/// <summary>
/// Submit a certificate signing request to a certificate authority, such as a server running Active Directory Certificate Services, and return the certificate or response.
/// </summary>
/// <param name="csr">Certificate signing request to be submitted.</param>
/// <param name="friendlyName">The friendly name of the certificate.</param>
/// <param name="caServer">The certificate authority server instance.</param>
/// <param name="csrResponse">Response from the certificate signing request, represented as a CsrResponse enum.</param>
/// <param name="dispositionMessage">Message returned when a certificate signing fails.</param>
public X509Certificate2 SubmitCertificateSigningRequest(CX509CertificateRequestCertificate csr, string friendlyName, string caServer, out CsrResponse csrResponse, out string dispositionMessage)
{
// Convert the certificate signing request to base-64..
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(csr);
enrollment.CertificateFriendlyName = friendlyName;
string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
// Submit the request to the certificate authority.
CCertRequest certRequest = new CCertRequest();
int csrResponseCode = certRequest.Submit(CR_IN_BASE64 | CR_IN_FORMATANY, csrText, string.Empty, caServer);
// React to our response response from the certificate authority.
switch (csrResponseCode)
{
case 3: // Issued.
csrResponse = CsrResponse.CR_DISP_ISSUED;
dispositionMessage = "";
return new X509Certificate2(Encoding.UTF8.GetBytes(certRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN)));
case 5: // Pending.
csrResponse = CsrResponse.CR_DISP_UNDER_SUBMISSION;
dispositionMessage = "";
return null;
default: // Failure.
csrResponse = CsrResponse.CR_DISP_FAILED;
dispositionMessage = certRequest.GetDispositionMessage();
return null;
}
}
// create a certificate for testing
// https://stackoverflow.com/q/18339706
static public X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expirationLength)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
CX509PrivateKey privateKey = new CX509PrivateKey
{
ProviderName = "Microsoft Strong Cryptographic Provider",
Length = 2048,
KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE,
KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG,
MachineContext = true,
ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
};
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now.Date;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = cert.NotBefore + expirationLength;
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return(new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
// mark private key to go into the Machine store instead of the current users store
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet
));
}
// http://stackoverflow.com/questions/13806299/how-to-create-a-self-signed-certificate-using-c
private static X509Certificate2 CreateSelfSignedCertificate(string subjectName)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = DateTime.Now;
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64);
// instantiate the target class with the PKCS#12 data (and the empty password)
return new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable
);
}
private CX509CertificateRequestCertificate CreateCertificateRequest(string publisherName)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + publisherName);
// create a new private key for the certificate
var privateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey"));
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = false;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn;
cert.NotBefore = DateTime.Now.Date.AddDays(-1);
cert.NotAfter = DateTime.Now.Date.AddYears(1);
return(cert);
}
private CX509CertificateRequestCertificate FinalizeRequest(CX509CertificateRequestCertificate cert)
{
var subDN = new CX500DistinguishedName();
subDN.Encode("CN=" + SubjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
cert.Subject = subDN;
cert.Issuer = cert.Subject;
cert.NotBefore = DateTime.Now;
cert.NotAfter = ValidUntil;
for (int i = 0; i < ExtensionsToAdd.Count; i++)
{
var ext = ExtensionsToAdd[i];
cert.X509Extensions.Add(ext);
}
var sigId = new CObjectId();
var hash = Oid.FromFriendlyName(Algorithm, OidGroup.HashAlgorithm);
sigId.InitializeFromValue(hash.Value);
cert.SignatureInformation.HashAlgorithm = sigId;
// Complete it
cert.Encode();
ExtensionsToAdd.Clear();
return(cert);
}
/// <summary>
/// Generate a self-signed certificate and add it to the Windows certificate store.
/// </summary>
/// <param name="subjectName">The subject name of the certificate.</param>
/// <param name="friendlyName">The friendly name of the certificate.</param>
/// <param name="location">Location of the certificate; either the Current User or Local Machine.</param>
/// <param name="addAsTrustedRoot">Whether to add the generated certificate as a trusted root.</param>
/// <param name="keyLength">Size of the key in bits.</param>
/// <param name="durationYears">Duration of the certificate, specified in years.</param>
/// <param name="oids">Collection of OIDs identifying certificate usage.</param>
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, string friendlyName, StoreLocation location, bool addAsTrustedRoot, int keyLength, int durationYears, List <string> oids)
{
// Create the self-signing request.
CX509CertificateRequestCertificate cert = CreateCertificateSigningRequest(subjectName, keyLength, durationYears, oids);
// Enroll based on the certificate signing request.
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(cert);
enrollment.CertificateFriendlyName = friendlyName;
string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
// Install the certificate chain. Note that no password is specified.
enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csrText, EncodingType.XCN_CRYPT_STRING_BASE64, "");
// Base-64 encode the PKCS#12 certificate in order to re-import it.
string pfx = enrollment.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
// Instantiate the PKCS#12 certificate.
X509Certificate2 certificate = new X509Certificate2(System.Convert.FromBase64String(pfx), "", X509KeyStorageFlags.Exportable);
// If specified, also install the certificate to the trusted root store.
if (addAsTrustedRoot)
{
X509Store rootStore = new X509Store(StoreName.Root, location);
rootStore.Open(OpenFlags.ReadWrite);
rootStore.Add(certificate);
rootStore.Close();
}
return(certificate);
}
/// <summary>
/// Submit a certificate signing request to a certificate authority, such as a server running Active Directory Certificate Services, and return the certificate or response.
/// </summary>
/// <param name="csr">Certificate signing request to be submitted.</param>
/// <param name="friendlyName">The friendly name of the certificate.</param>
/// <param name="caServer">The certificate authority server instance.</param>
/// <param name="csrResponse">Response from the certificate signing request, represented as a CsrResponse enum.</param>
/// <param name="dispositionMessage">Message returned when a certificate signing fails.</param>
public X509Certificate2 SubmitCertificateSigningRequest(CX509CertificateRequestCertificate csr, string friendlyName, string caServer, out CsrResponse csrResponse, out string dispositionMessage)
{
// Convert the certificate signing request to base-64..
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(csr);
enrollment.CertificateFriendlyName = friendlyName;
string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
// Submit the request to the certificate authority.
CCertRequest certRequest = new CCertRequest();
int csrResponseCode = certRequest.Submit(CR_IN_BASE64 | CR_IN_FORMATANY, csrText, string.Empty, caServer);
// React to our response response from the certificate authority.
switch (csrResponseCode)
{
case 3: // Issued.
csrResponse = CsrResponse.CR_DISP_ISSUED;
dispositionMessage = "";
return(new X509Certificate2(Encoding.UTF8.GetBytes(certRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN))));
case 5: // Pending.
csrResponse = CsrResponse.CR_DISP_UNDER_SUBMISSION;
dispositionMessage = "";
return(null);
default: // Failure.
csrResponse = CsrResponse.CR_DISP_FAILED;
dispositionMessage = certRequest.GetDispositionMessage();
return(null);
}
}
/// <summary>
/// Creates a self signed certificate given the parameters.
/// </summary>
/// <param name="subject"></param>
/// <param name="cipher"></param>
/// <param name="keysize"></param>
/// <param name="api"></param>
/// <returns></returns>
public X509Certificate2 CreateSelfSignedCertificate(CertificateSubject subject, CipherAlgorithm cipher, int keysize, WindowsApi api)
{
CX509PrivateKey privateKey = CreatePrivateKey(cipher, keysize);
CX509CertificateRequestCertificate pkcs10 = NewCertificateRequestCrc(subject, privateKey);
pkcs10.Issuer = pkcs10.Subject;
pkcs10.NotBefore = DateTime.Now.AddDays(-1);
pkcs10.NotAfter = DateTime.Now.AddYears(20);
var sigoid = new CObjectId();
var alg = new Oid("SHA256");
sigoid.InitializeFromValue(alg.Value);
pkcs10.SignatureInformation.HashAlgorithm = sigoid;
pkcs10.Encode();
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(pkcs10);
string csr = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
InstallResponseRestrictionFlags restrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate;
enrollment.InstallResponse(restrictionFlags, csr, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty);
string pwd = secret.NewSecret(16);
string pfx = enrollment.CreatePFX(pwd, PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64);
return(new X509Certificate2(Convert.FromBase64String(pfx), pwd));
}
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName)
{
//To make a certificate was used system library from CERTENROLLLib
//This lib provides methods for creation certificates in windows envinronment
//Defines the subject and issuer of the cert
CX500DistinguishedName dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
//Create a new private key for the certificate
//Was decided not to make them variably in this progr
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; //issuer for a selfsigned certificate
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; //Use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
//Use trong SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // The issuer and the subject are the same
cert.NotBefore = DateTime.Now;
cert.NotAfter = new DateTime(2018, 12, 31); // I don't think that anybody cares about using this cert longer than this period
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // Encode the certificate
// Do the final stuff
//Enroll is
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // password isn't possible
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return(new X509Certificate2(Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable, coz we want to put it into registry
X509KeyStorageFlags.Exportable));
}
public static X509Certificate2 CreateSelfSignedCertificate(string issuer, string name)
{
try
{
// create a DN for issuer and subject
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + issuer, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a private key for the certificate
var privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage (look at MSDN for a list of possible OIDs)
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Issuer = dn;
cert.Subject = dn;
cert.NotBefore = DateTime.Now;
cert.NotAfter = DateTime.Now.AddYears(1); // 1 year expiration
cert.X509Extensions.Add((CX509Extension)eku);
cert.HashAlgorithm = hashobj;
cert.Encode();
// do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert);
enroll.CertificateFriendlyName = name;
string csr = enroll.CreateRequest();
// output a base64 encoded PKCS#12
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");
var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
// return the certificate
return(new X509Certificate2(Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable));
}
catch (Exception exc)
{
Trace.TraceError("Failed to create a self-signed certificate ({0})", exc);
throw;
}
}
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, DateTime startDate, DateTime endDate, String password)
{
// Create DistinguishedName for subject and issuer
var name = new CX500DistinguishedName();
name.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Create a new Private Key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider";
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.Length = 2048;
privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)";
privateKey.MachineContext = true;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.Create();
// Define the hashing algorithm
var serverauthoid = new CObjectId();
serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server Authentication
var ekuoids = new CObjectIds();
ekuoids.Add(serverauthoid);
var ekuext = new CX509ExtensionEnhancedKeyUsage();
ekuext.InitializeEncode(ekuoids);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, String.Empty);
cert.Subject = name;
cert.Issuer = cert.Subject;
cert.NotBefore = startDate;
cert.NotAfter = endDate;
cert.X509Extensions.Add((CX509Extension)ekuext);
cert.Encode();
// Enroll the certificate
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert);
string certData = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER);
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
certData, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, String.Empty);
var base64encoded = enroll.CreatePFX(password, PFXExportOptions.PFXExportChainWithRoot);
// Instantiate the target class with the PKCS#12 data
return(new X509Certificate2(
System.Convert.FromBase64String(base64encoded), password,
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable));
}
private void AddBasicConstraints(CX509CertificateRequestCertificate cert)
{
// Add basic constraints
var bc = new CX509ExtensionBasicConstraints();
bc.InitializeEncode(false, 0);
bc.Critical = true;
cert.X509Extensions.Add((CX509Extension)bc);
}
private void AddKeyUsage(CX509CertificateRequestCertificate cert)
{
// Add key usage
var ku = new CX509ExtensionKeyUsage();
ku.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);
ku.Critical = false;
cert.X509Extensions.Add((CX509Extension)ku);
}
public X509Certificate2 GenerateCertificate()
{
SetEnhancedUsages();
SetKeyUsages();
SetBasicConstraints();
CX509CertificateRequestCertificate certReq = CreateRequest();
certReq = FinalizeRequest(certReq);
X509Certificate2 cert = CreateNewCertificate(certReq);
return(cert);
}
private X509Certificate2 CreateNewCertificate(CX509CertificateRequestCertificate cert)
{
var enr = new CX509Enrollment
{
CertificateFriendlyName = FriendlyName
};
enr.InitializeFromRequest(cert);
string endCert = enr.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
enr.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, endCert, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty);
byte[] certBytes = Convert.FromBase64String(endCert);
return(new X509Certificate2(certBytes));
}
private void AddExtendedKeyUsage(CX509CertificateRequestCertificate cert)
{
// Add extended key usage
var eku = new CX509ExtensionEnhancedKeyUsage();
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.3");
eku.InitializeEncode(new CObjectIds()
{
oid
});
eku.Critical = true;
cert.X509Extensions.Add((CX509Extension)eku);
}
private CX509CertificateRequestCertificate NewCertificateRequestCrc(CertificateSubject subject, CX509PrivateKey privateKey)
{
CX509CertificateRequestCertificate crc = new CX509CertificateRequestCertificate();
crc.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
crc.X509Extensions.Add(GetQualifiedSan(subject.SubjectAlternativeName));
crc.X509Extensions.Add(GetKeyUsage());
crc.Subject = GetEncodedSubject(subject);
return(crc);
}
public X509Certificate2 GenerateNewCert(string subject, string friendlyName, DateTime validUntil,
Algorithm hash, int keyLength)
{
if (ExtensionsToAdd == null)
{
ExtensionsToAdd = new List <CX509Extension>();
}
SetEnhancedUsages();
SetKeyUsages();
SetBasicConstraints();
CX509CertificateRequestCertificate certReq = CreateRequest((KeyLengths)keyLength);
certReq = FinalizeRequest(certReq, subject, validUntil, hash);
X509Certificate2 cert = CreateNewCertificate(certReq, friendlyName);
ExtensionsToAdd.Clear();
return(cert);
}
private CX509CertificateRequestCertificate CreateRequest(KeyLengths keyLength)
{
var pk = new CX509PrivateKey
{
ProviderName = provName
};
var algId = new CObjectId();
var algVal = Oid.FromFriendlyName("RSA", OidGroup.PublicKeyAlgorithm);
algId.InitializeFromValue(algVal.Value);
pk.Algorithm = algId;
pk.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // If this value is anything other KEYEXCHANGE, the certificate cannot be used for decrypting content.
pk.Length = (int)keyLength;
pk.MachineContext = true;
pk.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
pk.Create();
var req = new CX509CertificateRequestCertificate();
var useCtx = (X509CertificateEnrollmentContext)StoreLocation.LocalMachine;
req.InitializeFromPrivateKey(useCtx, pk, string.Empty);
return(req);
}
private CX509CertificateRequestCertificate CreateRequest()
{
var pk = new CX509PrivateKey
{
ProviderName = provName
};
var algId = new CObjectId();
var algVal = Oid.FromFriendlyName("RSA", OidGroup.PublicKeyAlgorithm);
algId.InitializeFromValue(algVal.Value);
pk.Algorithm = algId;
pk.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
pk.Length = KeyLength;
pk.MachineContext = MachineContext;
pk.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
pk.Create();
var req = new CX509CertificateRequestCertificate();
var useCtx = (X509CertificateEnrollmentContext)Store;
req.InitializeFromPrivateKey(useCtx, pk, string.Empty);
return(req);
}
/// <summary>
/// Generates a certificate signing request for use with Xbox Live.
/// </summary>
public string GenerateCertRequest()
{
this.EnsureAdmin();
CX509CertificateRequestCertificate certRequest = new CX509CertificateRequestCertificate();
certRequest.Initialize(X509CertificateEnrollmentContext.ContextMachine);
certRequest.PrivateKey.Length = 2048;
certRequest.PrivateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
certRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
CX500DistinguishedName subject = new CX500DistinguishedName();
subject.Encode("CN=NOT USED");
certRequest.Subject = subject;
CX509Enrollment enroll = new CX509Enrollment();
enroll.InitializeFromRequest(certRequest);
enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER);
this.privateKey = certRequest.PrivateKey.Export("PRIVATEBLOB", EncodingType.XCN_CRYPT_STRING_BASE64).ToSecureString();
return(certRequest.PrivateKey.Export("PUBLICBLOB", EncodingType.XCN_CRYPT_STRING_BASE64 | EncodingType.XCN_CRYPT_STRING_NOCRLF));
}
/// <summary>
/// Certificate constructor to intialize objects and values required to create a certificate
/// </summary>
public Certificate()
{
try
{
// Create objects required
objCertRequest = new CX509CertificateRequestCertificate();
objCSP = new CCspInformation();
objCSPs = new CCspInformations();
objDN = new CX500DistinguishedName();
objEnroll = new CX509Enrollment();
objObjectId = new CObjectId();
objPrivateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey"));
// Friendly name
this.FriendlyName = "";
// Set default values. Refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374846(v=vs.85).aspx
this.CryptographicProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
this.KeySize = 2048;
// Use key for encryption
this.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
// The key can be used for decryption
this.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG;
// Create for user and not machine
this.MachineContext = false;
// Default to expire in 1 year
this.ExpirationLengthInDays = 365;
// Let th private key be exported in plain text
this.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
// This is intended for a computer
this.EnrollmentContextMachine = X509CertificateEnrollmentContext.ContextUser;
// Use a hasing algorithm
this.ObjectIdGroupId = ObjectIdGroupId. XCN_CRYPT_HASH_ALG_OID_GROUP_ID;
this.ObjectIdPublicKeyFlags = ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY;
this.AlgorithmFlags = AlgorithmFlags.AlgorithmFlagsNone;
// Use SHA-2 with 512 bits
this.AlgorithmName = "SHA512";
this.EncodingType = EncodingType.XCN_CRYPT_STRING_BASE64;
// Allow untrusted certificate to be installed
this.InstallResponseRestrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate;
// No password set
this.Password = null;
// Enable key to be exported, keep the machine set, and persist the key set
// https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx
this.ExportableFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
}
catch (Exception ex)
{
throw ex;
}
}
/// <summary>
/// Create a certificate signing request.
/// </summary>
/// <param name="subjectName">The subject name of the certificate.</param>
/// <param name="keyLength">Size of the key in bits.</param>
/// <param name="durationYears">Duration of the certificate, specified in years.</param>
/// <param name="oids">Collection of OIDs identifying certificate usage.</param>
public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List <string> oids)
{
// Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc..
if (subjectName.IndexOf("=") < 0)
{
subjectName = "CN=" + subjectName;
}
// Generate a distinguished name.
CX500DistinguishedName distinguishedName = new CX500DistinguishedName();
distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Generate a private key.
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.Length = keyLength;
privateKey.MachineContext = true;
privateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
privateKey.Create();
// Use the SHA-512 hashing algorithm.
CObjectId hashAlgorithm = new CObjectId();
hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Load the OIDs passed in and specify enhanced key usages.
CObjectIds oidCollection = new CObjectIds();
foreach (string oidID in oids)
{
CObjectId oid = new CObjectId();
oid.InitializeFromValue(oidID);
oidCollection.Add(oid);
}
CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);
CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage();
enhancedKeyUsages.InitializeEncode(oidCollection);
string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=") + 1);
CAlternativeName sanAlternateName = new CAlternativeName();
sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName);
CAlternativeNames sanAlternativeNames = new CAlternativeNames();
sanAlternativeNames.Add(sanAlternateName);
CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames();
alternativeNamesExtension.InitializeEncode(sanAlternativeNames);
CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();
smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);
// Create the self-signing request.
CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = distinguishedName;
cert.Issuer = distinguishedName;
cert.NotBefore = DateTime.Now;
cert.NotAfter = DateTime.Now.AddYears(1);
cert.X509Extensions.Add((CX509Extension)keyUsage);
cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages);
cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension);
cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
cert.HashAlgorithm = hashAlgorithm;
cert.Encode();
return(cert);
}
/// <summary>
/// Create a certificate signing request.
/// </summary>
/// <param name="subjectName">The subject name of the certificate.</param>
/// <param name="keyLength">Size of the key in bits.</param>
/// <param name="durationYears">Duration of the certificate, specified in years.</param>
/// <param name="oids">Collection of OIDs identifying certificate usage.</param>
public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List<string> oids)
{
// Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc..
if (subjectName.IndexOf("=") < 0)
subjectName = "CN=" + subjectName;
// Generate a distinguished name.
CX500DistinguishedName distinguishedName = new CX500DistinguishedName();
distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Generate a private key.
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.Length = keyLength;
privateKey.MachineContext = true;
privateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
privateKey.Create();
// Use the SHA-512 hashing algorithm.
CObjectId hashAlgorithm = new CObjectId();
hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Load the OIDs passed in and specify enhanced key usages.
CObjectIds oidCollection = new CObjectIds();
foreach (string oidID in oids)
{
CObjectId oid = new CObjectId();
oid.InitializeFromValue(oidID);
oidCollection.Add(oid);
}
CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);
CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage();
enhancedKeyUsages.InitializeEncode(oidCollection);
string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=") + 1);
CAlternativeName sanAlternateName = new CAlternativeName();
sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName);
CAlternativeNames sanAlternativeNames = new CAlternativeNames();
sanAlternativeNames.Add(sanAlternateName);
CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames();
alternativeNamesExtension.InitializeEncode(sanAlternativeNames);
CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();
smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);
// Create the self-signing request.
CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = distinguishedName;
cert.Issuer = distinguishedName;
cert.NotBefore = DateTime.Now;
cert.NotAfter = DateTime.Now.AddYears(1);
cert.X509Extensions.Add((CX509Extension)keyUsage);
cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages);
cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension);
cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
cert.HashAlgorithm = hashAlgorithm;
cert.Encode();
return cert;
}
private static string CreateCertContent(string cn, TimeSpan expirationLength, string pwd)
{
var base64encoded = string.Empty;
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + cn, X500NameFlags.XCN_CERT_NAME_STR_NONE);
var privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Strong Cryptographic Provider";
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG |
X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG;
privateKey.MachineContext = true;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now.Date;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = cert.NotBefore + expirationLength;
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = cn; // Optional: add a friendly name
var csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, pwd); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
base64encoded = enroll.CreatePFX(pwd, // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
return base64encoded;
}
public static X509Certificate2 CreateCertificate(string certSubject, bool isCA)
{
string CAsubject = certSubject;
CX500DistinguishedName dn = new CX500DistinguishedName();
dn.Encode("CN=" + CAsubject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
string strRfc822Name = certSubject;
CAlternativeName objRfc822Name = new CAlternativeName();
CAlternativeNames objAlternativeNames = new CAlternativeNames();
CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();
// Set Alternative RFC822 Name
objRfc822Name.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, strRfc822Name);
// Set Alternative Names
objAlternativeNames.Add(objRfc822Name);
objExtensionAlternativeNames.InitializeEncode(objAlternativeNames);
//objPkcs10.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
//Issuer Property for cleanup
string issuer = "__Interceptor_Trusted_Root";
CX500DistinguishedName issuerdn = new CX500DistinguishedName();
issuerdn.Encode("CN=" + issuer, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Create a new Private Key
CX509PrivateKey key = new CX509PrivateKey();
key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"; //"Microsoft Enhanced Cryptographic Provider v1.0"
// Set CAcert to 1 to be used for Signature
if (isCA)
{
key.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
}
else
{
key.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
}
key.Length = 2048;
key.MachineContext = true;
key.Create();
// Create Attributes
//var serverauthoid = new X509Enrollment.CObjectId();
CObjectId serverauthoid = new CObjectId();
serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1");
CObjectIds ekuoids = new CObjectIds();
ekuoids.Add(serverauthoid);
CX509ExtensionEnhancedKeyUsage ekuext = new CX509ExtensionEnhancedKeyUsage();
ekuext.InitializeEncode(ekuoids);
CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, key, "");
cert.Subject = dn;
cert.Issuer = issuerdn;
cert.NotBefore = (DateTime.Now).AddDays(-1); //Backup One day to Avoid Timing Issues
cert.NotAfter = cert.NotBefore.AddDays(90); //Arbitrary... Change to persist longer...
//Use Sha256
CObjectId hashAlgorithmObject = new CObjectId();
hashAlgorithmObject.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, 0, 0, "SHA256");
cert.HashAlgorithm = hashAlgorithmObject;
cert.X509Extensions.Add((CX509Extension)ekuext);
cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
//https://blogs.msdn.microsoft.com/alejacma/2011/11/07/how-to-add-subject-alternative-name-to-your-certificate-requests-c/
if (isCA)
{
CX509ExtensionBasicConstraints basicConst = new CX509ExtensionBasicConstraints();
basicConst.InitializeEncode(true, 1);
cert.X509Extensions.Add((CX509Extension)basicConst);
}
else
{
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection signer = store.Certificates.Find(X509FindType.FindBySubjectName, "__Interceptor_Trusted_Root", false);
CSignerCertificate signerCertificate = new CSignerCertificate();
signerCertificate.Initialize(true, 0, EncodingType.XCN_CRYPT_STRING_HEX, signer[0].Thumbprint);
cert.SignerCertificate = signerCertificate;
}
cert.Encode();
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(cert);
string certdata = enrollment.CreateRequest(0);
enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, certdata, 0, "");
if (isCA)
{
//Install CA Root Certificate
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certList = store.Certificates.Find(X509FindType.FindBySubjectName, "__Interceptor_Trusted_Root", false);
store.Close();
X509Store rootStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
rootStore.Open(OpenFlags.ReadWrite);
X509Certificate2Collection rootcertList = rootStore.Certificates.Find(X509FindType.FindBySubjectName, "__Interceptor_Trusted_Root", false);
rootStore.Add(certList[0]);
rootStore.Close();
return(certList[0]);
}
else
{
//Return Per Domain Cert
X509Store xstore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
xstore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certList = xstore.Certificates.Find(X509FindType.FindBySubjectName, certSubject, false);
xstore.Close();
return(certList[0]);
}
}
// https://github.com/asafga-gsr-it/CertIntegration/blob/master/CertificateAdmin/CertificateAdmin/obj/Release/Package/PackageTmp/Certificate.cs
// https://www.sysadmins.lv/blog-en/introducing-to-certificate-enrollment-apis-part-2-creating-offline-requests.aspx
/*
* public static X509Certificate2 CreateSelfSignedCA(string subjectName, DateTime notAfterUtc, bool machineContext)
* {
* // create DN for subject and issuer
* var dn = new CX500DistinguishedName();
* dn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);
*
* // create a new private key for the certificate
* CX509PrivateKey privateKey = new CX509PrivateKey();
* privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
* privateKey.MachineContext = machineContext;
* privateKey.Length = 2048;
* privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
* privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
* privateKey.Create();
*
* var hashobj = new CObjectId();
* hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
* ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
* AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); // https://docs.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers
*
* CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
* keyUsage.InitializeEncode(
* CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
* CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE |
* CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE |
* CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE);
*
* CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();
* bc.InitializeEncode(true, -1); // None
* bc.Critical = true;
*
* // add extended key usage if you want - look at MSDN for a list of possible OIDs
* var oid = new CObjectId();
* oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server Authentication
* var oidlist = new CObjectIds();
* oidlist.Add(oid);
* var eku = new CX509ExtensionEnhancedKeyUsage();
* eku.InitializeEncode(oidlist);
*
* // Create the self signing request
* var cert = new CX509CertificateRequestCertificate();
*
* cert.InitializeFromPrivateKey(machineContext ? X509CertificateEnrollmentContext.ContextMachine: X509CertificateEnrollmentContext.ContextUser, privateKey, "");
* cert.Subject = cert.Issuer = dn; // the issuer and the subject are the same
* cert.NotBefore = DateTime.UtcNow.AddDays(-1);
* cert.NotAfter = notAfterUtc;
* cert.X509Extensions.Add((CX509Extension)keyUsage);
* cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
* cert.X509Extensions.Add((CX509Extension)bc);
* cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
* cert.Encode(); // encode the certificate
*
* // Do the final enrollment process
* var enroll = new CX509Enrollment();
* enroll.InitializeFromRequest(cert); // load the certificate
* enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
* string csr = enroll.CreateRequest(); // Output the request in base64
*
* // install to MY store
* enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
*
* // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
* var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
* PFXExportOptions.PFXExportChainWithRoot);
*
* // instantiate the target class with the PKCS#12 data (and the empty password)
* var x509Certificate2 = new X509Certificate2(
* System.Convert.FromBase64String(base64encoded), "",
* // mark the private key as exportable (this is usually what you want to do)
* X509KeyStorageFlags.Exportable
* );
*
* X509Store rootStore = null;
* try
* {
* rootStore = new X509Store(StoreName.Root, machineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
* rootStore.Open(OpenFlags.ReadWrite);
* // install to CA store
* var crtPub = new X509Certificate2(x509Certificate2) { PrivateKey = null };
* rootStore.Add(crtPub);
* crtPub.Reset();
* }
* catch
* {
* // ignore when adding to trust root failed
* }
* finally
* {
* rootStore?.Close();
* }
*
* return x509Certificate2;
* }
*/
public static X509Certificate2 CreateCertificate(string subjectName, string hostname, DateTime notAfterUtc, X509Certificate issuer, bool machineContext)
{
CSignerCertificate signerCertificate = new CSignerCertificate();
signerCertificate.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = machineContext;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
keyUsage.InitializeEncode(
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);
CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();
bc.InitializeEncode(false, 0);
bc.Critical = false;
// SAN
CX509ExtensionAlternativeNames san = null;
if (!string.IsNullOrEmpty(hostname))
{
CAlternativeNames ians;
if (IPAddress.TryParse(hostname, out var ip))
{
var ian = new CAlternativeName();
ian.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(ip.GetAddressBytes()));
ians = new CAlternativeNames {
ian
};
}
else
{
var ian = new CAlternativeName();
ian.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, hostname);
var ianStar = new CAlternativeName();
ianStar.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "*." + hostname); // wildcard
ians = new CAlternativeNames {
ian, ianStar
};
}
san = new CX509ExtensionAlternativeNames();
san.InitializeEncode(ians);
}
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
var dnIssuer = new CX500DistinguishedName();
dnIssuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(machineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser, privateKey, "");
cert.Subject = dn;
cert.Issuer = dnIssuer;
cert.SignerCertificate = signerCertificate;
cert.NotBefore = DateTime.UtcNow.AddDays(-1);
cert.NotAfter = notAfterUtc;
cert.X509Extensions.Add((CX509Extension)keyUsage);
cert.X509Extensions.Add((CX509Extension)eku); // EnhancedKeyUsage
cert.X509Extensions.Add((CX509Extension)bc); // ExtensionBasicConstraints
if (san != null)
{
cert.X509Extensions.Add((CX509Extension)san); // SAN
}
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
//enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
var x509Certificate2 = new X509Certificate2(
Convert.FromBase64String(base64encoded), "",
X509KeyStorageFlags.Exportable); // mark the private key as exportable (this is usually what you want to do)
return(x509Certificate2);
}
/// <summary>
/// Add Reference: COM > TypeLibraries > CertEnroll 1.0 Type Library
/// </summary>
/// <param name="subjectName"></param>
/// <returns></returns>
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expiresIn)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = DateTime.Now.Add(expiresIn);
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return(new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable
));
}
public static X509Certificate2 CreateCertificate(Certificate crt)
{
bool isCA = !crt.SignByCertificateAuthority;
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode(GetEncodedDistinguishedName(crt), X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey
{
ProviderName = "Microsoft Base Cryptographic Provider v1.0",
MachineContext = crt.MachineContext,
Length = crt.KeyLength,
KeySpec = X509KeySpec.XCN_AT_SIGNATURE, // use is not limited
ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
};
privateKey.Create();
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, crt.DigestAlgorithm);
CERTENROLLLib.X509KeyUsageFlags x509KeyUsageFlags;
CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();
if (isCA)
{
x509KeyUsageFlags =
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE;
bc.InitializeEncode(true, -1);
bc.Critical = true;
}
else
{
x509KeyUsageFlags =
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE;
if (crt.CertificateType == CertificateType.ClientCertificate)
{
x509KeyUsageFlags |= CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE;
}
if (crt.CertificateType == CertificateType.ServerCertificate)
{
x509KeyUsageFlags |= CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE;
}
bc.InitializeEncode(false, -1);
bc.Critical = false;
}
CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
keyUsage.InitializeEncode(x509KeyUsageFlags);
keyUsage.Critical = false;
// SAN
var canList = new List <CAlternativeName>();
foreach (var sanItem in crt.SANList)
{
if (!string.IsNullOrWhiteSpace(sanItem.Value))
{
var can = new CAlternativeName();
switch (sanItem.Type)
{
case Certificate.SANType.DNS:
can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, sanItem.Value);
break;
case Certificate.SANType.IP:
can.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS, EncodingType.XCN_CRYPT_STRING_BASE64,
Convert.ToBase64String(IPAddress.Parse(sanItem.Value).GetAddressBytes()));
break;
case Certificate.SANType.URI:
can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_URL, sanItem.Value);
break;
case Certificate.SANType.email:
can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanItem.Value);
break;
}
canList.Add(can);
}
}
CX509ExtensionAlternativeNames san = null;
if (canList.Any())
{
san = new CX509ExtensionAlternativeNames();
var cans = new CAlternativeNames();
foreach (var item in canList)
{
cans.Add(item);
}
san.InitializeEncode(cans);
}
CX509ExtensionEnhancedKeyUsage eku = null;
if (crt.CertificateType != CertificateType.None)
{
const string XCN_OID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
const string XCN_OID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
var oid = new CObjectId();
if (crt.CertificateType == CertificateType.ServerCertificate)
{
oid.InitializeFromValue(XCN_OID_PKIX_KP_SERVER_AUTH);
}
if (crt.CertificateType == CertificateType.ClientCertificate)
{
oid.InitializeFromValue(XCN_OID_PKIX_KP_CLIENT_AUTH);
}
var oidlist = new CObjectIds();
oidlist.Add(oid);
eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
}
// Create the self signing request
var cereq = new CX509CertificateRequestCertificate();
cereq.InitializeFromPrivateKey(crt.MachineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser, privateKey, "");
cereq.Subject = dn;
cereq.Issuer = dn;
cereq.NotBefore = DateTime.UtcNow.AddDays(-1);
cereq.NotAfter = DateTime.UtcNow.AddDays(crt.Lifetime.Value);
if (crt.SignByCertificateAuthority)
{
var issuer = MyCurrentUserX509Store.Certificates
.Find(X509FindType.FindByThumbprint, crt.CertificateAuthority, false)
.OfType <X509Certificate2>()
.Where(c => c.HasPrivateKey).FirstOrDefault() ?? throw new Exception("Issuer not found: " + crt.CertificateAuthority);
cereq.SignerCertificate = new CSignerCertificate();
cereq.SignerCertificate.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());
cereq.Issuer = new CX500DistinguishedName();
cereq.Issuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
}
cereq.X509Extensions.Add((CX509Extension)keyUsage);
if (eku != null)
{
cereq.X509Extensions.Add((CX509Extension)eku); // EnhancedKeyUsage
}
if (bc != null)
{
cereq.X509Extensions.Add((CX509Extension)bc); // ExtensionBasicConstraints
}
if (san != null)
{
cereq.X509Extensions.Add((CX509Extension)san); // SAN
}
cereq.HashAlgorithm = hashobj; // Specify the hashing algorithm
cereq.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cereq); // load the certificate
//enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
var x509Certificate2 = new X509Certificate2(
Convert.FromBase64String(base64encoded), "",
X509KeyStorageFlags.Exportable); // mark the private key as exportable (this is usually what you want to do)
if (isCA)
{
X509Store rootStore = null;
try
{
rootStore = new X509Store(StoreName.Root, crt.MachineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
rootStore.Open(OpenFlags.ReadWrite);
// install to CA store
var crtPub = new X509Certificate2(x509Certificate2)
{
PrivateKey = null
};
rootStore.Add(crtPub);
crtPub.Reset();
}
catch
{
// ignore when adding to trust root failed
}
finally
{
rootStore?.Close();
}
}
crt.Value = x509Certificate2;
return(x509Certificate2);
}
/// <summary>
/// Certificate constructor to intialize objects and values required to create a certificate
/// </summary>
public Certificate()
{
try
{
// Create objects required
objCertRequest = new CX509CertificateRequestCertificate();
objCSP = new CCspInformation();
objCSPs = new CCspInformations();
objDN = new CX500DistinguishedName();
objEnroll = new CX509Enrollment();
objObjectId = new CObjectId();
objPrivateKey = (CX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey"));
// Friendly name
this.FriendlyName = "";
// Set default values. Refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374846(v=vs.85).aspx
this.CryptographicProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
this.KeySize = 2048;
// Use key for encryption
this.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
// The key can be used for decryption
this.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG;
// Create for user and not machine
this.MachineContext = false;
// Default to expire in 1 year
this.ExpirationLengthInDays = 365;
// Let th private key be exported in plain text
this.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
// This is intended for a computer
this.EnrollmentContextMachine = X509CertificateEnrollmentContext.ContextUser;
// Use a hasing algorithm
this.ObjectIdGroupId = ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID;
this.ObjectIdPublicKeyFlags = ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY;
this.AlgorithmFlags = AlgorithmFlags.AlgorithmFlagsNone;
// Use SHA-2 with 512 bits
this.AlgorithmName = "SHA512";
this.EncodingType = EncodingType.XCN_CRYPT_STRING_BASE64;
// Allow untrusted certificate to be installed
this.InstallResponseRestrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate;
// No password set
this.Password = null;
// Enable key to be exported, keep the machine set, and persist the key set
// https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx
this.ExportableFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
}
catch (Exception ex)
{
throw ex;
}
}
private static string CreateCertContent(string cn, TimeSpan expirationLength, string pwd)
{
string base64encoded = string.Empty;
var dn = new CERTENROLLLib.CX500DistinguishedName();
dn.Encode("CN=" + cn, X500NameFlags.XCN_CERT_NAME_STR_NONE);
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Strong Cryptographic Provider";
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG |
X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG;
privateKey.MachineContext = true;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now.Date;
var objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();
{
var altNames = new CAlternativeNames();
//var dnsHostname = new CAlternativeName();
//dnsHostname.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, Environment.MachineName);
//altNames.Add(dnsHostname);
//foreach (var ipAddress in Dns.GetHostAddresses(Dns.GetHostName()))
//{
// if ((ipAddress.AddressFamily == AddressFamily.InterNetwork ||
// ipAddress.AddressFamily == AddressFamily.InterNetworkV6) && !IPAddress.IsLoopback(ipAddress))
// {
// var dns = new CAlternativeName();
// dns.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, ipAddress.ToString());
// altNames.Add(dns);
// }
//}
var dns1 = new CAlternativeName();
dns1.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "localhost");
altNames.Add(dns1);
objExtensionAlternativeNames.InitializeEncode(altNames);
}
cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = cert.NotBefore + expirationLength;
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = cn; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, pwd); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
base64encoded = enroll.CreatePFX(pwd, // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
return(base64encoded);
}
public SelfSignedCertificateRequest()
{
Request =
new CX509CertificateRequestCertificate();
}
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName)
{
var distinguishedName = new CX500DistinguishedName();
distinguishedName.Encode(
"CN=" + subjectName,
X500NameFlags.XCN_CERT_NAME_STR_NONE);
CCspInformations objCSPs = new CCspInformations();
CCspInformation objCSP = new CCspInformation();
objCSP.InitializeFromName(
"Microsoft Enhanced RSA and AES Cryptographic Provider");
objCSPs.Add(objCSP);
// Build the private key
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.MachineContext = false;
privateKey.Length = 2048;
privateKey.CspInformations = objCSPs;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
// Create the private key in the CSP's protected storage
privateKey.Create();
// Build the algorithm identifier
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(
ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone,
"SHA256");
// Create the self-signing request from the private key
var certificateRequest = new CX509CertificateRequestCertificate();
certificateRequest.InitializeFromPrivateKey(
X509CertificateEnrollmentContext.ContextUser,
privateKey,
string.Empty);
certificateRequest.Subject = distinguishedName;
certificateRequest.Issuer = distinguishedName;
certificateRequest.NotBefore = DateTime.Now.AddDays(-1);
certificateRequest.NotAfter = DateTime.Now.AddYears(100);
certificateRequest.HashAlgorithm = hashobj;
certificateRequest.Encode();
var enrollment = new CX509Enrollment();
// Load the certificate request
enrollment.InitializeFromRequest(certificateRequest);
enrollment.CertificateFriendlyName = subjectName;
// Output the request in base64 and install it back as the response
string csr = enrollment.CreateRequest();
// Install the response
enrollment.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr,
EncodingType.XCN_CRYPT_STRING_BASE64,
string.Empty);
// Get the new certificate without the private key
byte[] certificateData = Convert.FromBase64String(enrollment.Certificate);
return(new X509Certificate2(certificateData));
}
/// <summary>
/// CreateSelfSignedCertificate method implementation
/// </summary>
private static string InternalCreateSelfSignedCertificate(string subjectName, int years)
{
var dn = new CX500DistinguishedName();
var neos = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
neos.Encode("CN=MFA RSA Keys Certificate", X500NameFlags.XCN_CERT_NAME_STR_NONE);
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_ARCHIVING_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG;
privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)";
privateKey.Create();
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var coid = new CObjectId();
coid.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // Client auth
oidlist.Add(coid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextAdministratorForceMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = neos;
cert.NotBefore = DateTime.Now.AddDays(-10);
cert.NotAfter = DateTime.Now.AddYears(years);
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
return(base64encoded);
}
private static StoreName store = StoreName.My; // Store as a personal certificate
private static X509Certificate2 CreateSelfSignedCertificate(string Operator, string SiteId, int SeqNo, bool isServerCert, string SAN)
{
// Create a custom subject name & friendly name
string distName = $"CN={FriendlyName.ToLower()}_{SiteId}_{SeqNo}, OU={Operator}_{SiteId}, O={Operator}, C=GB";
// create DN for subject and issuer
// var dn = new X500DistinguishedName(distName);
// dn.Encode(distName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
var dn = new CX500DistinguishedName();
dn.Encode(distName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
//CX509PrivateKey privateKey = new CX509PrivateKey();
//var privateKey = new CX509PrivateKey();
var typeName = "X509Enrollment.CX509PrivateKey";
var type = Type.GetTypeFromProgID(typeName);
if (type == null)
{
throw new Exception(typeName + " is not available on your system: 0x80040154 (REGDB_E_CLASSNOTREG)");
}
var privateKey = Activator.CreateInstance(type) as IX509PrivateKey;
if (privateKey == null)
{
throw new Exception("Your certlib does not know an implementation of " + typeName +
" (in HKLM:\\SOFTWARE\\Classes\\Interface\\)!");
}
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
// privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
// oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
if (isServerCert)
{
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL Server
}
else
{
oid.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // SSL client
}
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
if (!string.IsNullOrEmpty(SAN))
{
CAlternativeName objRfc822Name = new CAlternativeName();
CAlternativeNames objAlternativeNames = new CAlternativeNames();
CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();
// Set Alternative RFC822 Name
objRfc822Name.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, SAN);
// Set Alternative Names
objAlternativeNames.Add(objRfc822Name);
objExtensionAlternativeNames.InitializeEncode(objAlternativeNames);
cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
}
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Today;
cert.NotAfter = DateTime.Today.AddYears(10); // expire in 10 years time
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = FriendlyName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
X509Certificate2 newCert = new X509Certificate2(System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable
// Ensure the machine key is created and retained
// http://stackoverflow.com/questions/425688/how-to-set-read-permission-on-the-private-key-file-of-x-509-certificate-from-ne
| X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
return(newCert);
}
