/// <summary>
/// Create a Self signed certificate with all options which can also be used as a root certificate
/// </summary>
/// <param name="distinguishedName">Distinguished Name used for the subject and the issuer properties</param>
/// <param name="validityPeriod">Valid from, Valid to certificate properties</param>
/// <param name="subjectAlternativeName">SAN but only DnsNames can be added as a list + Email property</param>
/// <param name="enhancedKeyUsages">Defines how the certificate key can be used.
/// new Oid("1.3.6.1.5.5.7.3.1") // TLS Server auth
/// new Oid("1.3.6.1.5.5.7.3.2") // TLS Client auth
/// new Oid("1.3.6.1.5.5.7.3.3") // Code signing
/// new Oid("1.3.6.1.5.5.7.3.4") // Email
/// new Oid("1.3.6.1.5.5.7.3.8") // Timestamping
/// </param>
/// <param name="x509KeyUsageFlags">Defines how the certificate key can be used.
/// None No key usage parameters.
/// EncipherOnly The key can be used for encryption only.
/// CrlSign The key can be used to sign a certificate revocation list (CRL).
/// KeyCertSign The key can be used to sign certificates.
/// KeyAgreement The key can be used to determine key agreement, such as a key created using the Diffie-Hellman key agreement algorithm.
/// DataEncipherment The key can be used for data encryption.
/// KeyEncipherment The key can be used for key encryption.
/// NonRepudiation The key can be used for authentication.
/// DecipherOnly The key can be used for decryption only.
/// </param>
/// <returns>Self signed certificate</returns>
public X509Certificate2 NewSelfSignedCertificate(
DistinguishedName distinguishedName,
BasicConstraints basicConstraints,
ValidityPeriod validityPeriod,
SubjectAlternativeName subjectAlternativeName,
OidCollection enhancedKeyUsages,
X509KeyUsageFlags x509KeyUsageFlags)
{
using var ecdsa = ECDsa.Create("ECDsa");
ecdsa.KeySize = 256;
var request = new CertificateRequest(
_certificateUtility.CreateIssuerOrSubject(distinguishedName),
ecdsa,
HashAlgorithmName.SHA256);
_certificateUtility.AddBasicConstraints(request, basicConstraints);
_certificateUtility.AddExtendedKeyUsages(request, x509KeyUsageFlags);
_certificateUtility.AddSubjectAlternativeName(request, subjectAlternativeName);
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(enhancedKeyUsages, false));
request.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(request.PublicKey, false));
var notbefore = validityPeriod.ValidFrom.AddDays(-1);
var notafter = validityPeriod.ValidTo;
X509Certificate2 generatedCertificate = request.CreateSelfSigned(notbefore, notafter);
return(generatedCertificate);
}
/// <summary>
/// Create a Self signed certificate with all options which can also be used as a root certificate
/// </summary>
/// <param name="distinguishedName">Distinguished Name used for the subject and the issuer properties</param>
/// <param name="validityPeriod">Valid from, Valid to certificate properties</param>
/// <param name="subjectAlternativeName">SAN but only DnsNames can be added as a list + Email property</param>
/// <param name="enhancedKeyUsages">Defines how the certificate key can be used.
/// new Oid("1.3.6.1.5.5.7.3.1") // TLS Server auth
/// new Oid("1.3.6.1.5.5.7.3.2") // TLS Client auth
/// new Oid("1.3.6.1.5.5.7.3.3") // Code signing
/// new Oid("1.3.6.1.5.5.7.3.4") // Email
/// new Oid("1.3.6.1.5.5.7.3.8") // Timestamping
/// </param>
/// <param name="x509KeyUsageFlags">Defines how the certificate key can be used.
/// None No key usage parameters.
/// EncipherOnly The key can be used for encryption only.
/// CrlSign The key can be used to sign a certificate revocation list (CRL).
/// KeyCertSign The key can be used to sign certificates.
/// KeyAgreement The key can be used to determine key agreement, such as a key created using the Diffie-Hellman key agreement algorithm.
/// DataEncipherment The key can be used for data encryption.
/// KeyEncipherment The key can be used for key encryption.
/// NonRepudiation The key can be used for authentication.
/// DecipherOnly The key can be used for decryption only.
/// </param>
/// <returns>Self signed certificate</returns>
public X509Certificate2 NewECDsaSelfSignedCertificate(
DistinguishedName distinguishedName,
BasicConstraints basicConstraints,
ValidityPeriod validityPeriod,
SubjectAlternativeName subjectAlternativeName,
OidCollection enhancedKeyUsages,
X509KeyUsageFlags x509KeyUsageFlags,
ECDsaConfiguration eCDsaConfiguration)
{
using var ecdsa = ECDsa.Create("ECDsa");
ecdsa.KeySize = eCDsaConfiguration.KeySize;
var request = new CertificateRequest(
_certificateUtility.CreateIssuerOrSubject(distinguishedName),
ecdsa,
eCDsaConfiguration.HashAlgorithmName);
X509Certificate2 generatedCertificate = SelfSignedConfiguration(
basicConstraints,
validityPeriod,
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
request);
return(generatedCertificate);
}
public X509Certificate2 NewClientSelfSignedCertificate(
DistinguishedName distinguishedName,
ValidityPeriod validityPeriod,
string dnsName)
{
OidCollection enhancedKeyUsages = new OidCollection()
{
new Oid("1.3.6.1.5.5.7.3.2")
};
BasicConstraints basicConstraints = new BasicConstraints()
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = true
};
SubjectAlternativeName subjectAlternativeName = new SubjectAlternativeName()
{
DnsName = new List <string>()
{
dnsName
}
};
X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature;
return(this._createCertificates.NewECDsaSelfSignedCertificate(distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new ECDsaConfiguration()));
}
public X509Certificate2 NewIntermediateChainedCertificate(
DistinguishedName distinguishedName,
ValidityPeriod validityPeriod,
int pathLengthConstraint,
string dnsName,
X509Certificate2 parentCertificateAuthority)
{
OidCollection enhancedKeyUsages = new OidCollection()
{
new Oid("1.3.6.1.5.5.7.3.2"),
new Oid("1.3.6.1.5.5.7.3.1")
};
BasicConstraints basicConstraints = new BasicConstraints()
{
CertificateAuthority = true,
HasPathLengthConstraint = true,
PathLengthConstraint = pathLengthConstraint,
Critical = true
};
SubjectAlternativeName subjectAlternativeName = new SubjectAlternativeName()
{
DnsName = new List <string>()
{
dnsName
}
};
X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign;
return(this._createCertificates.NewRsaChainedCertificate(distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, parentCertificateAuthority, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration()));
}
private X509Certificate2 NewDeviceChainedCertificate(
DistinguishedName distinguishedName,
ValidityPeriod validityPeriod,
string dnsName,
OidCollection enhancedKeyUsages,
X509Certificate2 parentCertificateAuthority)
{
BasicConstraints basicConstraints = new BasicConstraints()
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = true
};
SubjectAlternativeName subjectAlternativeName = new SubjectAlternativeName()
{
DnsName = new List <string>()
{
dnsName
}
};
X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature;
return(this._createCertificates.NewRsaChainedCertificate(distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, parentCertificateAuthority, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration()));
}
public void AddSubjectAlternativeName(CertificateRequest request, SubjectAlternativeName subjectAlternativeName)
{
foreach (var dnsName in subjectAlternativeName.DnsName)
{
if (UriHostNameType.Unknown == Uri.CheckHostName(dnsName))
{
throw new ArgumentException("Must be a valid DNS name", nameof(dnsName));
}
}
var sanBuilder = new SubjectAlternativeNameBuilder();
foreach (var dnsName in subjectAlternativeName.DnsName)
{
sanBuilder.AddDnsName(dnsName);
}
if (!string.IsNullOrEmpty(subjectAlternativeName.Email))
{
sanBuilder.AddEmailAddress(subjectAlternativeName.Email);
}
var sanExtension = sanBuilder.Build();
request.CertificateExtensions.Add(sanExtension);
}
public X509Certificate2 NewRsaSelfSignedCertificate(
DistinguishedName distinguishedName,
BasicConstraints basicConstraints,
ValidityPeriod validityPeriod,
SubjectAlternativeName subjectAlternativeName,
OidCollection enhancedKeyUsages,
X509KeyUsageFlags x509KeyUsageFlags,
RsaConfiguration rsaConfiguration)
{
using var rsa = RSA.Create(rsaConfiguration.KeySize); // 1024, 2048 or 4096
var request = new CertificateRequest(
_certificateUtility.CreateIssuerOrSubject(distinguishedName),
rsa,
rsaConfiguration.HashAlgorithmName,
rsaConfiguration.RSASignaturePadding);
X509Certificate2 generatedCertificate = SelfSignedConfiguration(
basicConstraints,
validityPeriod,
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
request);
return(generatedCertificate);
}
public static X509Certificate2 CreateRsaCertificate(CreateCertificates createCertificates, int keySize)
{
var basicConstraints = new BasicConstraints
{
CertificateAuthority = true,
HasPathLengthConstraint = true,
PathLengthConstraint = 2,
Critical = false
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
"SigningCertificateTest",
}
};
var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign
| X509KeyUsageFlags.DigitalSignature
| X509KeyUsageFlags.KeyEncipherment
| X509KeyUsageFlags.CrlSign
| X509KeyUsageFlags.DataEncipherment
| X509KeyUsageFlags.NonRepudiation
| X509KeyUsageFlags.KeyAgreement;
// only if mtls is used
var enhancedKeyUsages = new OidCollection
{
//OidLookup.ClientAuthentication,
//OidLookup.ServerAuthentication,
OidLookup.CodeSigning,
OidLookup.SecureEmail,
OidLookup.TimeStamping
};
var certificate = createCertificates.NewRsaSelfSignedCertificate(
new DistinguishedName {
CommonName = "SigningCertificateTest"
},
basicConstraints,
new ValidityPeriod
{
ValidFrom = DateTimeOffset.UtcNow,
ValidTo = DateTimeOffset.UtcNow.AddYears(1)
},
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
new RsaConfiguration
{
KeySize = keySize,
RSASignaturePadding = RSASignaturePadding.Pkcs1,
HashAlgorithmName = HashAlgorithmName.SHA256
});
return(certificate);
}
public static X509Certificate2 CreateRsaCertificate(CreateCertificates createCertificates, int keySize)
{
var basicConstraints = new BasicConstraints
{
CertificateAuthority = true,
HasPathLengthConstraint = true,
PathLengthConstraint = 2,
Critical = false
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
"localhost",
}
};
var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign
| X509KeyUsageFlags.DigitalSignature
| X509KeyUsageFlags.KeyEncipherment
| X509KeyUsageFlags.CrlSign
| X509KeyUsageFlags.DataEncipherment
| X509KeyUsageFlags.NonRepudiation
| X509KeyUsageFlags.KeyAgreement;
// only if mtls is used
var enhancedKeyUsages = new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.1"), // TLS Server auth
new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth
//new Oid("1.3.6.1.5.5.7.3.3"), // Code signing
//new Oid("1.3.6.1.5.5.7.3.4"), // Email
//new Oid("1.3.6.1.5.5.7.3.8") // Timestamping
};
var certificate = createCertificates.NewRsaSelfSignedCertificate(
new DistinguishedName {
CommonName = "localhost"
},
basicConstraints,
new ValidityPeriod
{
ValidFrom = DateTimeOffset.UtcNow,
ValidTo = DateTimeOffset.UtcNow.AddYears(1)
},
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
new RsaConfiguration
{
KeySize = keySize
});
return(certificate);
}
/// <summary>
/// creates a development certificate
/// </summary>
/// <param name="dnsName">DNS name ie localhost etc</param>
/// <param name="validityPeriodInYears">valid time in years</param>
/// <param name="keySize">1024 2048 4096</param>
/// <returns></returns>
public X509Certificate2 CreateDevelopmentCertificate(string dnsName, int validityPeriodInYears, int keySize = 1024)
{
var basicConstraints = new BasicConstraints
{
CertificateAuthority = true,
HasPathLengthConstraint = true,
PathLengthConstraint = 3,
Critical = true
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
dnsName,
}
};
var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign
| X509KeyUsageFlags.DigitalSignature
| X509KeyUsageFlags.KeyEncipherment
| X509KeyUsageFlags.CrlSign
| X509KeyUsageFlags.DataEncipherment
| X509KeyUsageFlags.NonRepudiation
| X509KeyUsageFlags.KeyAgreement;
var enhancedKeyUsages = new OidCollection {
OidLookup.ServerAuthentication,
OidLookup.ClientAuthentication,
OidLookup.CodeSigning,
OidLookup.SecureEmail,
OidLookup.TimeStamping
};
var certificate = _createCertificates.NewRsaSelfSignedCertificate(
new DistinguishedName {
CommonName = dnsName
},
basicConstraints,
new ValidityPeriod
{
ValidFrom = DateTimeOffset.UtcNow,
ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears)
},
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
new RsaConfiguration
{
KeySize = keySize
});
return(certificate);
}
/// <summary>
/// RSA is a more popular choice.
/// </summary>
/// <param name="dnsName"></param>
/// <param name="validityPeriodInYears"></param>
/// <returns></returns>
private static X509Certificate2 CreateRsaCertificate(string dnsName, int validityPeriodInYears)
{
var basicConstraints = new BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = false
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
dnsName,
}
};
var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature;
// only if certification authentication is used
var enhancedKeyUsages = new OidCollection
{
OidLookup.ClientAuthentication,
OidLookup.ServerAuthentication
// OidLookup.CodeSigning,
// OidLookup.SecureEmail,
// OidLookup.TimeStamping
};
var certificate = _cc.NewRsaSelfSignedCertificate(
new DistinguishedName {
CommonName = dnsName
},
basicConstraints,
new ValidityPeriod
{
ValidFrom = DateTimeOffset.UtcNow,
ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears)
},
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
new RsaConfiguration
{
KeySize = 2048,
HashAlgorithmName = HashAlgorithmName.SHA512
});
return(certificate);
}
public static X509Certificate2 CreateRsaCertificateChained(CreateCertificates createCertificates, int keySize, X509Certificate2 parentCert)
{
var basicConstraints = new BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = false
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
"localhost",
}
};
var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature;
// only if mtls is used
var enhancedKeyUsages = new OidCollection
{
OidLookup.ClientAuthentication,
OidLookup.ServerAuthentication
// OidLookup.CodeSigning,
// OidLookup.SecureEmail,
// OidLookup.TimeStamping
};
var certificate = createCertificates.NewRsaChainedCertificate(
new DistinguishedName {
CommonName = "localhost"
},
basicConstraints,
new ValidityPeriod
{
ValidFrom = DateTimeOffset.UtcNow,
ValidTo = DateTimeOffset.UtcNow.AddYears(1)
},
subjectAlternativeName,
parentCert,
enhancedKeyUsages,
x509KeyUsageFlags,
new RsaConfiguration
{
KeySize = keySize
});
return(certificate);
}
public string CreateRSACertificatePFX(string dnsName, DateTimeOffset validFrom, DateTimeOffset validTo, string password)
{
var basicConstraints = new BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = false
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string> {
dnsName
}
};
var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature;
// only if certification authentication is used
var enhancedKeyUsages = new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.1"), // TLS Server auth
new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth
};
var certificate = _createCertificates.NewRsaSelfSignedCertificate(
new DistinguishedName {
CommonName = dnsName
},
basicConstraints,
new ValidityPeriod
{
ValidFrom = validFrom,
ValidTo = validTo
},
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
new RsaConfiguration {
KeySize = (int)2048
}
);
var rsaCertPfxBytes = _importExportCertificate.ExportSelfSignedCertificatePfx(password, certificate);
var pfxBase64 = Convert.ToBase64String(rsaCertPfxBytes);
return(pfxBase64);
}
public static X509Certificate2 CreateRsaCertificate(string dnsName, int validityPeriodInYears)
{
var basicConstraints = new BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = false
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
dnsName,
}
};
var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature;
// only if certification authentication is used
var enhancedKeyUsages = new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.1"), // TLS Server auth
new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth
//new Oid("1.3.6.1.5.5.7.3.3"), // Code signing
//new Oid("1.3.6.1.5.5.7.3.4"), // Email
//new Oid("1.3.6.1.5.5.7.3.8") // Timestamping
};
var certificate = _cc.NewRsaSelfSignedCertificate(
new DistinguishedName {
CommonName = dnsName
},
basicConstraints,
new ValidityPeriod
{
ValidFrom = DateTimeOffset.UtcNow,
ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears)
},
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
new RsaConfiguration
{
KeySize = 2048
});
return(certificate);
}
public static X509Certificate2 CreateRsaCertificate(
string dnsName, int validityPeriodInYears)
{
BasicConstraints basicConstraints = new BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = false
};
SubjectAlternativeName subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string> {
dnsName
}
};
X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature;
OidCollection enhancedKeyUsages = new System.Security.Cryptography.OidCollection
{
new Oid("1.3.6.1.5.5.7.3.1"), // TLS Server auth
new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth
};
X509Certificate2 certificate = _cc.NewRsaSelfSignedCertificate(
new DistinguishedName {
CommonName = dnsName
},
basicConstraints,
new ValidityPeriod
{
ValidFrom = DateTimeOffset.UtcNow,
ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears)
},
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
new RsaConfiguration {
KeySize = 2048
}
);
return(certificate);
}
public X509Certificate2 NewECDsaSelfSignedCertificate(
BasicConstraints basicConstraints,
ValidityPeriod validityPeriod,
SubjectAlternativeName subjectAlternativeName,
OidCollection enhancedKeyUsages,
X509KeyUsageFlags x509KeyUsageFlags,
CertificateRequest request)
{
X509Certificate2 generatedCertificate = SelfSignedConfiguration(
basicConstraints,
validityPeriod,
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
request);
return(generatedCertificate);
}
public override int GetHashCode()
{
unchecked
{
var hashCode = (ThumbPrint != null ? ThumbPrint.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (Issuer != null ? Issuer.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (Subject != null ? Subject.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ ValidFrom.GetHashCode();
hashCode = (hashCode * 397) ^ ValidTo.GetHashCode();
hashCode = (hashCode * 397) ^ (KeyAlgoritm != null ? KeyAlgoritm.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ KeyLength;
hashCode = (hashCode * 397) ^ (SerialNumber != null ? SerialNumber.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (Version != null ? Version.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (SubjectAlternativeName != null ? SubjectAlternativeName.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (CommonName != null ? CommonName.GetHashCode() : 0);
return(hashCode);
}
}
public static X509Certificate2 CreateSubjectAlternativeNameDetails(
SubjectAlternativeName subjectAlternativeName,
CreateCertificates createCertificates)
{
var distinguishedName = new DistinguishedName
{
CommonName = "root dev",
Country = "IT",
Locality = "DD",
Organisation = "SS",
OrganisationUnit = "unit",
StateProvince = "yes"
};
var enhancedKeyUsages = new OidCollection {
OidLookup.ClientAuthentication,
OidLookup.ServerAuthentication
};
var basicConstraints = new BasicConstraints
{
CertificateAuthority = true,
HasPathLengthConstraint = true,
PathLengthConstraint = 3,
Critical = true
};
var validityPeriod = new ValidityPeriod {
ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10)
};
var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign;
var rootCert = createCertificates.NewECDsaSelfSignedCertificate(
distinguishedName,
basicConstraints,
validityPeriod,
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
new ECDsaConfiguration());
return(rootCert);
}
/// <summary>
/// Create an intermediate chained certificate for Client and Server TLS Auth
/// </summary>
/// <param name="distinguishedName">Distinguished Name used for the subject and the issuer properties</param>
/// <param name="validityPeriod">Valid from, Valid to certificate properties</param>
/// <param name="pathLengthConstraint">path length for the amount of chained certificates</param>
/// <param name="dnsName">Dns name use the certificate validation</param>
/// <param name="parentCertificateAuthority"> Parent cert to create the chain from</param>
/// <returns>X509Certificate2 intermediate chained certificate</returns>
public X509Certificate2 NewIntermediateChainedCertificate(
DistinguishedName distinguishedName,
ValidityPeriod validityPeriod,
int pathLengthConstraint,
string dnsName,
X509Certificate2 parentCertificateAuthority)
{
var enhancedKeyUsages = new OidCollection {
OidLookup.ClientAuthentication,
OidLookup.ServerAuthentication
};
var basicConstraints = new BasicConstraints
{
CertificateAuthority = true,
HasPathLengthConstraint = true,
PathLengthConstraint = pathLengthConstraint,
Critical = true
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
dnsName,
}
};
var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign;
var intermediateCert = _createCertificates.NewECDsaChainedCertificate(
distinguishedName,
basicConstraints,
validityPeriod,
subjectAlternativeName,
parentCertificateAuthority,
enhancedKeyUsages,
x509KeyUsageFlags,
new ECDsaConfiguration());
return(intermediateCert);
}
/// <summary>
/// Create an intermediate chained certificate for Client and Server TLS Auth
/// </summary>
/// <param name="distinguishedName">Distinguished Name used for the subject and the issuer properties</param>
/// <param name="validityPeriod">Valid from, Valid to certificate properties</param>
/// <param name="pathLengthConstraint">path length for the amount of chained certificates</param>
/// <param name="dnsName">Dns name use the certificate validation</param>
/// <param name="parentCertificateAuthority"> Parent cert to create the chain from</param>
/// <returns>X509Certificate2 intermediate chained certificate</returns>
public X509Certificate2 NewIntermediateChainedCertificate(
DistinguishedName distinguishedName,
ValidityPeriod validityPeriod,
int pathLengthConstraint,
string dnsName,
X509Certificate2 parentCertificateAuthority)
{
var enhancedKeyUsages = new OidCollection {
new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth
new Oid("1.3.6.1.5.5.7.3.1") // TLS Server auth
};
var basicConstraints = new BasicConstraints
{
CertificateAuthority = true,
HasPathLengthConstraint = true,
PathLengthConstraint = pathLengthConstraint,
Critical = true
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List<string>
{
dnsName,
}
};
var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign;
var intermediateCert = _createCertificates.NewChainedCertificate(
distinguishedName,
basicConstraints,
validityPeriod,
subjectAlternativeName,
parentCertificateAuthority,
enhancedKeyUsages,
x509KeyUsageFlags);
return intermediateCert;
}
public X509Certificate2 NewClientSelfSignedCertificate(
DistinguishedName distinguishedName,
ValidityPeriod validityPeriod,
string dnsName)
{
var enhancedKeyUsages = new OidCollection {
OidLookup.ClientAuthentication
};
var basicConstraints = new BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = true
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
dnsName,
}
};
var x509KeyUsageFlags =
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment;
var clientCertSelfSigned = _createCertificates.NewECDsaSelfSignedCertificate(
distinguishedName,
basicConstraints,
validityPeriod,
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags,
new ECDsaConfiguration());
return(clientCertSelfSigned);
}
private X509Certificate2 NewRsaDeviceChainedCertificate(
DistinguishedName distinguishedName,
ValidityPeriod validityPeriod,
string dnsName,
OidCollection enhancedKeyUsages,
X509Certificate2 parentCertificateAuthority,
RsaConfiguration rsaConfiguration = null)
{
var basicConstraints = new BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = true
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
dnsName,
}
};
var x509KeyUsageFlags =
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment;
var deviceCert = _createCertificates.NewRsaChainedCertificate(
distinguishedName,
basicConstraints,
validityPeriod,
subjectAlternativeName,
parentCertificateAuthority,
enhancedKeyUsages,
x509KeyUsageFlags,
rsaConfiguration ?? new RsaConfiguration());
return(deviceCert);
}
public X509Certificate2 NewClientSelfSignedCertificate(
DistinguishedName distinguishedName,
ValidityPeriod validityPeriod,
string dnsName)
{
var enhancedKeyUsages = new OidCollection {
new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth
};
var basicConstraints = new BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = false,
PathLengthConstraint = 0,
Critical = true
};
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List<string>
{
dnsName,
}
};
var x509KeyUsageFlags =
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment;
var clientCertSelfSigned = _createCertificates.NewSelfSignedCertificate(
distinguishedName,
basicConstraints,
validityPeriod,
subjectAlternativeName,
enhancedKeyUsages,
x509KeyUsageFlags);
return clientCertSelfSigned;
}
public X509Certificate2 NewECDsaChainedCertificate(
BasicConstraints basicConstraints,
ValidityPeriod validityPeriod,
SubjectAlternativeName subjectAlternativeName,
X509Certificate2 signingCertificate,
OidCollection enhancedKeyUsages,
X509KeyUsageFlags x509KeyUsageFlags,
CertificateRequest request,
ECDsa ecdsa)
{
if (signingCertificate == null)
{
throw new ArgumentNullException(nameof(signingCertificate));
}
if (!signingCertificate.HasPrivateKey)
{
throw new Exception("Signing cert must have private key");
}
X509Certificate2 cert = ChainedConfiguration(
basicConstraints,
validityPeriod,
subjectAlternativeName,
signingCertificate,
enhancedKeyUsages,
x509KeyUsageFlags,
request);
if (ecdsa == null)
{
return(cert);
}
else
{
return(cert.CopyWithPrivateKey(ecdsa));
}
}
public X509Certificate2 NewRsaChainedCertificate(
DistinguishedName distinguishedName,
BasicConstraints basicConstraints,
ValidityPeriod validityPeriod,
SubjectAlternativeName subjectAlternativeName,
X509Certificate2 signingCertificate,
OidCollection enhancedKeyUsages,
X509KeyUsageFlags x509KeyUsageFlags,
RsaConfiguration rsaConfiguration)
{
if (signingCertificate == null)
{
throw new ArgumentNullException(nameof(signingCertificate));
}
if (!signingCertificate.HasPrivateKey)
{
throw new Exception("Signing cert must have private key");
}
using var rsa = RSA.Create(rsaConfiguration.KeySize);
var request = new CertificateRequest(
_certificateUtility.CreateIssuerOrSubject(distinguishedName),
rsa,
rsaConfiguration.HashAlgorithmName,
rsaConfiguration.RSASignaturePadding);
X509Certificate2 cert = ChainedConfiguration(
basicConstraints,
validityPeriod,
subjectAlternativeName,
signingCertificate,
enhancedKeyUsages,
x509KeyUsageFlags,
request);
return(cert.CopyWithPrivateKey(rsa));
}
static void Main(string[] args)
{
var serviceProvider = new ServiceCollection()
.AddCertificateManager()
.BuildServiceProvider();
var createCertificates = serviceProvider.GetService <CreateCertificates>();
var certificateUtility = serviceProvider.GetService <CertificateUtility>();
string password = "******";
var signingCertificate = new X509Certificate2("root.cert.pfx", password);
var enhancedKeyUsages = new OidCollection {
OidLookup.ClientAuthentication,
OidLookup.ServerAuthentication
};
var basicConstraints = new CertificateManager.Models.BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = true,
PathLengthConstraint = 3,
Critical = true
};
var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature
| X509KeyUsageFlags.KeyEncipherment
| X509KeyUsageFlags.NonRepudiation;
// Read in CSR data from a file
Pkcs10CertificationRequest decodedCsr = (Pkcs10CertificationRequest) new PemReader(new StringReader(File.ReadAllText(args[0]))).ReadObject();
// Get Common Name (CN) from CSR Subject
CertificationRequestInfo csrData = decodedCsr.GetCertificationRequestInfo();
var subjectKeyPairs = csrData.Subject.ToString().Split(',')
.Select(x => x.Split('='))
.Where(x => x.Length == 2)
.ToDictionary(x => x.First(), x => x.Last());
var commonName = subjectKeyPairs["CN"];
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
commonName,
}
};
// Get Public key data from CSR and create RSA data based on that
RsaKeyParameters rsaKeyParams = (RsaKeyParameters)decodedCsr.GetPublicKey();
var rsaParams = new RSAParameters();
rsaParams.Modulus = rsaKeyParams.Modulus.ToByteArray();
rsaParams.Exponent = rsaKeyParams.Exponent.ToByteArray();
var rsa = RSA.Create();
rsa.ImportParameters(rsaParams);
// Create Certificate Request with the data extracted from csr file earlier
var rsaConfiguration = new RsaConfiguration();
var request = new CertificateRequest(
certificateUtility.CreateIssuerOrSubject(new DistinguishedName {
CommonName = commonName
}),
rsa,
rsaConfiguration.HashAlgorithmName,
rsaConfiguration.RSASignaturePadding);
// Sign the csr
var device1Certificate = createCertificates.NewRsaChainedCertificate(
basicConstraints,
new ValidityPeriod {
ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(1)
},
subjectAlternativeName,
signingCertificate,
enhancedKeyUsages,
x509KeyUsageFlags,
request,
null);
// Export content of certificates into files
var importExportCertificate = serviceProvider.GetService <ImportExportCertificate>();
var deviceCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(device1Certificate);
var signingCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(signingCertificate);
File.WriteAllText("device1.cert.pem", deviceCertificatePem);
File.WriteAllText("device1-full-chain.cert.pem", String.Concat(deviceCertificatePem, signingCertificatePem));
Console.WriteLine("Certificates exported to pem files");
}
private X509Certificate2 ChainedConfiguration(BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, X509Certificate2 signingCertificate, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags, CertificateRequest request)
{
_certificateUtility.AddBasicConstraints(request, basicConstraints);
_certificateUtility.AddExtendedKeyUsages(request, x509KeyUsageFlags);
// set the AuthorityKeyIdentifier. There is no built-in
// support, so it needs to be copied from the Subject Key
// Identifier of the signing certificate and massaged slightly.
// AuthorityKeyIdentifier is "KeyID=<subject key identifier>"
foreach (var item in signingCertificate.Extensions)
{
if (item.Oid.Value == "2.5.29.14") // "Subject Key Identifier"
{
var issuerSubjectKey = item.RawData;
//var issuerSubjectKey = signingCertificate.Extensions["Subject Key Identifier"].RawData;
var segment = new ArraySegment <byte>(issuerSubjectKey, 2, issuerSubjectKey.Length - 2);
var authorityKeyIdentifier = new byte[segment.Count + 4];
// "KeyID" bytes
authorityKeyIdentifier[0] = 0x30;
authorityKeyIdentifier[1] = 0x16;
authorityKeyIdentifier[2] = 0x80;
authorityKeyIdentifier[3] = 0x14;
segment.CopyTo(authorityKeyIdentifier, 4);
request.CertificateExtensions.Add(new X509Extension("2.5.29.35", authorityKeyIdentifier, false));
break;
}
}
_certificateUtility.AddSubjectAlternativeName(request, subjectAlternativeName);
// Enhanced key usages
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(enhancedKeyUsages, false));
// add this subject key identifier
request.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(request.PublicKey, false));
// certificate expiry: Valid from Yesterday to Now+365 days
// Unless the signing cert's validity is less. It's not possible
// to create a cert with longer validity than the signing cert.
var notbefore = validityPeriod.ValidFrom.AddDays(-1);
if (notbefore < signingCertificate.NotBefore)
{
notbefore = new DateTimeOffset(signingCertificate.NotBefore);
}
var notafter = validityPeriod.ValidTo;
if (notafter > signingCertificate.NotAfter)
{
notafter = new DateTimeOffset(signingCertificate.NotAfter);
}
// cert serial is the epoch/unix timestamp
var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
var unixTime = Convert.ToInt64((DateTime.UtcNow - epoch).TotalSeconds);
var serial = BitConverter.GetBytes(unixTime);
var cert = request.Create(
signingCertificate,
notbefore,
notafter,
serial);
return(cert);
}
private X509Certificate2 SelfSignedConfiguration(BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags, CertificateRequest request)
{
_certificateUtility.AddBasicConstraints(request, basicConstraints);
_certificateUtility.AddExtendedKeyUsages(request, x509KeyUsageFlags);
_certificateUtility.AddSubjectAlternativeName(request, subjectAlternativeName);
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(enhancedKeyUsages, false));
request.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(request.PublicKey, false));
var notbefore = validityPeriod.ValidFrom.AddDays(-1);
var notafter = validityPeriod.ValidTo;
X509Certificate2 generatedCertificate = request.CreateSelfSigned(notbefore, notafter);
return(generatedCertificate);
}
public X509Certificate2 NewChainedCertificate(
DistinguishedName distinguishedName,
BasicConstraints basicConstraints,
ValidityPeriod validityPeriod,
SubjectAlternativeName subjectAlternativeName,
X509Certificate2 signingCertificate,
OidCollection enhancedKeyUsages,
X509KeyUsageFlags x509KeyUsageFlags)
{
if (signingCertificate == null)
{
throw new ArgumentNullException(nameof(signingCertificate));
}
if (!signingCertificate.HasPrivateKey)
{
throw new Exception("Signing cert must have private key");
}
using var ecdsa = ECDsa.Create("ECDsa");
ecdsa.KeySize = 256;
var request = new CertificateRequest(
_certificateUtility.CreateIssuerOrSubject(distinguishedName),
ecdsa,
HashAlgorithmName.SHA256);
_certificateUtility.AddBasicConstraints(request, basicConstraints);
_certificateUtility.AddExtendedKeyUsages(request, x509KeyUsageFlags);
// set the AuthorityKeyIdentifier. There is no built-in
// support, so it needs to be copied from the Subject Key
// Identifier of the signing certificate and massaged slightly.
// AuthorityKeyIdentifier is "KeyID=<subject key identifier>"
var issuerSubjectKey = signingCertificate.Extensions["Subject Key Identifier"].RawData;
var segment = new ArraySegment <byte>(issuerSubjectKey, 2, issuerSubjectKey.Length - 2);
var authorityKeyIdentifier = new byte[segment.Count + 4];
// "KeyID" bytes
authorityKeyIdentifier[0] = 0x30;
authorityKeyIdentifier[1] = 0x16;
authorityKeyIdentifier[2] = 0x80;
authorityKeyIdentifier[3] = 0x14;
segment.CopyTo(authorityKeyIdentifier, 4);
request.CertificateExtensions.Add(new X509Extension("2.5.29.35", authorityKeyIdentifier, false));
_certificateUtility.AddSubjectAlternativeName(request, subjectAlternativeName);
// Enhanced key usages
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(enhancedKeyUsages, false));
// add this subject key identifier
request.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(request.PublicKey, false));
// certificate expiry: Valid from Yesterday to Now+365 days
// Unless the signing cert's validity is less. It's not possible
// to create a cert with longer validity than the signing cert.
var notbefore = validityPeriod.ValidFrom.AddDays(-1);
if (notbefore < signingCertificate.NotBefore)
{
notbefore = new DateTimeOffset(signingCertificate.NotBefore);
}
var notafter = validityPeriod.ValidTo;
if (notafter > signingCertificate.NotAfter)
{
notafter = new DateTimeOffset(signingCertificate.NotAfter);
}
// cert serial is the epoch/unix timestamp
var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
var unixTime = Convert.ToInt64((DateTime.UtcNow - epoch).TotalSeconds);
var serial = BitConverter.GetBytes(unixTime);
// create and return the generated and signed
using var cert = request.Create(
signingCertificate,
notbefore,
notafter,
serial);
return(cert.CopyWithPrivateKey(ecdsa));
}
