public static X509Certificate2 genCert() { var gen = new X509V3CertificateGenerator(); var keypairgen = new RsaKeyPairGenerator(); keypairgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 4096)); var keypair = keypairgen.GenerateKeyPair(); var random = new Random(); random.Next(); random.Next(); random.Next(); random.Next(); random.Next(); random.Next(); random.Next(); var CN = new X509Name("CN=IRCLib"); var SN = BigInteger.ProbablePrime(120, random); gen.SetSerialNumber(SN); gen.SetIssuerDN(CN); gen.SetSubjectDN(CN); gen.SetNotBefore(DateTime.UtcNow.Subtract(new TimeSpan(5, 0, 0))); gen.SetNotAfter(DateTime.UtcNow.AddYears(5)); gen.SetPublicKey(keypair.Public); var gcert = gen.Generate(new Asn1SignatureFactory("MD5WithRSA", keypair.Private)); Console.WriteLine($"Keypair results: Public: {keypair.Public}\nPrivate: {keypair.Private}"); var cert = new X509Certificate2(gcert.GetEncoded(), "irclib", X509KeyStorageFlags.Exportable); Console.WriteLine($"Public Key: {cert.PublicKey}\nPrivate Key present: {cert.HasPrivateKey} at creation time."); return(cert); }
public object GetResult() { // Org.BouncyCastle.Crypto.Tls.TlsContext // https://github.com/bcgit/bc-csharp/blob/master/crypto/src/crypto/tls/Chacha20Poly1305.cs // var ccp = new Org.BouncyCastle.Crypto.Tls.Chacha20Poly1305(null); Org.BouncyCastle.Asn1.DerObjectIdentifier cc = Org.BouncyCastle.Asn1.X509.X509Name.CountryOfCitizenship; Org.BouncyCastle.Asn1.DerObjectIdentifier cr = Org.BouncyCastle.Asn1.X509.X509Name.CountryOfResidence; Org.BouncyCastle.Asn1.DerObjectIdentifier coi = Org.BouncyCastle.Asn1.X509.X509Name.OrganizationIdentifier; // https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ // https://dzone.com/articles/creating-self-signed-certificate // https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl // https://www.akadia.com/services/ssh_test_certificate.html // https://coderanch.com/how-to/javadoc/itext-2.1.7/com/lowagie/text/pdf/PdfPKCS7.X509Name.html#CN var oc = Org.BouncyCastle.Asn1.X509.X509Name.C; // Country code var oST = Org.BouncyCastle.Asn1.X509.X509Name.ST; // State or Province var ol = Org.BouncyCastle.Asn1.X509.X509Name.L; // Locality var oo = Org.BouncyCastle.Asn1.X509.X509Name.O; // Organization name var ou = Org.BouncyCastle.Asn1.X509.X509Name.OU; // Organizational Unit Name var ocn = Org.BouncyCastle.Asn1.X509.X509Name.CN; // Common name var oce = Org.BouncyCastle.Asn1.X509.X509Name.E; // email address in Verisign certificates var ocee = Org.BouncyCastle.Asn1.X509.X509Name.EmailAddress; // Email address (RSA PKCS#9 extension) - IA5String Org.BouncyCastle.Asn1.X509.X509Name a = new Org.BouncyCastle.Asn1.X509.X509Name("ou"); throw new System.NotImplementedException(); }
} // End Sub ReadCertificationRequest // https://stackoverflow.com/questions/21912390/decode-read-a-csr-certificate-signing-request-using-java-or-bouncycastle private static string GetX509Field(string asn1ObjectIdentifier, Org.BouncyCastle.Asn1.X509.X509Name x500Name) { string retVal = null; System.Collections.IList rdnArray = x500Name.GetValueList( new Org.BouncyCastle.Asn1.DerObjectIdentifier(asn1ObjectIdentifier) ); System.Collections.IList oids = x500Name.GetOidList(); System.Collections.IList foo = x500Name.GetValueList(); System.Console.WriteLine(oids); System.Console.WriteLine(foo); foreach (Org.BouncyCastle.Asn1.DerObjectIdentifier thisOID in oids) { string oidName = System.Convert.ToString(Org.BouncyCastle.Asn1.X509.X509Name.DefaultSymbols[thisOID]); System.Console.WriteLine(oidName); System.Collections.IList values = x500Name.GetValueList(thisOID); System.Console.WriteLine(values); } // Next thisOID foreach (object x in rdnArray) { // System.Console.WriteLine(x); retVal = System.Convert.ToString(x); return(retVal); } // Next x return(retVal); } // End Function GetX509Field
/// <summary> /// Temporäres Zertifikat für Verschlüsselung und Signatur erstellen. /// </summary> /// <param name="name">Name</param> /// <param name="email">Email</param> /// <param name="producerId">Hersteller-ID</param> /// <param name="producerVersion">Hersteller-Version</param> /// <param name="locality">Ort</param> /// <param name="country">Land</param> /// <returns>Zertifikat</returns> public static SystemX509.X509Certificate2 CreateTemporaryCertificate( string name, string email, string producerId, string producerVersion, string locality, string country) { var rsaCrypto = new System.Security.Cryptography.RSACryptoServiceProvider(2048); var keyPair = GetRsaKeyPair(rsaCrypto); var certGen = new Org.BouncyCastle.X509.X509V3CertificateGenerator(); var now = DateTime.Now; certGen.SetNotAfter(new DateTime(now.Year + 1, 12, 31, 23, 59, 59)); var notBefore = new DateTime(now.Year, 1, 1); certGen.SetNotBefore(notBefore); certGen.SetSerialNumber(new Org.BouncyCastle.Math.BigInteger(string.Format("{0:yyyyMMdd}", notBefore))); var certName = new Org.BouncyCastle.Asn1.X509.X509Name( string.Format("CN={0}, O={1}, OU={2}, L={3}, C={4}", name, producerId, producerVersion, locality, country)); certGen.SetSubjectDN(certName); certGen.SetIssuerDN(certName); certGen.SetPublicKey(keyPair.Public); var bcCert = certGen.Generate(new Asn1SignatureFactory("SHA256WITHRSA", keyPair.Private)); var cert = new SystemX509.X509Certificate2(bcCert.GetEncoded()); cert = LinkPrivateKeyToCert(cert, rsaCrypto, null); return(cert); }
} // End Sub BuildAlternativeNameNetCoreVariant // https://codereview.stackexchange.com/questions/84752/net-bouncycastle-csr-and-private-key-generation public static Org.BouncyCastle.Asn1.X509.X509Name CreateSubject( string countryIso2Characters , string stateOrProvince , string localityOrCity , string companyName , string division , string domainName , string email) { // https://people.eecs.berkeley.edu/~jonah/bc/org/bouncycastle/asn1/x509/X509Name.html KeyValuePairList <Org.BouncyCastle.Asn1.DerObjectIdentifier, string> attrs = new KeyValuePairList <Org.BouncyCastle.Asn1.DerObjectIdentifier, string>(); if (!string.IsNullOrEmpty(countryIso2Characters) && countryIso2Characters.Trim() != string.Empty) { attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.C, countryIso2Characters); } if (!string.IsNullOrEmpty(stateOrProvince) && stateOrProvince.Trim() != string.Empty) { attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.ST, stateOrProvince); } if (!string.IsNullOrEmpty(localityOrCity) && localityOrCity.Trim() != string.Empty) { attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.L, localityOrCity); } if (!string.IsNullOrEmpty(companyName) && companyName.Trim() != string.Empty) { attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.O, companyName); } if (!string.IsNullOrEmpty(division) && division.Trim() != string.Empty) { attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.OU, division); } // Must have ? if (!string.IsNullOrEmpty(domainName) && domainName.Trim() != string.Empty) { attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.CN, domainName); } if (!string.IsNullOrEmpty(email) && email.Trim() != string.Empty) { //attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.E, email); // email address in Verisign certificates attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.EmailAddress, email); // Email address (RSA PKCS#9 extension) } Org.BouncyCastle.Asn1.X509.X509Name subject = new Org.BouncyCastle.Asn1.X509.X509Name(attrs.Keys, attrs.Values); return(subject); } // End Function CreateSubject
/// <summary> /// Formata o assunto no padrão codificar /// </summary> /// <param name="subject"></param> /// <returns></returns> private static Subject getSubject(BCA.X509.X509Name subject) { /** * Codificar Signature Sample * C=BR, * O=ICP-Brasil, * ST=MG, * L=Belo Horizonte, * OU=Secretaria da Receita Federal do Brasil - RFB, * OU=RFB e-CNPJ A3, * OU=Autenticado por PRODEMGE, * CN=CODIFICAR SISTEMAS TECNOLOGICOS LTDA ME:05957264000151 **/ /*List<Tuple<SubjectType, BCA.DerObjectIdentifier>> listSubject = new List<Tuple<SubjectType, BCA.DerObjectIdentifier>> * { * new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.Country, iTextSharp.text.pdf.security.CertificateInfo.X509Name.C), * new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.Organization, iTextSharp.text.pdf.security.CertificateInfo.X509Name.O), * new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.State, iTextSharp.text.pdf.security.CertificateInfo.X509Name.ST), * new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.Locality, iTextSharp.text.pdf.security.CertificateInfo.X509Name.L), * new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.OrganizationalUnit, iTextSharp.text.pdf.security.CertificateInfo.X509Name.OU), * new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.CommonName, iTextSharp.text.pdf.security.CertificateInfo.X509Name.CN), * }; * * Subject sub = new Subject(); * * foreach (Tuple<SubjectType, BCA.DerObjectIdentifier> item in listSubject) * foreach (string obj in subject.GetValueList(item.Item2)) * sub.Add(new SubjectDetail(item.Item1, obj)); * * return sub;*/ Dictionary <SubjectType, BCA.DerObjectIdentifier> listSubject = new Dictionary <SubjectType, BCA.DerObjectIdentifier>(); listSubject.Add(SubjectType.Country, iTextSharp.text.pdf.security.CertificateInfo.X509Name.C); listSubject.Add(SubjectType.Organization, iTextSharp.text.pdf.security.CertificateInfo.X509Name.O); listSubject.Add(SubjectType.State, iTextSharp.text.pdf.security.CertificateInfo.X509Name.ST); listSubject.Add(SubjectType.Locality, iTextSharp.text.pdf.security.CertificateInfo.X509Name.L); listSubject.Add(SubjectType.OrganizationalUnit, iTextSharp.text.pdf.security.CertificateInfo.X509Name.OU); listSubject.Add(SubjectType.CommonName, iTextSharp.text.pdf.security.CertificateInfo.X509Name.CN); Subject sub = new Subject(); foreach (KeyValuePair <SubjectType, BCA.DerObjectIdentifier> pair in listSubject) { foreach (string obj in subject.GetValueList(pair.Value)) { sub.Add(new SubjectDetail(pair.Key, obj)); } } return(sub); }
// https://stackoverflow.com/questions/6128541/bouncycastle-privatekey-to-x509certificate2-privatekey public static Org.BouncyCastle.X509.X509Certificate CreateX509Cert(string certName) { var keypairgen = new Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator(); keypairgen.Init(new Org.BouncyCastle.Crypto.KeyGenerationParameters( new Org.BouncyCastle.Security.SecureRandom( new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator() ) , 1024 ) ); var keypair = keypairgen.GenerateKeyPair(); var gen = new Org.BouncyCastle.X509.X509V3CertificateGenerator(); var CN = new Org.BouncyCastle.Asn1.X509.X509Name("CN=" + certName); var SN = Org.BouncyCastle.Math.BigInteger.ProbablePrime(120, new Random()); gen.SetSerialNumber(SN); gen.SetSubjectDN(CN); gen.SetIssuerDN(CN); gen.SetNotAfter(DateTime.Now.AddYears(1)); gen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0))); gen.SetSignatureAlgorithm("MD5WithRSA"); gen.SetPublicKey(keypair.Public); gen.AddExtension( Org.BouncyCastle.Asn1.X509.X509Extensions.AuthorityKeyIdentifier.Id, false, new Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier( Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keypair.Public), new Org.BouncyCastle.Asn1.X509.GeneralNames(new Org.BouncyCastle.Asn1.X509.GeneralName(CN)), SN )); gen.AddExtension( Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id, false, new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(new ArrayList() { new Org.BouncyCastle.Asn1.DerObjectIdentifier("1.3.6.1.5.5.7.3.1") })); Org.BouncyCastle.X509.X509Certificate newCert = gen.Generate(keypair.Private); return(newCert); }
public static byte[] CreatePfxBytes( Org.BouncyCastle.X509.X509Certificate certificate , Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey , string password = "") { byte[] pfxBytes = null; // create certificate entry Org.BouncyCastle.Pkcs.X509CertificateEntry certEntry = new Org.BouncyCastle.Pkcs.X509CertificateEntry(certificate); Org.BouncyCastle.Asn1.X509.X509Name name = new Org.BouncyCastle.Asn1.X509.X509Name(certificate.SubjectDN.ToString()); string friendlyName = (string)name.GetValueList(Org.BouncyCastle.Asn1.X509.X509Name.O)[0]; if (System.StringComparer.InvariantCultureIgnoreCase.Equals("Skynet Earth Inc.", friendlyName)) { friendlyName = "Skynet Certification Authority"; } Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder builder = new Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder(); builder.SetUseDerEncoding(true); Org.BouncyCastle.Pkcs.Pkcs12Store store = builder.Build(); store.SetCertificateEntry(friendlyName, certEntry); // create store entry store.SetKeyEntry( friendlyName , new Org.BouncyCastle.Pkcs.AsymmetricKeyEntry(privateKey) , new Org.BouncyCastle.Pkcs.X509CertificateEntry[] { certEntry } ); using (System.IO.MemoryStream stream = new System.IO.MemoryStream()) { // Cert is contained in store // null: no password, "": an empty passwords // note: Linux needs empty password on null... store.Save(stream, password == null ? "".ToCharArray() : password.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom()); // stream.Position = 0; pfxBytes = Org.BouncyCastle.Pkcs.Pkcs12Utilities.ConvertToDefiniteLength(stream.ToArray()); } // End Using stream return(pfxBytes); } // End Function CreatePfxBytes
// DumpPfx(ee25519Cert, subject, caKey25519); public static void DumpPfx( Org.BouncyCastle.X509.X509Certificate bouncyCert , Org.BouncyCastle.Asn1.X509.X509Name subject , Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair pair) { Org.BouncyCastle.Pkcs.Pkcs12Store store = new Org.BouncyCastle.Pkcs.Pkcs12Store(); Org.BouncyCastle.Pkcs.X509CertificateEntry certificateEntry = new Org.BouncyCastle.Pkcs.X509CertificateEntry(bouncyCert); store.SetCertificateEntry(subject.ToString(), certificateEntry); store.SetKeyEntry(subject.ToString(), new Org.BouncyCastle.Pkcs.AsymmetricKeyEntry(pair.Private) , new[] { certificateEntry } ); Org.BouncyCastle.Security.SecureRandom random = new Org.BouncyCastle.Security.SecureRandom( new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator() ); using (System.IO.MemoryStream stream = new System.IO.MemoryStream()) { string tempPassword = "******"; store.Save(stream, tempPassword.ToCharArray(), random); using (System.Security.Cryptography.X509Certificates.X509Certificate2 cert = new System.Security.Cryptography.X509Certificates.X509Certificate2( stream.ToArray() , tempPassword , System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.PersistKeySet | System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable) ) { System.Text.StringBuilder builder = new System.Text.StringBuilder(); builder.AppendLine("-----BEGIN CERTIFICATE-----"); builder.AppendLine(System.Convert.ToBase64String( cert.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert) , System.Base64FormattingOptions.InsertLineBreaks) ); builder.AppendLine("-----END CERTIFICATE-----"); // PFX //builder.ToString().Dump("Self-signed Certificate"); } // End Using cert } // End Using stream } // End Sub DumpPfx
// Using BouncyCastle API, how do I sign a Certificate Signing Request (CSR) using my own CA? // https://stackoverflow.com/questions/44440974/bouncy-castle-decode-csr-c-sharp // You will have to add some code to read the subject's public key info // from the CSR and then generate a version 3 certificate as shown in the example. // The OpenSSL equivalent for this is // openssl ca –in <CSR> -cert <CA-cert-file> -out <signed-cert> public static void ReadCertificationRequest(string csr) { Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest decodedCsr = null; using (System.IO.TextReader sr = new System.IO.StringReader(csr)) { Org.BouncyCastle.OpenSsl.PemReader pr = new Org.BouncyCastle.OpenSsl.PemReader(sr); object obj = pr.ReadObject(); decodedCsr = (Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest)obj; } // End Using sr Org.BouncyCastle.Asn1.Pkcs.CertificationRequestInfo csri = decodedCsr.GetCertificationRequestInfo(); GetX509ExtensionsFromCsr(csri); Org.BouncyCastle.Asn1.X509.X509Name subj = csri.Subject; // decodedCsr.Signature // decodedCsr.SignatureAlgorithm GetX509Field(Org.BouncyCastle.Asn1.X509.X509Name.EmailAddress.Id, subj); System.Console.WriteLine(csri.Subject); // csri.SubjectPublicKeyInfo // csri.Version // csri.Attributes //Org.BouncyCastle.Asn1.Asn1Set attributes = // new Org.BouncyCastle.Asn1.DerSet( // new Org.BouncyCastle.Asn1.Pkcs.AttributePkcs( // Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Pkcs9AtExtensionRequest // , new Org.BouncyCastle.Asn1.DerSet(new Org.BouncyCastle.Asn1.X509.X509Extensions(extensions)) // ) //); } // End Sub ReadCertificationRequest
private string GetResponderName(ResponderID responderId, ref bool byKey) { Org.BouncyCastle.Asn1.DerTaggedObject dt = (Org.BouncyCastle.Asn1.DerTaggedObject)responderId.ToAsn1Object(); if (dt.TagNo == 1) { Org.BouncyCastle.Asn1.X509.X509Name name = Org.BouncyCastle.Asn1.X509.X509Name.GetInstance(dt.GetObject()); byKey = false; return(name.ToString()); } else if (dt.TagNo == 2) { Asn1TaggedObject tagger = (Asn1TaggedObject)responderId.ToAsn1Object(); Asn1OctetString pubInfo = (Asn1OctetString)tagger.GetObject(); byKey = true; return(Convert.ToBase64String(pubInfo.GetOctets())); } else { return(null); } }
} // End Sub WriteCerAndCrt public static void Test() { Org.BouncyCastle.Asn1.X509.X509Name caName = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestCA"); Org.BouncyCastle.Asn1.X509.X509Name eeName = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestEE"); Org.BouncyCastle.Asn1.X509.X509Name eeName25519 = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestEE25519"); string countryIso2Characters = "EA"; string stateOrProvince = "ERA"; string localityOrCity = "NeutralZone"; string companyName = "Skynet Earth Inc."; string division = "Skynet mbH"; string domainName = "sky.net"; string email = "*****@*****.**"; Org.BouncyCastle.Asn1.X509.X509Name subj = CertificateInfo.CreateSubject( countryIso2Characters, stateOrProvince , localityOrCity, companyName , division, domainName, email); System.Console.WriteLine(subj); Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey25519 = KeyGenerator.GenerateEcKeyPair("curve25519", s_secureRandom.Value); Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey = KeyGenerator.GenerateEcKeyPair("secp256r1", s_secureRandom.Value); Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair eeKey = KeyGenerator.GenerateRsaKeyPair(2048, s_secureRandom.Value); string publicKey = null; // id_rsa.pub using (System.IO.TextWriter textWriter = new System.IO.StringWriter()) { Org.BouncyCastle.OpenSsl.PemWriter pemWriter = new Org.BouncyCastle.OpenSsl.PemWriter(textWriter); pemWriter.WriteObject(eeKey); pemWriter.Writer.Flush(); publicKey = textWriter.ToString(); } // End Using textWriter System.Console.WriteLine(publicKey); // https://social.msdn.microsoft.com/Forums/vstudio/de-DE/8d49a681-22c6-417f-af3c-8daebd6f10dd/signierung-eines-hashs-mit-ellipticcurve-crypto?forum=visualcsharpde // https://stackoverflow.com/questions/22963581/reading-elliptic-curve-private-key-from-file-with-bouncycastle/41947163 // PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(pkcs8key); // The EC PARAMETERS block in your file is an accident of the way openssl ecparam - genkey works by default; // it is not needed or used as part of the actual key and you can omit it by specifying - noout // which is admittedly somewhat unobvious. // The actual key structure('hidden' in the base64/ DER data) for EC(DSA / DH) // does contain some parameter info which RSA doesn't but DSA does. PrivatePublicPemKeyPair keyPair = KeyImportExport.GetPemKeyPair(caKey25519); // PrivatePublicPemKeyPair keyPair = PrivatePublicPemKeyPair.ImportFrom("", ""); Org.BouncyCastle.X509.X509Certificate caCert = GenerateCertificate(caName, caName, caKey.Private, caKey.Public, s_secureRandom.Value); Org.BouncyCastle.X509.X509Certificate eeCert = GenerateCertificate(caName, eeName, caKey.Private, eeKey.Public, s_secureRandom.Value); Org.BouncyCastle.X509.X509Certificate ee25519Cert = GenerateCertificate(caName, eeName25519, caKey25519.Private, caKey25519.Public, s_secureRandom.Value); bool caOk = ValidateSelfSignedCert(caCert, caKey.Public); bool eeOk = ValidateSelfSignedCert(eeCert, caKey.Public); bool ee25519 = ValidateSelfSignedCert(eeCert, caKey.Public); PfxGenerator.CreatePfxFile("example.pfx", caCert, caKey.Private, null); // System.IO.File.WriteAllBytes("fileName", caCert.Export(X509ContentType.Pkcs12, PfxPassword)); // https://info.ssl.com/how-to-der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-conver-them/ // The file extensions .CRT and .CER are interchangeable. // If your server requires that you use the .CER file extension, you can change the extension // http://www.networksolutions.com/support/what-is-the-difference-between-a-crt-and-a-cer-file/ // https://stackoverflow.com/questions/642284/apache-with-ssl-how-to-convert-cer-to-crt-certificates // File extensions for cryptographic certificates aren't really as standardized as you'd expect. // Windows by default treats double - clicking a.crt file as a request to import the certificate // So, they're different in that sense, at least, that Windows has some inherent different meaning // for what happens when you double click each type of file. // One is a "binary" X.509 encoding, and the other is a "text" base64 encoding that usually starts with "-----BEGIN CERTIFICATE-----". // into the Windows Root Certificate store, but treats a.cer file as a request just to view the certificate. // CER is an X.509 certificate in binary form, DER encoded // CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding // Most systems accept both formats, but if you need to you can convert one to the other via openssl // Certificate file should be PEM-encoded X.509 Certificate file: // openssl x509 -inform DER -in certificate.cer -out certificate.pem using (System.IO.Stream f = System.IO.File.Open("ca.cer", System.IO.FileMode.Create)) { byte[] buf = caCert.GetEncoded(); f.Write(buf, 0, buf.Length); f.Flush(); } using (System.IO.Stream fs = System.IO.File.Open("ee.cer", System.IO.FileMode.Create)) { byte[] buf = eeCert.GetEncoded(); fs.Write(buf, 0, buf.Length); fs.Flush(); } // End Using fs using (System.IO.Stream fs = System.IO.File.Open("ee25519.cer", System.IO.FileMode.Create)) { byte[] buf = ee25519Cert.GetEncoded(); fs.Write(buf, 0, buf.Length); fs.Flush(); } // End Using fs // new System.Text.ASCIIEncoding(false) // new System.Text.UTF8Encoding(false) using (System.IO.Stream fs = System.IO.File.Open("ee.crt", System.IO.FileMode.Create)) { using (System.IO.StreamWriter sw = new System.IO.StreamWriter(fs, System.Text.Encoding.ASCII)) { byte[] buf = eeCert.GetEncoded(); string pem = ToPem(buf); sw.Write(pem); } // End Using sw } // End Using fs using (System.IO.Stream fs = System.IO.File.Open("ee25519.crt", System.IO.FileMode.Create)) { using (System.IO.StreamWriter sw = new System.IO.StreamWriter(fs, System.Text.Encoding.ASCII)) { byte[] buf = ee25519Cert.GetEncoded(); string pem = ToPem(buf); sw.Write(pem); } // End Using sw } // End Using fs Org.BouncyCastle.Asn1.X509.X509Name subject = eeName25519; } // End Sub Test
} // End Function GenerateRootCertificate // SHA512WITHRSA // SHA512WITHRSAANDMGF1 // RIPEMD256WITHRSA // SHA512WITHDSA // SHA512WITHECDSA // GOST3411WITHECGOST3410 private static Org.BouncyCastle.X509.X509Certificate GenerateCertificate( Org.BouncyCastle.Asn1.X509.X509Name issuer, Org.BouncyCastle.Asn1.X509.X509Name subject, Org.BouncyCastle.Crypto.AsymmetricKeyParameter issuerPrivate, Org.BouncyCastle.Crypto.AsymmetricKeyParameter subjectPublic, Org.BouncyCastle.Security.SecureRandom secureRandom ) { Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory; if (issuerPrivate is Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters) { // System.Collections.IEnumerable names = Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory.SignatureAlgNames; // System.Console.WriteLine(names); // string x9 = Org.BouncyCastle.Asn1.X9.X9ObjectIdentifiers.ECDsaWithSha256.ToString(); // System.Console.WriteLine(x9); // Org.BouncyCastle.Asn1.X9.X9ObjectIdentifiers.ECDsaWithSha512 signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory( Org.BouncyCastle.Asn1.X9.X9ObjectIdentifiers.ECDsaWithSha256.ToString(), issuerPrivate); } else { // Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Sha512WithRsaEncryption signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory( Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Sha256WithRsaEncryption.ToString(), issuerPrivate); } Org.BouncyCastle.Math.BigInteger serialNumber = Org.BouncyCastle.Utilities.BigIntegers.CreateRandomInRange( Org.BouncyCastle.Math.BigInteger.One, Org.BouncyCastle.Math.BigInteger.ValueOf(System.Int64.MaxValue), secureRandom ); // Org.BouncyCastle.Asn1.X509.X509Name subjectDN = new Org.BouncyCastle.Asn1.X509.X509Name("CN=" + commonNameValue); Org.BouncyCastle.X509.X509V3CertificateGenerator certGenerator = new Org.BouncyCastle.X509.X509V3CertificateGenerator(); certGenerator.SetIssuerDN(issuer); certGenerator.SetSubjectDN(subject); // The certificate needs a serial number. // This is used for revocation, and usually should be an incrementing index // (which makes it easier to revoke a range of certificates). // Since we don’t have anywhere to store the incrementing index, we can just use a random number. // certGenerator.SetSerialNumber(serialNumber); certGenerator.SetSerialNumber(Org.BouncyCastle.Math.BigInteger.ValueOf(1)); certGenerator.SetNotAfter(System.DateTime.UtcNow.AddHours(1)); certGenerator.SetNotBefore(System.DateTime.UtcNow); certGenerator.SetPublicKey(subjectPublic); // https://www.programcreek.com/java-api-examples/?class=org.bouncycastle.x509.X509V3CertificateGenerator&method=setSubjectDN // certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Name.C.Id, true, new X509Name("CH")); // https://en.wikipedia.org/wiki/Subject_Alternative_Name // byte[] subjectAltName = new GeneralNames(new GeneralName(GeneralName.DnsName, "localhost")).GetDerEncoded(); // certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.SubjectAlternativeName, false, subjectAltName); /* * // https://www.programcreek.com/java-api-examples/?api=org.bouncycastle.cert.X509v3CertificateBuilder * Org.BouncyCastle.Asn1.DerSequence subjectAlternativeNames = * new Org.BouncyCastle.Asn1.DerSequence( * new Org.BouncyCastle.Asn1.Asn1Encodable[] { * new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.DnsName, "localhost"), * new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.DnsName, System.Environment.MachineName), * new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.DnsName, "127.0.0.1") * }); * * * certGenerator.AddExtension( * Org.BouncyCastle.Asn1.X509.X509Extensions.SubjectAlternativeName * , false * , subjectAlternativeNames * ); */ // https://security.stackexchange.com/questions/169217/certificate-chain-is-broken // certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.BasicConstraints.Id, true, new Org.BouncyCastle.Asn1.X509.BasicConstraints(3)); // Key Usage certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.KeyUsage, true , new Org.BouncyCastle.Asn1.X509.KeyUsage( Org.BouncyCastle.Asn1.X509.KeyUsage.DigitalSignature | Org.BouncyCastle.Asn1.X509.KeyUsage.KeyEncipherment | Org.BouncyCastle.Asn1.X509.KeyUsage.DataEncipherment | Org.BouncyCastle.Asn1.X509.KeyUsage.KeyCertSign | Org.BouncyCastle.Asn1.X509.KeyUsage.KeyAgreement | Org.BouncyCastle.Asn1.X509.KeyUsage.NonRepudiation | Org.BouncyCastle.Asn1.X509.KeyUsage.CrlSign ) ); certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id, true , new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(new[] { Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPClientAuth , Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPServerAuth }) ); return(certGenerator.Generate(signatureFactory)); } // End Function GenerateCertificate
// https://gist.github.com/Venomed/5337717aadfb61b09e58 // https://www.powershellgallery.com/packages/Posh-ACME/2.2.0/Content/Private%5CNew-Csr.ps1 public static string CreateSignatureRequest( Org.BouncyCastle.Asn1.X509.X509Name subject , Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey25519 , Org.BouncyCastle.Security.SecureRandom secureRandom) { Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory; Org.BouncyCastle.Crypto.AsymmetricKeyParameter publicKey = caKey25519.Public; Org.BouncyCastle.Crypto.AsymmetricKeyParameter signingKey = caKey25519.Private; if (signingKey is Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters) { signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory( Org.BouncyCastle.Asn1.X9.X9ObjectIdentifiers.ECDsaWithSha256.ToString(), signingKey); } else { signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory( Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Sha256WithRsaEncryption.ToString(), signingKey); } System.Collections.Generic.Dictionary <Org.BouncyCastle.Asn1.DerObjectIdentifier, Org.BouncyCastle.Asn1.X509.X509Extension> extensions = new System.Collections.Generic.Dictionary <Org.BouncyCastle.Asn1.DerObjectIdentifier, Org.BouncyCastle.Asn1.X509.X509Extension>() { { Org.BouncyCastle.Asn1.X509.X509Extensions.BasicConstraints, new Org.BouncyCastle.Asn1.X509.X509Extension( true , new Org.BouncyCastle.Asn1.DerOctetString(new Org.BouncyCastle.Asn1.X509.BasicConstraints(false)) ) }, { Org.BouncyCastle.Asn1.X509.X509Extensions.KeyUsage, new Org.BouncyCastle.Asn1.X509.X509Extension(true, new Org.BouncyCastle.Asn1.DerOctetString( new Org.BouncyCastle.Asn1.X509.KeyUsage( Org.BouncyCastle.Asn1.X509.KeyUsage.DigitalSignature | Org.BouncyCastle.Asn1.X509.KeyUsage.KeyEncipherment | Org.BouncyCastle.Asn1.X509.KeyUsage.DataEncipherment | Org.BouncyCastle.Asn1.X509.KeyUsage.NonRepudiation ) ) ) }, { Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage, new Org.BouncyCastle.Asn1.X509.X509Extension(false, new Org.BouncyCastle.Asn1.DerOctetString( new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage( Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPServerAuth, Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPClientAuth ) ) ) }, }; // Asn1Set attributes = null; Org.BouncyCastle.Asn1.Asn1Set attributes = new Org.BouncyCastle.Asn1.DerSet( new Org.BouncyCastle.Asn1.Pkcs.AttributePkcs( Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Pkcs9AtExtensionRequest , new Org.BouncyCastle.Asn1.DerSet(new Org.BouncyCastle.Asn1.X509.X509Extensions(extensions)) ) ); Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest csr = new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest( signatureFactory, subject, publicKey, attributes, signingKey ); System.Text.StringBuilder csrPem = new System.Text.StringBuilder(); Org.BouncyCastle.OpenSsl.PemWriter csrPemWriter = new Org.BouncyCastle.OpenSsl.PemWriter(new System.IO.StringWriter(csrPem)); csrPemWriter.WriteObject(csr); csrPemWriter.Writer.Flush(); string signingRequest = csrPem.ToString(); csrPem.Clear(); csrPem = null; // System.IO.File.WriteAllText("request.csr", signingRequest, System.Text.Encoding.ASCII); CertificationRequestReader.ReadCertificationRequest(signingRequest); // csr.GetDerEncoded(); System.Console.WriteLine(signingRequest); return(signingRequest); } // End Sub CreateSignatureRequest
// http://stackoverflow.com/questions/36942094/how-can-i-generate-a-self-signed-cert-without-using-obsolete-bouncycastle-1-7-0 public static System.Security.Cryptography.X509Certificates.X509Certificate2 CreateX509Cert2(string certName) { var keypairgen = new Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator(); keypairgen.Init(new Org.BouncyCastle.Crypto.KeyGenerationParameters( new Org.BouncyCastle.Security.SecureRandom( new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator() ) , 1024 ) ); Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair keypair = keypairgen.GenerateKeyPair(); // --- Until here we generate a keypair var random = new Org.BouncyCastle.Security.SecureRandom( new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator() ); // SHA1WITHRSA // SHA256WITHRSA // SHA384WITHRSA // SHA512WITHRSA // SHA1WITHECDSA // SHA224WITHECDSA // SHA256WITHECDSA // SHA384WITHECDSA // SHA512WITHECDSA Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory("SHA512WITHRSA", keypair.Private, random) ; var gen = new Org.BouncyCastle.X509.X509V3CertificateGenerator(); var CN = new Org.BouncyCastle.Asn1.X509.X509Name("CN=" + certName); var SN = Org.BouncyCastle.Math.BigInteger.ProbablePrime(120, new Random()); gen.SetSerialNumber(SN); gen.SetSubjectDN(CN); gen.SetIssuerDN(CN); gen.SetNotAfter(DateTime.Now.AddYears(1)); gen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0))); gen.SetPublicKey(keypair.Public); // -- Are these necessary ? // public static readonly DerObjectIdentifier AuthorityKeyIdentifier = new DerObjectIdentifier("2.5.29.35"); // OID value: 2.5.29.35 // OID description: id-ce-authorityKeyIdentifier // This extension may be used either as a certificate or CRL extension. // It identifies the public key to be used to verify the signature on this certificate or CRL. // It enables distinct keys used by the same CA to be distinguished (e.g., as key updating occurs). // http://stackoverflow.com/questions/14930381/generating-x509-certificate-using-bouncy-castle-java gen.AddExtension( Org.BouncyCastle.Asn1.X509.X509Extensions.AuthorityKeyIdentifier.Id, false, new Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier( Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keypair.Public), new Org.BouncyCastle.Asn1.X509.GeneralNames(new Org.BouncyCastle.Asn1.X509.GeneralName(CN)), SN )); // OID value: 1.3.6.1.5.5.7.3.1 // OID description: Indicates that a certificate can be used as an SSL server certificate. gen.AddExtension( Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id, false, new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(new ArrayList() { new Org.BouncyCastle.Asn1.DerObjectIdentifier("1.3.6.1.5.5.7.3.1") })); // -- End are these necessary ? Org.BouncyCastle.X509.X509Certificate bouncyCert = gen.Generate(signatureFactory); byte[] ba = bouncyCert.GetEncoded(); System.Security.Cryptography.X509Certificates.X509Certificate2 msCert = new System.Security.Cryptography.X509Certificates.X509Certificate2(ba); return(msCert); }
// System.Security.Cryptography.X509Certificates.X509Certificate2.Import (string fileName); // https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.import?view=netframework-4.7.2 // https://gist.github.com/yutopio/a217a4af63cf6bcf0a530c14c074cf8f // https://gist.githubusercontent.com/yutopio/a217a4af63cf6bcf0a530c14c074cf8f/raw/42b2f8cb27f6d22b7e22d65da5bbd0f1ce9b2fff/cert.cs // https://stackoverflow.com/questions/44755155/store-pkcs12-container-pfx-with-bouncycastle // https://github.com/Worlaf/RSADemo/blob/328692e28e48db92340d55563480c8724d916384/RSADemo_WinForms/frmRsaDemo.cs public static void Create( string fileName , Org.BouncyCastle.X509.X509Certificate certificate , Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey , string password = "") { // create certificate entry Org.BouncyCastle.Pkcs.X509CertificateEntry certEntry = new Org.BouncyCastle.Pkcs.X509CertificateEntry(certificate); Org.BouncyCastle.Asn1.X509.X509Name name = new Org.BouncyCastle.Asn1.X509.X509Name(certificate.SubjectDN.ToString()); string friendlyName = name .GetValueList(Org.BouncyCastle.Asn1.X509.X509Name.O) .OfType <string>() .FirstOrDefault(); if (System.StringComparer.InvariantCultureIgnoreCase.Equals("Skynet Earth Inc.", friendlyName)) { friendlyName = "Skynet Certification Authority"; } // get bytes of private key. Org.BouncyCastle.Asn1.Pkcs.PrivateKeyInfo keyInfo = Org.BouncyCastle.Pkcs.PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey); //byte[] keyBytes = keyInfo.ToAsn1Object().GetEncoded(); Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder builder = new Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder(); builder.SetUseDerEncoding(true); Org.BouncyCastle.Pkcs.Pkcs12Store store = builder.Build(); store.SetCertificateEntry(friendlyName, certEntry); // create store entry store.SetKeyEntry( //keyFriendlyName friendlyName , new Org.BouncyCastle.Pkcs.AsymmetricKeyEntry(privateKey) , new Org.BouncyCastle.Pkcs.X509CertificateEntry[] { certEntry } ); byte[] pfxBytes = null; using (System.IO.MemoryStream stream = new System.IO.MemoryStream()) { // Cert is contained in store // null: no password, "": an empty passwords // note: Linux needs empty password on null... store.Save(stream, password == null ? "".ToCharArray() : password.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom()); // stream.Position = 0; pfxBytes = stream.ToArray(); } // End Using stream #if WITH_MS_PFX WithMsPfx(pfxBytes, fileName, password); #else byte[] result = Org.BouncyCastle.Pkcs.Pkcs12Utilities.ConvertToDefiniteLength(pfxBytes); // this.StoreCertificate(System.Convert.ToBase64String(result)); using (System.IO.BinaryWriter writer = new System.IO.BinaryWriter(System.IO.File.Open(fileName, System.IO.FileMode.Create))) { writer.Write(result); } // End Using writer #endif } // End Sub Create
} // End Function GenerateSslCertificate public static Org.BouncyCastle.X509.X509Certificate GenerateRootCertificate( CertificateInfo certificateInfo , Org.BouncyCastle.Security.SecureRandom secureRandom ) { // The Certificate Generator Org.BouncyCastle.X509.X509V3CertificateGenerator certificateGenerator = new Org.BouncyCastle.X509.X509V3CertificateGenerator(); Org.BouncyCastle.Asn1.X509.X509Name subjectDn = certificateInfo.Subject; Org.BouncyCastle.Asn1.X509.X509Name issuerDn = certificateInfo.Subject; certificateGenerator.SetSubjectDN(issuerDn); certificateGenerator.SetIssuerDN(issuerDn); certificateGenerator.SetNotBefore(certificateInfo.ValidFrom); certificateGenerator.SetNotAfter(certificateInfo.ValidTo); Org.BouncyCastle.Crypto.AsymmetricKeyParameter publicKey = KeyImportExport.ReadPublicKey(certificateInfo.SubjectKeyPair.PublicKey); Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey = KeyImportExport.ReadPrivateKey(certificateInfo.SubjectKeyPair.PrivateKey); AddExtensions(certificateGenerator, certificateInfo); Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory = CreateSignatureFactory(privateKey); certificateGenerator.SetPublicKey(publicKey); // Serial Number Org.BouncyCastle.Math.BigInteger serialNumber = Org.BouncyCastle.Utilities.BigIntegers.CreateRandomInRange( Org.BouncyCastle.Math.BigInteger.One , Org.BouncyCastle.Math.BigInteger.ValueOf(long.MaxValue) , secureRandom ); certificateGenerator.SetSerialNumber(serialNumber); certificateGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.KeyUsage, true , new Org.BouncyCastle.Asn1.X509.KeyUsage( Org.BouncyCastle.Asn1.X509.KeyUsage.DigitalSignature | Org.BouncyCastle.Asn1.X509.KeyUsage.KeyCertSign | Org.BouncyCastle.Asn1.X509.KeyUsage.CrlSign | Org.BouncyCastle.Asn1.X509.KeyUsage.KeyEncipherment | Org.BouncyCastle.Asn1.X509.KeyUsage.DataEncipherment | Org.BouncyCastle.Asn1.X509.KeyUsage.KeyAgreement | Org.BouncyCastle.Asn1.X509.KeyUsage.NonRepudiation ) ); Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier authorityKeyIdentifierExtension = new Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier( Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey) ); Org.BouncyCastle.Asn1.X509.SubjectKeyIdentifier subjectKeyIdentifierExtension = new Org.BouncyCastle.Asn1.X509.SubjectKeyIdentifier( Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey) ); certificateGenerator.AddExtension( Org.BouncyCastle.Asn1.X509.X509Extensions.SubjectKeyIdentifier.Id , false , subjectKeyIdentifierExtension ); certificateGenerator.AddExtension( Org.BouncyCastle.Asn1.X509.X509Extensions.AuthorityKeyIdentifier.Id , false , authorityKeyIdentifierExtension ); // Set certificate intended purposes to only Server Authentication //certificateGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id // , true // , new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPServerAuth) //); certificateGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id, true , new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(new[] { Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPClientAuth, Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPServerAuth }) ); // Only if we generate a root-Certificate certificateGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.BasicConstraints.Id , true , new Org.BouncyCastle.Asn1.X509.BasicConstraints(true) ); return(certificateGenerator.Generate(signatureFactory)); } // End Function GenerateRootCertificate