/// <summary>
/// Build a self signed certificate for use in SSL communication
/// </summary>
/// <param name="certName">Name of certificate</param>
/// <param name="password">Password for certificate</param>
/// <returns></returns>
public static X509Certificate2 BuildSelfSignedCertificate(string certName, string password = "")
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
certificate.FriendlyName = certName;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet));
}
}
public static void CreateCertificate(string ip)
{
try
{
var cr = new CertificateRequest(new X500DistinguishedName("cn=ispy-local"), RSA.Create(), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
SubjectAlternativeNameBuilder subjectAlternativeNameBuilder = new SubjectAlternativeNameBuilder();
subjectAlternativeNameBuilder.AddIpAddress(IPAddress.Parse(ip));
var locals = MainForm.AddressListIPv4;
foreach (var lip in locals)
{
subjectAlternativeNameBuilder.AddIpAddress(lip);
}
cr.CertificateExtensions.Add(subjectAlternativeNameBuilder.Build());
string pw = "123abc!!D";
var cert = cr.CreateSelfSigned(DateTime.UtcNow.AddDays(-1), DateTime.UtcNow.AddYears(+1));
var cert2 = new X509Certificate2(cert.Export(X509ContentType.Pfx, pw), pw);
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindBySubjectName, "ispy-local", false);
if (col.Count > 0)
{
store.RemoveRange(col);
}
store.Add(cert2);
store.Close();
_sslCertificate = cert2;
}
catch (Exception ex)
{
Logger.LogException(ex, "X509 Create");
}
}
private static X509Certificate2 Create()
{
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName("127.0.0.1");
sanBuilder.AddDnsName(Environment.MachineName);
var distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid(OidServerAuthentication)
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddYears(100)));
certificate.FriendlyName = CertificateName;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, CertificatePass), CertificatePass, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));
}
public static async Task Generate_Fake_Apple_Pay_Merchant_Certificate()
{
// Arrange
string certificateName = "applepay.local";
string certificatePassword = "******";
string certificateFileName = "CHANGE_ME";
var builder = new SubjectAlternativeNameBuilder();
builder.AddIpAddress(IPAddress.Loopback);
builder.AddIpAddress(IPAddress.IPv6Loopback);
builder.AddDnsName("localhost");
var distinguishedName = new X500DistinguishedName($"CN={certificateName}");
using var key = RSA.Create(2048);
var request = new CertificateRequest(distinguishedName, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyAgreement | X509KeyUsageFlags.KeyEncipherment, false));
request.CertificateExtensions.Add(new X509Extension("1.2.840.113635.100.6.32", Guid.NewGuid().ToByteArray(), false));
request.CertificateExtensions.Add(builder.Build());
var utcNow = DateTimeOffset.UtcNow;
X509Certificate2 certificate = request.CreateSelfSigned(utcNow.AddDays(-1), utcNow.AddDays(3650));
certificate.FriendlyName = certificateName;
byte[] pfxBytes = certificate.Export(X509ContentType.Pfx, certificatePassword);
File.Delete(certificateFileName);
await File.WriteAllBytesAsync(certificateFileName, pfxBytes);
}
private X509Certificate2 BuildSelfSignedServerCertificate()
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN=https://issuer.com");
using RSA rsa = RSA.Create(2048);
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
return(certificate);
}
private static byte[] BuildSelfSignedCertificate(string password)
{
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
var distinguishedName = new X500DistinguishedName($"CN=SSNCert1");
using (var rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyCertSign, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
certificate.FriendlyName = "SSNCert1";
return(certificate.Export(X509ContentType.Pfx, password));
}
}
public static X509Certificate2 GenerateServerNodeCertificate(string nodeName, string password)
{
using (var rsa = RSA.Create(4096))
{
var request = new CertificateRequest($"CN={nodeName}", rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
certificate.FriendlyName = "VanguardServerManagerNodeCertificate";
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet));
}
}
public static void EnumerateDnsNames(LoadMode loadMode)
{
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName("foo");
builder.AddIpAddress(IPAddress.Loopback);
builder.AddUserPrincipalName("*****@*****.**");
builder.AddIpAddress(IPAddress.IPv6Loopback);
builder.AddDnsName("*.foo");
X509Extension built = builder.Build(true);
X509SubjectAlternativeNameExtension ext;
switch (loadMode)
{
case LoadMode.CopyFrom:
ext = new X509SubjectAlternativeNameExtension();
ext.CopyFrom(built);
break;
case LoadMode.Array:
ext = new X509SubjectAlternativeNameExtension(built.RawData);
break;
case LoadMode.Span:
byte[] tmp = new byte[built.RawData.Length + 2];
built.RawData.AsSpan().CopyTo(tmp.AsSpan(1));
ext = new X509SubjectAlternativeNameExtension(tmp.AsSpan()[1..^ 1]);
public static X509Certificate2 Create(CertificateOptions options)
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(options.Issuer);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN=" + options.Issuer);
var csp = new CspParameters
{
Flags = CspProviderFlags.UseArchivableKey | CspProviderFlags.UseMachineKeyStore
};
using (RSA rsa = new RSACryptoServiceProvider(2048, csp))
{
CertificateRequest req = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(sanBuilder.Build());
req.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, false));
req.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.KeyAgreement | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment, false));
req.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, true));
req.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
X509Certificate2 CA = CreateCA(options);
X509Certificate2 cert = req.Create(
CA,
CA.NotBefore,
CA.NotAfter,
CertHelper.SerialNumber.ToByteArray());
X509Certificate2 certWithPK = cert.CopyWithPrivateKey(rsa);
certWithPK.FriendlyName = options.FriendlyName;
X509Certificate2 certificate = new X509Certificate2(certWithPK.Export(X509ContentType.Pfx, options.Password), options.Password, X509KeyStorageFlags.MachineKeySet);
CertHelper.AddToMyStore(certificate);
return(certificate);
}
}
private static X509Extension LocalSubjectAlternativeName()
{
var builder = new SubjectAlternativeNameBuilder();
builder.AddIpAddress(IPAddress.Loopback);
builder.AddIpAddress(IPAddress.IPv6Loopback);
builder.AddDnsName("localhost");
builder.AddDnsName(Environment.MachineName);
return(builder.Build());
}
private X509Certificate2 GenerateSelfSignedServerCert(string certificateName)
{
var certPassword = Configuration["MPY:IdentityServer:X509CertToken:Password"];
if (string.IsNullOrEmpty(certPassword))
{
throw new ArgumentNullException("Token Signing Certificate Password needs to be set");
}
var dnsName = Configuration["MPY:IdentityServer:X509CertToken:DNSName"];
if (string.IsNullOrEmpty(dnsName))
{
throw new ArgumentNullException("Token Signing DNS Name needs to be set.");
}
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName(dnsName);
sanBuilder.AddDnsName(System.Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certificateName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
//var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(365)));
var yesterday = DateTime.Today.AddDays(-1).ToUniversalTime();
var future = DateTime.Today.AddDays(365).ToUniversalTime();
var certificate = request.CreateSelfSigned(new DateTimeOffset(yesterday), new DateTimeOffset(future));
certificate.FriendlyName = certificateName;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, certPassword), certPassword, X509KeyStorageFlags.MachineKeySet));
}
}
/// <summary>
/// Create a self signed certificate, optionally providing a locally existente CA certificate
/// </summary>
/// <param name="subjectName"></param>
/// <param name="organization"></param>
/// <param name="country"></param>
/// <param name="authority">Optional authority cert to sign this one against.</param>
/// <param name="expirationDays"></param>
/// <returns></returns>
public static X509Certificate2 GenerateSelfSignedCertificate(
string subjectName,
string organization,
string country,
X509Certificate2 authority = null,
int expirationDays = 90)
{
// Have this certificate work with localhost, etc..
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={subjectName}, O={organization}, C={country}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset notBefore = DateTimeOffset.UtcNow;
DateTimeOffset notAfter = notBefore.AddDays(expirationDays);
X509Certificate2 certWithPrivateKey;
if (authority == null)
{
certWithPrivateKey = request.CreateSelfSigned(notBefore, notAfter);
}
else
{
byte[] serialnumber = Encoding.ASCII.GetBytes(DateTime.UtcNow.ToString("MMMMddyyyyHHmmss"));
certWithPrivateKey = request.Create(authority, notBefore, notAfter, serialnumber);
}
return(certWithPrivateKey);
}
}
/// <summary>
/// Build the Subject Alternative name extension
/// </summary>
/// <param name="uris">The Uris</param>
/// <param name="addresses">The domain names.
/// DNS Hostnames, IPv4 or IPv6 addresses</param>
/// <param name="critical"></param>
public static X509Extension BuildSubjectAlternativeName(
IEnumerable <string> uris, IEnumerable <string> addresses, bool critical)
{
var sanBuilder = new SubjectAlternativeNameBuilder();
foreach (var uri in uris)
{
sanBuilder.AddUri(new Uri(uri));
}
foreach (var domainName in addresses)
{
if (string.IsNullOrWhiteSpace(domainName))
{
continue;
}
if (IPAddress.TryParse(domainName, out var ipAddr))
{
sanBuilder.AddIpAddress(ipAddr);
}
else
{
sanBuilder.AddDnsName(domainName);
}
}
return(sanBuilder.Build(critical));
}
protected X509Extension BuildSubjectAlternativeName()
{
var subjectAlternativeNameBuilder = new SubjectAlternativeNameBuilder();
subjectAlternativeNameBuilder.AddIpAddress(IPAddress.Loopback);
subjectAlternativeNameBuilder.AddIpAddress(IPAddress.IPv6Loopback);
foreach (var dnsName in _certificateBuilderConfiguration.DnsNames)
{
subjectAlternativeNameBuilder.AddDnsName(dnsName);
}
subjectAlternativeNameBuilder.AddDnsName(Environment.MachineName);
return(subjectAlternativeNameBuilder.Build());
}
public static void SanWithNoDnsMeansDoCommonNameFallback()
{
using (ECDsa key = ECDsa.Create())
{
CertificateRequest req = new CertificateRequest(
"CN=zalzalak.fruit.example",
key,
HashAlgorithmName.SHA256);
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddEmailAddress("*****@*****.**");
req.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset now = DateTimeOffset.UtcNow;
DateTimeOffset notBefore = now.AddMinutes(-1);
DateTimeOffset notAfter = now.AddMinutes(1);
using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter))
{
AssertMatch(false, cert, "yumberry.fruit.example");
AssertMatch(true, cert, "127.0.0.1");
// Since the SAN contains no dNSName values, we fall back to the CN.
AssertMatch(true, cert, "zalzalak.fruit.example");
AssertMatch(false, cert, "zalzalak.fruit.example", allowCommonName: false);
}
}
}
private static X509ExtensionCollection BuildTlsCertExtensions(string targetName, bool serverCertificate)
{
X509ExtensionCollection extensions = new X509ExtensionCollection();
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName(targetName);
builder.AddIpAddress(IPAddress.Loopback);
builder.AddIpAddress(IPAddress.IPv6Loopback);
extensions.Add(builder.Build());
extensions.Add(s_eeConstraints);
extensions.Add(s_eeKeyUsage);
extensions.Add(serverCertificate ? s_tlsServerEku : s_tlsClientEku);
return(extensions);
}
public static X509Certificate2 BuildSelfSignedCertificate(string dns, string ipaddr, string issuer, string password)
{
SubjectAlternativeNameBuilder sanb = new SubjectAlternativeNameBuilder();
sanb.AddIpAddress(IPAddress.Parse(ipaddr));
sanb.AddDnsName(dns);
X500DistinguishedName subject = new X500DistinguishedName($"CN={issuer}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanb.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
certificate.FriendlyName = issuer;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));
}
}
/// <summary>
/// Generate a new 2048 bit RSA key and cert bundle and self sign the public key with the private key
/// https://stackoverflow.com/a/50138133/6620171
/// </summary>
/// <param name="CommonName"></param>
/// <returns></returns>
private static X509Certificate2 BuildSelfSignedServerCertificate(string CommonName, int daysUntilExpire)
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CommonName}");
using (RSA rsa = RSA.Create(2048))
{
CertificateRequest request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(daysUntilExpire)));
//certificate.FriendlyName = CommonName; // Linux: System.PlatformNotSupportedException: The FriendlyName value cannot be set on Unix.
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));
}
}
public static void SanWithIPAddressMeansNoCommonNameFallback()
{
using (ECDsa key = ECDsa.Create())
{
CertificateRequest req = new CertificateRequest(
"CN=10.0.0.1",
key,
HashAlgorithmName.SHA256);
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddIpAddress(IPAddress.Parse("[fe80::1]"));
sanBuilder.AddEmailAddress("*****@*****.**");
req.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset now = DateTimeOffset.UtcNow;
DateTimeOffset notBefore = now.AddMinutes(-1);
DateTimeOffset notAfter = now.AddMinutes(1);
using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter))
{
AssertMatch(true, cert, "127.0.0.1");
// Various text forms of IPv6Loopback
AssertMatch(true, cert, "[::1]");
AssertMatch(true, cert, "::1");
AssertMatch(true, cert, "[::01]");
AssertMatch(true, cert, "[0000::1]");
// Various text forms of fe80::1
AssertMatch(true, cert, "[fe80::1]");
AssertMatch(true, cert, "[FE80::1]");
AssertMatch(true, cert, "fe80::1");
AssertMatch(true, cert, "[fe80:0000::1]");
AssertMatch(true, cert, "[fe80:0000::01]");
// Various text forms of fe80::
AssertMatch(false, cert, "[fe80::]");
AssertMatch(false, cert, "fe80::");
AssertMatch(false, cert, "[fe80::0]");
AssertMatch(false, cert, "[fe80:0000::]");
// Since the SAN has an iPAddress value, we do not fall back to the CN.
AssertMatch(false, cert, "10.0.0.1");
}
}
}
/// <summary>
/// 生成CA,TODO 2 如何通过根证书生成接下来的证书
/// </summary>
/// <param name="CertificateName"></param>
/// <param name="hosts"></param>
/// <returns></returns>
public static X509Certificate2 GenerateCA(string CertificateName, string hosts = null)
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
if (hosts != null)
{
string[] strings = hosts.Split(',');
foreach (var str in strings)
{
sanBuilder.AddDnsName(str);
}
}
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
//certificate.FriendlyName = CertificateName;
//return certificate;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"),
"WeNeedASaf3rPassword", X509KeyStorageFlags.Exportable));
}
}
private static X509Certificate2 BuildSelfSignedServerCertificate()
{
const string CertificateName = "ErpNet.FP";
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName(Environment.MachineName);
sanBuilder.AddDnsName("localhost");
var addresses = GetLocalV4Addresses();
foreach (var address in addresses)
{
sanBuilder.AddIpAddress(address);
}
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
// For now, in .net core 3 the property FriendlyName is not implemented for POSIX systems, like linux and macOS
// certificate.FriendlyName = CertificateName;
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "ErpNet.FP.Password"), "ErpNet.FP.Password", X509KeyStorageFlags.MachineKeySet));
}
}
public X509Certificate2 CreateSignedCertificate(string certificateName, string dnsName, X509Certificate2 issuerCertificate)
{
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName(dnsName);
sanBuilder.AddDnsName(Environment.MachineName);
var distinguishedName = new X500DistinguishedName($"CN={certificateName}");
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(
distinguishedName,
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment |
X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var notBefore = issuerCertificate.NotBefore;
var notAfter = issuerCertificate.NotAfter.AddDays(-1);
// cert serial is the epoch/unix timestamp
var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
var unixTime = Convert.ToInt64((DateTime.UtcNow - epoch).TotalSeconds);
var serial = BitConverter.GetBytes(unixTime);
var certificate = request.Create(issuerCertificate, notBefore, notAfter, serial);
return(certificate.CopyWithPrivateKey(rsa));
}
private static X509Certificate2 GenerateSelfSignedCertificate(string name)
{
var distinguishedName = new X500DistinguishedName($"CN={name}");
using (var rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DataEncipherment |
X509KeyUsageFlags.KeyEncipherment |
X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.1"), // server auth
new Oid("1.3.6.1.5.5.7.3.2") // client auth
}, false));
// When creating the localhost certificate, add the other names
if (string.Equals(name, "localhost", StringComparison.OrdinalIgnoreCase))
{
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
request.CertificateExtensions.Add(sanBuilder.Build());
}
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)),
new DateTimeOffset(DateTime.UtcNow.AddDays(90)));
var tempPwd = Guid.NewGuid().ToString();
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, tempPwd), tempPwd, X509KeyStorageFlags.MachineKeySet));
}
}
/// <summary>
/// Generate a root CA certificate and store it as a PFX file.
/// </summary>
/// <param name="outputDir">Output directory (if null or empty, then the certificate isn't stored as a PFX file)</param>
/// <param name="certificateName">Certificate name</param>
/// <param name="friendlyName">Friendly certificate name</param>
/// <param name="password">PFX password</param>
/// <param name="keySize">Key size (e.g. 4096)</param>
/// <param name="expirationDate">Expiration date</param>
/// <param name="dnsNames">List of DNS names</param>
/// <param name="ipAddresses">List of IP addresses</param>
public static X509Certificate2 GenerateRootCaPfx(string outputDir, string certificateName, string friendlyName, string password,
int keySize, DateTime expirationDate,
string[] dnsNames, IPAddress[] ipAddresses = null)
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
if (ipAddresses != null && ipAddresses.Length != 0)
{
foreach (var ip in ipAddresses)
{
sanBuilder.AddIpAddress(ip);
}
}
foreach (var dns in dnsNames)
{
sanBuilder.AddDnsName(dns);
}
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certificateName}");
using RSA rsa = RSA.Create(keySize);
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(expirationDate));
certificate.FriendlyName = friendlyName;
var newCert = new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password,
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
if (!string.IsNullOrEmpty(outputDir))
{
var certBytes = newCert.Export(X509ContentType.Pfx, password);
if (!Directory.Exists($"{outputDir}"))
{
Directory.CreateDirectory($"{outputDir}");
}
var fileName = $"{outputDir}{Path.DirectorySeparatorChar}{certificateName}.pfx";
if (!File.Exists(fileName))
{
File.WriteAllBytes(fileName, certBytes);
}
}
return(newCert);
}
private X509Certificate2 buildSelfSignedServerCertificate(string name)
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={name}");
using RSA rsa = RSA.Create(2048);
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment |
X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)),
new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
// try
// {
// certificate.FriendlyName = name;
// }
// catch (Exception) { }
return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"),
"WeNeedASaf3rPassword", X509KeyStorageFlags.UserKeySet));
}
public static void SingleValue_IPAddress_v4()
{
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddIpAddress(IPAddress.Loopback);
X509Extension extension = builder.Build();
Assert.Equal(SubjectAltNameOid, extension.Oid.Value);
Assert.Equal("300687047F000001", extension.RawData.ByteArrayToHex());
}
public static void CreateBrokerTlsCert(this X509Certificate2 CACertificate, string domainname, IPAddress iP, string pubfile, string pivfile, string email)
{
var build = new SubjectAlternativeNameBuilder();
build.AddDnsName(domainname);
build.AddIpAddress(iP);
build.AddEmailAddress(email ?? "*****@*****.**");
string name = $"C=CN,CN={iP.ToString()},ST=IoTSharp,O={Dns.GetHostName()},OU= CA_{MethodBase.GetCurrentMethod().Module.Assembly.GetName().Name}";
var broker = CACertificate.CreateTlsClientRSA(name, build);
broker.SavePem(pubfile, pivfile);
}
public static void MultipleBuilds_WithModification()
{
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddIpAddress(IPAddress.Loopback);
X509Extension extension = builder.Build();
Assert.Equal(SubjectAltNameOid, extension.Oid.Value);
builder.AddIpAddress(IPAddress.IPv6Loopback);
X509Extension secondExtension = builder.Build();
Assert.NotSame(extension, secondExtension);
Assert.Equal(extension.Oid.Value, secondExtension.Oid.Value);
Assert.Equal(extension.Critical, secondExtension.Critical);
Assert.True(
secondExtension.RawData.Length > extension.RawData.Length,
$"secondExtension.RawData.Length > extension.RawData.Length");
}
public X509Certificate2 CreateSelfSignedCertificate(string certificateName, string dnsName)
{
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName(dnsName);
sanBuilder.AddDnsName(Environment.MachineName);
var distinguishedName = new X500DistinguishedName($"CN={certificateName}");
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(
distinguishedName,
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment |
X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(
new DateTimeOffset(DateTime.UtcNow.AddDays(-1)),
new DateTimeOffset(DateTime.UtcNow.AddYears(10)));
certificate.FriendlyName = certificateName;
return(certificate);
}
private static IEnumerable <object[]> GetThumbprintsGenerated()
{
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
var distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
X509Certificate2 newCert;
using (var rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.1")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
newCert = new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.MachineKeySet);
}
using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadWrite))
{
store.Add(newCert);
}
yield return(new object[] { newCert.Thumbprint });
}