/// <summary> /// Submit a certificate signing request to a certificate authority, such as a server running Active Directory Certificate Services, and return the certificate or response. /// </summary> /// <param name="csr">Certificate signing request to be submitted.</param> /// <param name="friendlyName">The friendly name of the certificate.</param> /// <param name="caServer">The certificate authority server instance.</param> /// <param name="csrResponse">Response from the certificate signing request, represented as a CsrResponse enum.</param> /// <param name="dispositionMessage">Message returned when a certificate signing fails.</param> public X509Certificate2 SubmitCertificateSigningRequest(CX509CertificateRequestCertificate csr, string friendlyName, string caServer, out CsrResponse csrResponse, out string dispositionMessage) { // Convert the certificate signing request to base-64.. CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(csr); enrollment.CertificateFriendlyName = friendlyName; string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Submit the request to the certificate authority. CCertRequest certRequest = new CCertRequest(); int csrResponseCode = certRequest.Submit(CR_IN_BASE64 | CR_IN_FORMATANY, csrText, string.Empty, caServer); // React to our response response from the certificate authority. switch (csrResponseCode) { case 3: // Issued. csrResponse = CsrResponse.CR_DISP_ISSUED; dispositionMessage = ""; return new X509Certificate2(Encoding.UTF8.GetBytes(certRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN))); case 5: // Pending. csrResponse = CsrResponse.CR_DISP_UNDER_SUBMISSION; dispositionMessage = ""; return null; default: // Failure. csrResponse = CsrResponse.CR_DISP_FAILED; dispositionMessage = certRequest.GetDispositionMessage(); return null; } }
// create a certificate for testing // https://stackoverflow.com/q/18339706 static public X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expirationLength) { // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); CX509PrivateKey privateKey = new CX509PrivateKey { ProviderName = "Microsoft Strong Cryptographic Provider", Length = 2048, KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE, KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG, MachineContext = true, ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG }; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now.Date; // this cert expires immediately. Change to whatever makes sense for you cert.NotAfter = cert.NotBefore + expirationLength; cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) return(new System.Security.Cryptography.X509Certificates.X509Certificate2( System.Convert.FromBase64String(base64encoded), "", // mark the private key as exportable (this is usually what you want to do) // mark private key to go into the Machine store instead of the current users store X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet )); }
// http://stackoverflow.com/questions/13806299/how-to-create-a-self-signed-certificate-using-c private static X509Certificate2 CreateSelfSignedCertificate(string subjectName) { // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); // create a new private key for the certificate CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // add extended key usage if you want - look at MSDN for a list of possible OIDs var oid = new CObjectId(); oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server var oidlist = new CObjectIds(); oidlist.Add(oid); var eku = new CX509ExtensionEnhancedKeyUsage(); eku.InitializeEncode(oidlist); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now; // this cert expires immediately. Change to whatever makes sense for you cert.NotAfter = DateTime.Now; cert.X509Extensions.Add((CX509Extension)eku); // add the EKU cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64); // instantiate the target class with the PKCS#12 data (and the empty password) return new System.Security.Cryptography.X509Certificates.X509Certificate2( System.Convert.FromBase64String(base64encoded), "", // mark the private key as exportable (this is usually what you want to do) System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable ); }
private CX509CertificateRequestCertificate CreateCertificateRequest(string publisherName) { // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode("CN=" + publisherName); // create a new private key for the certificate var privateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey")); privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; privateKey.MachineContext = false; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; cert.NotBefore = DateTime.Now.Date.AddDays(-1); cert.NotAfter = DateTime.Now.Date.AddYears(1); return(cert); }
private CX509CertificateRequestCertificate FinalizeRequest(CX509CertificateRequestCertificate cert) { var subDN = new CX500DistinguishedName(); subDN.Encode("CN=" + SubjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); cert.Subject = subDN; cert.Issuer = cert.Subject; cert.NotBefore = DateTime.Now; cert.NotAfter = ValidUntil; for (int i = 0; i < ExtensionsToAdd.Count; i++) { var ext = ExtensionsToAdd[i]; cert.X509Extensions.Add(ext); } var sigId = new CObjectId(); var hash = Oid.FromFriendlyName(Algorithm, OidGroup.HashAlgorithm); sigId.InitializeFromValue(hash.Value); cert.SignatureInformation.HashAlgorithm = sigId; // Complete it cert.Encode(); ExtensionsToAdd.Clear(); return(cert); }
/// <summary> /// Generate a self-signed certificate and add it to the Windows certificate store. /// </summary> /// <param name="subjectName">The subject name of the certificate.</param> /// <param name="friendlyName">The friendly name of the certificate.</param> /// <param name="location">Location of the certificate; either the Current User or Local Machine.</param> /// <param name="addAsTrustedRoot">Whether to add the generated certificate as a trusted root.</param> /// <param name="keyLength">Size of the key in bits.</param> /// <param name="durationYears">Duration of the certificate, specified in years.</param> /// <param name="oids">Collection of OIDs identifying certificate usage.</param> public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, string friendlyName, StoreLocation location, bool addAsTrustedRoot, int keyLength, int durationYears, List <string> oids) { // Create the self-signing request. CX509CertificateRequestCertificate cert = CreateCertificateSigningRequest(subjectName, keyLength, durationYears, oids); // Enroll based on the certificate signing request. CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(cert); enrollment.CertificateFriendlyName = friendlyName; string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Install the certificate chain. Note that no password is specified. enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csrText, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // Base-64 encode the PKCS#12 certificate in order to re-import it. string pfx = enrollment.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot); // Instantiate the PKCS#12 certificate. X509Certificate2 certificate = new X509Certificate2(System.Convert.FromBase64String(pfx), "", X509KeyStorageFlags.Exportable); // If specified, also install the certificate to the trusted root store. if (addAsTrustedRoot) { X509Store rootStore = new X509Store(StoreName.Root, location); rootStore.Open(OpenFlags.ReadWrite); rootStore.Add(certificate); rootStore.Close(); } return(certificate); }
/// <summary> /// Submit a certificate signing request to a certificate authority, such as a server running Active Directory Certificate Services, and return the certificate or response. /// </summary> /// <param name="csr">Certificate signing request to be submitted.</param> /// <param name="friendlyName">The friendly name of the certificate.</param> /// <param name="caServer">The certificate authority server instance.</param> /// <param name="csrResponse">Response from the certificate signing request, represented as a CsrResponse enum.</param> /// <param name="dispositionMessage">Message returned when a certificate signing fails.</param> public X509Certificate2 SubmitCertificateSigningRequest(CX509CertificateRequestCertificate csr, string friendlyName, string caServer, out CsrResponse csrResponse, out string dispositionMessage) { // Convert the certificate signing request to base-64.. CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(csr); enrollment.CertificateFriendlyName = friendlyName; string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); // Submit the request to the certificate authority. CCertRequest certRequest = new CCertRequest(); int csrResponseCode = certRequest.Submit(CR_IN_BASE64 | CR_IN_FORMATANY, csrText, string.Empty, caServer); // React to our response response from the certificate authority. switch (csrResponseCode) { case 3: // Issued. csrResponse = CsrResponse.CR_DISP_ISSUED; dispositionMessage = ""; return(new X509Certificate2(Encoding.UTF8.GetBytes(certRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN)))); case 5: // Pending. csrResponse = CsrResponse.CR_DISP_UNDER_SUBMISSION; dispositionMessage = ""; return(null); default: // Failure. csrResponse = CsrResponse.CR_DISP_FAILED; dispositionMessage = certRequest.GetDispositionMessage(); return(null); } }
/// <summary> /// Creates a self signed certificate given the parameters. /// </summary> /// <param name="subject"></param> /// <param name="cipher"></param> /// <param name="keysize"></param> /// <param name="api"></param> /// <returns></returns> public X509Certificate2 CreateSelfSignedCertificate(CertificateSubject subject, CipherAlgorithm cipher, int keysize, WindowsApi api) { CX509PrivateKey privateKey = CreatePrivateKey(cipher, keysize); CX509CertificateRequestCertificate pkcs10 = NewCertificateRequestCrc(subject, privateKey); pkcs10.Issuer = pkcs10.Subject; pkcs10.NotBefore = DateTime.Now.AddDays(-1); pkcs10.NotAfter = DateTime.Now.AddYears(20); var sigoid = new CObjectId(); var alg = new Oid("SHA256"); sigoid.InitializeFromValue(alg.Value); pkcs10.SignatureInformation.HashAlgorithm = sigoid; pkcs10.Encode(); CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(pkcs10); string csr = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); InstallResponseRestrictionFlags restrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate; enrollment.InstallResponse(restrictionFlags, csr, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty); string pwd = secret.NewSecret(16); string pfx = enrollment.CreatePFX(pwd, PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64); return(new X509Certificate2(Convert.FromBase64String(pfx), pwd)); }
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName) { //To make a certificate was used system library from CERTENROLLLib //This lib provides methods for creation certificates in windows envinronment //Defines the subject and issuer of the cert CX500DistinguishedName dn = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); //Create a new private key for the certificate //Was decided not to make them variably in this progr CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; //issuer for a selfsigned certificate privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; //Use is not limited privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); //Use trong SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // The issuer and the subject are the same cert.NotBefore = DateTime.Now; cert.NotAfter = new DateTime(2018, 12, 31); // I don't think that anybody cares about using this cert longer than this period cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // Encode the certificate // Do the final stuff //Enroll is var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // password isn't possible PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) return(new X509Certificate2(Convert.FromBase64String(base64encoded), "", // mark the private key as exportable, coz we want to put it into registry X509KeyStorageFlags.Exportable)); }
public static X509Certificate2 CreateSelfSignedCertificate(string issuer, string name) { try { // create a DN for issuer and subject var dn = new CX500DistinguishedName(); dn.Encode("CN=" + issuer, X500NameFlags.XCN_CERT_NAME_STR_NONE); // create a private key for the certificate var privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); // use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // add extended key usage (look at MSDN for a list of possible OIDs) var oid = new CObjectId(); oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server var oidlist = new CObjectIds(); oidlist.Add(oid); var eku = new CX509ExtensionEnhancedKeyUsage(); eku.InitializeEncode(oidlist); // create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Issuer = dn; cert.Subject = dn; cert.NotBefore = DateTime.Now; cert.NotAfter = DateTime.Now.AddYears(1); // 1 year expiration cert.X509Extensions.Add((CX509Extension)eku); cert.HashAlgorithm = hashobj; cert.Encode(); // do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); enroll.CertificateFriendlyName = name; string csr = enroll.CreateRequest(); // output a base64 encoded PKCS#12 enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot); // return the certificate return(new X509Certificate2(Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable)); } catch (Exception exc) { Trace.TraceError("Failed to create a self-signed certificate ({0})", exc); throw; } }
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, DateTime startDate, DateTime endDate, String password) { // Create DistinguishedName for subject and issuer var name = new CX500DistinguishedName(); name.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); // Create a new Private Key for the certificate CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; privateKey.Length = 2048; privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"; privateKey.MachineContext = true; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; privateKey.Create(); // Define the hashing algorithm var serverauthoid = new CObjectId(); serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server Authentication var ekuoids = new CObjectIds(); ekuoids.Add(serverauthoid); var ekuext = new CX509ExtensionEnhancedKeyUsage(); ekuext.InitializeEncode(ekuoids); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, String.Empty); cert.Subject = name; cert.Issuer = cert.Subject; cert.NotBefore = startDate; cert.NotAfter = endDate; cert.X509Extensions.Add((CX509Extension)ekuext); cert.Encode(); // Enroll the certificate var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); string certData = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER); enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, certData, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, String.Empty); var base64encoded = enroll.CreatePFX(password, PFXExportOptions.PFXExportChainWithRoot); // Instantiate the target class with the PKCS#12 data return(new X509Certificate2( System.Convert.FromBase64String(base64encoded), password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable)); }
private void AddBasicConstraints(CX509CertificateRequestCertificate cert) { // Add basic constraints var bc = new CX509ExtensionBasicConstraints(); bc.InitializeEncode(false, 0); bc.Critical = true; cert.X509Extensions.Add((CX509Extension)bc); }
private void AddKeyUsage(CX509CertificateRequestCertificate cert) { // Add key usage var ku = new CX509ExtensionKeyUsage(); ku.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE); ku.Critical = false; cert.X509Extensions.Add((CX509Extension)ku); }
public X509Certificate2 GenerateCertificate() { SetEnhancedUsages(); SetKeyUsages(); SetBasicConstraints(); CX509CertificateRequestCertificate certReq = CreateRequest(); certReq = FinalizeRequest(certReq); X509Certificate2 cert = CreateNewCertificate(certReq); return(cert); }
private X509Certificate2 CreateNewCertificate(CX509CertificateRequestCertificate cert) { var enr = new CX509Enrollment { CertificateFriendlyName = FriendlyName }; enr.InitializeFromRequest(cert); string endCert = enr.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); enr.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, endCert, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty); byte[] certBytes = Convert.FromBase64String(endCert); return(new X509Certificate2(certBytes)); }
private void AddExtendedKeyUsage(CX509CertificateRequestCertificate cert) { // Add extended key usage var eku = new CX509ExtensionEnhancedKeyUsage(); var oid = new CObjectId(); oid.InitializeFromValue("1.3.6.1.5.5.7.3.3"); eku.InitializeEncode(new CObjectIds() { oid }); eku.Critical = true; cert.X509Extensions.Add((CX509Extension)eku); }
private CX509CertificateRequestCertificate NewCertificateRequestCrc(CertificateSubject subject, CX509PrivateKey privateKey) { CX509CertificateRequestCertificate crc = new CX509CertificateRequestCertificate(); crc.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); crc.X509Extensions.Add(GetQualifiedSan(subject.SubjectAlternativeName)); crc.X509Extensions.Add(GetKeyUsage()); crc.Subject = GetEncodedSubject(subject); return(crc); }
public X509Certificate2 GenerateNewCert(string subject, string friendlyName, DateTime validUntil, Algorithm hash, int keyLength) { if (ExtensionsToAdd == null) { ExtensionsToAdd = new List <CX509Extension>(); } SetEnhancedUsages(); SetKeyUsages(); SetBasicConstraints(); CX509CertificateRequestCertificate certReq = CreateRequest((KeyLengths)keyLength); certReq = FinalizeRequest(certReq, subject, validUntil, hash); X509Certificate2 cert = CreateNewCertificate(certReq, friendlyName); ExtensionsToAdd.Clear(); return(cert); }
private CX509CertificateRequestCertificate CreateRequest(KeyLengths keyLength) { var pk = new CX509PrivateKey { ProviderName = provName }; var algId = new CObjectId(); var algVal = Oid.FromFriendlyName("RSA", OidGroup.PublicKeyAlgorithm); algId.InitializeFromValue(algVal.Value); pk.Algorithm = algId; pk.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // If this value is anything other KEYEXCHANGE, the certificate cannot be used for decrypting content. pk.Length = (int)keyLength; pk.MachineContext = true; pk.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE; pk.Create(); var req = new CX509CertificateRequestCertificate(); var useCtx = (X509CertificateEnrollmentContext)StoreLocation.LocalMachine; req.InitializeFromPrivateKey(useCtx, pk, string.Empty); return(req); }
private CX509CertificateRequestCertificate CreateRequest() { var pk = new CX509PrivateKey { ProviderName = provName }; var algId = new CObjectId(); var algVal = Oid.FromFriendlyName("RSA", OidGroup.PublicKeyAlgorithm); algId.InitializeFromValue(algVal.Value); pk.Algorithm = algId; pk.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; pk.Length = KeyLength; pk.MachineContext = MachineContext; pk.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; pk.Create(); var req = new CX509CertificateRequestCertificate(); var useCtx = (X509CertificateEnrollmentContext)Store; req.InitializeFromPrivateKey(useCtx, pk, string.Empty); return(req); }
/// <summary> /// Generates a certificate signing request for use with Xbox Live. /// </summary> public string GenerateCertRequest() { this.EnsureAdmin(); CX509CertificateRequestCertificate certRequest = new CX509CertificateRequestCertificate(); certRequest.Initialize(X509CertificateEnrollmentContext.ContextMachine); certRequest.PrivateKey.Length = 2048; certRequest.PrivateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"; certRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; CX500DistinguishedName subject = new CX500DistinguishedName(); subject.Encode("CN=NOT USED"); certRequest.Subject = subject; CX509Enrollment enroll = new CX509Enrollment(); enroll.InitializeFromRequest(certRequest); enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER); this.privateKey = certRequest.PrivateKey.Export("PRIVATEBLOB", EncodingType.XCN_CRYPT_STRING_BASE64).ToSecureString(); return(certRequest.PrivateKey.Export("PUBLICBLOB", EncodingType.XCN_CRYPT_STRING_BASE64 | EncodingType.XCN_CRYPT_STRING_NOCRLF)); }
/// <summary> /// Certificate constructor to intialize objects and values required to create a certificate /// </summary> public Certificate() { try { // Create objects required objCertRequest = new CX509CertificateRequestCertificate(); objCSP = new CCspInformation(); objCSPs = new CCspInformations(); objDN = new CX500DistinguishedName(); objEnroll = new CX509Enrollment(); objObjectId = new CObjectId(); objPrivateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey")); // Friendly name this.FriendlyName = ""; // Set default values. Refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374846(v=vs.85).aspx this.CryptographicProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"; this.KeySize = 2048; // Use key for encryption this.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // The key can be used for decryption this.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG; // Create for user and not machine this.MachineContext = false; // Default to expire in 1 year this.ExpirationLengthInDays = 365; // Let th private key be exported in plain text this.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; // This is intended for a computer this.EnrollmentContextMachine = X509CertificateEnrollmentContext.ContextUser; // Use a hasing algorithm this.ObjectIdGroupId = ObjectIdGroupId. XCN_CRYPT_HASH_ALG_OID_GROUP_ID; this.ObjectIdPublicKeyFlags = ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY; this.AlgorithmFlags = AlgorithmFlags.AlgorithmFlagsNone; // Use SHA-2 with 512 bits this.AlgorithmName = "SHA512"; this.EncodingType = EncodingType.XCN_CRYPT_STRING_BASE64; // Allow untrusted certificate to be installed this.InstallResponseRestrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate; // No password set this.Password = null; // Enable key to be exported, keep the machine set, and persist the key set // https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx this.ExportableFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet; } catch (Exception ex) { throw ex; } }
/// <summary> /// Create a certificate signing request. /// </summary> /// <param name="subjectName">The subject name of the certificate.</param> /// <param name="keyLength">Size of the key in bits.</param> /// <param name="durationYears">Duration of the certificate, specified in years.</param> /// <param name="oids">Collection of OIDs identifying certificate usage.</param> public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List <string> oids) { // Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc.. if (subjectName.IndexOf("=") < 0) { subjectName = "CN=" + subjectName; } // Generate a distinguished name. CX500DistinguishedName distinguishedName = new CX500DistinguishedName(); distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); // Generate a private key. CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; privateKey.Length = keyLength; privateKey.MachineContext = true; privateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"; privateKey.Create(); // Use the SHA-512 hashing algorithm. CObjectId hashAlgorithm = new CObjectId(); hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // Load the OIDs passed in and specify enhanced key usages. CObjectIds oidCollection = new CObjectIds(); foreach (string oidID in oids) { CObjectId oid = new CObjectId(); oid.InitializeFromValue(oidID); oidCollection.Add(oid); } CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage(); keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE); CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage(); enhancedKeyUsages.InitializeEncode(oidCollection); string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=") + 1); CAlternativeName sanAlternateName = new CAlternativeName(); sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName); CAlternativeNames sanAlternativeNames = new CAlternativeNames(); sanAlternativeNames.Add(sanAlternateName); CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames(); alternativeNamesExtension.InitializeEncode(sanAlternativeNames); CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities(); smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false); // Create the self-signing request. CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = distinguishedName; cert.Issuer = distinguishedName; cert.NotBefore = DateTime.Now; cert.NotAfter = DateTime.Now.AddYears(1); cert.X509Extensions.Add((CX509Extension)keyUsage); cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages); cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension); cert.X509Extensions.Add((CX509Extension)smimeCapabilities); cert.HashAlgorithm = hashAlgorithm; cert.Encode(); return(cert); }
/// <summary> /// Create a certificate signing request. /// </summary> /// <param name="subjectName">The subject name of the certificate.</param> /// <param name="keyLength">Size of the key in bits.</param> /// <param name="durationYears">Duration of the certificate, specified in years.</param> /// <param name="oids">Collection of OIDs identifying certificate usage.</param> public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List<string> oids) { // Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc.. if (subjectName.IndexOf("=") < 0) subjectName = "CN=" + subjectName; // Generate a distinguished name. CX500DistinguishedName distinguishedName = new CX500DistinguishedName(); distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); // Generate a private key. CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; privateKey.Length = keyLength; privateKey.MachineContext = true; privateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"; privateKey.Create(); // Use the SHA-512 hashing algorithm. CObjectId hashAlgorithm = new CObjectId(); hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // Load the OIDs passed in and specify enhanced key usages. CObjectIds oidCollection = new CObjectIds(); foreach (string oidID in oids) { CObjectId oid = new CObjectId(); oid.InitializeFromValue(oidID); oidCollection.Add(oid); } CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage(); keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE); CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage(); enhancedKeyUsages.InitializeEncode(oidCollection); string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=") + 1); CAlternativeName sanAlternateName = new CAlternativeName(); sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName); CAlternativeNames sanAlternativeNames = new CAlternativeNames(); sanAlternativeNames.Add(sanAlternateName); CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames(); alternativeNamesExtension.InitializeEncode(sanAlternativeNames); CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities(); smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false); // Create the self-signing request. CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = distinguishedName; cert.Issuer = distinguishedName; cert.NotBefore = DateTime.Now; cert.NotAfter = DateTime.Now.AddYears(1); cert.X509Extensions.Add((CX509Extension)keyUsage); cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages); cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension); cert.X509Extensions.Add((CX509Extension)smimeCapabilities); cert.HashAlgorithm = hashAlgorithm; cert.Encode(); return cert; }
private static string CreateCertContent(string cn, TimeSpan expirationLength, string pwd) { var base64encoded = string.Empty; var dn = new CX500DistinguishedName(); dn.Encode("CN=" + cn, X500NameFlags.XCN_CERT_NAME_STR_NONE); var privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Strong Cryptographic Provider"; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG; privateKey.MachineContext = true; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now.Date; // this cert expires immediately. Change to whatever makes sense for you cert.NotAfter = cert.NotBefore + expirationLength; cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = cn; // Optional: add a friendly name var csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, pwd); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes base64encoded = enroll.CreatePFX(pwd, // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); return base64encoded; }
public static X509Certificate2 CreateCertificate(string certSubject, bool isCA) { string CAsubject = certSubject; CX500DistinguishedName dn = new CX500DistinguishedName(); dn.Encode("CN=" + CAsubject, X500NameFlags.XCN_CERT_NAME_STR_NONE); string strRfc822Name = certSubject; CAlternativeName objRfc822Name = new CAlternativeName(); CAlternativeNames objAlternativeNames = new CAlternativeNames(); CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames(); // Set Alternative RFC822 Name objRfc822Name.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, strRfc822Name); // Set Alternative Names objAlternativeNames.Add(objRfc822Name); objExtensionAlternativeNames.InitializeEncode(objAlternativeNames); //objPkcs10.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames); //Issuer Property for cleanup string issuer = "__Interceptor_Trusted_Root"; CX500DistinguishedName issuerdn = new CX500DistinguishedName(); issuerdn.Encode("CN=" + issuer, X500NameFlags.XCN_CERT_NAME_STR_NONE); // Create a new Private Key CX509PrivateKey key = new CX509PrivateKey(); key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"; //"Microsoft Enhanced Cryptographic Provider v1.0" // Set CAcert to 1 to be used for Signature if (isCA) { key.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; } else { key.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; } key.Length = 2048; key.MachineContext = true; key.Create(); // Create Attributes //var serverauthoid = new X509Enrollment.CObjectId(); CObjectId serverauthoid = new CObjectId(); serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); CObjectIds ekuoids = new CObjectIds(); ekuoids.Add(serverauthoid); CX509ExtensionEnhancedKeyUsage ekuext = new CX509ExtensionEnhancedKeyUsage(); ekuext.InitializeEncode(ekuoids); CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, key, ""); cert.Subject = dn; cert.Issuer = issuerdn; cert.NotBefore = (DateTime.Now).AddDays(-1); //Backup One day to Avoid Timing Issues cert.NotAfter = cert.NotBefore.AddDays(90); //Arbitrary... Change to persist longer... //Use Sha256 CObjectId hashAlgorithmObject = new CObjectId(); hashAlgorithmObject.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, 0, 0, "SHA256"); cert.HashAlgorithm = hashAlgorithmObject; cert.X509Extensions.Add((CX509Extension)ekuext); cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames); //https://blogs.msdn.microsoft.com/alejacma/2011/11/07/how-to-add-subject-alternative-name-to-your-certificate-requests-c/ if (isCA) { CX509ExtensionBasicConstraints basicConst = new CX509ExtensionBasicConstraints(); basicConst.InitializeEncode(true, 1); cert.X509Extensions.Add((CX509Extension)basicConst); } else { var store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection signer = store.Certificates.Find(X509FindType.FindBySubjectName, "__Interceptor_Trusted_Root", false); CSignerCertificate signerCertificate = new CSignerCertificate(); signerCertificate.Initialize(true, 0, EncodingType.XCN_CRYPT_STRING_HEX, signer[0].Thumbprint); cert.SignerCertificate = signerCertificate; } cert.Encode(); CX509Enrollment enrollment = new CX509Enrollment(); enrollment.InitializeFromRequest(cert); string certdata = enrollment.CreateRequest(0); enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, certdata, 0, ""); if (isCA) { //Install CA Root Certificate X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection certList = store.Certificates.Find(X509FindType.FindBySubjectName, "__Interceptor_Trusted_Root", false); store.Close(); X509Store rootStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine); rootStore.Open(OpenFlags.ReadWrite); X509Certificate2Collection rootcertList = rootStore.Certificates.Find(X509FindType.FindBySubjectName, "__Interceptor_Trusted_Root", false); rootStore.Add(certList[0]); rootStore.Close(); return(certList[0]); } else { //Return Per Domain Cert X509Store xstore = new X509Store(StoreName.My, StoreLocation.LocalMachine); xstore.Open(OpenFlags.ReadOnly); X509Certificate2Collection certList = xstore.Certificates.Find(X509FindType.FindBySubjectName, certSubject, false); xstore.Close(); return(certList[0]); } }
// https://github.com/asafga-gsr-it/CertIntegration/blob/master/CertificateAdmin/CertificateAdmin/obj/Release/Package/PackageTmp/Certificate.cs // https://www.sysadmins.lv/blog-en/introducing-to-certificate-enrollment-apis-part-2-creating-offline-requests.aspx /* * public static X509Certificate2 CreateSelfSignedCA(string subjectName, DateTime notAfterUtc, bool machineContext) * { * // create DN for subject and issuer * var dn = new CX500DistinguishedName(); * dn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE); * * // create a new private key for the certificate * CX509PrivateKey privateKey = new CX509PrivateKey(); * privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; * privateKey.MachineContext = machineContext; * privateKey.Length = 2048; * privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited * privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; * privateKey.Create(); * * var hashobj = new CObjectId(); * hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, * ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, * AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); // https://docs.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers * * CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage(); * keyUsage.InitializeEncode( * CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | * CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE | * CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE | * CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE); * * CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints(); * bc.InitializeEncode(true, -1); // None * bc.Critical = true; * * // add extended key usage if you want - look at MSDN for a list of possible OIDs * var oid = new CObjectId(); * oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server Authentication * var oidlist = new CObjectIds(); * oidlist.Add(oid); * var eku = new CX509ExtensionEnhancedKeyUsage(); * eku.InitializeEncode(oidlist); * * // Create the self signing request * var cert = new CX509CertificateRequestCertificate(); * * cert.InitializeFromPrivateKey(machineContext ? X509CertificateEnrollmentContext.ContextMachine: X509CertificateEnrollmentContext.ContextUser, privateKey, ""); * cert.Subject = cert.Issuer = dn; // the issuer and the subject are the same * cert.NotBefore = DateTime.UtcNow.AddDays(-1); * cert.NotAfter = notAfterUtc; * cert.X509Extensions.Add((CX509Extension)keyUsage); * cert.X509Extensions.Add((CX509Extension)eku); // add the EKU * cert.X509Extensions.Add((CX509Extension)bc); * cert.HashAlgorithm = hashobj; // Specify the hashing algorithm * cert.Encode(); // encode the certificate * * // Do the final enrollment process * var enroll = new CX509Enrollment(); * enroll.InitializeFromRequest(cert); // load the certificate * enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name * string csr = enroll.CreateRequest(); // Output the request in base64 * * // install to MY store * enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password * * // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes * var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption * PFXExportOptions.PFXExportChainWithRoot); * * // instantiate the target class with the PKCS#12 data (and the empty password) * var x509Certificate2 = new X509Certificate2( * System.Convert.FromBase64String(base64encoded), "", * // mark the private key as exportable (this is usually what you want to do) * X509KeyStorageFlags.Exportable * ); * * X509Store rootStore = null; * try * { * rootStore = new X509Store(StoreName.Root, machineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser); * rootStore.Open(OpenFlags.ReadWrite); * // install to CA store * var crtPub = new X509Certificate2(x509Certificate2) { PrivateKey = null }; * rootStore.Add(crtPub); * crtPub.Reset(); * } * catch * { * // ignore when adding to trust root failed * } * finally * { * rootStore?.Close(); * } * * return x509Certificate2; * } */ public static X509Certificate2 CreateCertificate(string subjectName, string hostname, DateTime notAfterUtc, X509Certificate issuer, bool machineContext) { CSignerCertificate signerCertificate = new CSignerCertificate(); signerCertificate.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString()); // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE); // create a new private key for the certificate CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; privateKey.MachineContext = machineContext; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage(); keyUsage.InitializeEncode( CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE); CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints(); bc.InitializeEncode(false, 0); bc.Critical = false; // SAN CX509ExtensionAlternativeNames san = null; if (!string.IsNullOrEmpty(hostname)) { CAlternativeNames ians; if (IPAddress.TryParse(hostname, out var ip)) { var ian = new CAlternativeName(); ian.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(ip.GetAddressBytes())); ians = new CAlternativeNames { ian }; } else { var ian = new CAlternativeName(); ian.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, hostname); var ianStar = new CAlternativeName(); ianStar.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "*." + hostname); // wildcard ians = new CAlternativeNames { ian, ianStar }; } san = new CX509ExtensionAlternativeNames(); san.InitializeEncode(ians); } // add extended key usage if you want - look at MSDN for a list of possible OIDs var oid = new CObjectId(); oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server var oidlist = new CObjectIds(); oidlist.Add(oid); var eku = new CX509ExtensionEnhancedKeyUsage(); eku.InitializeEncode(oidlist); var dnIssuer = new CX500DistinguishedName(); dnIssuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(machineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser, privateKey, ""); cert.Subject = dn; cert.Issuer = dnIssuer; cert.SignerCertificate = signerCertificate; cert.NotBefore = DateTime.UtcNow.AddDays(-1); cert.NotAfter = notAfterUtc; cert.X509Extensions.Add((CX509Extension)keyUsage); cert.X509Extensions.Add((CX509Extension)eku); // EnhancedKeyUsage cert.X509Extensions.Add((CX509Extension)bc); // ExtensionBasicConstraints if (san != null) { cert.X509Extensions.Add((CX509Extension)san); // SAN } cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate //enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) var x509Certificate2 = new X509Certificate2( Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable); // mark the private key as exportable (this is usually what you want to do) return(x509Certificate2); }
/// <summary> /// Add Reference: COM > TypeLibraries > CertEnroll 1.0 Type Library /// </summary> /// <param name="subjectName"></param> /// <returns></returns> public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expiresIn) { // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); // create a new private key for the certificate CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // add extended key usage if you want - look at MSDN for a list of possible OIDs var oid = new CObjectId(); oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server var oidlist = new CObjectIds(); oidlist.Add(oid); var eku = new CX509ExtensionEnhancedKeyUsage(); eku.InitializeEncode(oidlist); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now; // this cert expires immediately. Change to whatever makes sense for you cert.NotAfter = DateTime.Now.Add(expiresIn); cert.X509Extensions.Add((CX509Extension)eku); // add the EKU cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) return(new System.Security.Cryptography.X509Certificates.X509Certificate2( System.Convert.FromBase64String(base64encoded), "", // mark the private key as exportable (this is usually what you want to do) System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable )); }
public static X509Certificate2 CreateCertificate(Certificate crt) { bool isCA = !crt.SignByCertificateAuthority; // create DN for subject and issuer var dn = new CX500DistinguishedName(); dn.Encode(GetEncodedDistinguishedName(crt), X500NameFlags.XCN_CERT_NAME_STR_NONE); // create a new private key for the certificate CX509PrivateKey privateKey = new CX509PrivateKey { ProviderName = "Microsoft Base Cryptographic Provider v1.0", MachineContext = crt.MachineContext, Length = crt.KeyLength, KeySpec = X509KeySpec.XCN_AT_SIGNATURE, // use is not limited ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG }; privateKey.Create(); var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, crt.DigestAlgorithm); CERTENROLLLib.X509KeyUsageFlags x509KeyUsageFlags; CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints(); if (isCA) { x509KeyUsageFlags = CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE; bc.InitializeEncode(true, -1); bc.Critical = true; } else { x509KeyUsageFlags = CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE; if (crt.CertificateType == CertificateType.ClientCertificate) { x509KeyUsageFlags |= CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE; } if (crt.CertificateType == CertificateType.ServerCertificate) { x509KeyUsageFlags |= CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE; } bc.InitializeEncode(false, -1); bc.Critical = false; } CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage(); keyUsage.InitializeEncode(x509KeyUsageFlags); keyUsage.Critical = false; // SAN var canList = new List <CAlternativeName>(); foreach (var sanItem in crt.SANList) { if (!string.IsNullOrWhiteSpace(sanItem.Value)) { var can = new CAlternativeName(); switch (sanItem.Type) { case Certificate.SANType.DNS: can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, sanItem.Value); break; case Certificate.SANType.IP: can.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(IPAddress.Parse(sanItem.Value).GetAddressBytes())); break; case Certificate.SANType.URI: can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_URL, sanItem.Value); break; case Certificate.SANType.email: can.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanItem.Value); break; } canList.Add(can); } } CX509ExtensionAlternativeNames san = null; if (canList.Any()) { san = new CX509ExtensionAlternativeNames(); var cans = new CAlternativeNames(); foreach (var item in canList) { cans.Add(item); } san.InitializeEncode(cans); } CX509ExtensionEnhancedKeyUsage eku = null; if (crt.CertificateType != CertificateType.None) { const string XCN_OID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"; const string XCN_OID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; var oid = new CObjectId(); if (crt.CertificateType == CertificateType.ServerCertificate) { oid.InitializeFromValue(XCN_OID_PKIX_KP_SERVER_AUTH); } if (crt.CertificateType == CertificateType.ClientCertificate) { oid.InitializeFromValue(XCN_OID_PKIX_KP_CLIENT_AUTH); } var oidlist = new CObjectIds(); oidlist.Add(oid); eku = new CX509ExtensionEnhancedKeyUsage(); eku.InitializeEncode(oidlist); } // Create the self signing request var cereq = new CX509CertificateRequestCertificate(); cereq.InitializeFromPrivateKey(crt.MachineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser, privateKey, ""); cereq.Subject = dn; cereq.Issuer = dn; cereq.NotBefore = DateTime.UtcNow.AddDays(-1); cereq.NotAfter = DateTime.UtcNow.AddDays(crt.Lifetime.Value); if (crt.SignByCertificateAuthority) { var issuer = MyCurrentUserX509Store.Certificates .Find(X509FindType.FindByThumbprint, crt.CertificateAuthority, false) .OfType <X509Certificate2>() .Where(c => c.HasPrivateKey).FirstOrDefault() ?? throw new Exception("Issuer not found: " + crt.CertificateAuthority); cereq.SignerCertificate = new CSignerCertificate(); cereq.SignerCertificate.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString()); cereq.Issuer = new CX500DistinguishedName(); cereq.Issuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE); } cereq.X509Extensions.Add((CX509Extension)keyUsage); if (eku != null) { cereq.X509Extensions.Add((CX509Extension)eku); // EnhancedKeyUsage } if (bc != null) { cereq.X509Extensions.Add((CX509Extension)bc); // ExtensionBasicConstraints } if (san != null) { cereq.X509Extensions.Add((CX509Extension)san); // SAN } cereq.HashAlgorithm = hashobj; // Specify the hashing algorithm cereq.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cereq); // load the certificate //enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) var x509Certificate2 = new X509Certificate2( Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable); // mark the private key as exportable (this is usually what you want to do) if (isCA) { X509Store rootStore = null; try { rootStore = new X509Store(StoreName.Root, crt.MachineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser); rootStore.Open(OpenFlags.ReadWrite); // install to CA store var crtPub = new X509Certificate2(x509Certificate2) { PrivateKey = null }; rootStore.Add(crtPub); crtPub.Reset(); } catch { // ignore when adding to trust root failed } finally { rootStore?.Close(); } } crt.Value = x509Certificate2; return(x509Certificate2); }
/// <summary> /// Certificate constructor to intialize objects and values required to create a certificate /// </summary> public Certificate() { try { // Create objects required objCertRequest = new CX509CertificateRequestCertificate(); objCSP = new CCspInformation(); objCSPs = new CCspInformations(); objDN = new CX500DistinguishedName(); objEnroll = new CX509Enrollment(); objObjectId = new CObjectId(); objPrivateKey = (CX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey")); // Friendly name this.FriendlyName = ""; // Set default values. Refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374846(v=vs.85).aspx this.CryptographicProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"; this.KeySize = 2048; // Use key for encryption this.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // The key can be used for decryption this.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG; // Create for user and not machine this.MachineContext = false; // Default to expire in 1 year this.ExpirationLengthInDays = 365; // Let th private key be exported in plain text this.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; // This is intended for a computer this.EnrollmentContextMachine = X509CertificateEnrollmentContext.ContextUser; // Use a hasing algorithm this.ObjectIdGroupId = ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID; this.ObjectIdPublicKeyFlags = ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY; this.AlgorithmFlags = AlgorithmFlags.AlgorithmFlagsNone; // Use SHA-2 with 512 bits this.AlgorithmName = "SHA512"; this.EncodingType = EncodingType.XCN_CRYPT_STRING_BASE64; // Allow untrusted certificate to be installed this.InstallResponseRestrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate; // No password set this.Password = null; // Enable key to be exported, keep the machine set, and persist the key set // https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx this.ExportableFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet; } catch (Exception ex) { throw ex; } }
private static string CreateCertContent(string cn, TimeSpan expirationLength, string pwd) { string base64encoded = string.Empty; var dn = new CERTENROLLLib.CX500DistinguishedName(); dn.Encode("CN=" + cn, X500NameFlags.XCN_CERT_NAME_STR_NONE); CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft Strong Cryptographic Provider"; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG; privateKey.MachineContext = true; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Now.Date; var objExtensionAlternativeNames = new CX509ExtensionAlternativeNames(); { var altNames = new CAlternativeNames(); //var dnsHostname = new CAlternativeName(); //dnsHostname.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, Environment.MachineName); //altNames.Add(dnsHostname); //foreach (var ipAddress in Dns.GetHostAddresses(Dns.GetHostName())) //{ // if ((ipAddress.AddressFamily == AddressFamily.InterNetwork || // ipAddress.AddressFamily == AddressFamily.InterNetworkV6) && !IPAddress.IsLoopback(ipAddress)) // { // var dns = new CAlternativeName(); // dns.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, ipAddress.ToString()); // altNames.Add(dns); // } //} var dns1 = new CAlternativeName(); dns1.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "localhost"); altNames.Add(dns1); objExtensionAlternativeNames.InitializeEncode(altNames); } cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames); // this cert expires immediately. Change to whatever makes sense for you cert.NotAfter = cert.NotBefore + expirationLength; cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = cn; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, pwd); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes base64encoded = enroll.CreatePFX(pwd, // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); return(base64encoded); }
public SelfSignedCertificateRequest() { Request = new CX509CertificateRequestCertificate(); }
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName) { var distinguishedName = new CX500DistinguishedName(); distinguishedName.Encode( "CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); CCspInformations objCSPs = new CCspInformations(); CCspInformation objCSP = new CCspInformation(); objCSP.InitializeFromName( "Microsoft Enhanced RSA and AES Cryptographic Provider"); objCSPs.Add(objCSP); // Build the private key CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.MachineContext = false; privateKey.Length = 2048; privateKey.CspInformations = objCSPs; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; // Create the private key in the CSP's protected storage privateKey.Create(); // Build the algorithm identifier var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName( ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); // Create the self-signing request from the private key var certificateRequest = new CX509CertificateRequestCertificate(); certificateRequest.InitializeFromPrivateKey( X509CertificateEnrollmentContext.ContextUser, privateKey, string.Empty); certificateRequest.Subject = distinguishedName; certificateRequest.Issuer = distinguishedName; certificateRequest.NotBefore = DateTime.Now.AddDays(-1); certificateRequest.NotAfter = DateTime.Now.AddYears(100); certificateRequest.HashAlgorithm = hashobj; certificateRequest.Encode(); var enrollment = new CX509Enrollment(); // Load the certificate request enrollment.InitializeFromRequest(certificateRequest); enrollment.CertificateFriendlyName = subjectName; // Output the request in base64 and install it back as the response string csr = enrollment.CreateRequest(); // Install the response enrollment.InstallResponse( InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty); // Get the new certificate without the private key byte[] certificateData = Convert.FromBase64String(enrollment.Certificate); return(new X509Certificate2(certificateData)); }
/// <summary> /// CreateSelfSignedCertificate method implementation /// </summary> private static string InternalCreateSelfSignedCertificate(string subjectName, int years) { var dn = new CX500DistinguishedName(); var neos = new CX500DistinguishedName(); dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); neos.Encode("CN=MFA RSA Keys Certificate", X500NameFlags.XCN_CERT_NAME_STR_NONE); CX509PrivateKey privateKey = new CX509PrivateKey(); privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"; privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // use is not limited privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_ARCHIVING_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG; privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"; privateKey.Create(); var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); var oid = new CObjectId(); oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server var oidlist = new CObjectIds(); oidlist.Add(oid); var coid = new CObjectId(); coid.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // Client auth oidlist.Add(coid); var eku = new CX509ExtensionEnhancedKeyUsage(); eku.InitializeEncode(oidlist); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextAdministratorForceMachine, privateKey, ""); cert.Subject = dn; cert.Issuer = neos; cert.NotBefore = DateTime.Now.AddDays(-10); cert.NotAfter = DateTime.Now.AddYears(years); cert.X509Extensions.Add((CX509Extension)eku); // add the EKU cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot); return(base64encoded); }
private static StoreName store = StoreName.My; // Store as a personal certificate private static X509Certificate2 CreateSelfSignedCertificate(string Operator, string SiteId, int SeqNo, bool isServerCert, string SAN) { // Create a custom subject name & friendly name string distName = $"CN={FriendlyName.ToLower()}_{SiteId}_{SeqNo}, OU={Operator}_{SiteId}, O={Operator}, C=GB"; // create DN for subject and issuer // var dn = new X500DistinguishedName(distName); // dn.Encode(distName, X500NameFlags.XCN_CERT_NAME_STR_NONE); var dn = new CX500DistinguishedName(); dn.Encode(distName, X500NameFlags.XCN_CERT_NAME_STR_NONE); // create a new private key for the certificate //CX509PrivateKey privateKey = new CX509PrivateKey(); //var privateKey = new CX509PrivateKey(); var typeName = "X509Enrollment.CX509PrivateKey"; var type = Type.GetTypeFromProgID(typeName); if (type == null) { throw new Exception(typeName + " is not available on your system: 0x80040154 (REGDB_E_CLASSNOTREG)"); } var privateKey = Activator.CreateInstance(type) as IX509PrivateKey; if (privateKey == null) { throw new Exception("Your certlib does not know an implementation of " + typeName + " (in HKLM:\\SOFTWARE\\Classes\\Interface\\)!"); } privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; privateKey.MachineContext = true; privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited // privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; privateKey.Create(); // Use the stronger SHA512 hashing algorithm var hashobj = new CObjectId(); hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512"); // add extended key usage if you want - look at MSDN for a list of possible OIDs var oid = new CObjectId(); // oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server if (isServerCert) { oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL Server } else { oid.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // SSL client } var oidlist = new CObjectIds(); oidlist.Add(oid); var eku = new CX509ExtensionEnhancedKeyUsage(); eku.InitializeEncode(oidlist); // Create the self signing request var cert = new CX509CertificateRequestCertificate(); cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, ""); if (!string.IsNullOrEmpty(SAN)) { CAlternativeName objRfc822Name = new CAlternativeName(); CAlternativeNames objAlternativeNames = new CAlternativeNames(); CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames(); // Set Alternative RFC822 Name objRfc822Name.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, SAN); // Set Alternative Names objAlternativeNames.Add(objRfc822Name); objExtensionAlternativeNames.InitializeEncode(objAlternativeNames); cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames); } cert.Subject = dn; cert.Issuer = dn; // the issuer and the subject are the same cert.NotBefore = DateTime.Today; cert.NotAfter = DateTime.Today.AddYears(10); // expire in 10 years time cert.X509Extensions.Add((CX509Extension)eku); // add the EKU cert.HashAlgorithm = hashobj; // Specify the hashing algorithm cert.Encode(); // encode the certificate // Do the final enrollment process var enroll = new CX509Enrollment(); enroll.InitializeFromRequest(cert); // load the certificate enroll.CertificateFriendlyName = FriendlyName; // Optional: add a friendly name string csr = enroll.CreateRequest(); // Output the request in base64 // and install it back as the response enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption PFXExportOptions.PFXExportChainWithRoot); // instantiate the target class with the PKCS#12 data (and the empty password) X509Certificate2 newCert = new X509Certificate2(System.Convert.FromBase64String(base64encoded), "", // mark the private key as exportable (this is usually what you want to do) System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable // Ensure the machine key is created and retained // http://stackoverflow.com/questions/425688/how-to-set-read-permission-on-the-private-key-file-of-x-509-certificate-from-ne | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet); return(newCert); }