public void Uninstall(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain, IPkiTool cp) { AssertNotDisposed(); throw new NotImplementedException(); }
public void Install(PrivateKey pk, Crt crt, IEnumerable <Crt> chain, IPkiTool cp) { var store = new X509Store(StoreName, StoreLocation); try { store.Open(OpenFlags.ReadWrite); var crtChain = new[] { crt }.Concat(chain); using (var ms = new MemoryStream()) { cp.ExportArchive(pk, crtChain, ArchiveFormat.PKCS12, ms); var flag = X509KeyStorageFlags.UserKeySet; if (StoreLocation == StoreLocation.LocalMachine) { flag = X509KeyStorageFlags.MachineKeySet; } var cert = new X509Certificate2(ms.ToArray(), string.Empty, X509KeyStorageFlags.PersistKeySet | flag | X509KeyStorageFlags.Exportable); if (!string.IsNullOrEmpty(FriendlyName)) { cert.FriendlyName = FriendlyName; } store.Add(cert); } } finally { store.Close(); } }
public void Install(PrivateKey pk, Crt crt, IEnumerable <Crt> chain, IPkiTool cp) { var bindings = IisHelper.ResolveSiteBindings(WebSiteRef); var existing = IisHelper.ResolveSiteBindings( BindingAddress, BindingPort, BindingHost, bindings).ToArray(); if (existing?.Length > 0 && !Force) { throw new InvalidOperationException( "found existing conflicting bindings for target site;" + " use Force parameter to overwrite"); } // TODO: should we expose these as optional params to be overridden by user? var storeLocation = StoreLocation.LocalMachine; var storeName = StoreName.My; var cert = ImportCertificate(pk, crt, chain, cp, storeName, storeLocation, CertificateFriendlyName); var certStore = Enum.GetName(typeof(StoreName), storeName); var certHash = cert.GetCertHash(); if (existing?.Length > 0) { foreach (var oldBinding in existing) { if (BindingHostRequired.HasValue) { oldBinding.BindingHostRequired = BindingHostRequired; } IisHelper.UpdateSiteBinding(oldBinding, certStore, certHash); } } else { var firstBinding = bindings.First(); var newBinding = new IisWebSiteBinding { // Copy over some existing site info SiteId = firstBinding.SiteId, SiteName = firstBinding.SiteName, SiteRoot = firstBinding.SiteRoot, // New binding specifics BindingProtocol = "https", BindingAddress = this.BindingAddress, BindingPort = this.BindingPort.ToString(), BindingHost = this.BindingHost, BindingHostRequired = this.BindingHostRequired, }; IisHelper.CreateSiteBinding(newBinding, certStore, certHash); } }
public void Install(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain, IPkiTool cp) { AssertNotDisposed(); string pkPem; using (var ms = new MemoryStream()) { cp.ExportPrivateKey(pk, EncodingFormat.PEM, ms); pkPem = Encoding.UTF8.GetString(ms.ToArray()); } string crtPem; using (var ms = new MemoryStream()) { cp.ExportCertificate(crt, EncodingFormat.PEM, ms); crtPem = Encoding.UTF8.GetString(ms.ToArray()); } string chainPem = null; if (chain != null) { using (var ms = new MemoryStream()) { foreach (var c in chain) { cp.ExportCertificate(c, EncodingFormat.PEM, ms); } chainPem = Encoding.UTF8.GetString(ms.ToArray()); } } using (var client = new AmazonIdentityManagementServiceClient( CommonParams.ResolveCredentials(), CommonParams.RegionEndpoint)) { var iamRequ = new UploadServerCertificateRequest { PrivateKey = pkPem, CertificateBody = crtPem, CertificateChain = chainPem, ServerCertificateName = this.ServerCertificateName, Path = this.Path }; var iamResp = client.UploadServerCertificate(iamRequ); // TODO: any checks we should do? } }
public void Uninstall(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain, IPkiTool cp) { AssertNotDisposed(); using (var client = new AmazonIdentityManagementServiceClient( CommonParams.ResolveCredentials(), CommonParams.RegionEndpoint)) { var iamRequ = new DeleteServerCertificateRequest { ServerCertificateName = this.ServerCertificateName, }; var iamResp = client.DeleteServerCertificate(iamRequ); // TODO: any checks we should do? } }
public void Install(PrivateKey pk, Crt crt, IEnumerable<PKI.Crt> chain, IPkiTool cp) { AssertNotDisposed(); string pkPem; using (var ms = new MemoryStream()) { cp.ExportPrivateKey(pk, EncodingFormat.PEM, ms); pkPem = Encoding.UTF8.GetString(ms.ToArray()); } string crtPem; using (var ms = new MemoryStream()) { cp.ExportCertificate(crt, EncodingFormat.PEM, ms); crtPem = Encoding.UTF8.GetString(ms.ToArray()); } string chainPem = null; if (chain != null) { using (var ms = new MemoryStream()) { foreach (var c in chain) { cp.ExportCertificate(c, EncodingFormat.PEM, ms); } chainPem = Encoding.UTF8.GetString(ms.ToArray()); } } using (var client = new AmazonIdentityManagementServiceClient( CommonParams.ResolveCredentials(), CommonParams.RegionEndpoint)) { var iamRequ = new UploadServerCertificateRequest { PrivateKey = pkPem, CertificateBody = crtPem, CertificateChain = chainPem, ServerCertificateName = this.ServerCertificateName, Path = this.Path }; var iamResp = client.UploadServerCertificate(iamRequ); // TODO: any checks we should do? } }
public void Uninstall(PrivateKey pk, Crt crt, IEnumerable<PKI.Crt> chain, IPkiTool cp) { AssertNotDisposed(); using (var client = new AmazonIdentityManagementServiceClient( CommonParams.ResolveCredentials(), CommonParams.RegionEndpoint)) { var iamRequ = new DeleteServerCertificateRequest { ServerCertificateName = this.ServerCertificateName, }; var iamResp = client.DeleteServerCertificate(iamRequ); // TODO: any checks we should do? } }
public void Uninstall(PrivateKey pk, Crt crt, IEnumerable <Crt> chain, IPkiTool cp) { throw new NotImplementedException(); }
private string GetIssuerCertificate(CertificateRequest certificate, IPkiTool cp, string certificateFolder, TargetApplication targetApplication) { var linksEnum = certificate.Links; if (linksEnum == null) { return(null); } var links = new LinkCollection(linksEnum); var upLink = links.GetFirstOrDefault("up"); if (upLink == null) { return(null); } var temporaryFileName = Path.GetTempFileName(); try { using (var web = new WebClient()) { var acmeServerBaseUri = _configuration.GetAcmeServerBaseUri(targetApplication); var uri = new Uri(acmeServerBaseUri, upLink.Uri); web.DownloadFile(uri, temporaryFileName); } var cacert = new X509Certificate2(temporaryFileName); var sernum = cacert.GetSerialNumberString(); var cacertDerFile = Path.Combine(certificateFolder, $"ca-{sernum}-crt.der"); var cacertPemFile = Path.Combine(certificateFolder, $"ca-{sernum}-crt.pem"); if (!File.Exists(cacertDerFile)) { File.Copy(temporaryFileName, cacertDerFile, true); } _logger.Information("Saving issuer certificate to {cacertPemFile}", cacertPemFile); if (File.Exists(cacertPemFile)) { return(cacertPemFile); } using (FileStream source = new FileStream(cacertDerFile, FileMode.Open), target = new FileStream(cacertPemFile, FileMode.Create)) { var caCrt = cp.ImportCertificate(EncodingFormat.DER, source); cp.ExportCertificate(caCrt, EncodingFormat.PEM, target); } return(cacertPemFile); } finally { if (File.Exists(temporaryFileName)) { File.Delete(temporaryFileName); } } }
public void Install(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain, IPkiTool cp) { AssertNotDisposed(); if (CertInstaller != null) { CertInstaller.Install(pk, crt, chain, cp); ExistingServerCertificateName = CertInstaller.ServerCertificateName; // Now that the cert has been installed in IAM, we need to // poll to see when it becomes effective because there could // be a slight delay till it's available for reference using (var client = new AmazonIdentityManagementServiceClient( CommonParams.ResolveCredentials(), CommonParams.RegionEndpoint)) { var iamRequ = new GetServerCertificateRequest { ServerCertificateName = ExistingServerCertificateName, }; var triesLeft = 10; string arn = null; while (triesLeft-- > 0) { try { var iamResp = client.GetServerCertificate(iamRequ); arn = iamResp?.ServerCertificate?.ServerCertificateMetadata?.Arn; if (!string.IsNullOrEmpty(arn)) { break; } } catch (Exception) { // TODO: integrate with logging to log some warnings } System.Threading.Thread.Sleep(10 * 1000); } if (string.IsNullOrEmpty(arn)) { throw new InvalidOperationException("unable to resolve uploaded certificate"); } } } string certArn; using (var client = new AmazonIdentityManagementServiceClient( CommonParams.ResolveCredentials(), CommonParams.RegionEndpoint)) { var iamRequ = new GetServerCertificateRequest { ServerCertificateName = ExistingServerCertificateName, }; var iamResp = client.GetServerCertificate(iamRequ); certArn = iamResp?.ServerCertificate?.ServerCertificateMetadata?.Arn; } if (string.IsNullOrEmpty(certArn)) { throw new InvalidOperationException("unable to resolve server certificate against IAM store"); } using (var client = new AmazonElasticLoadBalancingClient( CommonParams.ResolveCredentials(), CommonParams.RegionEndpoint)) { // We've found through experience/experimentation that even if the // cert is successfully installed and retrievable up above, it can // still fail here temporarily till the ELB reference can resolve it int triesLeft = 10; Exception lastEx = null; while (triesLeft-- > 0) { if (!string.IsNullOrEmpty(LoadBalancerProtocol)) { var iamRequ = new CreateLoadBalancerListenersRequest { LoadBalancerName = this.LoadBalancerName, Listeners = new List <Listener> { new Listener { LoadBalancerPort = this.LoadBalancerPort, Protocol = this.LoadBalancerProtocol, InstancePort = this.InstancePort, InstanceProtocol = this.InstanceProtocol, SSLCertificateId = certArn, } } }; try { var iamResp = client.CreateLoadBalancerListeners(iamRequ); // TODO: any checks we should do? // Break out of the outer retry loop lastEx = null; break; } catch (Exception ex) { // TODO: integrate with logging to log some warnings lastEx = ex; } } else { var iamRequ = new SetLoadBalancerListenerSSLCertificateRequest { LoadBalancerName = this.LoadBalancerName, LoadBalancerPort = this.LoadBalancerPort, SSLCertificateId = certArn, }; try { var iamResp = client.SetLoadBalancerListenerSSLCertificate(iamRequ); // TODO: any checks we should do? // Break out of the outer retry loop lastEx = null; break; } catch (Exception ex) { // TODO: integrate with logging to log some warnings lastEx = ex; } } System.Threading.Thread.Sleep(10 * 1000); } if (lastEx != null) { throw new InvalidOperationException( "valid to create/update ELB listener with certificate reference", lastEx); } } }