public SimpleCA(string countryCode, string organization, string orgunit, string commonName) { var distinguishedName = $"C={countryCode};O={organization};OU={orgunit};CN={commonName}"; //var distinguishedName = "C=US;O=Microsoft;OU=WGA;CN=TedSt"; //CN={commonName}/OU={organizationUnit}/O={organization}/DC={domain}/STREET={address}/L={locality}/ST={state}/C={country}/DC={domainComponent}" var dn = new System.Security.Cryptography.X509Certificates.X500DistinguishedName( distinguishedName ); var key = System.Security.Cryptography.RSA.Create(); key.KeySize = 4096; var hash = System.Security.Cryptography.HashAlgorithmName.SHA512; var req = new System.Security.Cryptography.X509Certificates.CertificateRequest(dn, key, hash, RSASignaturePadding.Pss); var q = Oid.FromFriendlyName("", OidGroup.EnhancedKeyUsage); Oid.FromOidValue("", OidGroup.EnhancedKeyUsage); var r = new OidCollection(); r.Add(q); var v = new X509EnhancedKeyUsageExtension(r, false); req.CertificateExtensions.Add(SetEnhancedKeyUsage(keyCertSign: true)); req.CertificateExtensions.Add(SetBasicConstraints(true)); req.CertificateExtensions.Add(v); var now = DateTimeOffset.UtcNow; var startDate = now - TimeSpan.FromMinutes(5); var endDate = DateTimeOffset.UtcNow + TimeSpan.FromDays(365.25 * 10); rootCert = req.CreateSelfSigned(startDate, endDate); rootKey = key; var rootKeyChain = rootCert.Export(X509ContentType.Pkcs12); }
public void GenerateHierrachyUsingNetClass() { using (RSA parent = RSA.Create(4096)) using (RSA rsa = RSA.Create(2048)) { System.Security.Cryptography.X509Certificates.CertificateRequest parentReq = new System.Security.Cryptography.X509Certificates.CertificateRequest( "CN=Experimental Issuing Authority", parent, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); parentReq.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, false, 0, true)); parentReq.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(parentReq.PublicKey, false)); //var csr = parentReq.CreateSigningRequest(); using (X509Certificate2 parentCert = parentReq.CreateSelfSigned( DateTimeOffset.UtcNow.AddDays(-45), DateTimeOffset.UtcNow.AddDays(365))) { CertificateRequest req = new CertificateRequest( "CN=Valid-Looking Timestamp Authority", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); req.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, false, 0, false)); req.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation, false)); //https://pkisolutions.com/object-identifiers-oid-in-pki/ //https://docs.microsoft.com/en-us/windows/desktop/seccertenroll/supported-extensions req.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.8") }, true)); req.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(req.PublicKey, false)); req.CreateSigningRequest(); using (X509Certificate2 cert = req.Create( parentCert, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(90), new byte[] { 1, 2, 3, 4 })) { // Do something with these certs, like export them to PFX, // or add them to an X509Store, or whatever. } using (X509Certificate2 cert = req.Create( parentCert, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(90), new byte[] { 1, 2, 3, 4 })) { // Do something with these certs, like export them to PFX, // or add them to an X509Store, or whatever. } } } }
public static void HybridCertificateRequestTest() { const string TestCN = "CN=Test"; const string LeafCN = "CN=Leaf"; var serialNumber = new byte[20]; var rand = new Random(); rand.NextBytes(serialNumber); serialNumber[0] = 0x80; using (var rsa1 = RSA.Create()) using (var ecdsa2 = ECDsa.Create()) { var request1 = new CertificateRequest(TestCN, rsa1, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request1.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, false)); Assert.NotNull(request1.PublicKey); Assert.NotNull(request1.CertificateExtensions); Assert.NotEmpty(request1.CertificateExtensions); Assert.Equal(TestCN, request1.SubjectName.Name); var ca = request1.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow + TimeSpan.FromDays(1)); Assert.Equal(ca.Subject, TestCN); var request2 = new CertificateRequest(LeafCN, ecdsa2, HashAlgorithmName.SHA512); request2.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false)); Assert.NotNull(request2.PublicKey); Assert.NotNull(request2.CertificateExtensions); Assert.NotEmpty(request2.CertificateExtensions); Assert.Equal(LeafCN, request2.SubjectName.Name); var signer = X509SignatureGenerator.CreateForRSA(rsa1, RSASignaturePadding.Pkcs1); var leaf = request2.Create(ca.SubjectName, signer, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow + TimeSpan.FromHours(1), serialNumber); Assert.Equal(leaf.Subject, LeafCN); Assert.Equal(new SerialNumber(serialNumber).ToString(), leaf.SerialNumber); Assert.NotNull(leaf.Extensions); Assert.Single(leaf.Extensions); Assert.NotNull(leaf.GetBasicConstraintsExtension()); var buffer = request2.CreateSigningRequest(); var info = buffer.ToCertificationRequestInfo(); Assert.True(info.GetPublicKey().SameAs(ecdsa2.ToPublicKey())); Assert.Equal(LeafCN, new X500DistinguishedName(info.Subject.GetEncoded()).Name); var csr = buffer.ToCertificateRequest(SignatureType.PS256); // var pubk = csr.PublicKey.Key; // Assert.True(pubk.ToPublicKey().SameAs(rsa2.ToPublicKey())); Assert.Equal(LeafCN, csr.SubjectName.Name); var leaf2 = csr.Create(ca.SubjectName, signer, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow + TimeSpan.FromHours(1), serialNumber); Assert.True(leaf2.GetECDsaPublicKey().ToPublicKey().SameAs(ecdsa2.ToPublicKey())); Assert.NotNull(leaf2.PublicKey); Assert.NotNull(leaf2.Extensions); Assert.Single(leaf2.Extensions); Assert.NotNull(leaf2.GetBasicConstraintsExtension()); Assert.Equal(leaf.Subject, leaf2.Subject); Assert.Equal(leaf.SerialNumber, leaf2.SerialNumber); } }