public string CreateRequest(string cn, string ou, string o, string l, string s, string c, string oid, int keylength) { var objCSPs = new CCspInformations(); objCSPs.AddAvailableCsps(); var objPrivateKey = new CX509PrivateKey(); objPrivateKey.Length = keylength; objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379409(v=vs.85).aspx objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379417(v=vs.85).aspx objPrivateKey.MachineContext = false; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379024(v=vs.85).aspx objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379412(v=vs.85).aspx objPrivateKey.CspInformations = objCSPs; objPrivateKey.Create(); var objPkcs10 = new CX509CertificateRequestPkcs10(); objPkcs10.InitializeFromPrivateKey( X509CertificateEnrollmentContext.ContextUser, //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379399(v=vs.85).aspx objPrivateKey, string.Empty); var objExtensionKeyUsage = new CX509ExtensionKeyUsage(); objExtensionKeyUsage.InitializeEncode( CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE | // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE); // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage); var objObjectId = new CObjectId(); var objObjectIds = new CObjectIds(); var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage(); //objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1"); objObjectId.InitializeFromValue(oid); //Some info about OIDS: http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html objObjectIds.Add(objObjectId); objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds); objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage); // TODO: Create CERTS with SAN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378081(v=vs.85).aspx /* var test3 = new CX509ExtensionAlternativeNames(); var test4 = new CAlternativeName(); var test2 = new CAlternativeNames(); test4.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME,"CRAP.no"); test2.Add(test4); test3.InitializeEncode(test2); */ //objPkcs10.X509Extensions.Add((CX509Extension)); var objDN = new CX500DistinguishedName(); var subjectName = "CN = " + cn + ",OU = " + ou + ",O = " + o + ",L = " + l + ",S = " + s + ",C = " + c; objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379394(v=vs.85).aspx objPkcs10.Subject = objDN; var objEnroll = new CX509Enrollment(); objEnroll.InitializeFromRequest(objPkcs10); var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //http://msdn.microsoft.com/en-us/library/windows/desktop/aa374936(v=vs.85).aspx return strRequest; }
/// <summary> /// Submit a certificate signing request to a certificate authority, such as a server running Active Directory Certificate Services, and return the certificate or response. /// </summary> /// <param name="csr">Certificate signing request to be submitted.</param> /// <param name="friendlyName">The friendly name of the certificate.</param> /// <param name="caServer">The certificate authority server instance.</param> /// <param name="csrResponse">Response from the certificate signing request, represented as a CsrResponse enum.</param> /// <param name="dispositionMessage">Message returned when a certificate signing fails.</param> public X509Certificate2 SubmitCertificateSigningRequest(CX509CertificateRequestCertificate csr, string friendlyName, string caServer, out CsrResponse csrResponse, out string dispositionMessage) { // Convert the certificate signing request to base-64.. CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(csr); enrollment.CertificateFriendlyName = friendlyName; string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Submit the request to the certificate authority. CCertRequest certRequest = new CCertRequest(); int csrResponseCode = certRequest.Submit(CR_IN_BASE64 | CR_IN_FORMATANY, csrText, string.Empty, caServer); // React to our response response from the certificate authority. switch (csrResponseCode) { case 3: // Issued. csrResponse = CsrResponse.CR_DISP_ISSUED; dispositionMessage = ""; return new X509Certificate2(Encoding.UTF8.GetBytes(certRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN))); case 5: // Pending. csrResponse = CsrResponse.CR_DISP_UNDER_SUBMISSION; dispositionMessage = ""; return null; default: // Failure. csrResponse = CsrResponse.CR_DISP_FAILED; dispositionMessage = certRequest.GetDispositionMessage(); return null; } }
/// <summary> /// Load the response from the CA -- just the signed certificate, not the signers. /// </summary> /// <param name="pem_response">Signed certificate</param> /// <returns>The full certificate</returns> public static X509Certificate2 LoadResponse(string pem_response, StoreLocation loc) { X509Certificate2 cert; CX509Enrollment objEnroll = new CX509Enrollment(); if (loc == StoreLocation.LocalMachine) { objEnroll.Initialize(X509CertificateEnrollmentContext.ContextMachine); } else { objEnroll.Initialize(X509CertificateEnrollmentContext.ContextUser); } objEnroll.InstallResponse( InstallResponseRestrictionFlags.AllowUntrustedRoot, pem_response, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, null ); string pfx_string = objEnroll.CreatePFX("dummypw", PFXExportOptions.PFXExportEEOnly, EncodingType.XCN_CRYPT_STRING_BASE64); byte[] pfx_binary_data = System.Convert.FromBase64String(pfx_string); cert = new X509Certificate2(pfx_binary_data, "dummypw", X509KeyStorageFlags.Exportable); //CreatedCert = cert; return(cert); }
private string CreateCertificate(string publisherName) { var cert = CreateCertificateRequest(publisherName); AddKeyUsage(cert); AddExtendedKeyUsage(cert); AddBasicConstraints(cert); // Specify the hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); cert.HashAlgorithm = hashobj; cert.Encode(); // Do the final enrollment process var enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(cert); // load the certificate enrollment.CertificateFriendlyName = cert.Subject.Name; var request = enrollment.CreateRequest(); enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, request, EncodingType.XCN_CRYPT_STRING_BASE64, ""); var base64Encoded = enrollment.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot); return(base64Encoded); }
/// <summary> /// Generate a self-signed certificate and add it to the Windows certificate store. /// </summary> /// <param name="subjectName">The subject name of the certificate.</param> /// <param name="friendlyName">The friendly name of the certificate.</param> /// <param name="location">Location of the certificate; either the Current User or Local Machine.</param> /// <param name="addAsTrustedRoot">Whether to add the generated certificate as a trusted root.</param> /// <param name="keyLength">Size of the key in bits.</param> /// <param name="durationYears">Duration of the certificate, specified in years.</param> /// <param name="oids">Collection of OIDs identifying certificate usage.</param> public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, string friendlyName, StoreLocation location, bool addAsTrustedRoot, int keyLength, int durationYears, List <string> oids) { // Create the self-signing request. CX509CertificateRequestCertificate cert = CreateCertificateSigningRequest(subjectName, keyLength, durationYears, oids); // Enroll based on the certificate signing request. CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(cert); enrollment.CertificateFriendlyName = friendlyName; string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Install the certificate chain. Note that no password is specified. enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csrText, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // Base-64 encode the PKCS#12 certificate in order to re-import it. string pfx = enrollment.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot); // Instantiate the PKCS#12 certificate. X509Certificate2 certificate = new X509Certificate2(System.Convert.FromBase64String(pfx), "", X509KeyStorageFlags.Exportable); // If specified, also install the certificate to the trusted root store. if (addAsTrustedRoot) { X509Store rootStore = new X509Store(StoreName.Root, location); rootStore.Open(OpenFlags.ReadWrite); rootStore.Add(certificate); rootStore.Close(); } return(certificate); }
static void Main() { CX509Enrollment enroll = new CX509Enrollment(); CX509PrivateKey pri = new CX509PrivateKey(); CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10(); CX500DistinguishedName dn = new CX500DistinguishedName(); pri.ProviderName = "eToken Base Cryptographic Provider"; pri.Length = 2048; pri.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; //pri.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG; pri.ProviderType = X509ProviderType.XCN_PROV_RSA_FULL; pri.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE; request.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, pri, ""); dn.Encode("CN=KimiNoNaWa", X500NameFlags.XCN_CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG); request.Subject = dn; enroll.InitializeFromRequest(request); string pkcs10 = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); Console.WriteLine(pkcs10); //Do Enrollment //Install certificate //enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, pkcs10, EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER, ""); }
/// <summary> /// Installs the certificate /// </summary> /// <returns></returns> public X509Certificate2 InstallCertficate() { CX509Enrollment objEnroll = new CX509Enrollment(); try { // Install the certificate objEnroll.InitializeFromRequest(objCertRequest); objEnroll.InstallResponse( this.InstallResponseRestrictionFlags, stringResponse, this.EncodingType, this.Password ); var base64encoded = objEnroll.CreatePFX(this.Password, PFXExportOptions.PFXExportChainWithRoot); return(new System.Security.Cryptography.X509Certificates.X509Certificate2( System.Convert.FromBase64String(base64encoded), this.Password, this.ExportableFlags)); } catch (Exception ex) { throw ex; } }
/// <summary> /// Submit a certificate signing request to a certificate authority, such as a server running Active Directory Certificate Services, and return the certificate or response. /// </summary> /// <param name="csr">Certificate signing request to be submitted.</param> /// <param name="friendlyName">The friendly name of the certificate.</param> /// <param name="caServer">The certificate authority server instance.</param> /// <param name="csrResponse">Response from the certificate signing request, represented as a CsrResponse enum.</param> /// <param name="dispositionMessage">Message returned when a certificate signing fails.</param> public X509Certificate2 SubmitCertificateSigningRequest(CX509CertificateRequestCertificate csr, string friendlyName, string caServer, out CsrResponse csrResponse, out string dispositionMessage) { // Convert the certificate signing request to base-64.. CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(csr); enrollment.CertificateFriendlyName = friendlyName; string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Submit the request to the certificate authority. CCertRequest certRequest = new CCertRequest(); int csrResponseCode = certRequest.Submit(CR_IN_BASE64 | CR_IN_FORMATANY, csrText, string.Empty, caServer); // React to our response response from the certificate authority. switch (csrResponseCode) { case 3: // Issued. csrResponse = CsrResponse.CR_DISP_ISSUED; dispositionMessage = ""; return(new X509Certificate2(Encoding.UTF8.GetBytes(certRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN)))); case 5: // Pending. csrResponse = CsrResponse.CR_DISP_UNDER_SUBMISSION; dispositionMessage = ""; return(null); default: // Failure. csrResponse = CsrResponse.CR_DISP_FAILED; dispositionMessage = certRequest.GetDispositionMessage(); return(null); } }
private string BuildEncodedCsr(CX509CertificateRequestPkcs10 pkcs10) { CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(pkcs10); return(enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64)); }
/// <summary> /// Creates a self signed certificate given the parameters. /// </summary> /// <param name="subject"></param> /// <param name="cipher"></param> /// <param name="keysize"></param> /// <param name="api"></param> /// <returns></returns> public X509Certificate2 CreateSelfSignedCertificate(CertificateSubject subject, CipherAlgorithm cipher, int keysize, WindowsApi api) { CX509PrivateKey privateKey = CreatePrivateKey(cipher, keysize); CX509CertificateRequestCertificate pkcs10 = NewCertificateRequestCrc(subject, privateKey); pkcs10.Issuer = pkcs10.Subject; pkcs10.NotBefore = DateTime.Now.AddDays(-1); pkcs10.NotAfter = DateTime.Now.AddYears(20); var sigoid = new CObjectId(); var alg = new Oid("SHA256"); sigoid.InitializeFromValue(alg.Value); pkcs10.SignatureInformation.HashAlgorithm = sigoid; pkcs10.Encode(); CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(pkcs10); string csr = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); InstallResponseRestrictionFlags restrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate; enrollment.InstallResponse(restrictionFlags, csr, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty); string pwd = secret.NewSecret(16); string pfx = enrollment.CreatePFX(pwd, PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64); return(new X509Certificate2(Convert.FromBase64String(pfx), pwd)); }
// create a certificate for testing // https://stackoverflow.com/q/18339706 static public X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expirationLength) { // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); CX509PrivateKey privateKey = new CX509PrivateKey { ProviderName = "Microsoft Strong Cryptographic Provider", Length = 2048, KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE, KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG, MachineContext = true, ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG }; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now.Date; // this cert expires immediately. Change to whatever makes sense for you cert.NotAfter = cert.NotBefore + expirationLength; cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) return(new System.Security.Cryptography.X509Certificates.X509Certificate2( System.Convert.FromBase64String(base64encoded), "", // mark the private key as exportable (this is usually what you want to do) // mark private key to go into the Machine store instead of the current users store X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet )); }
public static X509Certificate2 CreateSelfSignedCertificate(string issuer, string name) { try { // create a DN for issuer and subject var dn = new CX500DistinguishedName(); dn.Encode("CN=" + issuer, X500NameFlags.XCN_CERT_NAME_STR_NONE); // create a private key for the certificate var privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); // use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // add extended key usage (look at MSDN for a list of possible OIDs) var oid = new CObjectId(); oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server var oidlist = new CObjectIds(); oidlist.Add(oid); var eku = new CX509ExtensionEnhancedKeyUsage(); eku.InitializeEncode(oidlist); // create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Issuer = dn; cert.Subject = dn; cert.NotBefore = DateTime.Now; cert.NotAfter = DateTime.Now.AddYears(1); // 1 year expiration cert.X509Extensions.Add((CX509Extension)eku); cert.HashAlgorithm = hashobj; cert.Encode(); // do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); enroll.CertificateFriendlyName = name; string csr = enroll.CreateRequest(); // output a base64 encoded PKCS#12 enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot); // return the certificate return(new X509Certificate2(Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable)); } catch (Exception exc) { Trace.TraceError("Failed to create a self-signed certificate ({0})", exc); throw; } }
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName) { //To make a certificate was used system library from CERTENROLLLib //This lib provides methods for creation certificates in windows envinronment //Defines the subject and issuer of the cert CX500DistinguishedName dn = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); //Create a new private key for the certificate //Was decided not to make them variably in this progr CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; //issuer for a selfsigned certificate privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; //Use is not limited privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); //Use trong SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // The issuer and the subject are the same cert.NotBefore = DateTime.Now; cert.NotAfter = new DateTime(2018, 12, 31); // I don't think that anybody cares about using this cert longer than this period cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // Encode the certificate // Do the final stuff //Enroll is var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // password isn't possible PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) return(new X509Certificate2(Convert.FromBase64String(base64encoded), "", // mark the private key as exportable, coz we want to put it into registry X509KeyStorageFlags.Exportable)); }
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, DateTime startDate, DateTime endDate, String password) { // Create DistinguishedName for subject and issuer var name = new CX500DistinguishedName(); name.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); // Create a new Private Key for the certificate CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; privateKey.Length = 2048; privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"; privateKey.MachineContext = true; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; privateKey.Create(); // Define the hashing algorithm var serverauthoid = new CObjectId(); serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server Authentication var ekuoids = new CObjectIds(); ekuoids.Add(serverauthoid); var ekuext = new CX509ExtensionEnhancedKeyUsage(); ekuext.InitializeEncode(ekuoids); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, String.Empty); cert.Subject = name; cert.Issuer = cert.Subject; cert.NotBefore = startDate; cert.NotAfter = endDate; cert.X509Extensions.Add((CX509Extension)ekuext); cert.Encode(); // Enroll the certificate var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); string certData = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER); enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, certData, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, String.Empty); var base64encoded = enroll.CreatePFX(password, PFXExportOptions.PFXExportChainWithRoot); // Instantiate the target class with the PKCS#12 data return(new X509Certificate2( System.Convert.FromBase64String(base64encoded), password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable)); }
public void InstallResponse(string strCert, string strRequest) { // Create Objects var objEnroll = new CX509Enrollment(); // Install the cert objEnroll.Initialize(X509CertificateEnrollmentContext.ContextMachine); objEnroll.InstallResponse(InstallResponseRestrictionFlags.AllowNone, strCert, EncodingType.XCN_CRYPT_STRING_BASE64, null); }
internal static Pkcs10CertificationRequest createKeyPair() { var objCSPs = new CCspInformations(); objCSPs.AddAvailableCsps(); var objPrivateKey = new CX509PrivateKey(); objPrivateKey.Length = 1024; objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; objPrivateKey.MachineContext = false; objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; objPrivateKey.CspInformations = objCSPs; objPrivateKey.Create(); var objPkcs10 = new CX509CertificateRequestPkcs10(); objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, string.Empty); //var objExtensionKeyUsage = new CX509ExtensionKeyUsage(); //objExtensionKeyUsage.InitializeEncode( // CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE | // CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE); //objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage); //var objObjectId = new CObjectId(); //var objObjectIds = new CObjectIds(); //var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage(); //objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2"); //objObjectIds.Add(objObjectId); //objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds); //objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage); var objDN = new CX500DistinguishedName(); var subjectName = "CN = shaunxu.me, OU = ADCS, O = Blog, L = Beijng, S = Beijing, C = CN"; objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); objPkcs10.Subject = objDN; var objEnroll = new CX509Enrollment(); objEnroll.InitializeFromRequest(objPkcs10); var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); Pkcs10CertificationRequest p10 = new Pkcs10CertificationRequest(Convert.FromBase64String(strRequest)); return(p10); }
private X509Certificate2 CreateNewCertificate(CX509CertificateRequestCertificate cert) { var enr = new CX509Enrollment { CertificateFriendlyName = FriendlyName }; enr.InitializeFromRequest(cert); string endCert = enr.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); enr.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, endCert, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty); byte[] certBytes = Convert.FromBase64String(endCert); return(new X509Certificate2(certBytes)); }
protected static string GenerateCSR() { var objPrivateKey = new CX509PrivateKey(); objPrivateKey.MachineContext = false; objPrivateKey.Length = 2048; objPrivateKey.ProviderType = X509ProviderType.XCN_PROV_RSA_AES; objPrivateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; objPrivateKey.CspInformations = new CCspInformations(); objPrivateKey.CspInformations.AddAvailableCsps(); objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; objPrivateKey.Create(); var cert = new CX509CertificateRequestPkcs10(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, string.Empty); var objExtensionKeyUsage = new CX509ExtensionKeyUsage(); objExtensionKeyUsage.InitializeEncode((X509KeyUsageFlags)X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE | X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE ); cert.X509Extensions.Add((CX509Extension)objExtensionKeyUsage); var cobjectId = new CObjectId(); cobjectId.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_PKIX_KP_CLIENT_AUTH); var cobjectIds = new CObjectIds(); cobjectIds.Add(cobjectId); var pValue = cobjectIds; var cx509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage(); cx509ExtensionEnhancedKeyUsage.InitializeEncode(pValue); cert.X509Extensions.Add((CX509Extension)cx509ExtensionEnhancedKeyUsage); var cx509Enrollment = new CX509Enrollment(); cx509Enrollment.InitializeFromRequest(cert); var output = cx509Enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); return(output); }
protected static void ExportCertificate(byte[] certificateData, string outputPath, string password) { var certificateEnrollmentContext = X509CertificateEnrollmentContext.ContextUser; CX509Enrollment cx509Enrollment = new CX509Enrollment(); cx509Enrollment.Initialize(certificateEnrollmentContext); cx509Enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, Convert.ToBase64String(certificateData), EncodingType.XCN_CRYPT_STRING_BASE64, null); var pfx = cx509Enrollment.CreatePFX(password, PFXExportOptions.PFXExportChainNoRoot, EncodingType.XCN_CRYPT_STRING_BASE64); using (var fs = File.OpenWrite(outputPath)) { var decoded = Convert.FromBase64String(pfx); fs.Write(decoded, 0, decoded.Length); } }
//rennew certficiate that expired public int RenewCert(string Cert, int reqid) { int iDisposition; string CertifcateStr; string status; string HostName; CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10(); CX509Enrollment objEnroll = new CX509Enrollment(); CCertConfig objCertConfig = new CCertConfig(); CX500DistinguishedName objDN = new CX500DistinguishedName(); CCertAdmin objCertAdmin = new CCertAdmin(); string strCAConfig; var inheritOptions = X509RequestInheritOptions.InheritPrivateKey | X509RequestInheritOptions.InheritSubjectFlag | X509RequestInheritOptions.InheritExtensionsFlag | X509RequestInheritOptions.InheritSubjectAltNameFlag; try { strCAConfig = objCertConfig.GetConfig(CC_DEFAULTCONFIG); //connect to the ca InstallCert(Cert); objPkcs10.InitializeFromCertificate(X509CertificateEnrollmentContext.ContextUser, Cert, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, inheritOptions); //create new cert request from exists expired cert objDN = objPkcs10.Subject; //getting old cert subject (hostname) HostName = objDN.Name.ToString().Substring(3); objEnroll.InitializeFromRequest(objPkcs10); //create enroll rquest CertifcateStr = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //crearte new cert request Database db = new Database(); var cert = db.ReturnCertificateInformation(HostName); db.DeleteCertificateRecordFromDb(reqid); // revokeCert(cert.serialnumber); iDisposition = SubmitRequest(CertifcateStr, HostName); //submit cert to the ca objCertAdmin.ResubmitRequest(strCAConfig, iDisposition); //issue the Certificate if (iDisposition > 0) //if cert was created delete the old cert from the table { DeleteCertificateFromStore(objDN.Name.ToString()); return(iDisposition); } return(0); } catch (Exception ex) { status = ex.Message; Database db = new Database(); db.InsertToErrorMessageTable("", reqid, ex.Message, "RenewCert");//insert Error Message into The Error Table Log In The DataBase return(1); } }
/*Install Certificate On the Machine For future Renew Expired Certificate */ public int InstallCert(string Cert) { // Create all the objects that will be required CX509Enrollment objEnroll = new CX509Enrollment(); try { // Install the certificate objEnroll.Initialize(X509CertificateEnrollmentContext.ContextUser); objEnroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, Cert, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, null); return(0); } catch (Exception ex) { Console.Write(ex.Message); return(1); } }
public void InstallAndDownload(string certText, string password, string friendlyName) { var enroll = new CX509Enrollment(); enroll.Initialize(X509CertificateEnrollmentContext.ContextUser); enroll.CertificateFriendlyName = friendlyName; enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, certText, EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER, password ); var dir = Directory.GetParent(Assembly.GetExecutingAssembly().Location).ToString(); var pfx = enroll.CreatePFX(password, PFXExportOptions.PFXExportChainWithRoot); var fileName = "cert.pfx"; var filePath = $@"{dir}\{fileName}"; Download(filePath, pfx); Install(filePath, password); }
public virtual string CreateRequest() { Trace.TraceInformation(Resources.CertificateCreateRequest); if (Request == null) { Trace.TraceError(Resources.CertificateCreateRequestNull); throw new InvalidOperationException(Resources.CertificateCreateRequestNull); } var enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(Request); var request = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER); return(request); }
/*Install Certificate On the Machine For future Renew Expired Certificate */ public int InstallCert(string Cert) { // Create all the objects that will be required CX509Enrollment objEnroll = new CX509Enrollment(); try { // Install the certificate objEnroll.Initialize(X509CertificateEnrollmentContext.ContextUser); objEnroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, Cert, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, null); return(0); } catch (Exception ex) { Database db = new Database(); db.InsertToErrorMessageTable("", 0, ex.Message, "InstallCert");//insert Error Message into The Error Table Log In The DataBase return(1); } }
public string CreateTemplateRequest(string cn, string ou, string o, string l, string s, string c, int keyLength, string templateName) { var csp = new CCspInformations(); csp.AddAvailableCsps(); var privateKey = new CX509PrivateKey(); privateKey.Length = keyLength; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; privateKey.MachineContext = false; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; privateKey.CspInformations = csp; privateKey.Create(); var pkcs10 = new CX509CertificateRequestPkcs10(); pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, templateName); var san = GetSAN(cn); pkcs10.X509Extensions.Add((CX509Extension)san); var distinguishedName = new CX500DistinguishedName(); var subjectName = $"{cn},OU = {ou},O = {o} ,L = {l},S = {s},C = {c}"; distinguishedName.Encode(subjectName); pkcs10.Subject = distinguishedName; var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(pkcs10); var strRequest = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER); return(strRequest); }
// enroll a certificate based on given template name public static void EnrollCert( string templateName, string subjectName, string friendlyName) { // create a CX509Enrollment object // either from CX509EnrollmentClass or CX509Enrollment should work //CX509EnrollmentClass objEnroll = new CX509EnrollmentClass(); CX509Enrollment objEnroll = new CX509Enrollment(); // initialize the CX509Enrollment object objEnroll.InitializeFromTemplateName( X509CertificateEnrollmentContext.ContextUser, templateName); // set up the subject name // // first get the request IX509CertificateRequest iRequest = objEnroll.Request; // then get the inner PKCS10 request IX509CertificateRequest iInnerRequest = iRequest.GetInnerRequest(InnerRequestLevel.LevelInnermost); IX509CertificateRequestPkcs10 iRequestPkcs10 = iInnerRequest as IX509CertificateRequestPkcs10; // create CX500DistinguishedName CX500DistinguishedName objName = new CX500DistinguishedName(); objName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); // set up the subject name iRequestPkcs10.Subject = objName; // set up friendly name objEnroll.CertificateFriendlyName = friendlyName; // enroll for the certificate, which should install the certficate // in MY store if the certificate is successfully issued by CA objEnroll.Enroll(); }
public static Certificate InstallResponse(string response) { Trace.TraceInformation(Resources.CertificateInstallResponce); if (String.IsNullOrWhiteSpace(response)) { Trace.TraceError(Resources.CertificateResponseNull); throw new ArgumentNullException(Resources.CertificateResponseNull); } var enrollment = new CX509Enrollment(); enrollment.Initialize(X509CertificateEnrollmentContext.ContextMachine); enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, response, EncodingType.XCN_CRYPT_STRING_BASE64_ANY, null); var cerificateData = Convert.FromBase64String(enrollment.Certificate); return(new Certificate(cerificateData)); }
public SSLCertificate InstallCertificate(SSLCertificate cert, WebSite website) { CX509Enrollment response = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509Enrollment", true)) as CX509Enrollment; try { response.Initialize(X509CertificateEnrollmentContext.ContextMachine); response.InstallResponse( InstallResponseRestrictionFlags.AllowUntrustedRoot, cert.Certificate, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, null ); SSLCertificate servercert = (from c in GetServerCertificates() where c.FriendlyName == cert.FriendlyName select c).Single(); cert.SerialNumber = servercert.SerialNumber; cert.ValidFrom = servercert.ValidFrom; cert.ExpiryDate = servercert.ExpiryDate; cert.Hash = servercert.Hash; cert.DistinguishedName = servercert.DistinguishedName; if (cert.IsRenewal && CheckCertificate(website)) { DeleteCertificate(GetCurrentSiteCertificate(website), website); } AddBinding(cert, website); } catch (Exception ex) { Log.WriteError("Error adding SSL certificate", ex); cert.Success = false; } return(cert); }
/// <summary> /// The create active directory certificate request. /// </summary> /// <param name="templateName"> /// The template name. /// </param> /// <returns> /// The <see cref="string"/>. /// </returns> public string CreateActiveDirectoryCertificateRequest(string templateName) { //// https://blogs.msdn.microsoft.com/alejacma/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c/ //// http://geekswithblogs.net/shaunxu/archive/2012/01/13/working-with-active-directory-certificate-service-via-c.aspx this.LastError.Clear(); try { var cspInformations = new CCspInformations(); cspInformations.AddAvailableCsps(); var privateKey = new CX509PrivateKey // Создали приватный ключ { Length = 2048, KeySpec = X509KeySpec.XCN_AT_SIGNATURE, KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES, MachineContext = false, ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG, CspInformations = cspInformations }; privateKey.Create(); var objPkcs10 = new CX509CertificateRequestPkcs10(); objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, templateName); var objEnroll = new CX509Enrollment(); objEnroll.InitializeFromRequest(objPkcs10); var strRequest = objEnroll.CreateRequest(); // Значение по уолчанию: EncodingType.XCN_CRYPT_STRING_BASE64 return(strRequest); } catch (Exception ex) { this.LastError.Add(ex.Message); return(string.Empty); } }
/// <summary> /// Generates a certificate signing request for use with Xbox Live. /// </summary> public string GenerateCertRequest() { this.EnsureAdmin(); CX509CertificateRequestCertificate certRequest = new CX509CertificateRequestCertificate(); certRequest.Initialize(X509CertificateEnrollmentContext.ContextMachine); certRequest.PrivateKey.Length = 2048; certRequest.PrivateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"; certRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; CX500DistinguishedName subject = new CX500DistinguishedName(); subject.Encode("CN=NOT USED"); certRequest.Subject = subject; CX509Enrollment enroll = new CX509Enrollment(); enroll.InitializeFromRequest(certRequest); enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER); this.privateKey = certRequest.PrivateKey.Export("PRIVATEBLOB", EncodingType.XCN_CRYPT_STRING_BASE64).ToSecureString(); return(certRequest.PrivateKey.Export("PUBLICBLOB", EncodingType.XCN_CRYPT_STRING_BASE64 | EncodingType.XCN_CRYPT_STRING_NOCRLF)); }
public string CreateTemplateRequest(string cn, string ou, string o, string l, string s, string c, int keylength, string template) { var objCSPs = new CCspInformations(); objCSPs.AddAvailableCsps(); var objPrivateKey = new CX509PrivateKey(); objPrivateKey.Length = keylength; objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; objPrivateKey.MachineContext = false; objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; objPrivateKey.CspInformations = objCSPs; objPrivateKey.Create(); var objPkcs10 = new CX509CertificateRequestPkcs10(); objPkcs10.InitializeFromPrivateKey( X509CertificateEnrollmentContext.ContextUser, objPrivateKey, template); var objDN = new CX500DistinguishedName(); var subjectName = "CN = " + cn + ",OU = " + ou + ",O = " + o + ",L = " + l + ",S = " + s + ",C = " + c; objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); objPkcs10.Subject = objDN; var objEnroll = new CX509Enrollment(); objEnroll.InitializeFromRequest(objPkcs10); var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); return strRequest; }
/* * http://stackoverflow.com/questions/13806299/how-to-create-a-self-signed-certificate-using-c * This implementation uses the CX509CertificateRequestCertificate COM object (and friends - MSDN doc) from certenroll.dll to create a self signed certificate request and sign it. */ public static X509Certificate2 CreateSelfSignedCertificateCOM(string subjectName) { // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); // create a new private key for the certificate CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"; privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG; privateKey.Create(); var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); // add extended key usage if you want - look at MSDN for a list of possible OIDs //var oid = new CObjectId(); //oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server //var oidlist = new CObjectIds(); //oidlist.Add(oid); //var eku = new CX509ExtensionEnhancedKeyUsage(); //eku.InitializeEncode(oidlist); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now.Subtract(new TimeSpan(1, 0, 0, 0)); cert.NotAfter = DateTime.Now.Add(new TimeSpan(30,0,0,0)); //cert.X509Extensions.Add((CX509Extension)eku); // add the EKU cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) return new System.Security.Cryptography.X509Certificates.X509Certificate2( System.Convert.FromBase64String(base64encoded), "", // mark the private key as exportable (this is usually what you want to do) System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable ); }
/// <summary> /// Certificate constructor to intialize objects and values required to create a certificate /// </summary> public Certificate() { try { // Create objects required objCertRequest = new CX509CertificateRequestCertificate(); objCSP = new CCspInformation(); objCSPs = new CCspInformations(); objDN = new CX500DistinguishedName(); objEnroll = new CX509Enrollment(); objObjectId = new CObjectId(); objPrivateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey")); // Friendly name this.FriendlyName = ""; // Set default values. Refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374846(v=vs.85).aspx this.CryptographicProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"; this.KeySize = 2048; // Use key for encryption this.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // The key can be used for decryption this.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG; // Create for user and not machine this.MachineContext = false; // Default to expire in 1 year this.ExpirationLengthInDays = 365; // Let th private key be exported in plain text this.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; // This is intended for a computer this.EnrollmentContextMachine = X509CertificateEnrollmentContext.ContextUser; // Use a hasing algorithm this.ObjectIdGroupId = ObjectIdGroupId. XCN_CRYPT_HASH_ALG_OID_GROUP_ID; this.ObjectIdPublicKeyFlags = ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY; this.AlgorithmFlags = AlgorithmFlags.AlgorithmFlagsNone; // Use SHA-2 with 512 bits this.AlgorithmName = "SHA512"; this.EncodingType = EncodingType.XCN_CRYPT_STRING_BASE64; // Allow untrusted certificate to be installed this.InstallResponseRestrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate; // No password set this.Password = null; // Enable key to be exported, keep the machine set, and persist the key set // https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx this.ExportableFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet; } catch (Exception ex) { throw ex; } }
/// <summary> /// Installs the certificate /// </summary> /// <returns></returns> public X509Certificate2 InstallCertficate() { CX509Enrollment objEnroll = new CX509Enrollment(); try { // Install the certificate objEnroll.InitializeFromRequest(objCertRequest); objEnroll.InstallResponse( this.InstallResponseRestrictionFlags, stringResponse, this.EncodingType, this.Password ); var base64encoded = objEnroll.CreatePFX(this.Password, PFXExportOptions.PFXExportChainWithRoot); return new System.Security.Cryptography.X509Certificates.X509Certificate2( System.Convert.FromBase64String(base64encoded), this.Password, this.ExportableFlags); } catch (Exception ex) { throw ex; } }
public bool enrollWithIX509EnrollmentHelper() { bool bRet = true; try { IX509EnrollmentPolicyServer objPolicyServer = null; IX509CertificateTemplates objTemplates = null; IX509CertificateTemplate objTemplate = null; IX509EnrollmentHelper objEnrollHelper = null; IX509Enrollment2 objEnroll2 = null; objPolicyServer = new CX509EnrollmentPolicyWebService(); objPolicyServer.Initialize( m_strPolicyServerUrl, null, m_PolicyServerAuthType, true, m_context); //This call sets authentication type and authentication credential //to policy server to the object referenced by objPolicyServer. //This call is necessary even for Kerberos authentication type. objPolicyServer.SetCredential( 0, m_PolicyServerAuthType, m_strPolicyServerUsername, m_strPolicyServerPassword); objPolicyServer.LoadPolicy(X509EnrollmentPolicyLoadOption.LoadOptionDefault); objTemplates = objPolicyServer.GetTemplates(); objTemplate = objTemplates.get_ItemByName(m_strTemplateName); //There is no need to cache credential for Kerberos authentication type if (m_EnrollmentServerAuthType == X509EnrollmentAuthFlags.X509AuthUsername) { objEnrollHelper = new CX509EnrollmentHelper(); objEnrollHelper.Initialize(m_context); //This call caches the authentication credential to //enrollment server in Windows vault objEnrollHelper.AddEnrollmentServer( m_strEnrollmentServerUrl, m_EnrollmentServerAuthType, m_strEnrollmentServerUsername, m_strEnrollmentServerPassword); } objEnroll2 = new CX509Enrollment(); objEnroll2.InitializeFromTemplate( m_context, objPolicyServer, objTemplate); //This call reads authentication cache to //enrollment server from Windows vault objEnroll2.Enroll(); } catch (Exception e) { bRet = false; Console.WriteLine("Error: {0}", e.Message); } if (bRet) Console.WriteLine("Certificate enrollment succeeded."); else Console.WriteLine("Certificate enrollment failed."); return bRet; }
// create the certifcate request public string CreateCertifcate(string hostName) { // Create all the objects that will be required CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10(); CX509PrivateKey objPrivateKey = new CX509PrivateKey(); CCspInformation objCSP = new CCspInformation(); CCspInformations objCSPs = new CCspInformations(); CX500DistinguishedName objDN = new CX500DistinguishedName(); CX509Enrollment objEnroll = new CX509Enrollment(); CObjectIds objObjectIds = new CObjectIds(); CObjectId objObjectId = new CObjectId(); CX509ExtensionKeyUsage objExtensionKeyUsage = new CX509ExtensionKeyUsage(); CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage(); string CertifcateStr; try { Database db = new Database(); /*Check if there is allready request for the hostname so we dont need to create new one*/ if (db.CheckIfCertificateExists(hostName) == 1) { return("Exsits"); } if (db.CheckIfCertificateExists(hostName) == 2) { return("Issued"); } //create the private key (CX509CertificateRequestPkcs10 will initilizae from the private key) objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0"); objCSPs.Add(objCSP); objPrivateKey.Length = 1024; objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; objPrivateKey.MachineContext = false; objPrivateKey.CspInformations = objCSPs; objPrivateKey.Create(); //create pkc10 object from the privaet key objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, ""); objExtensionKeyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE); // objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage); // objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // objObjectIds.Add(objObjectId); // objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds); // objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage); objDN.Encode("CN=" + hostName, X500NameFlags.XCN_CERT_NAME_STR_NONE); //create DistinguishedName objPkcs10.Subject = objDN; //initial the DistinguishedName objEnroll.InitializeFromRequest(objPkcs10); //init enrollement request CertifcateStr = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //Certifcate Request return(CertifcateStr); } catch (Exception ex) { Database db = new Database(); db.InsertToErrorMessageTable(hostName, 0, ex.Message, "CreateCertifcate");//insert Error Message into The Error Table Log In The DataBase return("Error" + ex.Message); } }
private static string CreateCertContent(string cn, TimeSpan expirationLength, string pwd) { var base64encoded = string.Empty; var dn = new CX500DistinguishedName(); dn.Encode("CN=" + cn, X500NameFlags.XCN_CERT_NAME_STR_NONE); var privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Strong Cryptographic Provider"; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG; privateKey.MachineContext = true; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now.Date; // this cert expires immediately. Change to whatever makes sense for you cert.NotAfter = cert.NotBefore + expirationLength; cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = cn; // Optional: add a friendly name var csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, pwd); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes base64encoded = enroll.CreatePFX(pwd, // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); return base64encoded; }
public void GenerateCsr(SSLCertificate cert) { // Create all the objects that will be required CX509CertificateRequestPkcs10 pkcs10 = new CX509CertificateRequestPkcs10(); CX509PrivateKey privateKey = new CX509PrivateKey(); CCspInformation csp = new CCspInformation(); CCspInformations csPs = new CCspInformations(); CX500DistinguishedName dn = new CX500DistinguishedName(); CX509Enrollment enroll = new CX509Enrollment(); CObjectIds objectIds = new CObjectIds(); CObjectId clientObjectId = new CObjectId(); CObjectId serverObjectId = new CObjectId(); CX509ExtensionKeyUsage extensionKeyUsage = new CX509ExtensionKeyUsage(); CX509ExtensionEnhancedKeyUsage x509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage(); try { // Initialize the csp object using the desired Cryptograhic Service Provider (CSP) csp.InitializeFromName("Microsoft RSA SChannel Cryptographic Provider"); // Add this CSP object to the CSP collection object csPs.Add(csp); // Provide key container name, key length and key spec to the private key object //objPrivateKey.ContainerName = "AlejaCMa"; privateKey.Length = cert.CSRLength; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; privateKey.MachineContext = true; // Provide the CSP collection object (in this case containing only 1 CSP object) // to the private key object privateKey.CspInformations = csPs; // Create the actual key pair privateKey.Create(); // Initialize the PKCS#10 certificate request object based on the private key. // Using the context, indicate that this is a user certificate request and don't // provide a template name pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.PrivateKey = privateKey.ToString(); // Key Usage Extension extensionKeyUsage.InitializeEncode( CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE ); pkcs10.X509Extensions.Add((CX509Extension)extensionKeyUsage); // Enhanced Key Usage Extension clientObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2"); objectIds.Add(clientObjectId); serverObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1"); objectIds.Add(serverObjectId); x509ExtensionEnhancedKeyUsage.InitializeEncode(objectIds); pkcs10.X509Extensions.Add((CX509Extension)x509ExtensionEnhancedKeyUsage); // Encode the name in using the Distinguished Name object string request = String.Format(@"CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", cert.Hostname, cert.Organisation, cert.OrganisationUnit, cert.City, cert.State, cert.Country); dn.Encode(request, X500NameFlags.XCN_CERT_NAME_STR_NONE); // Assing the subject name by using the Distinguished Name object initialized above pkcs10.Subject = dn; // Create enrollment request enroll.InitializeFromRequest(pkcs10); enroll.CertificateFriendlyName = cert.FriendlyName; cert.CSR = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER); } catch (Exception ex) { Log.WriteError("Error creating CSR", ex); } }
/// <summary> /// Generate a self-signed certificate and add it to the Windows certificate store. /// </summary> /// <param name="subjectName">The subject name of the certificate.</param> /// <param name="friendlyName">The friendly name of the certificate.</param> /// <param name="location">Location of the certificate; either the Current User or Local Machine.</param> /// <param name="addAsTrustedRoot">Whether to add the generated certificate as a trusted root.</param> /// <param name="keyLength">Size of the key in bits.</param> /// <param name="durationYears">Duration of the certificate, specified in years.</param> /// <param name="oids">Collection of OIDs identifying certificate usage.</param> public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, string friendlyName, StoreLocation location, bool addAsTrustedRoot, int keyLength, int durationYears, List<string> oids) { // Create the self-signing request. CX509CertificateRequestCertificate cert = CreateCertificateSigningRequest(subjectName, keyLength, durationYears, oids); // Enroll based on the certificate signing request. CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(cert); enrollment.CertificateFriendlyName = friendlyName; string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Install the certificate chain. Note that no password is specified. enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csrText, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // Base-64 encode the PKCS#12 certificate in order to re-import it. string pfx = enrollment.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot); // Instantiate the PKCS#12 certificate. X509Certificate2 certificate = new X509Certificate2(System.Convert.FromBase64String(pfx), "", X509KeyStorageFlags.Exportable); // If specified, also install the certificate to the trusted root store. if (addAsTrustedRoot) { X509Store rootStore = new X509Store(StoreName.Root, location); rootStore.Open(OpenFlags.ReadWrite); rootStore.Add(certificate); rootStore.Close(); } return certificate; }
/// <summary> /// CreateSelfSignedCertificate method implementation /// </summary> private static string InternalCreateSelfSignedCertificate(string subjectName, int years) { var dn = new CX500DistinguishedName(); var neos = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); neos.Encode("CN=MFA RSA Keys Certificate", X500NameFlags.XCN_CERT_NAME_STR_NONE); CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"; privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // use is not limited privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_ARCHIVING_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG; privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"; privateKey.Create(); var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); var oid = new CObjectId(); oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server var oidlist = new CObjectIds(); oidlist.Add(oid); var coid = new CObjectId(); coid.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // Client auth oidlist.Add(coid); var eku = new CX509ExtensionEnhancedKeyUsage(); eku.InitializeEncode(oidlist); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextAdministratorForceMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = neos; cert.NotBefore = DateTime.Now.AddDays(-10); cert.NotAfter = DateTime.Now.AddYears(years); cert.X509Extensions.Add((CX509Extension)eku); // add the EKU cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot); return(base64encoded); }
public SSLCertificate InstallCertificate(SSLCertificate cert, WebSite website) { CX509Enrollment response = new CX509Enrollment(); try { response.Initialize(X509CertificateEnrollmentContext.ContextMachine); response.InstallResponse( InstallResponseRestrictionFlags.AllowUntrustedRoot, cert.Certificate, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, null ); SSLCertificate servercert = (from c in GetServerCertificates() where c.FriendlyName == cert.FriendlyName select c).Single(); cert.SerialNumber = servercert.SerialNumber; cert.ValidFrom = servercert.ValidFrom; cert.ExpiryDate = servercert.ExpiryDate; cert.Hash = servercert.Hash; cert.DistinguishedName = servercert.DistinguishedName; if (cert.IsRenewal && CheckCertificate(website)) { DeleteCertificate(GetCurrentSiteCertificate(website), website); } AddBinding(cert, website); } catch (Exception ex) { Log.WriteError("Error adding SSL certificate", ex); cert.Success = false; } return cert; }