public string CreateRequest(string cn, string ou, string o, string l, string s, string c, string oid, int keylength)
{
var objCSPs = new CCspInformations();
objCSPs.AddAvailableCsps();
var objPrivateKey = new CX509PrivateKey();
objPrivateKey.Length = keylength;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379409(v=vs.85).aspx
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379417(v=vs.85).aspx
objPrivateKey.MachineContext = false; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379024(v=vs.85).aspx
objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379412(v=vs.85).aspx
objPrivateKey.CspInformations = objCSPs;
objPrivateKey.Create();
var objPkcs10 = new CX509CertificateRequestPkcs10();
objPkcs10.InitializeFromPrivateKey(
X509CertificateEnrollmentContext.ContextUser, //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379399(v=vs.85).aspx
objPrivateKey,
string.Empty);
var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
objExtensionKeyUsage.InitializeEncode(
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE | // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE); // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
var objObjectId = new CObjectId();
var objObjectIds = new CObjectIds();
var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
//objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1");
objObjectId.InitializeFromValue(oid); //Some info about OIDS: http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
objObjectIds.Add(objObjectId);
objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
// TODO: Create CERTS with SAN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378081(v=vs.85).aspx
/*
var test3 = new CX509ExtensionAlternativeNames();
var test4 = new CAlternativeName();
var test2 = new CAlternativeNames();
test4.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME,"CRAP.no");
test2.Add(test4);
test3.InitializeEncode(test2);
*/
//objPkcs10.X509Extensions.Add((CX509Extension));
var objDN = new CX500DistinguishedName();
var subjectName = "CN = " + cn + ",OU = " + ou + ",O = " + o + ",L = " + l + ",S = " + s + ",C = " + c;
objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379394(v=vs.85).aspx
objPkcs10.Subject = objDN;
var objEnroll = new CX509Enrollment();
objEnroll.InitializeFromRequest(objPkcs10);
var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //http://msdn.microsoft.com/en-us/library/windows/desktop/aa374936(v=vs.85).aspx
return strRequest;
}
static void Main()
{
CX509Enrollment enroll = new CX509Enrollment();
CX509PrivateKey pri = new CX509PrivateKey();
CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
CX500DistinguishedName dn = new CX500DistinguishedName();
pri.ProviderName = "eToken Base Cryptographic Provider";
pri.Length = 2048;
pri.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
//pri.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG;
pri.ProviderType = X509ProviderType.XCN_PROV_RSA_FULL;
pri.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
request.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, pri, "");
dn.Encode("CN=KimiNoNaWa", X500NameFlags.XCN_CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG);
request.Subject = dn;
enroll.InitializeFromRequest(request);
string pkcs10 = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
Console.WriteLine(pkcs10);
//Do Enrollment
//Install certificate
//enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, pkcs10, EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER, "");
}
// http://stackoverflow.com/questions/13806299/how-to-create-a-self-signed-certificate-using-c
private static X509Certificate2 CreateSelfSignedCertificate(string subjectName)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = DateTime.Now;
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64);
// instantiate the target class with the PKCS#12 data (and the empty password)
return new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable
);
}
// create a certificate for testing
// https://stackoverflow.com/q/18339706
static public X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expirationLength)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
CX509PrivateKey privateKey = new CX509PrivateKey
{
ProviderName = "Microsoft Strong Cryptographic Provider",
Length = 2048,
KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE,
KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG,
MachineContext = true,
ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
};
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now.Date;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = cert.NotBefore + expirationLength;
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return(new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
// mark private key to go into the Machine store instead of the current users store
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet
));
}
private CX509CertificateRequestCertificate CreateCertificateRequest(string publisherName)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + publisherName);
// create a new private key for the certificate
var privateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey"));
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = false;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn;
cert.NotBefore = DateTime.Now.Date.AddDays(-1);
cert.NotAfter = DateTime.Now.Date.AddYears(1);
return(cert);
}
private CX509CertificateRequestCertificate FinalizeRequest(CX509CertificateRequestCertificate cert)
{
var subDN = new CX500DistinguishedName();
subDN.Encode("CN=" + SubjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
cert.Subject = subDN;
cert.Issuer = cert.Subject;
cert.NotBefore = DateTime.Now;
cert.NotAfter = ValidUntil;
for (int i = 0; i < ExtensionsToAdd.Count; i++)
{
var ext = ExtensionsToAdd[i];
cert.X509Extensions.Add(ext);
}
var sigId = new CObjectId();
var hash = Oid.FromFriendlyName(Algorithm, OidGroup.HashAlgorithm);
sigId.InitializeFromValue(hash.Value);
cert.SignatureInformation.HashAlgorithm = sigId;
// Complete it
cert.Encode();
ExtensionsToAdd.Clear();
return(cert);
}
private CX500DistinguishedName GetEncodedSubject(CertificateSubject subject)
{
CX500DistinguishedName certDn = new CX500DistinguishedName();
certDn.Encode(subject.ToString(), X500NameFlags.XCN_CERT_NAME_STR_NONE);
return(certDn);
}
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName)
{
//To make a certificate was used system library from CERTENROLLLib
//This lib provides methods for creation certificates in windows envinronment
//Defines the subject and issuer of the cert
CX500DistinguishedName dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
//Create a new private key for the certificate
//Was decided not to make them variably in this progr
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; //issuer for a selfsigned certificate
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; //Use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
//Use trong SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // The issuer and the subject are the same
cert.NotBefore = DateTime.Now;
cert.NotAfter = new DateTime(2018, 12, 31); // I don't think that anybody cares about using this cert longer than this period
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // Encode the certificate
// Do the final stuff
//Enroll is
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // password isn't possible
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return(new X509Certificate2(Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable, coz we want to put it into registry
X509KeyStorageFlags.Exportable));
}
public static X509Certificate2 CreateSelfSignedCertificate(string issuer, string name)
{
try
{
// create a DN for issuer and subject
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + issuer, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a private key for the certificate
var privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage (look at MSDN for a list of possible OIDs)
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Issuer = dn;
cert.Subject = dn;
cert.NotBefore = DateTime.Now;
cert.NotAfter = DateTime.Now.AddYears(1); // 1 year expiration
cert.X509Extensions.Add((CX509Extension)eku);
cert.HashAlgorithm = hashobj;
cert.Encode();
// do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert);
enroll.CertificateFriendlyName = name;
string csr = enroll.CreateRequest();
// output a base64 encoded PKCS#12
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");
var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
// return the certificate
return(new X509Certificate2(Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable));
}
catch (Exception exc)
{
Trace.TraceError("Failed to create a self-signed certificate ({0})", exc);
throw;
}
}
private CertificateSubject BuildSubject(CX500DistinguishedName subject)
{
if (subject == null)
{
throw new CryptographicException("Win32CertificateProvider.BuildSubject - Subject from a decoded request cannot be null");
}
return(CertificateSubject.CreateFromDistinguishedName(subject.Name));
}
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, DateTime startDate, DateTime endDate, String password)
{
// Create DistinguishedName for subject and issuer
var name = new CX500DistinguishedName();
name.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Create a new Private Key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider";
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.Length = 2048;
privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)";
privateKey.MachineContext = true;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.Create();
// Define the hashing algorithm
var serverauthoid = new CObjectId();
serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server Authentication
var ekuoids = new CObjectIds();
ekuoids.Add(serverauthoid);
var ekuext = new CX509ExtensionEnhancedKeyUsage();
ekuext.InitializeEncode(ekuoids);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, String.Empty);
cert.Subject = name;
cert.Issuer = cert.Subject;
cert.NotBefore = startDate;
cert.NotAfter = endDate;
cert.X509Extensions.Add((CX509Extension)ekuext);
cert.Encode();
// Enroll the certificate
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert);
string certData = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER);
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
certData, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, String.Empty);
var base64encoded = enroll.CreatePFX(password, PFXExportOptions.PFXExportChainWithRoot);
// Instantiate the target class with the PKCS#12 data
return(new X509Certificate2(
System.Convert.FromBase64String(base64encoded), password,
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable));
}
internal static Pkcs10CertificationRequest createKeyPair()
{
var objCSPs = new CCspInformations();
objCSPs.AddAvailableCsps();
var objPrivateKey = new CX509PrivateKey();
objPrivateKey.Length = 1024;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
objPrivateKey.MachineContext = false;
objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
objPrivateKey.CspInformations = objCSPs;
objPrivateKey.Create();
var objPkcs10 = new CX509CertificateRequestPkcs10();
objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser,
objPrivateKey,
string.Empty);
//var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
//objExtensionKeyUsage.InitializeEncode(
// CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE |
// CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE);
//objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
//var objObjectId = new CObjectId();
//var objObjectIds = new CObjectIds();
//var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
//objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
//objObjectIds.Add(objObjectId);
//objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
//objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
var objDN = new CX500DistinguishedName();
var subjectName = "CN = shaunxu.me, OU = ADCS, O = Blog, L = Beijng, S = Beijing, C = CN";
objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
objPkcs10.Subject = objDN;
var objEnroll = new CX509Enrollment();
objEnroll.InitializeFromRequest(objPkcs10);
var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
Pkcs10CertificationRequest p10 = new Pkcs10CertificationRequest(Convert.FromBase64String(strRequest));
return(p10);
}
//rennew certficiate that expired
public int RenewCert(string Cert, int reqid)
{
int iDisposition;
string CertifcateStr;
string status;
string HostName;
CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10();
CX509Enrollment objEnroll = new CX509Enrollment();
CCertConfig objCertConfig = new CCertConfig();
CX500DistinguishedName objDN = new CX500DistinguishedName();
CCertAdmin objCertAdmin = new CCertAdmin();
string strCAConfig;
var inheritOptions = X509RequestInheritOptions.InheritPrivateKey | X509RequestInheritOptions.InheritSubjectFlag | X509RequestInheritOptions.InheritExtensionsFlag | X509RequestInheritOptions.InheritSubjectAltNameFlag;
try
{
strCAConfig = objCertConfig.GetConfig(CC_DEFAULTCONFIG); //connect to the ca
InstallCert(Cert);
objPkcs10.InitializeFromCertificate(X509CertificateEnrollmentContext.ContextUser, Cert, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, inheritOptions); //create new cert request from exists expired cert
objDN = objPkcs10.Subject; //getting old cert subject (hostname)
HostName = objDN.Name.ToString().Substring(3);
objEnroll.InitializeFromRequest(objPkcs10); //create enroll rquest
CertifcateStr = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //crearte new cert request
Database db = new Database();
var cert = db.ReturnCertificateInformation(HostName);
db.DeleteCertificateRecordFromDb(reqid);
// revokeCert(cert.serialnumber);
iDisposition = SubmitRequest(CertifcateStr, HostName); //submit cert to the ca
objCertAdmin.ResubmitRequest(strCAConfig, iDisposition); //issue the Certificate
if (iDisposition > 0) //if cert was created delete the old cert from the table
{
DeleteCertificateFromStore(objDN.Name.ToString());
return(iDisposition);
}
return(0);
}
catch (Exception ex)
{
status = ex.Message;
Database db = new Database();
db.InsertToErrorMessageTable("", reqid, ex.Message, "RenewCert");//insert Error Message into The Error Table Log In The DataBase
return(1);
}
}
private static string CreateCertContent(string cn, TimeSpan expirationLength, string pwd)
{
var base64encoded = string.Empty;
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + cn, X500NameFlags.XCN_CERT_NAME_STR_NONE);
var privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Strong Cryptographic Provider";
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG |
X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG;
privateKey.MachineContext = true;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now.Date;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = cert.NotBefore + expirationLength;
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = cn; // Optional: add a friendly name
var csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, pwd); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
base64encoded = enroll.CreatePFX(pwd, // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
return base64encoded;
}
// enroll a certificate based on given template name
public static void EnrollCert(
string templateName,
string subjectName,
string friendlyName)
{
// create a CX509Enrollment object
// either from CX509EnrollmentClass or CX509Enrollment should work
//CX509EnrollmentClass objEnroll = new CX509EnrollmentClass();
CX509Enrollment objEnroll = new CX509Enrollment();
// initialize the CX509Enrollment object
objEnroll.InitializeFromTemplateName(
X509CertificateEnrollmentContext.ContextUser,
templateName);
// set up the subject name
//
// first get the request
IX509CertificateRequest iRequest = objEnroll.Request;
// then get the inner PKCS10 request
IX509CertificateRequest iInnerRequest =
iRequest.GetInnerRequest(InnerRequestLevel.LevelInnermost);
IX509CertificateRequestPkcs10 iRequestPkcs10 =
iInnerRequest as IX509CertificateRequestPkcs10;
// create CX500DistinguishedName
CX500DistinguishedName objName = new CX500DistinguishedName();
objName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// set up the subject name
iRequestPkcs10.Subject = objName;
// set up friendly name
objEnroll.CertificateFriendlyName = friendlyName;
// enroll for the certificate, which should install the certficate
// in MY store if the certificate is successfully issued by CA
objEnroll.Enroll();
}
public string CreateTemplateRequest(string cn, string ou, string o, string l, string s, string c,
int keyLength,
string templateName)
{
var csp = new CCspInformations();
csp.AddAvailableCsps();
var privateKey = new CX509PrivateKey();
privateKey.Length = keyLength;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
privateKey.MachineContext = false;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.CspInformations = csp;
privateKey.Create();
var pkcs10 = new CX509CertificateRequestPkcs10();
pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser,
privateKey,
templateName);
var san = GetSAN(cn);
pkcs10.X509Extensions.Add((CX509Extension)san);
var distinguishedName = new CX500DistinguishedName();
var subjectName = $"{cn},OU = {ou},O = {o} ,L = {l},S = {s},C = {c}";
distinguishedName.Encode(subjectName);
pkcs10.Subject = distinguishedName;
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(pkcs10);
var strRequest = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER);
return(strRequest);
}
// enroll a certificate based on given template name
public static void EnrollCert(
string templateName,
string subjectName,
string friendlyName)
{
// create a CX509Enrollment object
// either from CX509EnrollmentClass or CX509Enrollment should work
//CX509EnrollmentClass objEnroll = new CX509EnrollmentClass();
CX509Enrollment objEnroll = new CX509Enrollment();
// initialize the CX509Enrollment object
objEnroll.InitializeFromTemplateName(
X509CertificateEnrollmentContext.ContextUser,
templateName);
// set up the subject name
//
// first get the request
IX509CertificateRequest iRequest = objEnroll.Request;
// then get the inner PKCS10 request
IX509CertificateRequest iInnerRequest =
iRequest.GetInnerRequest(InnerRequestLevel.LevelInnermost);
IX509CertificateRequestPkcs10 iRequestPkcs10 =
iInnerRequest as IX509CertificateRequestPkcs10;
// create CX500DistinguishedName
CX500DistinguishedName objName = new CX500DistinguishedName();
objName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// set up the subject name
iRequestPkcs10.Subject = objName;
// set up friendly name
objEnroll.CertificateFriendlyName = friendlyName;
// enroll for the certificate, which should install the certficate
// in MY store if the certificate is successfully issued by CA
objEnroll.Enroll();
}
/// <summary>
/// Generates a certificate signing request for use with Xbox Live.
/// </summary>
public string GenerateCertRequest()
{
this.EnsureAdmin();
CX509CertificateRequestCertificate certRequest = new CX509CertificateRequestCertificate();
certRequest.Initialize(X509CertificateEnrollmentContext.ContextMachine);
certRequest.PrivateKey.Length = 2048;
certRequest.PrivateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
certRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
CX500DistinguishedName subject = new CX500DistinguishedName();
subject.Encode("CN=NOT USED");
certRequest.Subject = subject;
CX509Enrollment enroll = new CX509Enrollment();
enroll.InitializeFromRequest(certRequest);
enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER);
this.privateKey = certRequest.PrivateKey.Export("PRIVATEBLOB", EncodingType.XCN_CRYPT_STRING_BASE64).ToSecureString();
return(certRequest.PrivateKey.Export("PUBLICBLOB", EncodingType.XCN_CRYPT_STRING_BASE64 | EncodingType.XCN_CRYPT_STRING_NOCRLF));
}
private static StoreName store = StoreName.My; // Store as a personal certificate
private static X509Certificate2 CreateSelfSignedCertificate(string Operator, string SiteId, int SeqNo, bool isServerCert, string SAN)
{
// Create a custom subject name & friendly name
string distName = $"CN={FriendlyName.ToLower()}_{SiteId}_{SeqNo}, OU={Operator}_{SiteId}, O={Operator}, C=GB";
// create DN for subject and issuer
// var dn = new X500DistinguishedName(distName);
// dn.Encode(distName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
var dn = new CX500DistinguishedName();
dn.Encode(distName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
//CX509PrivateKey privateKey = new CX509PrivateKey();
//var privateKey = new CX509PrivateKey();
var typeName = "X509Enrollment.CX509PrivateKey";
var type = Type.GetTypeFromProgID(typeName);
if (type == null)
{
throw new Exception(typeName + " is not available on your system: 0x80040154 (REGDB_E_CLASSNOTREG)");
}
var privateKey = Activator.CreateInstance(type) as IX509PrivateKey;
if (privateKey == null)
{
throw new Exception("Your certlib does not know an implementation of " + typeName +
" (in HKLM:\\SOFTWARE\\Classes\\Interface\\)!");
}
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
// privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
// oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
if (isServerCert)
{
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL Server
}
else
{
oid.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // SSL client
}
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
if (!string.IsNullOrEmpty(SAN))
{
CAlternativeName objRfc822Name = new CAlternativeName();
CAlternativeNames objAlternativeNames = new CAlternativeNames();
CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();
// Set Alternative RFC822 Name
objRfc822Name.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, SAN);
// Set Alternative Names
objAlternativeNames.Add(objRfc822Name);
objExtensionAlternativeNames.InitializeEncode(objAlternativeNames);
cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
}
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Today;
cert.NotAfter = DateTime.Today.AddYears(10); // expire in 10 years time
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = FriendlyName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
X509Certificate2 newCert = new X509Certificate2(System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable
// Ensure the machine key is created and retained
// http://stackoverflow.com/questions/425688/how-to-set-read-permission-on-the-private-key-file-of-x-509-certificate-from-ne
| X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
return(newCert);
}
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName)
{
var distinguishedName = new CX500DistinguishedName();
distinguishedName.Encode(
"CN=" + subjectName,
X500NameFlags.XCN_CERT_NAME_STR_NONE);
CCspInformations objCSPs = new CCspInformations();
CCspInformation objCSP = new CCspInformation();
objCSP.InitializeFromName(
"Microsoft Enhanced RSA and AES Cryptographic Provider");
objCSPs.Add(objCSP);
// Build the private key
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.MachineContext = false;
privateKey.Length = 2048;
privateKey.CspInformations = objCSPs;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
// Create the private key in the CSP's protected storage
privateKey.Create();
// Build the algorithm identifier
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(
ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone,
"SHA256");
// Create the self-signing request from the private key
var certificateRequest = new CX509CertificateRequestCertificate();
certificateRequest.InitializeFromPrivateKey(
X509CertificateEnrollmentContext.ContextUser,
privateKey,
string.Empty);
certificateRequest.Subject = distinguishedName;
certificateRequest.Issuer = distinguishedName;
certificateRequest.NotBefore = DateTime.Now.AddDays(-1);
certificateRequest.NotAfter = DateTime.Now.AddYears(100);
certificateRequest.HashAlgorithm = hashobj;
certificateRequest.Encode();
var enrollment = new CX509Enrollment();
// Load the certificate request
enrollment.InitializeFromRequest(certificateRequest);
enrollment.CertificateFriendlyName = subjectName;
// Output the request in base64 and install it back as the response
string csr = enrollment.CreateRequest();
// Install the response
enrollment.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr,
EncodingType.XCN_CRYPT_STRING_BASE64,
string.Empty);
// Get the new certificate without the private key
byte[] certificateData = Convert.FromBase64String(enrollment.Certificate);
return(new X509Certificate2(certificateData));
}
/// <summary>
/// Add Reference: COM > TypeLibraries > CertEnroll 1.0 Type Library
/// </summary>
/// <param name="subjectName"></param>
/// <returns></returns>
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expiresIn)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = DateTime.Now.Add(expiresIn);
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return(new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable
));
}
/// <summary>
/// Function used to create a certificate signing request using the OS.
/// Note that this function will place a certificate in the "Certificate Enrollment Requests" folder
/// of the certificate store specified in loc. You can view this by running either
/// certmgr or mmc from the command line.
/// </summary>
/// <param name="loc">Location to put certificate</param>
/// <param name="subject_line">The subject line of the certificate, fields should be ; seperated, i.e.: "C=US; ST=Minnesota; L=Eden Prairie; O=Forward Pay Systems, Inc.; OU=Forward Pay; CN=fps.com"</param>
/// <returns>The certificate signing request, if successful in PEM format</returns>
public string GenerateRequest()
{
//code originally came from: http://blogs.msdn.com/b/alejacma/archive/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c.aspx
//modified version of it is here: http://stackoverflow.com/questions/16755634/issue-generating-a-csr-in-windows-vista-cx509certificaterequestpkcs10
//here is the standard for certificates: http://www.ietf.org/rfc/rfc3280.txt
//the PKCS#10 certificate request (http://msdn.microsoft.com/en-us/library/windows/desktop/aa377505.aspx)
CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10();
//assymetric private key that can be used for encryption (http://msdn.microsoft.com/en-us/library/windows/desktop/aa378921.aspx)
CX509PrivateKey objPrivateKey = new CX509PrivateKey();
//access to the general information about a cryptographic provider (http://msdn.microsoft.com/en-us/library/windows/desktop/aa375967.aspx)
CCspInformation objCSP = new CCspInformation();
//collection on cryptographic providers available: http://msdn.microsoft.com/en-us/library/windows/desktop/aa375967(v=vs.85).aspx
CCspInformations objCSPs = new CCspInformations();
CX500DistinguishedName objDN = new CX500DistinguishedName();
//top level object that enables installing a certificate response http://msdn.microsoft.com/en-us/library/windows/desktop/aa377809.aspx
CX509Enrollment objEnroll = new CX509Enrollment();
CObjectIds objObjectIds = new CObjectIds();
CObjectId objObjectId = new CObjectId();
CObjectId objObjectId2 = new CObjectId();
CX509ExtensionKeyUsage objExtensionKeyUsage = new CX509ExtensionKeyUsage();
CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
string csr_pem = null;
// Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
objCSPs.AddAvailableCsps();
//Provide key container name, key length and key spec to the private key object
objPrivateKey.ProviderName = providerName;
objPrivateKey.Length = KeyLength;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; //Must flag as XCN_AT_KEYEXCHANGE to use this certificate for exchanging symmetric keys (needed for most SSL cipher suites)
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
if (Location == StoreLocation.LocalMachine)
{
objPrivateKey.MachineContext = true;
}
else
{
objPrivateKey.MachineContext = false; //must set this to true if installing to the local machine certificate store
}
objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; //must set this if we want to be able to export it later. (for WinSIP maybe we don't want to be able to ever export the key??)
objPrivateKey.CspInformations = objCSPs;
// Create the actual key pair
objPrivateKey.Create();
// Initialize the PKCS#10 certificate request object based on the private key.
// Using the context, indicate that this is a user certificate request and don't
// provide a template name
if (Location == StoreLocation.LocalMachine)
{
objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, objPrivateKey, "");
}
else
{
objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, "");
}
//Set has to sha256
CObjectId hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
objPkcs10.HashAlgorithm = hashobj;
// Key Usage Extension -- we only need digital signature and key encipherment for TLS:
// NOTE: in openSSL, I didn't used to request any specific extensions. Instead, I let the CA add them
objExtensionKeyUsage.InitializeEncode(
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE
);
objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
// Enhanced Key Usage Extension
objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // OID for Server Authentication usage (see this: http://stackoverflow.com/questions/17477279/client-authentication-1-3-6-1-5-5-7-3-2-oid-in-server-certificates)
objObjectId2.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // OID for Client Authentication usage (see this: http://stackoverflow.com/questions/17477279/client-authentication-1-3-6-1-5-5-7-3-2-oid-in-server-certificates)
objObjectIds.Add(objObjectId);
objObjectIds.Add(objObjectId2);
objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
// Encode the name in using the Distinguished Name object
// see here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa379394(v=vs.85).aspx
/*objDN.Encode(
* "C=US, ST=Minnesota, L=Eden Prairie, O=Forward Pay Systems; Inc., OU=Forward Pay, CN=ERIC_CN",
* X500NameFlags.XCN_CERT_NAME_STR_NONE
* );*/
objDN.Encode(
Subject,
X500NameFlags.XCN_CERT_NAME_STR_SEMICOLON_FLAG
); //"C=US; ST=Minnesota; L=Eden Prairie; O=Forward Pay Systems, Inc.; OU=Forward Pay; CN=ERIC_CN"
// Assing the subject name by using the Distinguished Name object initialized above
objPkcs10.Subject = objDN;
//suppress extra attributes:
objPkcs10.SuppressDefaults = true;
// Create enrollment request
objEnroll.InitializeFromRequest(objPkcs10);
csr_pem = objEnroll.CreateRequest(
EncodingType.XCN_CRYPT_STRING_BASE64
);
csr_pem = "-----BEGIN CERTIFICATE REQUEST-----\r\n" + csr_pem + "-----END CERTIFICATE REQUEST-----";
return(csr_pem);
}
private void button1_Click(object sender, EventArgs e)
{
const int SCEPProcessDefault = 0x0;
//const int SCEPProcessSkipCertInstall = 0x1;
string protocol;
if (checkBox1.Checked)
{
protocol = "https";
}
else
{
protocol = "http";
}
var sConfigString = protocol + "://" + textBox1.Text + "/certsrv/mscep/mscep.dll/pkiclient.exe";
var oCertRequestPkcs10 = new CX509CertificateRequestPkcs10();
oCertRequestPkcs10.Initialize(CERTENROLLLib.X509CertificateEnrollmentContext.ContextUser);
var oSubjectDN = new CX500DistinguishedName();
oSubjectDN.Encode(textBox3.Text);
oCertRequestPkcs10.Subject = oSubjectDN;
oCertRequestPkcs10.PrivateKey.Length = 2048;
oCertRequestPkcs10.PrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
oCertRequestPkcs10.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
oCertRequestPkcs10.KeyContainerNamePrefix = "NDESTest";
if (checkBox2.Checked)
{
oCertRequestPkcs10.ChallengePassword = textBox2.Text;
}
var oEnrollmentHelper = new CX509SCEPEnrollmentHelper();
try
{
oEnrollmentHelper.Initialize(
sConfigString,
"",
oCertRequestPkcs10,
""
);
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
return;
}
var iDisposition = oEnrollmentHelper.Enroll(SCEPProcessDefault);
switch (iDisposition)
{
case CERTENROLLLib.X509SCEPDisposition.SCEPDispositionFailure:
MessageBox.Show(oEnrollmentHelper.ResultMessageText.ToString());
break;
case CERTENROLLLib.X509SCEPDisposition.SCEPDispositionSuccess:
string base64 = oEnrollmentHelper.X509SCEPEnrollment.Certificate[EncodingType.XCN_CRYPT_STRING_BASE64];
X509Certificate2 cert = new X509Certificate2();
cert.Import(Convert.FromBase64String(base64));
X509Certificate2UI.DisplayCertificate(cert);
break;
default:
MessageBox.Show("Unknown");
break;
}
}
/// <summary>
/// Certificate constructor to intialize objects and values required to create a certificate
/// </summary>
public Certificate()
{
try
{
// Create objects required
objCertRequest = new CX509CertificateRequestCertificate();
objCSP = new CCspInformation();
objCSPs = new CCspInformations();
objDN = new CX500DistinguishedName();
objEnroll = new CX509Enrollment();
objObjectId = new CObjectId();
objPrivateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey"));
// Friendly name
this.FriendlyName = "";
// Set default values. Refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374846(v=vs.85).aspx
this.CryptographicProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
this.KeySize = 2048;
// Use key for encryption
this.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
// The key can be used for decryption
this.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG;
// Create for user and not machine
this.MachineContext = false;
// Default to expire in 1 year
this.ExpirationLengthInDays = 365;
// Let th private key be exported in plain text
this.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
// This is intended for a computer
this.EnrollmentContextMachine = X509CertificateEnrollmentContext.ContextUser;
// Use a hasing algorithm
this.ObjectIdGroupId = ObjectIdGroupId. XCN_CRYPT_HASH_ALG_OID_GROUP_ID;
this.ObjectIdPublicKeyFlags = ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY;
this.AlgorithmFlags = AlgorithmFlags.AlgorithmFlagsNone;
// Use SHA-2 with 512 bits
this.AlgorithmName = "SHA512";
this.EncodingType = EncodingType.XCN_CRYPT_STRING_BASE64;
// Allow untrusted certificate to be installed
this.InstallResponseRestrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate;
// No password set
this.Password = null;
// Enable key to be exported, keep the machine set, and persist the key set
// https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx
this.ExportableFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
}
catch (Exception ex)
{
throw ex;
}
}
public static X509Certificate2 CreateCertificate(string certSubject, bool isCA)
{
string CAsubject = certSubject;
CX500DistinguishedName dn = new CX500DistinguishedName();
dn.Encode("CN=" + CAsubject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
string strRfc822Name = certSubject;
CAlternativeName objRfc822Name = new CAlternativeName();
CAlternativeNames objAlternativeNames = new CAlternativeNames();
CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();
// Set Alternative RFC822 Name
objRfc822Name.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, strRfc822Name);
// Set Alternative Names
objAlternativeNames.Add(objRfc822Name);
objExtensionAlternativeNames.InitializeEncode(objAlternativeNames);
//objPkcs10.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
//Issuer Property for cleanup
string issuer = "__Interceptor_Trusted_Root";
CX500DistinguishedName issuerdn = new CX500DistinguishedName();
issuerdn.Encode("CN=" + issuer, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Create a new Private Key
CX509PrivateKey key = new CX509PrivateKey();
key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"; //"Microsoft Enhanced Cryptographic Provider v1.0"
// Set CAcert to 1 to be used for Signature
if (isCA)
{
key.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
}
else
{
key.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
}
key.Length = 2048;
key.MachineContext = true;
key.Create();
// Create Attributes
//var serverauthoid = new X509Enrollment.CObjectId();
CObjectId serverauthoid = new CObjectId();
serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1");
CObjectIds ekuoids = new CObjectIds();
ekuoids.Add(serverauthoid);
CX509ExtensionEnhancedKeyUsage ekuext = new CX509ExtensionEnhancedKeyUsage();
ekuext.InitializeEncode(ekuoids);
CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, key, "");
cert.Subject = dn;
cert.Issuer = issuerdn;
cert.NotBefore = (DateTime.Now).AddDays(-1); //Backup One day to Avoid Timing Issues
cert.NotAfter = cert.NotBefore.AddDays(90); //Arbitrary... Change to persist longer...
//Use Sha256
CObjectId hashAlgorithmObject = new CObjectId();
hashAlgorithmObject.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, 0, 0, "SHA256");
cert.HashAlgorithm = hashAlgorithmObject;
cert.X509Extensions.Add((CX509Extension)ekuext);
cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
//https://blogs.msdn.microsoft.com/alejacma/2011/11/07/how-to-add-subject-alternative-name-to-your-certificate-requests-c/
if (isCA)
{
CX509ExtensionBasicConstraints basicConst = new CX509ExtensionBasicConstraints();
basicConst.InitializeEncode(true, 1);
cert.X509Extensions.Add((CX509Extension)basicConst);
}
else
{
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection signer = store.Certificates.Find(X509FindType.FindBySubjectName, "__Interceptor_Trusted_Root", false);
CSignerCertificate signerCertificate = new CSignerCertificate();
signerCertificate.Initialize(true, 0, EncodingType.XCN_CRYPT_STRING_HEX, signer[0].Thumbprint);
cert.SignerCertificate = signerCertificate;
}
cert.Encode();
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(cert);
string certdata = enrollment.CreateRequest(0);
enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, certdata, 0, "");
if (isCA)
{
//Install CA Root Certificate
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certList = store.Certificates.Find(X509FindType.FindBySubjectName, "__Interceptor_Trusted_Root", false);
store.Close();
X509Store rootStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
rootStore.Open(OpenFlags.ReadWrite);
X509Certificate2Collection rootcertList = rootStore.Certificates.Find(X509FindType.FindBySubjectName, "__Interceptor_Trusted_Root", false);
rootStore.Add(certList[0]);
rootStore.Close();
return(certList[0]);
}
else
{
//Return Per Domain Cert
X509Store xstore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
xstore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certList = xstore.Certificates.Find(X509FindType.FindBySubjectName, certSubject, false);
xstore.Close();
return(certList[0]);
}
}
public X509Certificate2 CreateSelfSignedCertificate(string FriendlyName, string SubjectName)
{
try
{
// Create DN for Subject
CX500DistinguishedName dnSubject = new CX500DistinguishedName();
dnSubject.Encode(String.Format(@"CN={0}", SubjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Create DN for Issuer
CX500DistinguishedName dnIssuer = new CX500DistinguishedName();
dnIssuer.Encode(String.Format(@"CN={0}", IssuerName), X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Use the stronger SHA512 hashing algorithm
CObjectId HashAlgorithm = new CObjectId();
HashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, strAlgorithmName);
// add extended key usage if you want - look at MSDN for a list of possible OIDs
CObjectId oid1 = new CObjectId();
oid1.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL Server
CObjectId oid2 = new CObjectId();
oid2.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // SSL Client
CObjectIds oidlist = new CObjectIds();
oidlist.Add(oid1);
oidlist.Add(oid2);
CX509ExtensionEnhancedKeyUsage eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();
{
CAlternativeNames altNames = new CAlternativeNames();
CAlternativeName dnsLocalHost = new CAlternativeName();
dnsLocalHost.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "LOCALHOST");
altNames.Add(dnsLocalHost);
CAlternativeName dnsHostname = new CAlternativeName();
dnsHostname.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, Environment.MachineName);
altNames.Add(dnsHostname);
foreach (var ipAddress in Dns.GetHostAddresses(Dns.GetHostName()))
{
if ((ipAddress.AddressFamily == AddressFamily.InterNetwork) && !IPAddress.IsLoopback(ipAddress))
{
CAlternativeName dns = new CAlternativeName();
dns.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, ipAddress.ToString());
altNames.Add(dns);
}
}
objExtensionAlternativeNames.InitializeEncode(altNames);
}
//CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();
//smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);
CX509ExtensionBasicConstraints basicConst = new CX509ExtensionBasicConstraints();
basicConst.InitializeEncode(dnSubject.Name == dnIssuer.Name ? true : false, 1);
// Key Usage Extension
CX509ExtensionKeyUsage objExtensionKeyUsage = new CX509ExtensionKeyUsage();
objExtensionKeyUsage.InitializeEncode(
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE
);
// Create the self signing request
CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, PrivateKey, "");
cert.Subject = dnSubject;
cert.Issuer = dnIssuer;
cert.NotBefore = DateTime.Today.AddDays(-1);
cert.NotAfter = DateTime.Today.AddYears(ExpirationLengthInYear);
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
cert.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
cert.X509Extensions.Add((CX509Extension)basicConst);
//cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
cert.HashAlgorithm = HashAlgorithm; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
CX509Enrollment enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = FriendlyName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64 and install it back as the response
// no password output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");
// no password, this is for internal consumption
var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
// mark the private key as exportable (this is usually what you want to do)
return(new X509Certificate2(Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable));
}
catch (Exception ex)
{
throw new Exception(ex.Message);
}
}
/// <summary>
/// Create a certificate signing request.
/// </summary>
/// <param name="subjectName">The subject name of the certificate.</param>
/// <param name="keyLength">Size of the key in bits.</param>
/// <param name="durationYears">Duration of the certificate, specified in years.</param>
/// <param name="oids">Collection of OIDs identifying certificate usage.</param>
public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List<string> oids)
{
// Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc..
if (subjectName.IndexOf("=") < 0)
subjectName = "CN=" + subjectName;
// Generate a distinguished name.
CX500DistinguishedName distinguishedName = new CX500DistinguishedName();
distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Generate a private key.
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.Length = keyLength;
privateKey.MachineContext = true;
privateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
privateKey.Create();
// Use the SHA-512 hashing algorithm.
CObjectId hashAlgorithm = new CObjectId();
hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Load the OIDs passed in and specify enhanced key usages.
CObjectIds oidCollection = new CObjectIds();
foreach (string oidID in oids)
{
CObjectId oid = new CObjectId();
oid.InitializeFromValue(oidID);
oidCollection.Add(oid);
}
CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);
CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage();
enhancedKeyUsages.InitializeEncode(oidCollection);
string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=") + 1);
CAlternativeName sanAlternateName = new CAlternativeName();
sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName);
CAlternativeNames sanAlternativeNames = new CAlternativeNames();
sanAlternativeNames.Add(sanAlternateName);
CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames();
alternativeNamesExtension.InitializeEncode(sanAlternativeNames);
CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();
smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);
// Create the self-signing request.
CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = distinguishedName;
cert.Issuer = distinguishedName;
cert.NotBefore = DateTime.Now;
cert.NotAfter = DateTime.Now.AddYears(1);
cert.X509Extensions.Add((CX509Extension)keyUsage);
cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages);
cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension);
cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
cert.HashAlgorithm = hashAlgorithm;
cert.Encode();
return cert;
}
public string CreateTemplateRequest(string cn, string ou, string o, string l, string s, string c, int keylength, string template)
{
var objCSPs = new CCspInformations();
objCSPs.AddAvailableCsps();
var objPrivateKey = new CX509PrivateKey();
objPrivateKey.Length = keylength;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
objPrivateKey.MachineContext = false;
objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
objPrivateKey.CspInformations = objCSPs;
objPrivateKey.Create();
var objPkcs10 = new CX509CertificateRequestPkcs10();
objPkcs10.InitializeFromPrivateKey(
X509CertificateEnrollmentContext.ContextUser,
objPrivateKey,
template);
var objDN = new CX500DistinguishedName();
var subjectName = "CN = " + cn + ",OU = " + ou + ",O = " + o + ",L = " + l + ",S = " + s + ",C = " + c;
objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
objPkcs10.Subject = objDN;
var objEnroll = new CX509Enrollment();
objEnroll.InitializeFromRequest(objPkcs10);
var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
return strRequest;
}
public static X509Certificate2 CreateCertificate(Certificate crt)
{
bool isCA = !crt.SignByCertificateAuthority;
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode(GetEncodedDistinguishedName(crt), X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey
{
ProviderName = "Microsoft Base Cryptographic Provider v1.0",
MachineContext = crt.MachineContext,
Length = crt.KeyLength,
KeySpec = X509KeySpec.XCN_AT_SIGNATURE, // use is not limited
ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
};
privateKey.Create();
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, crt.DigestAlgorithm);
CERTENROLLLib.X509KeyUsageFlags x509KeyUsageFlags;
CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();
if (isCA)
{
x509KeyUsageFlags =
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE;
bc.InitializeEncode(true, -1);
bc.Critical = true;
}
else
{
x509KeyUsageFlags =
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE;
if (crt.CertificateType == CertificateType.ClientCertificate)
{
x509KeyUsageFlags |= CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE;
}
if (crt.CertificateType == CertificateType.ServerCertificate)
{
x509KeyUsageFlags |= CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE;
}
bc.InitializeEncode(false, -1);
bc.Critical = false;
}
CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
keyUsage.InitializeEncode(x509KeyUsageFlags);
keyUsage.Critical = false;
// SAN
var canList = new List <CAlternativeName>();
foreach (var sanItem in crt.SANList)
{
if (!string.IsNullOrWhiteSpace(sanItem.Value))
{
var can = new CAlternativeName();
switch (sanItem.Type)
{
case Certificate.SANType.DNS:
can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, sanItem.Value);
break;
case Certificate.SANType.IP:
can.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS, EncodingType.XCN_CRYPT_STRING_BASE64,
Convert.ToBase64String(IPAddress.Parse(sanItem.Value).GetAddressBytes()));
break;
case Certificate.SANType.URI:
can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_URL, sanItem.Value);
break;
case Certificate.SANType.email:
can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanItem.Value);
break;
}
canList.Add(can);
}
}
CX509ExtensionAlternativeNames san = null;
if (canList.Any())
{
san = new CX509ExtensionAlternativeNames();
var cans = new CAlternativeNames();
foreach (var item in canList)
{
cans.Add(item);
}
san.InitializeEncode(cans);
}
CX509ExtensionEnhancedKeyUsage eku = null;
if (crt.CertificateType != CertificateType.None)
{
const string XCN_OID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
const string XCN_OID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
var oid = new CObjectId();
if (crt.CertificateType == CertificateType.ServerCertificate)
{
oid.InitializeFromValue(XCN_OID_PKIX_KP_SERVER_AUTH);
}
if (crt.CertificateType == CertificateType.ClientCertificate)
{
oid.InitializeFromValue(XCN_OID_PKIX_KP_CLIENT_AUTH);
}
var oidlist = new CObjectIds();
oidlist.Add(oid);
eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
}
// Create the self signing request
var cereq = new CX509CertificateRequestCertificate();
cereq.InitializeFromPrivateKey(crt.MachineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser, privateKey, "");
cereq.Subject = dn;
cereq.Issuer = dn;
cereq.NotBefore = DateTime.UtcNow.AddDays(-1);
cereq.NotAfter = DateTime.UtcNow.AddDays(crt.Lifetime.Value);
if (crt.SignByCertificateAuthority)
{
var issuer = MyCurrentUserX509Store.Certificates
.Find(X509FindType.FindByThumbprint, crt.CertificateAuthority, false)
.OfType <X509Certificate2>()
.Where(c => c.HasPrivateKey).FirstOrDefault() ?? throw new Exception("Issuer not found: " + crt.CertificateAuthority);
cereq.SignerCertificate = new CSignerCertificate();
cereq.SignerCertificate.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());
cereq.Issuer = new CX500DistinguishedName();
cereq.Issuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
}
cereq.X509Extensions.Add((CX509Extension)keyUsage);
if (eku != null)
{
cereq.X509Extensions.Add((CX509Extension)eku); // EnhancedKeyUsage
}
if (bc != null)
{
cereq.X509Extensions.Add((CX509Extension)bc); // ExtensionBasicConstraints
}
if (san != null)
{
cereq.X509Extensions.Add((CX509Extension)san); // SAN
}
cereq.HashAlgorithm = hashobj; // Specify the hashing algorithm
cereq.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cereq); // load the certificate
//enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
var x509Certificate2 = new X509Certificate2(
Convert.FromBase64String(base64encoded), "",
X509KeyStorageFlags.Exportable); // mark the private key as exportable (this is usually what you want to do)
if (isCA)
{
X509Store rootStore = null;
try
{
rootStore = new X509Store(StoreName.Root, crt.MachineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
rootStore.Open(OpenFlags.ReadWrite);
// install to CA store
var crtPub = new X509Certificate2(x509Certificate2)
{
PrivateKey = null
};
rootStore.Add(crtPub);
crtPub.Reset();
}
catch
{
// ignore when adding to trust root failed
}
finally
{
rootStore?.Close();
}
}
crt.Value = x509Certificate2;
return(x509Certificate2);
}
// https://github.com/asafga-gsr-it/CertIntegration/blob/master/CertificateAdmin/CertificateAdmin/obj/Release/Package/PackageTmp/Certificate.cs
// https://www.sysadmins.lv/blog-en/introducing-to-certificate-enrollment-apis-part-2-creating-offline-requests.aspx
/*
* public static X509Certificate2 CreateSelfSignedCA(string subjectName, DateTime notAfterUtc, bool machineContext)
* {
* // create DN for subject and issuer
* var dn = new CX500DistinguishedName();
* dn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);
*
* // create a new private key for the certificate
* CX509PrivateKey privateKey = new CX509PrivateKey();
* privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
* privateKey.MachineContext = machineContext;
* privateKey.Length = 2048;
* privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
* privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
* privateKey.Create();
*
* var hashobj = new CObjectId();
* hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
* ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
* AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); // https://docs.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers
*
* CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
* keyUsage.InitializeEncode(
* CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
* CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE |
* CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE |
* CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE);
*
* CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();
* bc.InitializeEncode(true, -1); // None
* bc.Critical = true;
*
* // add extended key usage if you want - look at MSDN for a list of possible OIDs
* var oid = new CObjectId();
* oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server Authentication
* var oidlist = new CObjectIds();
* oidlist.Add(oid);
* var eku = new CX509ExtensionEnhancedKeyUsage();
* eku.InitializeEncode(oidlist);
*
* // Create the self signing request
* var cert = new CX509CertificateRequestCertificate();
*
* cert.InitializeFromPrivateKey(machineContext ? X509CertificateEnrollmentContext.ContextMachine: X509CertificateEnrollmentContext.ContextUser, privateKey, "");
* cert.Subject = cert.Issuer = dn; // the issuer and the subject are the same
* cert.NotBefore = DateTime.UtcNow.AddDays(-1);
* cert.NotAfter = notAfterUtc;
* cert.X509Extensions.Add((CX509Extension)keyUsage);
* cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
* cert.X509Extensions.Add((CX509Extension)bc);
* cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
* cert.Encode(); // encode the certificate
*
* // Do the final enrollment process
* var enroll = new CX509Enrollment();
* enroll.InitializeFromRequest(cert); // load the certificate
* enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
* string csr = enroll.CreateRequest(); // Output the request in base64
*
* // install to MY store
* enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
*
* // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
* var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
* PFXExportOptions.PFXExportChainWithRoot);
*
* // instantiate the target class with the PKCS#12 data (and the empty password)
* var x509Certificate2 = new X509Certificate2(
* System.Convert.FromBase64String(base64encoded), "",
* // mark the private key as exportable (this is usually what you want to do)
* X509KeyStorageFlags.Exportable
* );
*
* X509Store rootStore = null;
* try
* {
* rootStore = new X509Store(StoreName.Root, machineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
* rootStore.Open(OpenFlags.ReadWrite);
* // install to CA store
* var crtPub = new X509Certificate2(x509Certificate2) { PrivateKey = null };
* rootStore.Add(crtPub);
* crtPub.Reset();
* }
* catch
* {
* // ignore when adding to trust root failed
* }
* finally
* {
* rootStore?.Close();
* }
*
* return x509Certificate2;
* }
*/
public static X509Certificate2 CreateCertificate(string subjectName, string hostname, DateTime notAfterUtc, X509Certificate issuer, bool machineContext)
{
CSignerCertificate signerCertificate = new CSignerCertificate();
signerCertificate.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = machineContext;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
keyUsage.InitializeEncode(
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);
CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();
bc.InitializeEncode(false, 0);
bc.Critical = false;
// SAN
CX509ExtensionAlternativeNames san = null;
if (!string.IsNullOrEmpty(hostname))
{
CAlternativeNames ians;
if (IPAddress.TryParse(hostname, out var ip))
{
var ian = new CAlternativeName();
ian.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(ip.GetAddressBytes()));
ians = new CAlternativeNames {
ian
};
}
else
{
var ian = new CAlternativeName();
ian.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, hostname);
var ianStar = new CAlternativeName();
ianStar.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "*." + hostname); // wildcard
ians = new CAlternativeNames {
ian, ianStar
};
}
san = new CX509ExtensionAlternativeNames();
san.InitializeEncode(ians);
}
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
var dnIssuer = new CX500DistinguishedName();
dnIssuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(machineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser, privateKey, "");
cert.Subject = dn;
cert.Issuer = dnIssuer;
cert.SignerCertificate = signerCertificate;
cert.NotBefore = DateTime.UtcNow.AddDays(-1);
cert.NotAfter = notAfterUtc;
cert.X509Extensions.Add((CX509Extension)keyUsage);
cert.X509Extensions.Add((CX509Extension)eku); // EnhancedKeyUsage
cert.X509Extensions.Add((CX509Extension)bc); // ExtensionBasicConstraints
if (san != null)
{
cert.X509Extensions.Add((CX509Extension)san); // SAN
}
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
//enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
var x509Certificate2 = new X509Certificate2(
Convert.FromBase64String(base64encoded), "",
X509KeyStorageFlags.Exportable); // mark the private key as exportable (this is usually what you want to do)
return(x509Certificate2);
}
// create the certifcate request
public string CreateCertifcate(string hostName)
{
// Create all the objects that will be required
CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10();
CX509PrivateKey objPrivateKey = new CX509PrivateKey();
CCspInformation objCSP = new CCspInformation();
CCspInformations objCSPs = new CCspInformations();
CX500DistinguishedName objDN = new CX500DistinguishedName();
CX509Enrollment objEnroll = new CX509Enrollment();
CObjectIds objObjectIds = new CObjectIds();
CObjectId objObjectId = new CObjectId();
CX509ExtensionKeyUsage objExtensionKeyUsage = new CX509ExtensionKeyUsage();
CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
string CertifcateStr;
try
{
Database db = new Database();
/*Check if there is allready request for the hostname so we dont need to create new one*/
if (db.CheckIfCertificateExists(hostName) == 1)
{
return("Exsits");
}
if (db.CheckIfCertificateExists(hostName) == 2)
{
return("Issued");
}
//create the private key (CX509CertificateRequestPkcs10 will initilizae from the private key)
objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");
objCSPs.Add(objCSP);
objPrivateKey.Length = 1024;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
objPrivateKey.MachineContext = false;
objPrivateKey.CspInformations = objCSPs;
objPrivateKey.Create();
//create pkc10 object from the privaet key
objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, "");
objExtensionKeyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
// objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
// objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
// objObjectIds.Add(objObjectId);
// objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
// objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
objDN.Encode("CN=" + hostName, X500NameFlags.XCN_CERT_NAME_STR_NONE); //create DistinguishedName
objPkcs10.Subject = objDN; //initial the DistinguishedName
objEnroll.InitializeFromRequest(objPkcs10); //init enrollement request
CertifcateStr = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //Certifcate Request
return(CertifcateStr);
}
catch (Exception ex)
{
Database db = new Database();
db.InsertToErrorMessageTable(hostName, 0, ex.Message, "CreateCertifcate");//insert Error Message into The Error Table Log In The DataBase
return("Error" + ex.Message);
}
}
public void GenerateCsr(SSLCertificate cert)
{
// Create all the objects that will be required
CX509CertificateRequestPkcs10 pkcs10 = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10", true)) as CX509CertificateRequestPkcs10;
CX509PrivateKey privateKey = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey", true)) as CX509PrivateKey;
CCspInformation csp = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CCspInformation", true)) as CCspInformation;
CCspInformations csPs = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CCspInformations", true)) as CCspInformations;
CX500DistinguishedName dn = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX500DistinguishedName", true)) as CX500DistinguishedName;
CX509Enrollment enroll = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509Enrollment", true)) as CX509Enrollment;
CObjectIds objectIds = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CObjectIds", true)) as CObjectIds;
CObjectId objectId = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CObjectId", true)) as CObjectId;
CX509ExtensionKeyUsage extensionKeyUsage = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509ExtensionKeyUsage", true)) as CX509ExtensionKeyUsage;
CX509ExtensionEnhancedKeyUsage x509ExtensionEnhancedKeyUsage = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509ExtensionEnhancedKeyUsage", true)) as CX509ExtensionEnhancedKeyUsage;
try
{
// Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
csp.InitializeFromName("Microsoft RSA SChannel Cryptographic Provider");
// Add this CSP object to the CSP collection object
csPs.Add(csp);
// Provide key container name, key length and key spec to the private key object
privateKey.Length = cert.CSRLength;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
privateKey.ExportPolicy =
X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
| X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_ARCHIVING_FLAG
| X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG
| X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.MachineContext = true;
// Provide the CSP collection object (in this case containing only 1 CSP object)
// to the private key object
privateKey.CspInformations = csPs;
// Create the actual key pair
privateKey.Create();
// Initialize the PKCS#10 certificate request object based on the private key.
// Using the context, indicate that this is a user certificate request and don't
// provide a template name
pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.PrivateKey = privateKey.ToString();
// Key Usage Extension
extensionKeyUsage.InitializeEncode(
CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
);
pkcs10.X509Extensions.Add((CX509Extension)extensionKeyUsage);
// Enhanced Key Usage Extension
objectId.InitializeFromName(CertEnrollInterop.CERTENROLL_OBJECTID.XCN_OID_PKIX_KP_SERVER_AUTH);
objectIds.Add(objectId);
x509ExtensionEnhancedKeyUsage.InitializeEncode(objectIds);
pkcs10.X509Extensions.Add((CX509Extension)x509ExtensionEnhancedKeyUsage);
// Encode the name in using the Distinguished Name object
string request = String.Format(@"CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", cert.Hostname, cert.Organisation, cert.OrganisationUnit, cert.City, cert.State, cert.Country);
dn.Encode(request, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// enable SMIME capabilities
pkcs10.SmimeCapabilities = true;
// Assing the subject name by using the Distinguished Name object initialized above
pkcs10.Subject = dn;
// Create enrollment request
enroll.InitializeFromRequest(pkcs10);
enroll.CertificateFriendlyName = cert.FriendlyName;
cert.CSR = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER);
}
catch (Exception ex)
{
Log.WriteError("Error creating CSR", ex);
}
}
/// <summary>
/// Create a certificate signing request.
/// </summary>
/// <param name="subjectName">The subject name of the certificate.</param>
/// <param name="keyLength">Size of the key in bits.</param>
/// <param name="durationYears">Duration of the certificate, specified in years.</param>
/// <param name="oids">Collection of OIDs identifying certificate usage.</param>
public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List <string> oids)
{
// Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc..
if (subjectName.IndexOf("=") < 0)
{
subjectName = "CN=" + subjectName;
}
// Generate a distinguished name.
CX500DistinguishedName distinguishedName = new CX500DistinguishedName();
distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Generate a private key.
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.Length = keyLength;
privateKey.MachineContext = true;
privateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
privateKey.Create();
// Use the SHA-512 hashing algorithm.
CObjectId hashAlgorithm = new CObjectId();
hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Load the OIDs passed in and specify enhanced key usages.
CObjectIds oidCollection = new CObjectIds();
foreach (string oidID in oids)
{
CObjectId oid = new CObjectId();
oid.InitializeFromValue(oidID);
oidCollection.Add(oid);
}
CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);
CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage();
enhancedKeyUsages.InitializeEncode(oidCollection);
string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=") + 1);
CAlternativeName sanAlternateName = new CAlternativeName();
sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName);
CAlternativeNames sanAlternativeNames = new CAlternativeNames();
sanAlternativeNames.Add(sanAlternateName);
CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames();
alternativeNamesExtension.InitializeEncode(sanAlternativeNames);
CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();
smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);
// Create the self-signing request.
CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = distinguishedName;
cert.Issuer = distinguishedName;
cert.NotBefore = DateTime.Now;
cert.NotAfter = DateTime.Now.AddYears(1);
cert.X509Extensions.Add((CX509Extension)keyUsage);
cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages);
cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension);
cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
cert.HashAlgorithm = hashAlgorithm;
cert.Encode();
return(cert);
}
public string CreateRequest()
{
// Create all the objects that will be required
var objPkcs10 = new CX509CertificateRequestPkcs10();
var objPrivKey = new CX509PrivateKey();
var objCSP = new CCspInformation();
var objCSPs = new CCspInformations();
var objDN = new CX500DistinguishedName();
var objEnroll = new CX509Enrollment();
var objObjIds = new CObjectIds();
var objObjId = new CObjectId();
var objExtKeyUsage = new CX509ExtensionKeyUsage();
var objExtEnhKeyUsage = new CX509ExtensionEnhancedKeyUsage();
string strRequest;
//objCSP.InitializeFromName(provName);
//objCSPs.Add(objCSP);
//objPrivKey.Length = 2048;
//objPrivKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
//objPrivKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
//objPrivKey.MachineContext = true;
//objPrivKey.CspInformations = objCSPs;
//objPrivKey.Create();
var strTemplateName = "1.3.6.1.4.1.311.21.8.12017375.10856495.934812.8687423.15807460.10.5731641.6795722"; // RDP All Names
objPkcs10.InitializeFromTemplateName(X509CertificateEnrollmentContext.ContextMachine, strTemplateName);
// Encode the name in using the DN object
objDN.Encode("CN=" + Environment.GetEnvironmentVariable("COMPUTERNAME"),
X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Adding the subject name by using the DN object initialized above
objPkcs10.Subject = objDN;
var dnsDom = Environment.GetEnvironmentVariable("USERDNSDOMAIN").ToLower();
var altName = new CAlternativeName();
var objAlternateNames = new CAlternativeNames();
var objExtAltNames = new CX509ExtensionAlternativeNames();
altName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME,
Environment.GetEnvironmentVariable("COMPUTERNAME") + "." + dnsDom);
var altName2 = new CAlternativeName();
altName2.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME,
Environment.GetEnvironmentVariable("COMPUTERNAME"));
objAlternateNames.Add(altName2);
objAlternateNames.Add(altName);
objExtAltNames.InitializeEncode(objAlternateNames);
objPkcs10.X509Extensions.Add((CX509Extension)objExtAltNames);
// Create the enrollment request
objEnroll.InitializeFromRequest(objPkcs10);
strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
return(strRequest);
}
/// <summary>
/// Certificate constructor to intialize objects and values required to create a certificate
/// </summary>
public Certificate()
{
try
{
// Create objects required
objCertRequest = new CX509CertificateRequestCertificate();
objCSP = new CCspInformation();
objCSPs = new CCspInformations();
objDN = new CX500DistinguishedName();
objEnroll = new CX509Enrollment();
objObjectId = new CObjectId();
objPrivateKey = (CX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey"));
// Friendly name
this.FriendlyName = "";
// Set default values. Refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374846(v=vs.85).aspx
this.CryptographicProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
this.KeySize = 2048;
// Use key for encryption
this.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
// The key can be used for decryption
this.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG;
// Create for user and not machine
this.MachineContext = false;
// Default to expire in 1 year
this.ExpirationLengthInDays = 365;
// Let th private key be exported in plain text
this.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
// This is intended for a computer
this.EnrollmentContextMachine = X509CertificateEnrollmentContext.ContextUser;
// Use a hasing algorithm
this.ObjectIdGroupId = ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID;
this.ObjectIdPublicKeyFlags = ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY;
this.AlgorithmFlags = AlgorithmFlags.AlgorithmFlagsNone;
// Use SHA-2 with 512 bits
this.AlgorithmName = "SHA512";
this.EncodingType = EncodingType.XCN_CRYPT_STRING_BASE64;
// Allow untrusted certificate to be installed
this.InstallResponseRestrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate;
// No password set
this.Password = null;
// Enable key to be exported, keep the machine set, and persist the key set
// https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx
this.ExportableFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
}
catch (Exception ex)
{
throw ex;
}
}
public static X509Certificate2 CreateSelfSignedCertificateOldImplementationNetFramework(
string subjectName,
string friendlyName,
ILoggerInterface logger,
int expirationDays = 90)
{
// create DN for subject
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create DN for the issuer
var issuer = new CX500DistinguishedName();
issuer.Encode("CN=ChefCertificate", X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(
ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone,
"SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, string.Empty);
cert.Subject = dn;
cert.Issuer = issuer;
cert.NotBefore = DateTime.Now;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = DateTime.Now.AddDays(expirationDays);
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = friendlyName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr,
EncodingType.XCN_CRYPT_STRING_BASE64,
string.Empty); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64Encoded = enroll.CreatePFX(
string.Empty, // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// Delete the key
var storePath = UtilsCertificate.FindKeyStoragePath(privateKey.UniqueContainerName);
if (string.IsNullOrWhiteSpace(storePath))
{
logger.LogWarning(false, $"Unable to determine private key store path for key with UCN '{privateKey.UniqueContainerName}', keys will build up in disk storage.");
}
else
{
File.Delete(storePath);
}
// instantiate the target class with the PKCS#12 data (and the empty password)
var crt = new X509Certificate2(
Convert.FromBase64String(base64Encoded),
string.Empty,
// mark the private key as exportable (this is usually what you want to do)
X509KeyStorageFlags.EphemeralKeySet | X509KeyStorageFlags.Exportable);
// Remove the locally signed certificate from the local store, as we are only interested in
// the exported PFX file
UtilsCertificate.RemoveCertificateFromLocalStoreByThumbprint(crt.Thumbprint);
return(crt);
}
/// <summary>
/// CreateSelfSignedCertificate method implementation
/// </summary>
private static string InternalCreateSelfSignedCertificate(string subjectName, int years)
{
var dn = new CX500DistinguishedName();
var neos = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
neos.Encode("CN=MFA RSA Keys Certificate", X500NameFlags.XCN_CERT_NAME_STR_NONE);
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_ARCHIVING_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG;
privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)";
privateKey.Create();
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var coid = new CObjectId();
coid.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // Client auth
oidlist.Add(coid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextAdministratorForceMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = neos;
cert.NotBefore = DateTime.Now.AddDays(-10);
cert.NotAfter = DateTime.Now.AddYears(years);
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
return(base64encoded);
}
public void GenerateCsr(SSLCertificate cert)
{
// Create all the objects that will be required
CX509CertificateRequestPkcs10 pkcs10 = new CX509CertificateRequestPkcs10();
CX509PrivateKey privateKey = new CX509PrivateKey();
CCspInformation csp = new CCspInformation();
CCspInformations csPs = new CCspInformations();
CX500DistinguishedName dn = new CX500DistinguishedName();
CX509Enrollment enroll = new CX509Enrollment();
CObjectIds objectIds = new CObjectIds();
CObjectId clientObjectId = new CObjectId();
CObjectId serverObjectId = new CObjectId();
CX509ExtensionKeyUsage extensionKeyUsage = new CX509ExtensionKeyUsage();
CX509ExtensionEnhancedKeyUsage x509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
try
{
// Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
csp.InitializeFromName("Microsoft RSA SChannel Cryptographic Provider");
// Add this CSP object to the CSP collection object
csPs.Add(csp);
// Provide key container name, key length and key spec to the private key object
//objPrivateKey.ContainerName = "AlejaCMa";
privateKey.Length = cert.CSRLength;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.MachineContext = true;
// Provide the CSP collection object (in this case containing only 1 CSP object)
// to the private key object
privateKey.CspInformations = csPs;
// Create the actual key pair
privateKey.Create();
// Initialize the PKCS#10 certificate request object based on the private key.
// Using the context, indicate that this is a user certificate request and don't
// provide a template name
pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.PrivateKey = privateKey.ToString();
// Key Usage Extension
extensionKeyUsage.InitializeEncode(
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
);
pkcs10.X509Extensions.Add((CX509Extension)extensionKeyUsage);
// Enhanced Key Usage Extension
clientObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
objectIds.Add(clientObjectId);
serverObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1");
objectIds.Add(serverObjectId);
x509ExtensionEnhancedKeyUsage.InitializeEncode(objectIds);
pkcs10.X509Extensions.Add((CX509Extension)x509ExtensionEnhancedKeyUsage);
// Encode the name in using the Distinguished Name object
string request = String.Format(@"CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", cert.Hostname, cert.Organisation, cert.OrganisationUnit, cert.City, cert.State, cert.Country);
dn.Encode(request, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Assing the subject name by using the Distinguished Name object initialized above
pkcs10.Subject = dn;
// Create enrollment request
enroll.InitializeFromRequest(pkcs10);
enroll.CertificateFriendlyName = cert.FriendlyName;
cert.CSR = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER);
}
catch (Exception ex)
{
Log.WriteError("Error creating CSR", ex);
}
}
