2];
built.RawData.AsSpan().CopyTo(tmp.AsSpan(1));
ext = new X509SubjectAlternativeNameExtension(tmp.AsSpan()[1..^ 1]);
public static X509Certificate2 GenerateServerNodeCertificate(string nodeName, string password)
{
using (var rsa = RSA.Create(4096))
{
var request = new CertificateRequest($"CN={nodeName}", rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
certificate.FriendlyName = "VanguardServerManagerNodeCertificate";
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet));
}
}
private static X509Certificate2 Create()
{
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName("127.0.0.1");
sanBuilder.AddDnsName(Environment.MachineName);
var distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid(OidServerAuthentication)
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddYears(100)));
certificate.FriendlyName = CertificateName;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, CertificatePass), CertificatePass, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));
}
private X509Certificate2 GenerateCertificate()
{
string CertificateName = "sportal.qlikcloud.com";
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName("qlikcloud.com");
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(825)));
return(certificate);
}
}
/// <summary>
/// Build a self signed certificate for use in SSL communication
/// </summary>
/// <param name="certName">Name of certificate</param>
/// <param name="password">Password for certificate</param>
/// <returns></returns>
public static X509Certificate2 BuildSelfSignedCertificate(string certName, string password = "")
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
certificate.FriendlyName = certName;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet));
}
}
public static void DnsNameMatchIgnoresTrailingPeriodFromParameter()
{
using (ECDsa key = ECDsa.Create())
{
CertificateRequest req = new CertificateRequest(
"CN=10.0.0.1",
key,
HashAlgorithmName.SHA256);
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("fruit.EXAMPLE");
sanBuilder.AddDnsName("*.FrUIt.eXaMpLE");
sanBuilder.AddEmailAddress("*****@*****.**");
req.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset now = DateTimeOffset.UtcNow;
DateTimeOffset notBefore = now.AddMinutes(-1);
DateTimeOffset notAfter = now.AddMinutes(1);
using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter))
{
AssertMatch(true, cert, "aPPlE.fruit.example.");
AssertMatch(true, cert, "tOmaTO.FRUIT.example.");
AssertMatch(false, cert, "tOmaTO.vegetable.example.");
AssertMatch(true, cert, "FRUit.example.");
AssertMatch(false, cert, "VEGetaBlE.example.");
}
}
}
public static void WildcardRequiresSuffixToMatch()
{
using (ECDsa key = ECDsa.Create())
{
CertificateRequest req = new CertificateRequest(
"CN=potato.vegetable.example",
key,
HashAlgorithmName.SHA256);
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("*");
sanBuilder.AddDnsName("*.");
sanBuilder.AddEmailAddress("*****@*****.**");
req.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset now = DateTimeOffset.UtcNow;
DateTimeOffset notBefore = now.AddMinutes(-1);
DateTimeOffset notAfter = now.AddMinutes(1);
using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter))
{
AssertMatch(false, cert, "example");
AssertMatch(false, cert, "example.");
}
}
}
public static void SanDnsMeansNoCommonNameFallback()
{
using (ECDsa key = ECDsa.Create())
{
CertificateRequest req = new CertificateRequest(
"CN=zalzalak.fruit.example",
key,
HashAlgorithmName.SHA256);
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("yumberry.fruit.example");
sanBuilder.AddDnsName("*.pome.fruit.example");
req.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset now = DateTimeOffset.UtcNow;
DateTimeOffset notBefore = now.AddMinutes(-1);
DateTimeOffset notAfter = now.AddMinutes(1);
using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter))
{
AssertMatch(true, cert, "yumberry.fruit.example");
AssertMatch(true, cert, "zalzalak.pome.fruit.example");
// zalzalak is a pome, and our fake DNS knows that, but the certificate doesn't.
AssertMatch(false, cert, "zalzalak.fruit.example");
}
}
}
public static void NoPartialWildcards()
{
using (ECDsa key = ECDsa.Create())
{
CertificateRequest req = new CertificateRequest(
"CN=10.0.0.1",
key,
HashAlgorithmName.SHA256);
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("*berry.fruit.example");
sanBuilder.AddDnsName("cran*.fruit.example");
sanBuilder.AddEmailAddress("*****@*****.**");
req.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset now = DateTimeOffset.UtcNow;
DateTimeOffset notBefore = now.AddMinutes(-1);
DateTimeOffset notAfter = now.AddMinutes(1);
using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter))
{
AssertMatch(false, cert, "cranberry.fruit.example");
AssertMatch(false, cert, "cranapple.fruit.example");
AssertMatch(false, cert, "strawberry.fruit.example");
}
}
}
private static X509Extension LocalSubjectAlternativeName()
{
var builder = new SubjectAlternativeNameBuilder();
builder.AddIpAddress(IPAddress.Loopback);
builder.AddIpAddress(IPAddress.IPv6Loopback);
builder.AddDnsName("localhost");
builder.AddDnsName(Environment.MachineName);
return(builder.Build());
}
public static X509Certificate2 Create(CertificateOptions options)
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(options.Issuer);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN=" + options.Issuer);
var csp = new CspParameters
{
Flags = CspProviderFlags.UseArchivableKey | CspProviderFlags.UseMachineKeyStore
};
using (RSA rsa = new RSACryptoServiceProvider(2048, csp))
{
CertificateRequest req = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(sanBuilder.Build());
req.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, false));
req.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.KeyAgreement | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment, false));
req.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, true));
req.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
X509Certificate2 CA = CreateCA(options);
X509Certificate2 cert = req.Create(
CA,
CA.NotBefore,
CA.NotAfter,
CertHelper.SerialNumber.ToByteArray());
X509Certificate2 certWithPK = cert.CopyWithPrivateKey(rsa);
certWithPK.FriendlyName = options.FriendlyName;
X509Certificate2 certificate = new X509Certificate2(certWithPK.Export(X509ContentType.Pfx, options.Password), options.Password, X509KeyStorageFlags.MachineKeySet);
CertHelper.AddToMyStore(certificate);
return(certificate);
}
}
public static void ArgumentValidation()
{
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
AssertExtensions.Throws <ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(null));
AssertExtensions.Throws <ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(string.Empty));
AssertExtensions.Throws <ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(null));
AssertExtensions.Throws <ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(string.Empty));
AssertExtensions.Throws <ArgumentNullException>("uri", () => builder.AddUri(null));
AssertExtensions.Throws <ArgumentNullException>("ipAddress", () => builder.AddIpAddress(null));
AssertExtensions.Throws <ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(null));
AssertExtensions.Throws <ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(string.Empty));
}
private X509Certificate2 GenerateSelfSignedServerCert(string certificateName)
{
var certPassword = Configuration["MPY:IdentityServer:X509CertToken:Password"];
if (string.IsNullOrEmpty(certPassword))
{
throw new ArgumentNullException("Token Signing Certificate Password needs to be set");
}
var dnsName = Configuration["MPY:IdentityServer:X509CertToken:DNSName"];
if (string.IsNullOrEmpty(dnsName))
{
throw new ArgumentNullException("Token Signing DNS Name needs to be set.");
}
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName(dnsName);
sanBuilder.AddDnsName(System.Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certificateName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
//var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(365)));
var yesterday = DateTime.Today.AddDays(-1).ToUniversalTime();
var future = DateTime.Today.AddDays(365).ToUniversalTime();
var certificate = request.CreateSelfSigned(new DateTimeOffset(yesterday), new DateTimeOffset(future));
certificate.FriendlyName = certificateName;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, certPassword), certPassword, X509KeyStorageFlags.MachineKeySet));
}
}
/// <summary>
/// Create a self signed certificate, optionally providing a locally existente CA certificate
/// </summary>
/// <param name="subjectName"></param>
/// <param name="organization"></param>
/// <param name="country"></param>
/// <param name="authority">Optional authority cert to sign this one against.</param>
/// <param name="expirationDays"></param>
/// <returns></returns>
public static X509Certificate2 GenerateSelfSignedCertificate(
string subjectName,
string organization,
string country,
X509Certificate2 authority = null,
int expirationDays = 90)
{
// Have this certificate work with localhost, etc..
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={subjectName}, O={organization}, C={country}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset notBefore = DateTimeOffset.UtcNow;
DateTimeOffset notAfter = notBefore.AddDays(expirationDays);
X509Certificate2 certWithPrivateKey;
if (authority == null)
{
certWithPrivateKey = request.CreateSelfSigned(notBefore, notAfter);
}
else
{
byte[] serialnumber = Encoding.ASCII.GetBytes(DateTime.UtcNow.ToString("MMMMddyyyyHHmmss"));
certWithPrivateKey = request.Create(authority, notBefore, notAfter, serialnumber);
}
return(certWithPrivateKey);
}
}
public async Task <(byte[] Cert, RSA PrivateKey)> GetCertificate(CancellationToken token = default(CancellationToken))
{
var key = new RSACryptoServiceProvider(4096);
var csr = new CertificateRequest("CN=" + _hosts[0],
key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
var san = new SubjectAlternativeNameBuilder();
foreach (var host in _hosts)
{
san.AddDnsName(host);
}
csr.CertificateExtensions.Add(san.Build());
var certResponse = await _client.NewCertificateRequestAsync(csr.CreateSigningRequest(), token);
_cache.CachedCerts[_hosts[0]] = new CertificateCache
{
Cert = certResponse.Certificate,
Private = key.ExportCspBlob(true)
};
lock (Locker)
{
File.WriteAllText(_path,
JsonConvert.SerializeObject(_cache, Formatting.Indented));
}
return(certResponse.Certificate, key);
}
private static X509Certificate2 CreateSelfSigned13ServerCertificate()
{
using RSA rsa = RSA.Create();
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("localhost");
var certReq = new CertificateRequest("CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
certReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
certReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
certReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
certReq.CertificateExtensions.Add(sanBuilder.Build());
X509Certificate2 innerCert = certReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddMonths(-1), DateTimeOffset.UtcNow.AddMonths(1));
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
using (innerCert)
{
return(new X509Certificate2(innerCert.Export(X509ContentType.Pfx)));
}
}
else
{
return(innerCert);
}
}
static X509Certificate2 GenerateCertificate(DateTime?notBefore = null, DateTime?notAfter = null, bool addServerAuthentication = true, bool addClientAuthentication = true)
{
var name = Guid.NewGuid().ToString("N");
var builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName(name);
var dn = new X500DistinguishedName($"CN={name}");
using (var rsa = RSA.Create(2048))
{
var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
var usage = new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, true);
request.CertificateExtensions.Add(usage);
var oids = new OidCollection();
if (addServerAuthentication)
{
oids.Add(new Oid("1.3.6.1.5.5.7.3.1"));
}
if (addClientAuthentication)
{
oids.Add(new Oid("1.3.6.1.5.5.7.3.2"));
}
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(oids, false));
request.CertificateExtensions.Add(builder.Build());
return(request.CreateSelfSigned(new DateTimeOffset(notBefore ?? DateTime.UtcNow.AddMinutes(-5)), new DateTimeOffset(notAfter ?? DateTime.UtcNow.AddMinutes(5))));
}
}
public void AddSubjectAlternativeName(CertificateRequest request, SubjectAlternativeName subjectAlternativeName)
{
foreach (var dnsName in subjectAlternativeName.DnsName)
{
if (UriHostNameType.Unknown == Uri.CheckHostName(dnsName))
{
throw new ArgumentException("Must be a valid DNS name", nameof(dnsName));
}
}
var sanBuilder = new SubjectAlternativeNameBuilder();
foreach (var dnsName in subjectAlternativeName.DnsName)
{
sanBuilder.AddDnsName(dnsName);
}
if (!string.IsNullOrEmpty(subjectAlternativeName.Email))
{
sanBuilder.AddEmailAddress(subjectAlternativeName.Email);
}
var sanExtension = sanBuilder.Build();
request.CertificateExtensions.Add(sanExtension);
}
protected X509Extension BuildSubjectAlternativeName()
{
var subjectAlternativeNameBuilder = new SubjectAlternativeNameBuilder();
subjectAlternativeNameBuilder.AddIpAddress(IPAddress.Loopback);
subjectAlternativeNameBuilder.AddIpAddress(IPAddress.IPv6Loopback);
foreach (var dnsName in _certificateBuilderConfiguration.DnsNames)
{
subjectAlternativeNameBuilder.AddDnsName(dnsName);
}
subjectAlternativeNameBuilder.AddDnsName(Environment.MachineName);
return(subjectAlternativeNameBuilder.Build());
}
public static void SanDoesNotMatchIPAddressInDnsName()
{
using (ECDsa key = ECDsa.Create())
{
CertificateRequest req = new CertificateRequest(
"CN=10.0.0.1",
key,
HashAlgorithmName.SHA256);
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("127.0.0.1");
sanBuilder.AddEmailAddress("*****@*****.**");
req.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset now = DateTimeOffset.UtcNow;
DateTimeOffset notBefore = now.AddMinutes(-1);
DateTimeOffset notAfter = now.AddMinutes(1);
using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter))
{
// 127.0.0.1 is an IP Address, but the SAN calls it a dNSName, so it won't match.
AssertMatch(false, cert, "127.0.0.1");
// Since the SAN contains no iPAddress values, we fall back to the CN.
AssertMatch(true, cert, "10.0.0.1");
}
}
}
/// <inheritdoc />
public X509Certificate2 GenerateAndSignCertificate(string subjectName)
{
using (RSA newKey = RSA.Create(_defaultKeyLength))
{
// Create the reguest
CertificateRequest request = new CertificateRequest(subjectName, newKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
var s = new SubjectAlternativeNameBuilder();
s.AddDnsName(subjectName.Substring("CN=".Length));
request.CertificateExtensions.Add(s.Build());
request.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(request.PublicKey, true));
// This is no CA
request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
// Add default TLS key usages
request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, false));
request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.1"), // Server-auth
new Oid("1.3.6.1.5.5.7.3.2") // Client-auth
}, true));
X509Certificate2 certificate = request.Create(this._caCertificate, DateTimeOffset.UtcNow.AddDays(-1),
this._caCertificate.NotAfter.AddDays(-10), GenerateSerialNumber());
return(certificate.CopyWithPrivateKey(newKey));
}
}
internal static (X509Certificate2 certificate, X509Certificate2Collection) GenerateCertificates(string name, string?testName = null)
{
X509Certificate2Collection chain = new X509Certificate2Collection();
X509ExtensionCollection extensions = new X509ExtensionCollection();
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName(name);
extensions.Add(builder.Build());
extensions.Add(s_eeConstraints);
extensions.Add(s_eeKeyUsage);
extensions.Add(s_tlsServerEku);
CertificateAuthority.BuildPrivatePki(
PkiOptions.IssuerRevocationViaCrl,
out RevocationResponder responder,
out CertificateAuthority root,
out CertificateAuthority intermediate,
out X509Certificate2 endEntity,
subjectName: name,
testName: testName,
keySize: 2048,
extensions: extensions);
chain.Add(intermediate.CloneIssuerCert());
chain.Add(root.CloneIssuerCert());
responder.Dispose();
root.Dispose();
intermediate.Dispose();
return(endEntity, chain);
}
public static X509Certificate2 BuildSelfSignedCertificate(string dns, string ipaddr, string issuer, string password)
{
SubjectAlternativeNameBuilder sanb = new SubjectAlternativeNameBuilder();
sanb.AddIpAddress(IPAddress.Parse(ipaddr));
sanb.AddDnsName(dns);
X500DistinguishedName subject = new X500DistinguishedName($"CN={issuer}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanb.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
certificate.FriendlyName = issuer;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));
}
}
public X509Certificate2 GenerateCertificate(DateTime? notBefore = null, DateTime? notAfter = null)
{
var name = Guid.NewGuid().ToString("N");
var builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName(name);
var dn = new X500DistinguishedName($"CN={name}");
using (var rsa = RSA.Create(2048))
{
var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
var usage = new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, true);
request.CertificateExtensions.Add(usage);
var oids = new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.1"), // Server authentication
new Oid("1.3.6.1.5.5.7.3.2") // Client authentication
};
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(oids, false));
request.CertificateExtensions.Add(builder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(notBefore ?? DateTime.UtcNow.AddMinutes(-5)), new DateTimeOffset(notAfter ?? DateTime.UtcNow.AddMinutes(5)));
var bytes = certificate.Export(X509ContentType.Pfx);
return new X509Certificate2(bytes, null as string, X509KeyStorageFlags.Exportable); // don't ask me why, but this is required for some tests to work; i.e. Mtls tests
}
}
public static X509Certificate2 BuildTlsSelfSignedServer(string[] domains)
{
var sanBuilder = new SubjectAlternativeNameBuilder();
foreach (var domain in domains)
{
sanBuilder.AddDnsName(domain);
}
using (var rsa = RSA.Create())
{
var request = new CertificateRequest("CN=" + domains.First(), rsa, HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(90));
// Hack - https://github.com/dotnet/corefx/issues/24454
var buffer = cert.Export(X509ContentType.Pfx, (string)null);
return(new X509Certificate2(buffer, (string)null));
}
}
internal static (X509Certificate2 certificate, X509Certificate2Collection) GenerateCertificates(string targetName, [CallerMemberName] string?testName = null, bool longChain = false, bool serverCertificate = true)
{
const int keySize = 2048;
if (PlatformDetection.IsWindows && testName != null)
{
CleanupCertificates(testName);
}
X509Certificate2Collection chain = new X509Certificate2Collection();
X509ExtensionCollection extensions = new X509ExtensionCollection();
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName(targetName);
extensions.Add(builder.Build());
extensions.Add(s_eeConstraints);
extensions.Add(s_eeKeyUsage);
extensions.Add(serverCertificate ? s_tlsServerEku : s_tlsClientEku);
CertificateAuthority.BuildPrivatePki(
PkiOptions.IssuerRevocationViaCrl,
out RevocationResponder responder,
out CertificateAuthority root,
out CertificateAuthority[] intermediates,
/// <summary>
/// Build the Subject Alternative name extension
/// </summary>
/// <param name="uris">The Uris</param>
/// <param name="addresses">The domain names.
/// DNS Hostnames, IPv4 or IPv6 addresses</param>
/// <param name="critical"></param>
public static X509Extension BuildSubjectAlternativeName(
IEnumerable <string> uris, IEnumerable <string> addresses, bool critical)
{
var sanBuilder = new SubjectAlternativeNameBuilder();
foreach (var uri in uris)
{
sanBuilder.AddUri(new Uri(uri));
}
foreach (var domainName in addresses)
{
if (string.IsNullOrWhiteSpace(domainName))
{
continue;
}
if (IPAddress.TryParse(domainName, out var ipAddr))
{
sanBuilder.AddIpAddress(ipAddr);
}
else
{
sanBuilder.AddDnsName(domainName);
}
}
return(sanBuilder.Build(critical));
}