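/// <summary>
/// Builds a base64-encoded PKCS#10 certificate signing request backed by a freshly
/// created RSA signature key in the current user's key store.
/// </summary>
/// <param name="cn">Subject common name.</param>
/// <param name="ou">Subject organizational unit.</param>
/// <param name="o">Subject organization.</param>
/// <param name="l">Subject locality.</param>
/// <param name="s">Subject state or province.</param>
/// <param name="c">Subject country.</param>
/// <param name="oid">Enhanced-key-usage OID (dotted string) to encode into the request.</param>
/// <param name="keylength">RSA key size in bits; sizes below 2048 are generally considered weak.</param>
/// <returns>The CSR as a base64 string without PEM armor.</returns>
public string CreateRequest(string cn, string ou, string o, string l, string s, string c, string oid, int keylength)
{
    // Quote a DN attribute value so that ',', '=', '+', '"' and similar characters in caller
    // input stay inside this single RDN instead of being parsed as additional RDNs.
    // CertEnroll accepts double-quoted values; an embedded quote is written as two quotes.
    string Quote(string value) => "\"" + (value ?? string.Empty).Replace("\"", "\"\"") + "\"";

    var csps = new CCspInformations();
    csps.AddAvailableCsps();

    var privateKey = new CX509PrivateKey
    {
        Length = keylength,
        KeySpec = X509KeySpec.XCN_AT_SIGNATURE,
        KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES,
        MachineContext = false,
        // The key is created exportable: its material may leave the CSP container later.
        ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG,
        CspInformations = csps,
    };
    privateKey.Create();

    var pkcs10 = new CX509CertificateRequestPkcs10();
    pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, string.Empty);

    var keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
    pkcs10.X509Extensions.Add((CX509Extension)keyUsage);

    // Enhanced key usage: a single caller-supplied OID.
    var ekuOid = new CObjectId();
    ekuOid.InitializeFromValue(oid);
    var ekuOids = new CObjectIds();
    ekuOids.Add(ekuOid);
    var eku = new CX509ExtensionEnhancedKeyUsage();
    eku.InitializeEncode(ekuOids);
    pkcs10.X509Extensions.Add((CX509Extension)eku);

    // TODO: subject alternative names are not emitted yet.

    // Every attribute value is quoted so caller-supplied text cannot inject extra RDNs.
    var subject = new CX500DistinguishedName();
    string subjectName = "CN=" + Quote(cn) + ",OU=" + Quote(ou) + ",O=" + Quote(o) +
                         ",L=" + Quote(l) + ",S=" + Quote(s) + ",C=" + Quote(c);
    subject.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
    pkcs10.Subject = subject;

    var enrollment = new CX509Enrollment();
    enrollment.InitializeFromRequest(pkcs10);
    return enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
}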
/// <summary>
/// Appends a non-critical Key Usage extension limited to digital signature to
/// <paramref name="cert"/>.
/// </summary>
/// <param name="cert">Certificate request whose extension list is extended in place.</param>
private void AddKeyUsage(CX509CertificateRequestCertificate cert)
{
    CX509ExtensionKeyUsage usage = new CX509ExtensionKeyUsage();
    usage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);
    usage.Critical = false;

    CX509Extension encoded = (CX509Extension)usage;
    cert.X509Extensions.Add(encoded);
}
/// <summary>
/// Encodes a Key Usage extension covering digital signature, non-repudiation, key
/// encipherment and data encipherment. The extension is left non-critical (default).
/// </summary>
/// <returns>The encoded extension cast to the generic extension interface.</returns>
private CX509Extension GetKeyUsage()
{
    const CERTENROLLLib.X509KeyUsageFlags usages =
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE
        | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE
        | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE
        | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE;

    var extension = new CX509ExtensionKeyUsage();
    extension.InitializeEncode(usages);
    return (CX509Extension)extension;
}
/// <summary>
/// Queues a non-critical Key Usage extension (key and data encipherment) in
/// <c>ExtensionsToAdd</c>.
/// </summary>
private void SetKeyUsages()
{
    const CERTENROLLLib.X509KeyUsageFlags encipherment =
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE
        | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE;

    CX509ExtensionKeyUsage extension = new CX509ExtensionKeyUsage();
    extension.Critical = false;   // marked non-critical before encoding, as before
    extension.InitializeEncode(encipherment);
    ExtensionsToAdd.Add((CX509Extension)extension);
}
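/// <summary>
/// Configures the underlying PKCS#10 request: a 2048-bit RSA key-exchange key from the
/// Microsoft RSA Schannel CSP, a Key Usage extension and a Server Authentication EKU.
/// </summary>
public override void Initialize()
{
    base.Initialize();

    var request = (IX509CertificateRequestPkcs10)Request;
    request.PrivateKey.Length = 2048;
    request.PrivateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
    request.PrivateKey.ProviderName = "Microsoft RSA Schannel Cryptographic Provider";

    // Digital Signature, Non-Repudiation, Key Encipherment — the same bits the former
    // literal 0xE0 selected; Data Encipherment is intentionally left out.
    var keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);

    // Server Authentication (1.3.6.1.5.5.7.3.1)
    var serverAuth = new CObjectId();
    serverAuth.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_PKIX_KP_SERVER_AUTH);
    var enhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
    enhancedKeyUsage.InitializeEncode(new CObjectIds { serverAuth });

    request.X509Extensions.AddRange(new CX509Extensions
    {
        (CX509Extension)keyUsage,
        (CX509Extension)enhancedKeyUsage,
    });
}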
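/// <summary>
/// Creates an exportable 2048-bit RSA key-exchange key in the current user's store and
/// returns a base64 PKCS#10 request carrying a Key Usage extension and a Client
/// Authentication EKU. No subject name is set on the request.
/// </summary>
/// <returns>Base64 CSR without PEM headers.</returns>
protected static string GenerateCSR()
{
    var privateKey = new CX509PrivateKey
    {
        MachineContext = false,
        Length = 2048,
        ProviderType = X509ProviderType.XCN_PROV_RSA_AES,
        KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE,
        KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES,
        CspInformations = new CCspInformations(),
    };
    privateKey.CspInformations.AddAvailableCsps();
    // The key is created exportable: its material may leave the CSP container later.
    privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
    privateKey.Create();

    var request = new CX509CertificateRequestPkcs10();
    request.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, string.Empty);

    var keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(
        X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
        X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
        X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
        X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
    request.X509Extensions.Add((CX509Extension)keyUsage);

    // Enhanced key usage: client authentication only.
    var clientAuth = new CObjectId();
    clientAuth.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_PKIX_KP_CLIENT_AUTH);
    var ekuOids = new CObjectIds();
    ekuOids.Add(clientAuth);
    var eku = new CX509ExtensionEnhancedKeyUsage();
    eku.InitializeEncode(ekuOids);
    request.X509Extensions.Add((CX509Extension)eku);

    var enrollment = new CX509Enrollment();
    enrollment.InitializeFromRequest(request);
    return enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
}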
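/// <summary>
/// Creates a PKCS#10 request for <paramref name="hostName"/> unless the database already
/// tracks a pending or issued certificate for that host.
/// </summary>
/// <param name="hostName">Host name used as the subject CN.</param>
/// <returns>
/// The base64 CSR; the literal <c>"Exsits"</c> if a request is already pending;
/// <c>"Issued"</c> if a certificate was already issued; or <c>"Error"</c> followed by the
/// exception message if generation failed (the failure is also written to the database
/// error table).
/// </returns>
public string CreateCertifcate(string hostName)
{
    // Quote the CN value so characters such as ',' or '=' in hostName stay inside one RDN.
    string Quote(string value) => "\"" + (value ?? string.Empty).Replace("\"", "\"\"") + "\"";

    try
    {
        Database db = new Database();

        // Single lookup instead of two round trips; 1 = request pending, 2 = certificate issued.
        int state = db.CheckIfCertificateExists(hostName);
        if (state == 1)
        {
            return "Exsits";
        }
        if (state == 2)
        {
            return "Issued";
        }

        CCspInformation csp = new CCspInformation();
        csp.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");
        CCspInformations csps = new CCspInformations();
        csps.Add(csp);

        // 2048-bit RSA: the former 1024-bit size is below current minimums and is rejected
        // by many CAs and TLS clients.
        CX509PrivateKey privateKey = new CX509PrivateKey();
        privateKey.Length = 2048;
        privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
        privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
        privateKey.MachineContext = false;
        privateKey.CspInformations = csps;
        privateKey.Create();

        // The PKCS#10 request is initialized from the private key (user context, no template).
        CX509CertificateRequestPkcs10 pkcs10 = new CX509CertificateRequestPkcs10();
        pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, "");

        CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
        keyUsage.InitializeEncode(
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
        pkcs10.X509Extensions.Add((CX509Extension)keyUsage);

        // An enhanced key usage (client authentication, 1.3.6.1.5.5.7.3.2) was commented
        // out in the original and is still not emitted.

        CX500DistinguishedName subject = new CX500DistinguishedName();
        subject.Encode("CN=" + Quote(hostName), X500NameFlags.XCN_CERT_NAME_STR_NONE);
        pkcs10.Subject = subject;

        CX509Enrollment enrollment = new CX509Enrollment();
        enrollment.InitializeFromRequest(pkcs10);
        return enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
    }
    catch (Exception ex)
    {
        // Record the failure in the database error table, then hand the message to the caller.
        Database db = new Database();
        db.InsertToErrorMessageTable(hostName, 0, ex.Message, "CreateCertifcate");
        return "Error" + ex.Message;
    }
}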
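/// <summary>
/// Generates a machine-context RSA key and a PEM-armored PKCS#10 request for
/// <paramref name="cert"/>, storing the request in <c>cert.CSR</c>. Failures are logged
/// and swallowed, so callers must check that <c>cert.CSR</c> was populated.
/// </summary>
/// <param name="cert">Certificate parameters (hostname, organisation, key length, friendly name); receives the CSR.</param>
public void GenerateCsr(SSLCertificate cert)
{
    // Late-bound CertEnroll COM activation. A direct cast reports a wrong or missing
    // registration as InvalidCastException at creation time instead of a
    // NullReferenceException further down (the former 'as' casts yielded null).
    T Create<T>(string progId) where T : class =>
        (T)Activator.CreateInstance(Type.GetTypeFromProgID(progId, true));

    // Quote a DN attribute value so ',', '=', '+' or '"' in user-entered fields cannot add RDNs.
    string Quote(string value) => "\"" + (value ?? string.Empty).Replace("\"", "\"\"") + "\"";

    var pkcs10 = Create<CX509CertificateRequestPkcs10>("X509Enrollment.CX509CertificateRequestPkcs10");
    var privateKey = Create<CX509PrivateKey>("X509Enrollment.CX509PrivateKey");
    var csp = Create<CCspInformation>("X509Enrollment.CCspInformation");
    var csps = Create<CCspInformations>("X509Enrollment.CCspInformations");
    var dn = Create<CX500DistinguishedName>("X509Enrollment.CX500DistinguishedName");
    var enroll = Create<CX509Enrollment>("X509Enrollment.CX509Enrollment");
    var objectIds = Create<CObjectIds>("X509Enrollment.CObjectIds");
    var objectId = Create<CObjectId>("X509Enrollment.CObjectId");
    var keyUsage = Create<CX509ExtensionKeyUsage>("X509Enrollment.CX509ExtensionKeyUsage");
    var enhancedKeyUsage = Create<CX509ExtensionEnhancedKeyUsage>("X509Enrollment.CX509ExtensionEnhancedKeyUsage");

    try
    {
        csp.InitializeFromName("Microsoft RSA SChannel Cryptographic Provider");
        csps.Add(csp);

        privateKey.Length = cert.CSRLength;
        privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
        privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
        // The key is created exportable and archivable in plaintext, i.e. its material can be
        // read back out of the machine container. Tighten if the key never needs to move.
        privateKey.ExportPolicy =
            X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG |
            X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_ARCHIVING_FLAG |
            X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG |
            X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
        privateKey.MachineContext = true;
        privateKey.CspInformations = csps;
        privateKey.Create();

        // Machine-context request, no template name.
        pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");

        // NOTE(review): ToString() on the interop wrapper yields a type name, not key
        // material; if the caller expects the exported key here, confirm and replace.
        cert.PrivateKey = privateKey.ToString();

        keyUsage.InitializeEncode(
            CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
            CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
            CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
            CertEnrollInterop.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
        pkcs10.X509Extensions.Add((CX509Extension)keyUsage);

        // Enhanced key usage: server authentication.
        objectId.InitializeFromName(CertEnrollInterop.CERTENROLL_OBJECTID.XCN_OID_PKIX_KP_SERVER_AUTH);
        objectIds.Add(objectId);
        enhancedKeyUsage.InitializeEncode(objectIds);
        pkcs10.X509Extensions.Add((CX509Extension)enhancedKeyUsage);

        // Subject DN; each value is quoted so user input cannot inject additional RDNs.
        string subjectName = string.Format(
            "CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}",
            Quote(cert.Hostname), Quote(cert.Organisation), Quote(cert.OrganisationUnit),
            Quote(cert.City), Quote(cert.State), Quote(cert.Country));
        dn.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

        pkcs10.SmimeCapabilities = true;
        pkcs10.Subject = dn;

        enroll.InitializeFromRequest(pkcs10);
        enroll.CertificateFriendlyName = cert.FriendlyName;
        cert.CSR = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER);
    }
    catch (Exception ex)
    {
        // Best effort by design: the error is logged and cert.CSR stays unset.
        Log.WriteError("Error creating CSR", ex);
    }
}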
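/// <summary>
/// Creates an RSA certificate described by <paramref name="crt"/>: self-signed as a CA
/// when <c>crt.SignByCertificateAuthority</c> is false, otherwise signed by the issuer
/// found by thumbprint in <c>MyCurrentUserX509Store</c>. The result is installed in the
/// personal store; a self-signed CA is additionally copied (public part only) into the
/// Root store of the selected context, which extends the trust anchors of that user or
/// machine.
/// </summary>
/// <param name="crt">Subject, key, lifetime, SAN and issuer parameters; receives the result in <c>crt.Value</c>.</param>
/// <returns>The created certificate with an exportable private key.</returns>
/// <exception cref="InvalidOperationException">The issuer named by <c>crt.CertificateAuthority</c> is not in the store or has no private key.</exception>
public static X509Certificate2 CreateCertificate(Certificate crt)
{
    bool isCA = !crt.SignByCertificateAuthority;

    // Subject DN (also the issuer DN for a self-signed CA).
    var dn = new CX500DistinguishedName();
    dn.Encode(GetEncodedDistinguishedName(crt), X500NameFlags.XCN_CERT_NAME_STR_NONE);

    CX509PrivateKey privateKey = new CX509PrivateKey
    {
        ProviderName = "Microsoft Base Cryptographic Provider v1.0",
        MachineContext = crt.MachineContext,
        Length = crt.KeyLength,
        KeySpec = X509KeySpec.XCN_AT_SIGNATURE,
        // Plaintext export is what lets the key be round-tripped through the PFX below.
        ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
    };
    privateKey.Create();

    var hashAlgorithm = new CObjectId();
    hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
        ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
        AlgorithmFlags.AlgorithmFlagsNone, crt.DigestAlgorithm);

    // Key usage and basic constraints differ between CA and end-entity certificates.
    CERTENROLLLib.X509KeyUsageFlags keyUsageFlags;
    var basicConstraints = new CX509ExtensionBasicConstraints();
    if (isCA)
    {
        keyUsageFlags = CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE
            | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE
            | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE
            | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE;
        basicConstraints.InitializeEncode(true, -1);   // CA; -1 presumably means no path length constraint
        basicConstraints.Critical = true;
    }
    else
    {
        keyUsageFlags = CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE
            | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE;
        // Client and server certificates both add non-repudiation (the two former branches were identical).
        if (crt.CertificateType == CertificateType.ClientCertificate
            || crt.CertificateType == CertificateType.ServerCertificate)
        {
            keyUsageFlags |= CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE;
        }
        basicConstraints.InitializeEncode(false, -1);
        basicConstraints.Critical = false;
    }

    var keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(keyUsageFlags);
    keyUsage.Critical = false;

    // Subject alternative names. Entries with an empty value or an unknown type are
    // skipped instead of being added uninitialized.
    var altNames = new CAlternativeNames();
    int altNameCount = 0;
    foreach (var sanItem in crt.SANList)
    {
        if (string.IsNullOrWhiteSpace(sanItem.Value))
        {
            continue;
        }
        var altName = new CAlternativeName();
        switch (sanItem.Type)
        {
            case Certificate.SANType.DNS:
                altName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, sanItem.Value);
                break;
            case Certificate.SANType.IP:
                // iPAddress SANs carry the raw address bytes, not the dotted string.
                altName.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS,
                    EncodingType.XCN_CRYPT_STRING_BASE64,
                    Convert.ToBase64String(IPAddress.Parse(sanItem.Value).GetAddressBytes()));
                break;
            case Certificate.SANType.URI:
                altName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_URL, sanItem.Value);
                break;
            case Certificate.SANType.email:
                altName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanItem.Value);
                break;
            default:
                continue;
        }
        altNames.Add(altName);
        altNameCount++;
    }
    CX509ExtensionAlternativeNames san = null;
    if (altNameCount > 0)
    {
        san = new CX509ExtensionAlternativeNames();
        san.InitializeEncode(altNames);
    }

    // Enhanced key usage, only when a certificate type is requested.
    CX509ExtensionEnhancedKeyUsage eku = null;
    if (crt.CertificateType != CertificateType.None)
    {
        const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";   // id-kp-serverAuth
        const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";   // id-kp-clientAuth
        var oid = new CObjectId();
        if (crt.CertificateType == CertificateType.ServerCertificate)
        {
            oid.InitializeFromValue(ServerAuthOid);
        }
        if (crt.CertificateType == CertificateType.ClientCertificate)
        {
            oid.InitializeFromValue(ClientAuthOid);
        }
        var oids = new CObjectIds();
        oids.Add(oid);
        eku = new CX509ExtensionEnhancedKeyUsage();
        eku.InitializeEncode(oids);
    }

    var request = new CX509CertificateRequestCertificate();
    request.InitializeFromPrivateKey(
        crt.MachineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser,
        privateKey, "");
    request.Subject = dn;
    request.Issuer = dn;
    // NotBefore is back-dated by one day, presumably to tolerate clock skew.
    request.NotBefore = DateTime.UtcNow.AddDays(-1);
    request.NotAfter = DateTime.UtcNow.AddDays(crt.Lifetime.Value);

    if (crt.SignByCertificateAuthority)
    {
        // The issuer must be present with a private key. VerifyNone: the signer's key is
        // not validated by Initialize itself.
        var issuer = MyCurrentUserX509Store.Certificates
            .Find(X509FindType.FindByThumbprint, crt.CertificateAuthority, false)
            .OfType<X509Certificate2>()
            .FirstOrDefault(c => c.HasPrivateKey)
            ?? throw new InvalidOperationException("Issuer not found: " + crt.CertificateAuthority);

        request.SignerCertificate = new CSignerCertificate();
        request.SignerCertificate.Initialize(false, X509PrivateKeyVerify.VerifyNone,
            EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());
        request.Issuer = new CX500DistinguishedName();
        request.Issuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
    }

    request.X509Extensions.Add((CX509Extension)keyUsage);
    if (eku != null)
    {
        request.X509Extensions.Add((CX509Extension)eku);
    }
    // Basic constraints are always present (the former null check could never be false).
    request.X509Extensions.Add((CX509Extension)basicConstraints);
    if (san != null)
    {
        request.X509Extensions.Add((CX509Extension)san);
    }
    request.HashAlgorithm = hashAlgorithm;
    request.Encode();

    // Enroll: create the request and install the signed result as its own response.
    var enroll = new CX509Enrollment();
    enroll.InitializeFromRequest(request);
    string csr = enroll.CreateRequest();
    enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr,
        EncodingType.XCN_CRYPT_STRING_BASE64, "");

    // Round-trip through an unprotected, in-memory PFX to obtain a .NET object with an
    // exportable private key.
    var base64Pfx = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
    var x509Certificate2 = new X509Certificate2(Convert.FromBase64String(base64Pfx), "", X509KeyStorageFlags.Exportable);

    if (isCA)
    {
        // Installing into Root makes everything chained to this CA trusted in the chosen
        // context. Only the certificate (RawData, no private key) is written; a failure
        // here is deliberately ignored (e.g. the user may lack rights to the store).
        try
        {
            using (var rootStore = new X509Store(StoreName.Root,
                crt.MachineContext ? StoreLocation.LocalMachine : StoreLocation.CurrentUser))
            {
                rootStore.Open(OpenFlags.ReadWrite);
                var publicOnly = new X509Certificate2(x509Certificate2.RawData);
                rootStore.Add(publicOnly);
                publicOnly.Reset();
            }
        }
        catch
        {
            // best effort: adding to the trust root failed
        }
    }

    crt.Value = x509Certificate2;
    return x509Certificate2;
}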
// https://github.com/asafga-gsr-it/CertIntegration/blob/master/CertificateAdmin/CertificateAdmin/obj/Release/Package/PackageTmp/Certificate.cs // https://www.sysadmins.lv/blog-en/introducing-to-certificate-enrollment-apis-part-2-creating-offline-requests.aspx /* * public static X509Certificate2 CreateSelfSignedCA(string subjectName, DateTime notAfterUtc, bool machineContext) * { * // create DN for subject and issuer * var dn = new CX500DistinguishedName(); * dn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE); * * // create a new private key for the certificate * CX509PrivateKey privateKey = new CX509PrivateKey(); * privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; * privateKey.MachineContext = machineContext; * privateKey.Length = 2048; * privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited * privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; * privateKey.Create(); * * var hashobj = new CObjectId(); * hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, * ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, * AlgorithmFlags.AlgorithmFlagsNone, "SHA256"); // https://docs.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers * * CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage(); * keyUsage.InitializeEncode( * CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | * CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE | * CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE | * CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE); * * CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints(); * bc.InitializeEncode(true, -1); // None * bc.Critical = true; * * // add extended key usage if you want - look at MSDN for a list of possible OIDs * var oid = new CObjectId(); * oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server 
Authentication * var oidlist = new CObjectIds(); * oidlist.Add(oid); * var eku = new CX509ExtensionEnhancedKeyUsage(); * eku.InitializeEncode(oidlist); * * // Create the self signing request * var cert = new CX509CertificateRequestCertificate(); * * cert.InitializeFromPrivateKey(machineContext ? X509CertificateEnrollmentContext.ContextMachine: X509CertificateEnrollmentContext.ContextUser, privateKey, ""); * cert.Subject = cert.Issuer = dn; // the issuer and the subject are the same * cert.NotBefore = DateTime.UtcNow.AddDays(-1); * cert.NotAfter = notAfterUtc; * cert.X509Extensions.Add((CX509Extension)keyUsage); * cert.X509Extensions.Add((CX509Extension)eku); // add the EKU * cert.X509Extensions.Add((CX509Extension)bc); * cert.HashAlgorithm = hashobj; // Specify the hashing algorithm * cert.Encode(); // encode the certificate * * // Do the final enrollment process * var enroll = new CX509Enrollment(); * enroll.InitializeFromRequest(cert); // load the certificate * enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name * string csr = enroll.CreateRequest(); // Output the request in base64 * * // install to MY store * enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password * * // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes * var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption * PFXExportOptions.PFXExportChainWithRoot); * * // instantiate the target class with the PKCS#12 data (and the empty password) * var x509Certificate2 = new X509Certificate2( * System.Convert.FromBase64String(base64encoded), "", * // mark the private key as exportable (this is usually what you want to do) * X509KeyStorageFlags.Exportable * ); * * X509Store rootStore = null; * try * { * rootStore = new X509Store(StoreName.Root, machineContext ? 
StoreLocation.LocalMachine : StoreLocation.CurrentUser);
 *        rootStore.Open(OpenFlags.ReadWrite);
 *        // install to CA store
 *        var crtPub = new X509Certificate2(x509Certificate2) { PrivateKey = null };
 *        rootStore.Add(crtPub);
 *        crtPub.Reset();
 *    }
 *    catch
 *    {
 *        // ignore when adding to trust root failed
 *    }
 *    finally
 *    {
 *        rootStore?.Close();
 *    }
 *
 *    return x509Certificate2;
 * }
 */

/// <summary>
/// Issues an end-entity TLS server certificate for <paramref name="subjectName"/> signed by
/// <paramref name="issuer"/>, with a SAN for <paramref name="hostname"/>. For a DNS host
/// name a wildcard entry <c>*.hostname</c> is added as well, so the certificate is valid for
/// every direct sub-domain; an IP literal is encoded as an iPAddress SAN instead. The
/// certificate is installed in the personal store of the chosen context and returned with an
/// exportable private key.
/// </summary>
/// <param name="subjectName">Common name; escaped via <c>EscapeDNComponent</c>.</param>
/// <param name="hostname">DNS name or IP literal for the SAN; null or empty adds no SAN.</param>
/// <param name="notAfterUtc">Expiry; validity starts one day before now.</param>
/// <param name="issuer">Issuing certificate whose subject becomes the issuer name.</param>
/// <param name="machineContext">Create the key and install in the machine context instead of the user's.</param>
/// <returns>The issued certificate with its private key.</returns>
public static X509Certificate2 CreateCertificate(string subjectName, string hostname, DateTime notAfterUtc, X509Certificate issuer, bool machineContext)
{
    // Builds the SAN collection for a host: raw address bytes for an IP literal, otherwise
    // the DNS name plus a wildcard for its sub-domains.
    CAlternativeNames AlternativeNamesFor(string host)
    {
        var names = new CAlternativeNames();
        if (IPAddress.TryParse(host, out var ip))
        {
            var ipName = new CAlternativeName();
            ipName.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS,
                EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(ip.GetAddressBytes()));
            names.Add(ipName);
        }
        else
        {
            var dnsName = new CAlternativeName();
            dnsName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, host);
            names.Add(dnsName);
            var wildcard = new CAlternativeName();
            wildcard.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "*." + host);
            names.Add(wildcard);
        }
        return names;
    }

    // NOTE(review): the signer is always resolved in the user context (first argument
    // false) even when machineContext is true — confirm that is where the issuer's key lives.
    var signer = new CSignerCertificate();
    signer.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());

    var subjectDn = new CX500DistinguishedName();
    subjectDn.Encode("CN=" + EscapeDNComponent(subjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);

    var key = new CX509PrivateKey
    {
        ProviderName = "Microsoft Base Cryptographic Provider v1.0",
        MachineContext = machineContext,
        Length = 2048,
        KeySpec = X509KeySpec.XCN_AT_SIGNATURE,
        // plaintext export is needed to round-trip the key through the PFX below
        ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
    };
    key.Create();

    var sha256 = new CObjectId();
    sha256.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
        ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256");

    var keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
        | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE
        | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);

    var basicConstraints = new CX509ExtensionBasicConstraints();
    basicConstraints.InitializeEncode(false, 0);   // end entity
    basicConstraints.Critical = false;

    CX509ExtensionAlternativeNames san = null;
    if (!string.IsNullOrEmpty(hostname))
    {
        CAlternativeNames names = AlternativeNamesFor(hostname);
        san = new CX509ExtensionAlternativeNames();
        san.InitializeEncode(names);
    }

    var serverAuth = new CObjectId();
    serverAuth.InitializeFromValue("1.3.6.1.5.5.7.3.1");   // id-kp-serverAuth
    var ekuOids = new CObjectIds();
    ekuOids.Add(serverAuth);
    var eku = new CX509ExtensionEnhancedKeyUsage();
    eku.InitializeEncode(ekuOids);

    var issuerDn = new CX500DistinguishedName();
    issuerDn.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);

    var request = new CX509CertificateRequestCertificate();
    request.InitializeFromPrivateKey(
        machineContext ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser,
        key, "");
    request.Subject = subjectDn;
    request.Issuer = issuerDn;
    request.SignerCertificate = signer;
    request.NotBefore = DateTime.UtcNow.AddDays(-1);
    request.NotAfter = notAfterUtc;
    request.X509Extensions.Add((CX509Extension)keyUsage);
    request.X509Extensions.Add((CX509Extension)eku);
    request.X509Extensions.Add((CX509Extension)basicConstraints);
    if (san != null)
    {
        request.X509Extensions.Add((CX509Extension)san);
    }
    request.HashAlgorithm = sha256;
    request.Encode();

    // Enroll and install the signed certificate as the response to its own request.
    var enrollment = new CX509Enrollment();
    enrollment.InitializeFromRequest(request);
    string csr = enrollment.CreateRequest();
    enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");

    // Empty-password PFX, consumed in memory only, to hand the key pair to the .NET X509 classes.
    string pfxBase64 = enrollment.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
    return new X509Certificate2(Convert.FromBase64String(pfxBase64), "", X509KeyStorageFlags.Exportable);
}
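/// <summary>
/// Creates a certificate for <paramref name="SubjectName"/> issued under the class-level
/// <c>IssuerName</c> with the class-level <c>PrivateKey</c>, installs it in the machine
/// personal store and returns it with an exportable private key. SANs cover LOCALHOST,
/// the machine name and every non-loopback IPv4 address of the host; the EKU allows both
/// TLS server and client use.
/// </summary>
/// <param name="FriendlyName">Friendly name set on the enrolled certificate.</param>
/// <param name="SubjectName">Subject common name; quoted before DN encoding.</param>
/// <returns>The enrolled certificate including its private key.</returns>
public X509Certificate2 CreateSelfSignedCertificate(string FriendlyName, string SubjectName)
{
    // Quote a DN attribute value so ',', '=' or '"' in the name stay inside one RDN.
    string Quote(string value) => "\"" + (value ?? string.Empty).Replace("\"", "\"\"") + "\"";

    // Subject and issuer names.
    CX500DistinguishedName dnSubject = new CX500DistinguishedName();
    dnSubject.Encode("CN=" + Quote(SubjectName), X500NameFlags.XCN_CERT_NAME_STR_NONE);
    CX500DistinguishedName dnIssuer = new CX500DistinguishedName();
    dnIssuer.Encode("CN=" + Quote(IssuerName), X500NameFlags.XCN_CERT_NAME_STR_NONE);

    // Signature hash algorithm, chosen by the class-level strAlgorithmName.
    CObjectId hashAlgorithm = new CObjectId();
    hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
        ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, strAlgorithmName);

    // Enhanced key usage: TLS server (1.3.6.1.5.5.7.3.1) and TLS client (1.3.6.1.5.5.7.3.2).
    CObjectId serverAuth = new CObjectId();
    serverAuth.InitializeFromValue("1.3.6.1.5.5.7.3.1");
    CObjectId clientAuth = new CObjectId();
    clientAuth.InitializeFromValue("1.3.6.1.5.5.7.3.2");
    CObjectIds ekuOids = new CObjectIds();
    ekuOids.Add(serverAuth);
    ekuOids.Add(clientAuth);
    CX509ExtensionEnhancedKeyUsage eku = new CX509ExtensionEnhancedKeyUsage();
    eku.InitializeEncode(ekuOids);

    // Subject alternative names.
    CAlternativeNames altNames = new CAlternativeNames();
    CAlternativeName localhost = new CAlternativeName();
    localhost.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "LOCALHOST");
    altNames.Add(localhost);
    CAlternativeName machine = new CAlternativeName();
    machine.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, Environment.MachineName);
    altNames.Add(machine);
    foreach (IPAddress ipAddress in Dns.GetHostAddresses(Dns.GetHostName()))
    {
        if (ipAddress.AddressFamily != AddressFamily.InterNetwork || IPAddress.IsLoopback(ipAddress))
        {
            continue;
        }
        // Kept for compatibility with clients that match IP literals against dNSName entries.
        CAlternativeName asDns = new CAlternativeName();
        asDns.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, ipAddress.ToString());
        altNames.Add(asDns);
        // RFC 5280 form: an IP literal belongs in an iPAddress entry holding the raw address bytes.
        CAlternativeName asIp = new CAlternativeName();
        asIp.InitializeFromRawData(AlternativeNameType.XCN_CERT_ALT_NAME_IP_ADDRESS,
            EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(ipAddress.GetAddressBytes()));
        altNames.Add(asIp);
    }
    CX509ExtensionAlternativeNames sanExtension = new CX509ExtensionAlternativeNames();
    sanExtension.InitializeEncode(altNames);

    // Basic constraints: CA flag only when subject and issuer coincide; path length 1 as before.
    CX509ExtensionBasicConstraints basicConstraints = new CX509ExtensionBasicConstraints();
    basicConstraints.InitializeEncode(dnSubject.Name == dnIssuer.Name, 1);

    // Key usage.
    CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE);

    // Self-signing request (machine context) over the class-level PrivateKey.
    CX509CertificateRequestCertificate request = new CX509CertificateRequestCertificate();
    request.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, PrivateKey, "");
    request.Subject = dnSubject;
    request.Issuer = dnIssuer;
    // NOTE(review): validity is derived from local time (DateTime.Today) while the other
    // builders in this file use UtcNow — confirm which the CertEnroll DATE properties expect.
    request.NotBefore = DateTime.Today.AddDays(-1);
    request.NotAfter = DateTime.Today.AddYears(ExpirationLengthInYear);
    request.X509Extensions.Add((CX509Extension)eku);
    request.X509Extensions.Add((CX509Extension)sanExtension);
    request.X509Extensions.Add((CX509Extension)keyUsage);
    request.X509Extensions.Add((CX509Extension)basicConstraints);
    request.HashAlgorithm = hashAlgorithm;
    request.Encode();

    // Enroll, install into the machine personal store and export as an in-memory PFX.
    // Exceptions now propagate with their original type and stack trace; the former
    // wrapper re-threw a bare Exception carrying only the message.
    CX509Enrollment enroll = new CX509Enrollment();
    enroll.InitializeFromRequest(request);
    enroll.CertificateFriendlyName = FriendlyName;
    string csr = enroll.CreateRequest();
    enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");
    string base64Pfx = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
    return new X509Certificate2(Convert.FromBase64String(base64Pfx), "", X509KeyStorageFlags.Exportable);
}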
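/// <summary>
/// Issues a certificate for <paramref name="subjectName"/> signed by <paramref name="issuer"/>, installs it into the
/// local machine store and returns it as an <see cref="X509Certificate2"/> with an exportable private key.
/// </summary>
/// <param name="subjectName">Common name; it is placed in the subject as "CN=" + subjectName and reused as the friendly name.</param>
/// <param name="days">Validity in days, measured from one day before today's UTC date.</param>
/// <param name="issuer">Issuing certificate. Its subject becomes the new certificate's issuer name.</param>
/// <returns>The issued certificate, round-tripped through a password-less PKCS#12 blob so the private key is attached.</returns>
/// <exception cref="ArgumentNullException"><paramref name="issuer"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="subjectName"/> is null or white space.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="days"/> is less than one.</exception>
public static X509Certificate2 CreateCertificate(string subjectName, int days, X509Certificate2 issuer)
{
    // Fail fast on bad arguments; the CertEnroll calls below would otherwise surface them as opaque COM HRESULTs.
    if (issuer == null)
    {
        throw new ArgumentNullException("issuer");
    }
    if (string.IsNullOrWhiteSpace(subjectName))
    {
        throw new ArgumentException("A subject name is required.", "subjectName");
    }
    if (days < 1)
    {
        throw new ArgumentOutOfRangeException("days", "The validity period must be at least one day.");
    }

    // Signer: the issuer's raw DER bytes, passed as hex. NOTE(review): the raw bytes carry no private key; the
    // first argument presumably tells CertEnroll to look the signing key up in the machine store — confirm it is there.
    CSignerCertificate signerCertificate = new CSignerCertificate();
    signerCertificate.Initialize(true, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, issuer.GetRawCertDataString());

    // Subject DN. The name is inserted verbatim, so a subjectName containing ',' or '=' would be parsed as
    // additional RDNs; quote or validate the value before passing untrusted input here.
    var dn = new CX500DistinguishedName();
    dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

    // Fresh 2048-bit RSA signature key in the machine context. Plaintext export is required so CreatePFX below
    // can bundle the key into the PKCS#12 blob; it also means the key can be copied out of the CSP in the clear.
    CX509PrivateKey privateKey = new CX509PrivateKey();
    privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
    privateKey.MachineContext = true;
    privateKey.Length = 2048;
    privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
    privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
    privateKey.Create();

    // Signature hash: SHA-256. NOTE(review): the "Base" CSP is a legacy provider; confirm it can sign with SHA-256
    // on the target OS, otherwise an RSA/AES-family provider is needed.
    var hashobj = new CObjectId();
    hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256");

    // Key usage: data encipherment, key encipherment and digital signature.
    CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);

    // Basic constraints: end-entity (not a CA), marked non-critical.
    CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();
    bc.InitializeEncode(false, 0);
    bc.Critical = false;

    // Extended key usage: server authentication only (1.3.6.1.5.5.7.3.1).
    var oid = new CObjectId();
    oid.InitializeFromValue("1.3.6.1.5.5.7.3.1");
    var oidlist = new CObjectIds();
    oidlist.Add(oid);
    var eku = new CX509ExtensionEnhancedKeyUsage();
    eku.InitializeEncode(oidlist);

    // Issuer DN is copied from the signer's subject so the two certificates chain by name.
    var dnIssuer = new CX500DistinguishedName();
    dnIssuer.Encode(issuer.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);

    // Assemble and encode the certificate. NotBefore is set one day in the past (the usual clock-skew allowance).
    var cert = new CX509CertificateRequestCertificate();
    cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
    cert.Subject = dn;
    cert.Issuer = dnIssuer;
    cert.SignerCertificate = signerCertificate;
    cert.NotBefore = DateTime.UtcNow.Date.AddDays(-1);
    cert.NotAfter = DateTime.UtcNow.Date.AddDays(days);
    cert.X509Extensions.Add((CX509Extension)keyUsage);
    cert.X509Extensions.Add((CX509Extension)eku);
    cert.X509Extensions.Add((CX509Extension)bc);
    cert.HashAlgorithm = hashobj;
    cert.Encode();

    // Enroll: create the request, install it as its own response (AllowUntrustedCertificate, presumably so the
    // install succeeds even when the issuer does not chain to a trusted root), then export chain + key as an
    // unprotected PKCS#12 blob.
    var enroll = new CX509Enrollment();
    enroll.InitializeFromRequest(cert);
    enroll.CertificateFriendlyName = subjectName;
    string csr = enroll.CreateRequest();
    enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");
    var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);

    // Re-import the PKCS#12 (empty password) so the managed object carries the exportable private key.
    return new X509Certificate2(Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable);
}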
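/// <summary>
/// Creates a self-signed code-signing certificate in the current user's store, embedding <paramref name="data"/>
/// in a custom extension identified by <paramref name="oid"/>, and returns it as an <see cref="X509Certificate2"/>.
/// </summary>
/// <param name="subjectName">Full distinguished-name string (e.g. "CN=..."); used as both subject and issuer.</param>
/// <param name="oid">Dotted OID under which <paramref name="data"/> is stored as a non-standard extension.</param>
/// <param name="data">Arbitrary bytes to embed; they are Base64-encoded into the extension value.</param>
/// <returns>The installed certificate, rebuilt from its Base64 DER encoding.</returns>
/// <exception cref="ArgumentException"><paramref name="subjectName"/> or <paramref name="oid"/> is null or white space.</exception>
/// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
public static X509Certificate2 CreateCodeSigningCertificate(string subjectName, string oid, byte[] data)
{
    // Validate before touching COM so bad input produces a readable exception instead of an HRESULT.
    if (string.IsNullOrWhiteSpace(subjectName))
    {
        throw new ArgumentException("A subject name is required.", "subjectName");
    }
    if (string.IsNullOrWhiteSpace(oid))
    {
        throw new ArgumentException("An extension OID is required.", "oid");
    }
    if (data == null)
    {
        throw new ArgumentNullException("data");
    }

    // Subject (and issuer, since the certificate is self-signed).
    var dn = new CX500DistinguishedName();
    dn.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

    // 2048-bit RSA exchange key in the user context via the SChannel CSP; see
    // http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx
    // NOTE(review): nothing in this method exports the key, so a non-exportable policy would be the safer default
    // for a signing key — confirm no caller relies on exporting it before tightening.
    CX509PrivateKey privateKey = new CX509PrivateKey();
    privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider";
    privateKey.Length = 2048;
    privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
    privateKey.MachineContext = false;
    privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
    privateKey.Create();

    // Use the stronger SHA-512 hashing algorithm for the signature.
    var hashobj = new CObjectId();
    hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");

    // Extended key usage: code signing (1.3.6.1.5.5.7.3.3) and lifetime signing (1.3.6.1.4.1.311.10.3.13).
    var oidCodeSigning = new CObjectId();
    oidCodeSigning.InitializeFromValue("1.3.6.1.5.5.7.3.3");
    var oidLifetimeSigning = new CObjectId();
    oidLifetimeSigning.InitializeFromValue("1.3.6.1.4.1.311.10.3.13");
    var oidlist = new CObjectIds();
    oidlist.Add(oidCodeSigning);
    oidlist.Add(oidLifetimeSigning);
    var eku = new CX509ExtensionEnhancedKeyUsage();
    eku.InitializeEncode(oidlist);

    // Key usage: Digital Signature, Key Encipherment (a0).
    var keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);

    // Basic constraints: not a CA. The path-length argument is presumably irrelevant for an end-entity.
    var caRestriction = new CX509ExtensionBasicConstraints();
    caRestriction.InitializeEncode(false, -1);

    // Custom extension carrying the caller's bytes, handed to CertEnroll as Base64.
    var ourExtensionOid = new CObjectId();
    ourExtensionOid.InitializeFromValue(oid);
    var ourExtension = new CX509Extension();
    ourExtension.Initialize(ourExtensionOid, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(data));

    // Self-signed certificate request, valid from yesterday for 30 years (local time).
    var cert = new CX509CertificateRequestCertificate();
    cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, "");
    cert.Subject = dn;
    cert.Issuer = dn;
    cert.NotBefore = DateTime.Now.AddDays(-1);
    cert.NotAfter = DateTime.Now.AddYears(30);
    cert.X509Extensions.Add((CX509Extension)eku);
    cert.X509Extensions.Add((CX509Extension)caRestriction);
    cert.X509Extensions.Add((CX509Extension)keyUsage);
    cert.X509Extensions.Add((CX509Extension)ourExtension);
    cert.HashAlgorithm = hashobj;
    cert.Encode();

    // Enroll: install the request as its own response into the user store.
    var enroll = new CX509Enrollment();
    enroll.InitializeFromRequest(cert);
    var csr = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
    enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");

    // Built from the public certificate bytes only; the private key stays in the user's key store and is
    // presumably reached through the installed store entry rather than through this object — confirm with callers.
    return new X509Certificate2(Convert.FromBase64String(enroll.Certificate[EncodingType.XCN_CRYPT_STRING_BASE64]));
}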
/// <summary>
/// Builds a PKCS#10 certificate signing request for <paramref name="cert"/> with the SChannel RSA provider and
/// stores the Base64 request (including BEGIN/END header lines) in cert.CSR. Any failure is logged and leaves
/// cert.CSR unset.
/// </summary>
/// <param name="cert">Supplies the subject fields, key length and friendly name; receives CSR and PrivateKey.</param>
public void GenerateCsr(SSLCertificate cert)
{
    // CertEnroll COM objects, created before the try so a construction failure is not masked by the catch.
    var request = new CX509CertificateRequestPkcs10();
    var key = new CX509PrivateKey();
    var provider = new CCspInformation();
    var providers = new CCspInformations();
    var distinguishedName = new CX500DistinguishedName();
    var enrollment = new CX509Enrollment();
    var ekuOids = new CObjectIds();
    var clientAuthOid = new CObjectId();
    var serverAuthOid = new CObjectId();
    var keyUsageExtension = new CX509ExtensionKeyUsage();
    var ekuExtension = new CX509ExtensionEnhancedKeyUsage();

    try
    {
        // Restrict key generation to the SChannel RSA provider.
        provider.InitializeFromName("Microsoft RSA SChannel Cryptographic Provider");
        providers.Add(provider);

        // Machine-context signature key of the requested length. Both export flags are set, so the key can be
        // pulled out of the CSP in the clear.
        key.Length = cert.CSRLength;
        key.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
        key.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
        key.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
        key.MachineContext = true;
        key.CspInformations = providers;
        key.Create();

        // PKCS#10 request bound to the new key: machine context, no template name.
        request.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, key, "");

        // NOTE(review): CX509PrivateKey is a COM wrapper, so ToString() is expected to yield the wrapper's type
        // name rather than any key material — confirm what consumers of cert.PrivateKey expect.
        cert.PrivateKey = key.ToString();

        // Key usage: digital signature, non-repudiation, key and data encipherment.
        keyUsageExtension.InitializeEncode(
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
        request.X509Extensions.Add((CX509Extension)keyUsageExtension);

        // Extended key usage: client authentication (…7.3.2) followed by server authentication (…7.3.1).
        clientAuthOid.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        ekuOids.Add(clientAuthOid);
        serverAuthOid.InitializeFromValue("1.3.6.1.5.5.7.3.1");
        ekuOids.Add(serverAuthOid);
        ekuExtension.InitializeEncode(ekuOids);
        request.X509Extensions.Add((CX509Extension)ekuExtension);

        // Subject DN assembled from the certificate's fields. Values are inserted verbatim, so a field
        // containing ',' or '=' would be read as an additional RDN.
        var subject = string.Format(@"CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", cert.Hostname, cert.Organisation, cert.OrganisationUnit, cert.City, cert.State, cert.Country);
        distinguishedName.Encode(subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
        request.Subject = distinguishedName;

        // Enrollment request; BASE64REQUESTHEADER adds the BEGIN/END lines around the body.
        enrollment.InitializeFromRequest(request);
        enrollment.CertificateFriendlyName = cert.FriendlyName;
        cert.CSR = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER);
    }
    catch (Exception ex)
    {
        Log.WriteError("Error creating CSR", ex);
    }
}
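/// <summary>
/// Creates a self-signed certificate for <paramref name="subject"/>, installs it into the current user's store and
/// returns it as an <see cref="X509Certificate2"/> with an exportable private key.
/// </summary>
/// <param name="subject">Subject; its <c>ToString()</c> must produce a semicolon-separated DN string (e.g. "CN=...; O=...").</param>
/// <param name="notAfter">Expiry. Must be later than the current local time, which becomes NotBefore.</param>
/// <param name="pwd">Password protecting the intermediate PKCS#12 blob; may be empty.</param>
/// <returns>The installed certificate with its private key attached.</returns>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="notAfter"/> is not later than now.</exception>
/// <remarks>
/// https://blogs.msdn.microsoft.com/alejacma/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c/
/// http://stackoverflow.com/questions/13806299/how-to-create-a-self-signed-certificate-using-c
/// https://technet.microsoft.com/es-es/aa379410
/// </remarks>
public static X509Certificate2 CreateSelfSignedCert(DistinguishedName subject, DateTime notAfter, String pwd)
{
    // Sample "now" once so the validity check and NotBefore agree.
    var notBefore = DateTime.Now;
    if (notAfter <= notBefore)
    {
        throw new ArgumentOutOfRangeException("notAfter", "The expiry must be later than the current time.");
    }

    // Subject (and issuer, since the certificate is self-signed); components are ';'-separated.
    var cn = new CX500DistinguishedName();
    cn.Encode(subject.ToString(), X500NameFlags.XCN_CERT_NAME_STR_SEMICOLON_FLAG);

    // 2048-bit RSA exchange key in the user context. ALLOW_EXPORT_FLAG (rather than the PLAINTEXT variant) is
    // what lets CreatePFX below bundle the key into the password-protected PKCS#12 blob.
    var privateKey = new CX509PrivateKey
    {
        ContainerNamePrefix = "nf-",
        ProviderName = MS_CRYPTO_PROV_NAME,
        MachineContext = false,
        Length = 2048,
        KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE,
        ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG
    };
    privateKey.Create();

    // Signature hash: SHA-512.
    var hashobj = new CObjectId();
    hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, RSAPKCS1SHA512SigDesc.SHA_512);

    // Key usage: digital signature and data encipherment.
    var keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);

    // Extended key usage: server authentication, EFS (1.3.6.1.4.1.311.10.3.4) and document signing
    // (1.3.6.1.4.1.311.10.3.12). NOTE(review): client authentication (1.3.6.1.5.5.7.3.2) is not requested; add it
    // to oidList if the certificate must also serve as a TLS client certificate.
    var serverAuth = new CObjectId();
    serverAuth.InitializeFromValue("1.3.6.1.5.5.7.3.1");
    var fileCrypt = new CObjectId();
    fileCrypt.InitializeFromValue("1.3.6.1.4.1.311.10.3.4");
    var docSign = new CObjectId();
    docSign.InitializeFromValue("1.3.6.1.4.1.311.10.3.12");
    var oidList = new CObjectIds { serverAuth, fileCrypt, docSign };
    var eku = new CX509ExtensionEnhancedKeyUsage();
    eku.InitializeEncode(oidList);

    // Self-signed certificate request.
    var cert = new CX509CertificateRequestCertificate();
    cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, "");
    cert.Subject = cn;
    cert.Issuer = cn;
    cert.NotBefore = notBefore;
    cert.NotAfter = notAfter;
    cert.X509Extensions.Add((CX509Extension)keyUsage);
    cert.X509Extensions.Add((CX509Extension)eku);
    cert.HashAlgorithm = hashobj;
    cert.Encode();

    // Enroll: install the request as its own response, then export the end-entity certificate plus key as
    // PKCS#12 protected by pwd and re-import it so the managed object carries the exportable private key.
    var enroll = new CX509Enrollment();
    enroll.InitializeFromRequest(cert);
    enroll.CertificateFriendlyName = subject.CommonName;
    var csr = enroll.CreateRequest();
    enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, csr, EncodingType.XCN_CRYPT_STRING_BASE64, pwd);
    var b64Encode = enroll.CreatePFX(pwd, PFXExportOptions.PFXExportEEOnly);
    return new X509Certificate2(Convert.FromBase64String(b64Encode), pwd, X509KeyStorageFlags.Exportable);
}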
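/// <summary>
/// Builds and encodes a self-signed certificate request. Nothing is installed here; the caller enrolls the result.
/// </summary>
/// <param name="subjectName">Subject. A bare value is prefixed with "CN="; a value containing '=' is used as a full DN string.</param>
/// <param name="keyLength">RSA key size in bits.</param>
/// <param name="durationYears">Validity in years, counted from the current local time.</param>
/// <param name="oids">Dotted OIDs placed in the Extended Key Usage extension.</param>
/// <returns>The encoded <see cref="CX509CertificateRequestCertificate"/>.</returns>
/// <exception cref="ArgumentException"><paramref name="subjectName"/> is null or white space.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="keyLength"/> or <paramref name="durationYears"/> is not positive.</exception>
/// <exception cref="ArgumentNullException"><paramref name="oids"/> is null.</exception>
public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List<string> oids)
{
    if (string.IsNullOrWhiteSpace(subjectName))
    {
        throw new ArgumentException("A subject name is required.", "subjectName");
    }
    // Only a positive size is enforced; 2048 bits or more is the usual minimum for RSA.
    if (keyLength <= 0)
    {
        throw new ArgumentOutOfRangeException("keyLength", "The key length must be positive.");
    }
    if (durationYears <= 0)
    {
        throw new ArgumentOutOfRangeException("durationYears", "The duration must be at least one year.");
    }
    if (oids == null)
    {
        throw new ArgumentNullException("oids");
    }

    // Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc.
    if (subjectName.IndexOf("=", StringComparison.Ordinal) < 0)
    {
        subjectName = "CN=" + subjectName;
    }

    // Generate a distinguished name.
    CX500DistinguishedName distinguishedName = new CX500DistinguishedName();
    distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

    // Generate a machine-context signature key. Plaintext export is permitted, so the key can leave the CSP in the
    // clear; tighten this if the caller never needs to export it.
    CX509PrivateKey privateKey = new CX509PrivateKey();
    privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
    privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
    privateKey.Length = keyLength;
    privateKey.MachineContext = true;
    privateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
    privateKey.Create();

    // Use the SHA-512 hashing algorithm. NOTE(review): confirm this legacy CSP can sign with SHA-512 on the
    // target OS; otherwise an RSA/AES-family provider is needed.
    CObjectId hashAlgorithm = new CObjectId();
    hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");

    // Load the OIDs passed in and specify enhanced key usages.
    CObjectIds oidCollection = new CObjectIds();
    foreach (string oidID in oids)
    {
        CObjectId oid = new CObjectId();
        oid.InitializeFromValue(oidID);
        oidCollection.Add(oid);
    }
    CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);
    CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage();
    enhancedKeyUsages.InitializeEncode(oidCollection);

    // Subject Alternative Name of type RFC822 (e-mail), taken as everything after the first '='. For a multi-RDN
    // subject this includes the remaining ", X=..." components, so pass a single-component subject when a SAN matters.
    string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=", StringComparison.Ordinal) + 1);
    CAlternativeName sanAlternateName = new CAlternativeName();
    sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName);
    CAlternativeNames sanAlternativeNames = new CAlternativeNames();
    sanAlternativeNames.Add(sanAlternateName);
    CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames();
    alternativeNamesExtension.InitializeEncode(sanAlternativeNames);

    // Advertise the S/MIME capabilities available on this machine.
    CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();
    smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);

    // Create the self-signing request; the validity now honours durationYears instead of a fixed single year.
    DateTime notBefore = DateTime.Now;
    CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
    cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
    cert.Subject = distinguishedName;
    cert.Issuer = distinguishedName;
    cert.NotBefore = notBefore;
    cert.NotAfter = notBefore.AddYears(durationYears);
    cert.X509Extensions.Add((CX509Extension)keyUsage);
    cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages);
    cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension);
    cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
    cert.HashAlgorithm = hashAlgorithm;
    cert.Encode();
    return cert;
}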
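/// <summary>
/// Builds and encodes a self-signed certificate request. Nothing is installed here; the caller enrolls the result.
/// </summary>
/// <param name="subjectName">Subject. A bare value is prefixed with "CN="; a value containing '=' is used as a full DN string.</param>
/// <param name="keyLength">RSA key size in bits.</param>
/// <param name="durationYears">Validity in years, counted from the current local time.</param>
/// <param name="oids">Dotted OIDs placed in the Extended Key Usage extension.</param>
/// <returns>The encoded <see cref="CX509CertificateRequestCertificate"/>.</returns>
/// <exception cref="ArgumentException"><paramref name="subjectName"/> is null or white space.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="keyLength"/> or <paramref name="durationYears"/> is not positive.</exception>
/// <exception cref="ArgumentNullException"><paramref name="oids"/> is null.</exception>
public static CX509CertificateRequestCertificate CreateCertificateSigningRequest(string subjectName, int keyLength, int durationYears, List<string> oids)
{
    if (string.IsNullOrWhiteSpace(subjectName))
    {
        throw new ArgumentException("A subject name is required.", "subjectName");
    }
    // Only a positive size is enforced; 2048 bits or more is the usual minimum for RSA.
    if (keyLength <= 0)
    {
        throw new ArgumentOutOfRangeException("keyLength", "The key length must be positive.");
    }
    if (durationYears <= 0)
    {
        throw new ArgumentOutOfRangeException("durationYears", "The duration must be at least one year.");
    }
    if (oids == null)
    {
        throw new ArgumentNullException("oids");
    }

    // Prepend the subject name with CN= if it doesn't begin with CN=, E=, etc.
    if (subjectName.IndexOf("=", StringComparison.Ordinal) < 0)
    {
        subjectName = "CN=" + subjectName;
    }

    // Generate a distinguished name.
    CX500DistinguishedName distinguishedName = new CX500DistinguishedName();
    distinguishedName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);

    // Generate a machine-context signature key. Plaintext export is permitted, so the key can leave the CSP in the
    // clear; tighten this if the caller never needs to export it.
    CX509PrivateKey privateKey = new CX509PrivateKey();
    privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
    privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
    privateKey.Length = keyLength;
    privateKey.MachineContext = true;
    privateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
    privateKey.Create();

    // Use the SHA-512 hashing algorithm. NOTE(review): confirm this legacy CSP can sign with SHA-512 on the
    // target OS; otherwise an RSA/AES-family provider is needed.
    CObjectId hashAlgorithm = new CObjectId();
    hashAlgorithm.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");

    // Load the OIDs passed in and specify enhanced key usages.
    CObjectIds oidCollection = new CObjectIds();
    foreach (string oidID in oids)
    {
        CObjectId oid = new CObjectId();
        oid.InitializeFromValue(oidID);
        oidCollection.Add(oid);
    }
    CX509ExtensionKeyUsage keyUsage = new CX509ExtensionKeyUsage();
    keyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);
    CX509ExtensionEnhancedKeyUsage enhancedKeyUsages = new CX509ExtensionEnhancedKeyUsage();
    enhancedKeyUsages.InitializeEncode(oidCollection);

    // Subject Alternative Name of type RFC822 (e-mail), taken as everything after the first '='. For a multi-RDN
    // subject this includes the remaining ", X=..." components, so pass a single-component subject when a SAN matters.
    string sanSubjectName = subjectName.Substring(subjectName.IndexOf("=", StringComparison.Ordinal) + 1);
    CAlternativeName sanAlternateName = new CAlternativeName();
    sanAlternateName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_RFC822_NAME, sanSubjectName);
    CAlternativeNames sanAlternativeNames = new CAlternativeNames();
    sanAlternativeNames.Add(sanAlternateName);
    CX509ExtensionAlternativeNames alternativeNamesExtension = new CX509ExtensionAlternativeNames();
    alternativeNamesExtension.InitializeEncode(sanAlternativeNames);

    // Advertise the S/MIME capabilities available on this machine.
    CX509ExtensionSmimeCapabilities smimeCapabilities = new CX509ExtensionSmimeCapabilities();
    smimeCapabilities.SmimeCapabilities.AddAvailableSmimeCapabilities(false);

    // Create the self-signing request; the validity now honours durationYears instead of a fixed single year.
    DateTime notBefore = DateTime.Now;
    CX509CertificateRequestCertificate cert = new CX509CertificateRequestCertificate();
    cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
    cert.Subject = distinguishedName;
    cert.Issuer = distinguishedName;
    cert.NotBefore = notBefore;
    cert.NotAfter = notBefore.AddYears(durationYears);
    cert.X509Extensions.Add((CX509Extension)keyUsage);
    cert.X509Extensions.Add((CX509Extension)enhancedKeyUsages);
    cert.X509Extensions.Add((CX509Extension)alternativeNamesExtension);
    cert.X509Extensions.Add((CX509Extension)smimeCapabilities);
    cert.HashAlgorithm = hashAlgorithm;
    cert.Encode();
    return cert;
}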
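/// <summary>
/// Creates a PKCS#10 certificate signing request through the Windows CertEnroll API and returns it as PEM.
/// The key pair is generated in the store selected by Location (LocalMachine → machine key store, otherwise the
/// current user's), and Windows records a pending request under "Certificate Enrollment Requests" in that store;
/// it can be inspected with certmgr or mmc.
/// </summary>
/// <returns>The request wrapped in "-----BEGIN CERTIFICATE REQUEST-----" / "-----END CERTIFICATE REQUEST-----" lines.</returns>
/// <remarks>
/// Inputs come from the instance: providerName (CSP), KeyLength (bits), Location (store) and Subject, a
/// semicolon-separated DN such as "C=US; ST=Minnesota; L=Eden Prairie; O=Forward Pay Systems, Inc.; OU=Forward Pay; CN=fps.com".
/// Based on http://blogs.msdn.com/b/alejacma/archive/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c.aspx,
/// http://stackoverflow.com/questions/16755634/issue-generating-a-csr-in-windows-vista-cx509certificaterequestpkcs10
/// and the certificate standard RFC 3280 (http://www.ietf.org/rfc/rfc3280.txt).
/// </remarks>
public string GenerateRequest()
{
    // Evaluate the store choice once; it drives both the key context and the enrollment context.
    bool machineStore = Location == StoreLocation.LocalMachine;

    // Collection of the cryptographic providers available on this machine
    // (http://msdn.microsoft.com/en-us/library/windows/desktop/aa375967(v=vs.85).aspx); providerName selects one.
    CCspInformations objCSPs = new CCspInformations();
    objCSPs.AddAvailableCsps();

    // Asymmetric key pair (http://msdn.microsoft.com/en-us/library/windows/desktop/aa378921.aspx).
    // XCN_AT_KEYEXCHANGE is required to use the certificate for exchanging symmetric keys, which most SSL cipher
    // suites need.
    CX509PrivateKey objPrivateKey = new CX509PrivateKey();
    objPrivateKey.ProviderName = providerName;
    objPrivateKey.Length = KeyLength;
    objPrivateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
    objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
    // MachineContext must be true when the certificate is to be installed in the local machine store.
    objPrivateKey.MachineContext = machineStore;
    // Export must be permitted now if the key is ever to be exported later; this is the plain ALLOW_EXPORT flag,
    // not the PLAINTEXT variant. (for WinSIP maybe we don't want to be able to ever export the key??)
    objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
    objPrivateKey.CspInformations = objCSPs;
    // Create the actual key pair.
    objPrivateKey.Create();

    // PKCS#10 request (http://msdn.microsoft.com/en-us/library/windows/desktop/aa377505.aspx) bound to the key;
    // the enrollment context mirrors the store and no template name is given.
    CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10();
    X509CertificateEnrollmentContext context = machineStore ? X509CertificateEnrollmentContext.ContextMachine : X509CertificateEnrollmentContext.ContextUser;
    objPkcs10.InitializeFromPrivateKey(context, objPrivateKey, "");

    // Request signature hash: SHA-256.
    CObjectId hashobj = new CObjectId();
    hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
    objPkcs10.HashAlgorithm = hashobj;

    // Key Usage extension: only digital signature and key encipherment are needed for TLS.
    // NOTE: in openSSL, I didn't used to request any specific extensions. Instead, I let the CA add them.
    CX509ExtensionKeyUsage objExtensionKeyUsage = new CX509ExtensionKeyUsage();
    objExtensionKeyUsage.InitializeEncode(
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
        CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE);
    objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);

    // Enhanced Key Usage extension: server authentication (1.3.6.1.5.5.7.3.1) and client authentication
    // (1.3.6.1.5.5.7.3.2); see
    // http://stackoverflow.com/questions/17477279/client-authentication-1-3-6-1-5-5-7-3-2-oid-in-server-certificates
    CObjectId objObjectId = new CObjectId();
    objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1");
    CObjectId objObjectId2 = new CObjectId();
    objObjectId2.InitializeFromValue("1.3.6.1.5.5.7.3.2");
    CObjectIds objObjectIds = new CObjectIds();
    objObjectIds.Add(objObjectId);
    objObjectIds.Add(objObjectId2);
    CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
    objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
    objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);

    // Subject DN from the ';'-separated Subject string
    // (http://msdn.microsoft.com/en-us/library/windows/desktop/aa379394(v=vs.85).aspx).
    CX500DistinguishedName objDN = new CX500DistinguishedName();
    objDN.Encode(Subject, X500NameFlags.XCN_CERT_NAME_STR_SEMICOLON_FLAG);
    objPkcs10.Subject = objDN;
    // Suppress the extra attributes CertEnroll would otherwise add to the request.
    objPkcs10.SuppressDefaults = true;

    // Enrollment object (http://msdn.microsoft.com/en-us/library/windows/desktop/aa377809.aspx) producing the
    // Base64 request body.
    CX509Enrollment objEnroll = new CX509Enrollment();
    objEnroll.InitializeFromRequest(objPkcs10);
    string csrBody = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);

    // Wrap as PEM. The encoder typically terminates the body with CRLF; trim and re-add it so the END marker
    // always starts on its own line whatever the encoder emits.
    return "-----BEGIN CERTIFICATE REQUEST-----\r\n" + csrBody.TrimEnd('\r', '\n') + "\r\n-----END CERTIFICATE REQUEST-----";
}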