Esempio n. 1
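        /// <summary>
        /// Sample entry point. Builds a self-signed CA, three end-entity certificates issued
        /// by that CA (exchange, signing, server authentication) and a CSR, and writes each of
        /// them to the current directory as a password-protected PKCS#12 bundle (.pfx) plus a
        /// PEM certificate (.cer); the CSR itself is written to csr.csr.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        private static void Main(string[] args)
        {
            //Password applied to every PKCS#12 export below. A fixed value is only acceptable
            //in a throw-away sample: the CA private key is written to disk under it, so anything
            //beyond a demo must obtain it from a secret store instead of source.
            const string pfxPassword = "abc123";

            //Validity end shared by every certificate. The value is local time; the builder is
            //assumed to normalise it to UTC when encoding notAfter — confirm against
            //X509Certificate2Builder before relying on the exact expiry instant.
            DateTime notAfter = DateTime.Now.AddYears(10);

            //Create a self signed certificate authority certificate
            X509Certificate2 ca = new X509Certificate2Builder
            {
                DistinguishedName = new DistinguishedNames
                {
                    commonName             = "Selfsigned CA",
                    countryName            = "KW",
                    localityName           = "Hawally",
                    organizationalUnitName = "My Organization Unit",
                    organizationName       = "My Organization"
                },
                SubjectAlternativeName = new SubjectAlternativeNames
                {
                    Rfc822Name = "*****@*****.**"
                },
                friendlyName       = "My CA",
                keyPurpose         = new string[] { BuilderKeyPurpose.AnyExtendedKeyUsage },
                //keyCertSign and cRLSign are what allow this key to act as an issuer
                keyUsage           = BuilderKeyUsage.DigitalSignature | BuilderKeyUsage.CrlSign | BuilderKeyUsage.KeyCertSign,
                signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
                NotAfter           = notAfter
            }.Build();

            //Export CA to file. CA.pfx contains the CA private key; keep it off any shared path.
            WriteCertificateFiles(ca, "CA", pfxPassword);

            //Use the created CA to create EE (End Entity) certificates

            //Exchange certificate creation
            X509Certificate2 eeExchange = new X509Certificate2Builder
            {
                DistinguishedName = new DistinguishedNames
                {
                    otherDN = new Dictionary <string, string>
                    {
                        { "CN", "My Name" },
                        { "C", "KW" },
                        { "O", "My Organization" },
                        { "OU", "My Organization Unit" },
                        { "L", "Hawally" },
                        { "E", "*****@*****.**" }
                    }
                },
                friendlyName       = "My Exchange Certificate",
                Issuer             = ca,
                Intermediate       = false,
                keyPurpose         = new string[] { },
                keyUsage           = BuilderKeyUsage.DigitalSignature | BuilderKeyUsage.DataEncipherment,
                signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
                NotAfter           = notAfter
            }.Build();

            //Export the exchange certificate to file
            WriteCertificateFiles(eeExchange, "eeExchange", pfxPassword);

            //Signing certificate creation
            X509Certificate2 eeSigning = new X509Certificate2Builder
            {
                //The E= component of this string looks mangled in the published sample; restore the intended address.
                SubjectName        = "CN=My Name, C=KW, O=My Organization, OU=My Organization Unit, L=Hawally, [email protected]",
                friendlyName       = "My Signing Certificate",
                Issuer             = ca,
                Intermediate       = false,
                keyPurpose         = new string[] { },
                keyUsage           = BuilderKeyUsage.DigitalSignature,
                signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
                NotAfter           = notAfter
            }.Build();

            //Export the signing certificate to file
            WriteCertificateFiles(eeSigning, "eeSigning", pfxPassword);

            //Server authentication certificate creation
            X509Certificate2 serverAuth = new X509Certificate2Builder
            {
                DistinguishedName = new DistinguishedNames
                {
                    commonName             = "www.example.com",
                    organizationName       = "My Organization",
                    organizationalUnitName = "My Organization Unit",
                    localityName           = "Hawally",
                    stateOrProvinceName    = "Kuwait",
                    countryName            = "KW"
                },
                SubjectAlternativeName = new SubjectAlternativeNames
                {
                    Rfc822Name = "*****@*****.**",
                    //Every host the certificate must be valid for; TLS clients match against these, not the CN
                    DnsName    = new string[]
                    {
                        "www.example.com",
                        "example.com",
                        "api.example.com",
                        "ws.example.com",
                        "admin.example.com",
                        "you.example.com",
                    }
                },
                friendlyName       = "My Server Certificate",
                Issuer             = ca,
                Intermediate       = false,
                keyPurpose         = new string[] { BuilderKeyPurpose.IdKPServerAuth, BuilderKeyPurpose.IdKPClientAuth },
                criticalKeyPurpose = true,
                keyUsage           = BuilderKeyUsage.DigitalSignature | BuilderKeyUsage.KeyEncipherment,
                criticalKeyUsage   = true,
                signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
                NotAfter           = notAfter
            }.Build();

            //Export the server authentication certificate to file
            WriteCertificateFiles(serverAuth, "serverAuth", pfxPassword);

            //Create CSR (certificate signing request)
            X509Certificate2Builder.CSR csr = new X509Certificate2Builder
            {
                //SubjectName = "CN=My Name, C=KW, O=My Organization, OU=My Organization Unit, L=Hawally, [email protected]",
                DistinguishedName = new DistinguishedNames
                {
                    commonName             = "My Name",
                    countryName            = "KW",
                    organizationName       = "My Organization",
                    organizationalUnitName = "My Organization Unit",
                    localityName           = "Hawally",
                },
                SubjectAlternativeName = new SubjectAlternativeNames
                {
                    Rfc822Name = "*****@*****.**"
                },
                friendlyName       = "My Friendly Name",
                keyPurpose         = new string[] { },
                keyUsage           = BuilderKeyUsage.DigitalSignature,
                signatureAlgorithm = PKCS15SignatureAlgorithm.SHA512WITHRSA,
                NotAfter           = notAfter
            }.GenerateCSR();

            //The CSR's key pair stays with the requester; only csr.csr is handed to the issuer.
            WriteCertificateFiles(csr.PrivateKey, "csrPrivateKey", pfxPassword);
            File.WriteAllText("csr.csr", csr.CSRPEM);
        }

        /// <summary>
        /// Writes <paramref name="certificate"/> to the current directory as a password-protected
        /// PKCS#12 bundle (<c>baseName.pfx</c>; the private key is included when the certificate
        /// carries one) and as a PEM certificate (<c>baseName.cer</c>).
        /// </summary>
        /// <param name="certificate">Certificate to export.</param>
        /// <param name="baseName">File name without extension.</param>
        /// <param name="pfxPassword">Password applied to the PKCS#12 export.</param>
        private static void WriteCertificateFiles(X509Certificate2 certificate, string baseName, string pfxPassword)
        {
            byte[] pfx = certificate.Export(X509ContentType.Pkcs12, pfxPassword);
            File.WriteAllBytes(baseName + ".pfx", pfx);
            File.WriteAllText(baseName + ".cer", ExportToPEM(certificate));
        }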
Esempio n. 2
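        /// <summary>
        /// Sample entry point. Reads a CA thumbprint from the console, looks the CA up in the
        /// local machine's Trusted Root store, checks that it can issue certificates here
        /// (private key present, key usage includes keyCertSign), then builds a server
        /// authentication certificate signed by it and writes it to EE.pfx.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        private static void Main(string[] args)
        {
            //Password applied to the PKCS#12 export; fixed here only because this is a sample.
            const string pfxPassword = "abc123";

            //Take the thumb print from user. ReadLine returns null when input is closed, and
            //Find must not be handed a null or empty value.
            Console.Write("Please input the CA thumb print: ");
            string caThumbprint = (Console.ReadLine() ?? string.Empty).Trim();

            X509Certificate2 ca = null;
            if (caThumbprint.Length == 0)
            {
                Console.WriteLine("No thumb print was entered.");
            }
            else
            {
                Console.WriteLine("Finding CA from store...");
                ca = FindIssuingCa(caThumbprint);
            }

            if (ca != null)
            {
                //Initialize the new certificate
                X509Certificate2Builder cerBuilder = new X509Certificate2Builder
                {
                    DistinguishedName = new DistinguishedNames
                    {
                        commonName             = "www.example.com",
                        organizationName       = "Example Organization",
                        organizationalUnitName = "Example Organization Unit",
                        localityName           = "Hawally",
                        stateOrProvinceName    = "Kuwait",
                        countryName            = "KW"
                    },
                    SubjectAlternativeName = new SubjectAlternativeNames
                    {
                        Rfc822Name = "*****@*****.**",
                        //Every host the certificate must be valid for; TLS clients match against these, not the CN
                        DnsName    = new string[]
                        {
                            "www.example.com",
                            "example.com",
                            "api.example.com",
                            "ws.example.com",
                            "admin.example.com",
                            "you.example.com",
                        }
                    },
                    friendlyName = "My Server Certificate",
                    Issuer       = ca,
                    Intermediate = false,
                    keyPurpose   = new string[]
                    {
                        BuilderKeyPurpose.IdKPClientAuth,
                        BuilderKeyPurpose.IdKPServerAuth
                    },
                    keyUsage           = BuilderKeyUsage.DigitalSignature | BuilderKeyUsage.KeyEncipherment,
                    signatureAlgorithm = PKCS15SignatureAlgorithm.SHA256WITHRSA,
                    //Local time; the builder is assumed to normalise it to UTC when encoding notAfter — confirm.
                    NotAfter           = DateTime.Now.AddYears(3)
                };

                //Build the certificate
                Console.WriteLine("Building the certificate...");
                X509Certificate2 ee = cerBuilder.Build();
                Console.WriteLine("Done building, now exporting the private key.");

                //Export the private key as PFX
                byte[] certData = ee.Export(X509ContentType.Pkcs12, pfxPassword);
                File.WriteAllBytes("EE.pfx", certData);

                Console.WriteLine("Done, please find the file EE.pfx at the run location.");
            }

            Console.WriteLine("Press any key to exit...");
            Console.ReadKey();
        }

        /// <summary>
        /// Looks <paramref name="thumbprint"/> up in the local machine's Trusted Root store and
        /// returns the certificate when it is usable as an issuer here: it must carry a private
        /// key and its key usage extension must include keyCertSign.
        /// </summary>
        /// <param name="thumbprint">Hex thumbprint of the CA certificate; must be non-empty.</param>
        /// <returns>The usable CA certificate, or <c>null</c> after printing the reason to the console.</returns>
        private static X509Certificate2 FindIssuingCa(string thumbprint)
        {
            //Search the store for it. The store is always closed, even if Find throws.
            X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
            X509Certificate2Collection cers;
            store.Open(OpenFlags.ReadOnly);
            try
            {
                //validOnly is false, so a CA that fails chain or time validation is still returned here
                cers = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            }
            finally
            {
                store.Close();
            }

            //See if cert was found
            if (cers.Count <= 0)
            {
                Console.WriteLine("No certificate was found.");
                return null;
            }

            //Cert was found, now check that we hold its private key. Using a LocalMachine
            //private key may additionally require rights the running user does not have.
            X509Certificate2 candidate = cers[0];
            if (!candidate.HasPrivateKey)
            {
                Console.WriteLine("The certificate found has no private key.");
                return null;
            }

            //Now check whether the certificate is capable of signing another certificate.
            if (!HasKeyCertSign(candidate))
            {
                Console.WriteLine("The certificate found is not a CA.");
                return null;
            }

            return candidate;
        }

        /// <summary>
        /// Returns <c>true</c> when the certificate's key usage extension (OID 2.5.29.15)
        /// includes keyCertSign, i.e. the key is permitted to sign other certificates.
        /// A certificate with no key usage extension yields <c>false</c>.
        /// </summary>
        /// <param name="certificate">Certificate whose extensions are inspected.</param>
        private static bool HasKeyCertSign(X509Certificate2 certificate)
        {
            foreach (X509Extension extension in certificate.Extensions)
            {
                //OID 2.5.29.15 is for key usage
                if (!string.Equals(extension.Oid.Value, "2.5.29.15", StringComparison.Ordinal))
                {
                    continue;
                }

                //The collection typically already holds this OID as X509KeyUsageExtension; re-wrapping
                //the raw data covers the case where it is only a plain X509Extension instead of casting.
                X509KeyUsageExtension ext = extension as X509KeyUsageExtension
                    ?? new X509KeyUsageExtension(extension, extension.Critical);

                //the key usage KeyCertSign is used for signing certificates
                if ((ext.KeyUsages & X509KeyUsageFlags.KeyCertSign) == X509KeyUsageFlags.KeyCertSign)
                {
                    return true;
                }
            }

            return false;
        }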