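/// <summary>
/// Sample entry point: builds a self-signed CA, three end-entity certificates issued by
/// it (exchange, signing, server authentication) and a CSR, and writes each one to the
/// working directory as a password-protected PKCS#12 (.pfx) plus a PEM (.cer).
/// </summary>
/// <remarks>
/// The PFX password is read from the PFX_PASSWORD environment variable. The sample's
/// original hard-coded "abc123" is kept only as a fallback (announced with a warning) so
/// the sample still runs out of the box; it must not be used for anything real.
/// Every .pfx written here contains a private key and inherits the working directory's
/// default permissions, so restrict or move the files before sharing the directory.
/// X509Certificate2Builder, DistinguishedNames, SubjectAlternativeNames and the Builder*
/// enums are project types; ExportToPEM is a helper defined elsewhere in this file.
/// </remarks>
private static void Main(string[] args)
{
    // Key-protection secrets do not belong in source; take them from the environment.
    string pfxPassword = Environment.GetEnvironmentVariable("PFX_PASSWORD");
    if (string.IsNullOrEmpty(pfxPassword))
    {
        Console.Error.WriteLine("WARNING: PFX_PASSWORD is not set; falling back to the sample password \"abc123\".");
        pfxPassword = "abc123";
    }

    // X.509 validity is expressed in UTC; DateTime.Now would shift NotAfter by the local offset.
    DateTime tenYears = DateTime.UtcNow.AddYears(10);

    // Self-signed CA. KeyCertSign + CrlSign are what make it usable as an issuer.
    // AnyExtendedKeyUsage is kept from the original sample; it is broader than a CA
    // strictly needs (an issuer does not normally carry EKUs at all).
    X509Certificate2 ca = new X509Certificate2Builder
    {
        DistinguishedName = new DistinguishedNames
        {
            commonName = "Selfsigned CA",
            countryName = "KW",
            localityName = "Hawally",
            organizationalUnitName = "My Organization Unit",
            organizationName = "My Organization"
        },
        SubjectAlternativeName = new SubjectAlternativeNames { Rfc822Name = "*****@*****.**" },
        friendlyName = "My CA",
        keyPurpose = new string[] { BuilderKeyPurpose.AnyExtendedKeyUsage },
        keyUsage = BuilderKeyUsage.DigitalSignature | BuilderKeyUsage.CrlSign | BuilderKeyUsage.KeyCertSign,
        signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
        NotAfter = tenYears
    }.Build();
    WriteCertificateFiles(ca, "CA", pfxPassword);

    // End-entity certificates issued by the CA above.

    // Exchange (encryption) certificate; the subject is given as raw DN attributes.
    X509Certificate2 eeExchange = new X509Certificate2Builder
    {
        DistinguishedName = new DistinguishedNames
        {
            otherDN = new Dictionary<string, string>
            {
                { "CN", "My Name" },
                { "C", "KW" },
                { "O", "My Organization" },
                { "OU", "My Organization Unit" },
                { "L", "Hawally" },
                { "E", "*****@*****.**" }
            }
        },
        friendlyName = "My Exchange Certificate",
        Issuer = ca,
        Intermediate = false,
        keyPurpose = new string[] { },
        keyUsage = BuilderKeyUsage.DigitalSignature | BuilderKeyUsage.DataEncipherment,
        signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
        NotAfter = tenYears
    }.Build();
    WriteCertificateFiles(eeExchange, "eeExchange", pfxPassword);

    // Signing certificate; the subject is given as a single DN string this time.
    X509Certificate2 eeSigning = new X509Certificate2Builder
    {
        SubjectName = "CN=My Name, C=KW, O=My Organization, OU=My Organization Unit, L=Hawally, [email protected]",
        friendlyName = "My Signing Certificate",
        Issuer = ca,
        Intermediate = false,
        keyPurpose = new string[] { },
        keyUsage = BuilderKeyUsage.DigitalSignature,
        signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
        NotAfter = tenYears
    }.Build();
    WriteCertificateFiles(eeSigning, "eeSigning", pfxPassword);

    // Server authentication certificate. Key usage and EKU are marked critical so a
    // validator that does not understand them rejects the certificate rather than
    // ignoring the restriction. ClientAuth is included alongside ServerAuth as in the
    // original sample; drop it if the key will only ever terminate TLS.
    X509Certificate2 serverAuth = new X509Certificate2Builder
    {
        DistinguishedName = new DistinguishedNames
        {
            commonName = "www.example.com",
            organizationName = "My Organization",
            organizationalUnitName = "My Organization Unit",
            localityName = "Hawally",
            stateOrProvinceName = "Kuwait",
            countryName = "KW"
        },
        SubjectAlternativeName = new SubjectAlternativeNames
        {
            Rfc822Name = "*****@*****.**",
            DnsName = new string[]
            {
                "www.example.com",
                "example.com",
                "api.example.com",
                "ws.example.com",
                "admin.example.com",
                "you.example.com",
            }
        },
        friendlyName = "My Server Certificate",
        Issuer = ca,
        Intermediate = false,
        keyPurpose = new string[] { BuilderKeyPurpose.IdKPServerAuth, BuilderKeyPurpose.IdKPClientAuth },
        criticalKeyPurpose = true,
        keyUsage = BuilderKeyUsage.DigitalSignature | BuilderKeyUsage.KeyEncipherment,
        criticalKeyUsage = true,
        signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
        NotAfter = tenYears
    }.Build();
    WriteCertificateFiles(serverAuth, "serverAuth", pfxPassword);

    // Certificate signing request: the key pair stays local, only the CSR goes to a CA.
    X509Certificate2Builder.CSR csr = new X509Certificate2Builder
    {
        DistinguishedName = new DistinguishedNames
        {
            commonName = "My Name",
            countryName = "KW",
            organizationName = "My Organization",
            organizationalUnitName = "My Organization Unit",
            localityName = "Hawally",
        },
        SubjectAlternativeName = new SubjectAlternativeNames { Rfc822Name = "*****@*****.**" },
        friendlyName = "My Friendly Name",
        keyPurpose = new string[] { },
        keyUsage = BuilderKeyUsage.DigitalSignature,
        signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
        NotAfter = tenYears
    }.GenerateCSR();

    // csr.PrivateKey is exported exactly as the certificates above are, so it is
    // presumably an X509Certificate2 holding the CSR's key pair — confirm against the builder.
    byte[] csrKeyData = csr.PrivateKey.Export(X509ContentType.Pkcs12, pfxPassword);
    File.WriteAllBytes("csrPrivateKey.pfx", csrKeyData);
    File.WriteAllText("csrPrivateKey.cer", ExportToPEM(csr.PrivateKey));
    File.WriteAllText("csr.csr", csr.CSRPEM);
}

/// <summary>
/// Writes <paramref name="cert"/> to the working directory as
/// <paramref name="baseName"/>.pfx (PKCS#12 including the private key, protected by
/// <paramref name="password"/>) and <paramref name="baseName"/>.cer (PEM via ExportToPEM).
/// </summary>
/// <param name="cert">Certificate with private key to export.</param>
/// <param name="baseName">File name without extension.</param>
/// <param name="password">Password protecting the PKCS#12 container.</param>
private static void WriteCertificateFiles(X509Certificate2 cert, string baseName, string password)
{
    byte[] pfx = cert.Export(X509ContentType.Pkcs12, password);
    File.WriteAllBytes(baseName + ".pfx", pfx);
    File.WriteAllText(baseName + ".cer", ExportToPEM(cert));
}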
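/// <summary>
/// Sample entry point: prompts for a CA thumbprint, locates that CA in the
/// LocalMachine\Root store, checks that it can actually issue (private key present,
/// currently valid, KeyCertSign key usage) and writes a server-authentication certificate
/// issued by it, with its private key, to EE.pfx in the working directory.
/// </summary>
/// <remarks>
/// The PFX password comes from the PFX_PASSWORD environment variable; the sample's
/// original hard-coded "abc123" is only a fallback, announced with a warning.
/// Failures are reported on the console rather than thrown, as in the original sample.
/// X509Certificate2Builder and the Builder* enums are project types.
/// </remarks>
private static void Main(string[] args)
{
    Console.Write("Please input the CA thumb print: ");
    // Thumbprints pasted from certificate UIs often carry spaces or a hidden
    // left-to-right mark; Find() matches the raw string, so reduce it to hex digits first.
    string caThumbprint = NormalizeThumbprint(Console.ReadLine());

    if (caThumbprint.Length == 0)
    {
        Console.WriteLine("No thumbprint was entered.");
    }
    else
    {
        // Key-protection secrets do not belong in source; take them from the environment.
        string pfxPassword = Environment.GetEnvironmentVariable("PFX_PASSWORD");
        if (string.IsNullOrEmpty(pfxPassword))
        {
            Console.Error.WriteLine("WARNING: PFX_PASSWORD is not set; falling back to the sample password \"abc123\".");
            pfxPassword = "abc123";
        }

        IssueServerCertificate(caThumbprint, pfxPassword);
    }

    Console.WriteLine("Press any key to exit...");
    Console.ReadKey();
}

/// <summary>
/// Reduces user-entered thumbprint text to upper-case hexadecimal digits, dropping
/// separators, whitespace and invisible characters. Returns an empty string for null.
/// </summary>
/// <param name="input">Raw console input, possibly null.</param>
/// <returns>Hex digits only, upper-cased.</returns>
private static string NormalizeThumbprint(string input)
{
    if (input == null)
    {
        return string.Empty;
    }

    char[] hex = new char[input.Length];
    int count = 0;
    foreach (char c in input)
    {
        if (Uri.IsHexDigit(c))
        {
            hex[count++] = char.ToUpperInvariant(c);
        }
    }
    return new string(hex, 0, count);
}

/// <summary>
/// Looks up the CA by thumbprint in LocalMachine\Root, verifies it is usable as an
/// issuer and, if so, builds a server-authentication certificate signed by it and writes
/// it to EE.pfx. Every failure is reported on the console; nothing is thrown.
/// </summary>
/// <param name="caThumbprint">Normalised hex thumbprint of the issuing CA.</param>
/// <param name="pfxPassword">Password protecting the exported PKCS#12 container.</param>
private static void IssueServerCertificate(string caThumbprint, string pfxPassword)
{
    Console.WriteLine("Finding CA from store...");

    X509Certificate2Collection matches;
    X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    try
    {
        store.Open(OpenFlags.ReadOnly);
        // validOnly:false so an expired or untrusted CA is still found and reported
        // below with a specific message instead of a generic "not found".
        matches = store.Certificates.Find(X509FindType.FindByThumbprint, caThumbprint, false);
    }
    finally
    {
        store.Close();
    }

    if (matches.Count == 0)
    {
        Console.WriteLine("No certificate was found.");
        return;
    }

    // A thumbprint identifies one certificate; if the store holds duplicates they are the same cert.
    X509Certificate2 ca = matches[0];

    if (!ca.HasPrivateKey)
    {
        Console.WriteLine("The certificate was found but its private key is not available, so it cannot sign.");
        return;
    }

    // X509Certificate2.NotBefore/NotAfter are local times, so compare against DateTime.Now.
    // A certificate issued by an expired CA fails chain validation immediately.
    DateTime now = DateTime.Now;
    if (now < ca.NotBefore || now > ca.NotAfter)
    {
        Console.WriteLine("The CA certificate is outside its validity period (" + ca.NotBefore + " - " + ca.NotAfter + ").");
        return;
    }

    // Key usage KeyCertSign is what authorises a certificate to sign other certificates.
    if (!HasKeyUsage(ca, X509KeyUsageFlags.KeyCertSign))
    {
        Console.WriteLine("The certificate found is not a CA.");
        return;
    }

    // Basic Constraints (2.5.29.19) is the other half of "is a CA"; validators check it,
    // so warn when the extension is present but does not assert cA=true.
    foreach (X509Extension extension in ca.Extensions)
    {
        X509BasicConstraintsExtension basicConstraints = extension as X509BasicConstraintsExtension;
        if (basicConstraints != null && !basicConstraints.CertificateAuthority)
        {
            Console.WriteLine("WARNING: the CA certificate's Basic Constraints do not set cA=true; issued certificates may fail chain validation.");
        }
    }

    // Validity is UTC in X.509 (DateTime.Now would shift it by the local offset). Keep the
    // leaf inside the issuer's validity so the chain stays valid for the leaf's whole life.
    DateTime notAfter = DateTime.UtcNow.AddYears(3);
    DateTime caNotAfterUtc = ca.NotAfter.ToUniversalTime();
    if (notAfter > caNotAfterUtc)
    {
        notAfter = caNotAfterUtc;
    }

    X509Certificate2Builder cerBuilder = new X509Certificate2Builder
    {
        DistinguishedName = new DistinguishedNames
        {
            commonName = "www.example.com",
            organizationName = "Example Organization",
            organizationalUnitName = "Example Organization Unit",
            localityName = "Hawally",
            stateOrProvinceName = "Kuwait",
            countryName = "KW"
        },
        SubjectAlternativeName = new SubjectAlternativeNames
        {
            Rfc822Name = "*****@*****.**",
            DnsName = new string[]
            {
                "www.example.com",
                "example.com",
                "api.example.com",
                "ws.example.com",
                "admin.example.com",
                "you.example.com",
            }
        },
        friendlyName = "My Server Certificate",
        Issuer = ca,
        Intermediate = false,
        keyPurpose = new string[] { BuilderKeyPurpose.IdKPClientAuth, BuilderKeyPurpose.IdKPServerAuth },
        keyUsage = BuilderKeyUsage.DigitalSignature | BuilderKeyUsage.KeyEncipherment,
        signatureAlgorithm = PKCS15SignatureAlgorithm.SHA256WITHRSA,
        NotAfter = notAfter
    };

    Console.WriteLine("Building the certificate...");
    X509Certificate2 ee = cerBuilder.Build();
    Console.WriteLine("Done building, now exporting the private key.");

    // EE.pfx contains the private key and inherits the working directory's permissions.
    byte[] certData = ee.Export(X509ContentType.Pkcs12, pfxPassword);
    File.WriteAllBytes("EE.pfx", certData);
    Console.WriteLine("Done, please find the file EE.pfx at the run location.");
}

/// <summary>
/// Returns true when the certificate carries a Key Usage extension (OID 2.5.29.15)
/// that includes every bit of <paramref name="flag"/>. A missing extension yields false.
/// </summary>
/// <param name="cert">Certificate to inspect.</param>
/// <param name="flag">Key usage bits that must all be present.</param>
private static bool HasKeyUsage(X509Certificate2 cert, X509KeyUsageFlags flag)
{
    foreach (X509Extension extension in cert.Extensions)
    {
        if (extension.Oid == null || extension.Oid.Value != "2.5.29.15")
        {
            continue;
        }

        // The collection normally yields a typed instance for this OID; decode the raw
        // extension ourselves if it did not, instead of risking an InvalidCastException.
        X509KeyUsageExtension keyUsage = extension as X509KeyUsageExtension
            ?? new X509KeyUsageExtension(extension, extension.Critical);
        if ((keyUsage.KeyUsages & flag) == flag)
        {
            return true;
        }
    }
    return false;
}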