private X509Certificate2 BuildSelfSignedServerCertificate() { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN=https://issuer.com"); using RSA rsa = RSA.Create(2048); var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); return(certificate); }
private static byte[] BuildSelfSignedCertificate(string password) { var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); var distinguishedName = new X500DistinguishedName($"CN=SSNCert1"); using (var rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyCertSign, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); certificate.FriendlyName = "SSNCert1"; return(certificate.Export(X509ContentType.Pfx, password)); } }
/// <summary> /// Generate a new 2048 bit RSA key and cert bundle and self sign the public key with the private key /// https://stackoverflow.com/a/50138133/6620171 /// </summary> /// <param name="CommonName"></param> /// <returns></returns> private static X509Certificate2 BuildSelfSignedServerCertificate(string CommonName, int daysUntilExpire) { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CommonName}"); using (RSA rsa = RSA.Create(2048)) { CertificateRequest request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(daysUntilExpire))); //certificate.FriendlyName = CommonName; // Linux: System.PlatformNotSupportedException: The FriendlyName value cannot be set on Unix. return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable)); } }
public static void EnumerateDnsNames(LoadMode loadMode) { SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName("foo"); builder.AddIpAddress(IPAddress.Loopback); builder.AddUserPrincipalName("*****@*****.**"); builder.AddIpAddress(IPAddress.IPv6Loopback); builder.AddDnsName("*.foo"); X509Extension built = builder.Build(true); X509SubjectAlternativeNameExtension ext; switch (loadMode) { case LoadMode.CopyFrom: ext = new X509SubjectAlternativeNameExtension(); ext.CopyFrom(built); break; case LoadMode.Array: ext = new X509SubjectAlternativeNameExtension(built.RawData); break; case LoadMode.Span: byte[] tmp = new byte[built.RawData.Length + 2]; built.RawData.AsSpan().CopyTo(tmp.AsSpan(1)); ext = new X509SubjectAlternativeNameExtension(tmp.AsSpan()[1..^ 1]);
public static X509Certificate2 GenerateServerNodeCertificate(string nodeName, string password) { using (var rsa = RSA.Create(4096)) { var request = new CertificateRequest($"CN={nodeName}", rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); certificate.FriendlyName = "VanguardServerManagerNodeCertificate"; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet)); } }
private static X509Certificate2 Create() { var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName("127.0.0.1"); sanBuilder.AddDnsName(Environment.MachineName); var distinguishedName = new X500DistinguishedName($"CN={CertificateName}"); using var rsa = RSA.Create(2048); var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid(OidServerAuthentication) }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddYears(100))); certificate.FriendlyName = CertificateName; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, CertificatePass), CertificatePass, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable)); }
private X509Certificate2 GenerateCertificate() { string CertificateName = "sportal.qlikcloud.com"; SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName("qlikcloud.com"); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(825))); return(certificate); } }
/// <summary> /// Build a self signed certificate for use in SSL communication /// </summary> /// <param name="certName">Name of certificate</param> /// <param name="password">Password for certificate</param> /// <returns></returns> public static X509Certificate2 BuildSelfSignedCertificate(string certName, string password = "") { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certName}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); certificate.FriendlyName = certName; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet)); } }
public static void DnsNameMatchIgnoresTrailingPeriodFromParameter() { using (ECDsa key = ECDsa.Create()) { CertificateRequest req = new CertificateRequest( "CN=10.0.0.1", key, HashAlgorithmName.SHA256); SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddDnsName("fruit.EXAMPLE"); sanBuilder.AddDnsName("*.FrUIt.eXaMpLE"); sanBuilder.AddEmailAddress("*****@*****.**"); req.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset now = DateTimeOffset.UtcNow; DateTimeOffset notBefore = now.AddMinutes(-1); DateTimeOffset notAfter = now.AddMinutes(1); using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter)) { AssertMatch(true, cert, "aPPlE.fruit.example."); AssertMatch(true, cert, "tOmaTO.FRUIT.example."); AssertMatch(false, cert, "tOmaTO.vegetable.example."); AssertMatch(true, cert, "FRUit.example."); AssertMatch(false, cert, "VEGetaBlE.example."); } } }
public static void WildcardRequiresSuffixToMatch() { using (ECDsa key = ECDsa.Create()) { CertificateRequest req = new CertificateRequest( "CN=potato.vegetable.example", key, HashAlgorithmName.SHA256); SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddDnsName("*"); sanBuilder.AddDnsName("*."); sanBuilder.AddEmailAddress("*****@*****.**"); req.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset now = DateTimeOffset.UtcNow; DateTimeOffset notBefore = now.AddMinutes(-1); DateTimeOffset notAfter = now.AddMinutes(1); using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter)) { AssertMatch(false, cert, "example"); AssertMatch(false, cert, "example."); } } }
public static void SanDnsMeansNoCommonNameFallback() { using (ECDsa key = ECDsa.Create()) { CertificateRequest req = new CertificateRequest( "CN=zalzalak.fruit.example", key, HashAlgorithmName.SHA256); SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddDnsName("yumberry.fruit.example"); sanBuilder.AddDnsName("*.pome.fruit.example"); req.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset now = DateTimeOffset.UtcNow; DateTimeOffset notBefore = now.AddMinutes(-1); DateTimeOffset notAfter = now.AddMinutes(1); using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter)) { AssertMatch(true, cert, "yumberry.fruit.example"); AssertMatch(true, cert, "zalzalak.pome.fruit.example"); // zalzalak is a pome, and our fake DNS knows that, but the certificate doesn't. AssertMatch(false, cert, "zalzalak.fruit.example"); } } }
public static void NoPartialWildcards() { using (ECDsa key = ECDsa.Create()) { CertificateRequest req = new CertificateRequest( "CN=10.0.0.1", key, HashAlgorithmName.SHA256); SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddDnsName("*berry.fruit.example"); sanBuilder.AddDnsName("cran*.fruit.example"); sanBuilder.AddEmailAddress("*****@*****.**"); req.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset now = DateTimeOffset.UtcNow; DateTimeOffset notBefore = now.AddMinutes(-1); DateTimeOffset notAfter = now.AddMinutes(1); using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter)) { AssertMatch(false, cert, "cranberry.fruit.example"); AssertMatch(false, cert, "cranapple.fruit.example"); AssertMatch(false, cert, "strawberry.fruit.example"); } } }
private static X509Extension LocalSubjectAlternativeName() { var builder = new SubjectAlternativeNameBuilder(); builder.AddIpAddress(IPAddress.Loopback); builder.AddIpAddress(IPAddress.IPv6Loopback); builder.AddDnsName("localhost"); builder.AddDnsName(Environment.MachineName); return(builder.Build()); }
public static X509Certificate2 Create(CertificateOptions options) { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(options.Issuer); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN=" + options.Issuer); var csp = new CspParameters { Flags = CspProviderFlags.UseArchivableKey | CspProviderFlags.UseMachineKeyStore }; using (RSA rsa = new RSACryptoServiceProvider(2048, csp)) { CertificateRequest req = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); req.CertificateExtensions.Add(sanBuilder.Build()); req.CertificateExtensions.Add( new X509BasicConstraintsExtension(false, false, 0, false)); req.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.KeyAgreement | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment, false)); req.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, true)); req.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(req.PublicKey, false)); X509Certificate2 CA = CreateCA(options); X509Certificate2 cert = req.Create( CA, CA.NotBefore, CA.NotAfter, CertHelper.SerialNumber.ToByteArray()); X509Certificate2 certWithPK = cert.CopyWithPrivateKey(rsa); certWithPK.FriendlyName = options.FriendlyName; X509Certificate2 certificate = new X509Certificate2(certWithPK.Export(X509ContentType.Pfx, options.Password), options.Password, X509KeyStorageFlags.MachineKeySet); CertHelper.AddToMyStore(certificate); return(certificate); } }
public static void ArgumentValidation() { SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); AssertExtensions.Throws <ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(null)); AssertExtensions.Throws <ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(string.Empty)); AssertExtensions.Throws <ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(null)); AssertExtensions.Throws <ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(string.Empty)); AssertExtensions.Throws <ArgumentNullException>("uri", () => builder.AddUri(null)); AssertExtensions.Throws <ArgumentNullException>("ipAddress", () => builder.AddIpAddress(null)); AssertExtensions.Throws <ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(null)); AssertExtensions.Throws <ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(string.Empty)); }
private X509Certificate2 GenerateSelfSignedServerCert(string certificateName) { var certPassword = Configuration["MPY:IdentityServer:X509CertToken:Password"]; if (string.IsNullOrEmpty(certPassword)) { throw new ArgumentNullException("Token Signing Certificate Password needs to be set"); } var dnsName = Configuration["MPY:IdentityServer:X509CertToken:DNSName"]; if (string.IsNullOrEmpty(dnsName)) { throw new ArgumentNullException("Token Signing DNS Name needs to be set."); } SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName(dnsName); sanBuilder.AddDnsName(System.Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certificateName}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); //var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(365))); var yesterday = DateTime.Today.AddDays(-1).ToUniversalTime(); var future = DateTime.Today.AddDays(365).ToUniversalTime(); var certificate = request.CreateSelfSigned(new DateTimeOffset(yesterday), new DateTimeOffset(future)); certificate.FriendlyName = certificateName; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, certPassword), certPassword, X509KeyStorageFlags.MachineKeySet)); } }
/// <summary> /// Create a self signed certificate, optionally providing a locally existente CA certificate /// </summary> /// <param name="subjectName"></param> /// <param name="organization"></param> /// <param name="country"></param> /// <param name="authority">Optional authority cert to sign this one against.</param> /// <param name="expirationDays"></param> /// <returns></returns> public static X509Certificate2 GenerateSelfSignedCertificate( string subjectName, string organization, string country, X509Certificate2 authority = null, int expirationDays = 90) { // Have this certificate work with localhost, etc.. SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={subjectName}, O={organization}, C={country}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset notBefore = DateTimeOffset.UtcNow; DateTimeOffset notAfter = notBefore.AddDays(expirationDays); X509Certificate2 certWithPrivateKey; if (authority == null) { certWithPrivateKey = request.CreateSelfSigned(notBefore, notAfter); } else { byte[] serialnumber = Encoding.ASCII.GetBytes(DateTime.UtcNow.ToString("MMMMddyyyyHHmmss")); certWithPrivateKey = request.Create(authority, notBefore, notAfter, serialnumber); } return(certWithPrivateKey); } }
public async Task <(byte[] Cert, RSA PrivateKey)> GetCertificate(CancellationToken token = default(CancellationToken)) { var key = new RSACryptoServiceProvider(4096); var csr = new CertificateRequest("CN=" + _hosts[0], key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var san = new SubjectAlternativeNameBuilder(); foreach (var host in _hosts) { san.AddDnsName(host); } csr.CertificateExtensions.Add(san.Build()); var certResponse = await _client.NewCertificateRequestAsync(csr.CreateSigningRequest(), token); _cache.CachedCerts[_hosts[0]] = new CertificateCache { Cert = certResponse.Certificate, Private = key.ExportCspBlob(true) }; lock (Locker) { File.WriteAllText(_path, JsonConvert.SerializeObject(_cache, Formatting.Indented)); } return(certResponse.Certificate, key); }
private static X509Certificate2 CreateSelfSigned13ServerCertificate() { using RSA rsa = RSA.Create(); var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddDnsName("localhost"); var certReq = new CertificateRequest("CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); certReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false)); certReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); certReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true)); certReq.CertificateExtensions.Add(sanBuilder.Build()); X509Certificate2 innerCert = certReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddMonths(-1), DateTimeOffset.UtcNow.AddMonths(1)); if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { using (innerCert) { return(new X509Certificate2(innerCert.Export(X509ContentType.Pfx))); } } else { return(innerCert); } }
static X509Certificate2 GenerateCertificate(DateTime?notBefore = null, DateTime?notAfter = null, bool addServerAuthentication = true, bool addClientAuthentication = true) { var name = Guid.NewGuid().ToString("N"); var builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName(name); var dn = new X500DistinguishedName($"CN={name}"); using (var rsa = RSA.Create(2048)) { var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var usage = new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, true); request.CertificateExtensions.Add(usage); var oids = new OidCollection(); if (addServerAuthentication) { oids.Add(new Oid("1.3.6.1.5.5.7.3.1")); } if (addClientAuthentication) { oids.Add(new Oid("1.3.6.1.5.5.7.3.2")); } request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(oids, false)); request.CertificateExtensions.Add(builder.Build()); return(request.CreateSelfSigned(new DateTimeOffset(notBefore ?? DateTime.UtcNow.AddMinutes(-5)), new DateTimeOffset(notAfter ?? DateTime.UtcNow.AddMinutes(5)))); } }
public void AddSubjectAlternativeName(CertificateRequest request, SubjectAlternativeName subjectAlternativeName) { foreach (var dnsName in subjectAlternativeName.DnsName) { if (UriHostNameType.Unknown == Uri.CheckHostName(dnsName)) { throw new ArgumentException("Must be a valid DNS name", nameof(dnsName)); } } var sanBuilder = new SubjectAlternativeNameBuilder(); foreach (var dnsName in subjectAlternativeName.DnsName) { sanBuilder.AddDnsName(dnsName); } if (!string.IsNullOrEmpty(subjectAlternativeName.Email)) { sanBuilder.AddEmailAddress(subjectAlternativeName.Email); } var sanExtension = sanBuilder.Build(); request.CertificateExtensions.Add(sanExtension); }
protected X509Extension BuildSubjectAlternativeName() { var subjectAlternativeNameBuilder = new SubjectAlternativeNameBuilder(); subjectAlternativeNameBuilder.AddIpAddress(IPAddress.Loopback); subjectAlternativeNameBuilder.AddIpAddress(IPAddress.IPv6Loopback); foreach (var dnsName in _certificateBuilderConfiguration.DnsNames) { subjectAlternativeNameBuilder.AddDnsName(dnsName); } subjectAlternativeNameBuilder.AddDnsName(Environment.MachineName); return(subjectAlternativeNameBuilder.Build()); }
public static void SanDoesNotMatchIPAddressInDnsName() { using (ECDsa key = ECDsa.Create()) { CertificateRequest req = new CertificateRequest( "CN=10.0.0.1", key, HashAlgorithmName.SHA256); SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddDnsName("127.0.0.1"); sanBuilder.AddEmailAddress("*****@*****.**"); req.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset now = DateTimeOffset.UtcNow; DateTimeOffset notBefore = now.AddMinutes(-1); DateTimeOffset notAfter = now.AddMinutes(1); using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter)) { // 127.0.0.1 is an IP Address, but the SAN calls it a dNSName, so it won't match. AssertMatch(false, cert, "127.0.0.1"); // Since the SAN contains no iPAddress values, we fall back to the CN. AssertMatch(true, cert, "10.0.0.1"); } } }
/// <inheritdoc /> public X509Certificate2 GenerateAndSignCertificate(string subjectName) { using (RSA newKey = RSA.Create(_defaultKeyLength)) { // Create the reguest CertificateRequest request = new CertificateRequest(subjectName, newKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var s = new SubjectAlternativeNameBuilder(); s.AddDnsName(subjectName.Substring("CN=".Length)); request.CertificateExtensions.Add(s.Build()); request.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(request.PublicKey, true)); // This is no CA request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false)); // Add default TLS key usages request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, false)); request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), // Server-auth new Oid("1.3.6.1.5.5.7.3.2") // Client-auth }, true)); X509Certificate2 certificate = request.Create(this._caCertificate, DateTimeOffset.UtcNow.AddDays(-1), this._caCertificate.NotAfter.AddDays(-10), GenerateSerialNumber()); return(certificate.CopyWithPrivateKey(newKey)); } }
internal static (X509Certificate2 certificate, X509Certificate2Collection) GenerateCertificates(string name, string?testName = null) { X509Certificate2Collection chain = new X509Certificate2Collection(); X509ExtensionCollection extensions = new X509ExtensionCollection(); SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName(name); extensions.Add(builder.Build()); extensions.Add(s_eeConstraints); extensions.Add(s_eeKeyUsage); extensions.Add(s_tlsServerEku); CertificateAuthority.BuildPrivatePki( PkiOptions.IssuerRevocationViaCrl, out RevocationResponder responder, out CertificateAuthority root, out CertificateAuthority intermediate, out X509Certificate2 endEntity, subjectName: name, testName: testName, keySize: 2048, extensions: extensions); chain.Add(intermediate.CloneIssuerCert()); chain.Add(root.CloneIssuerCert()); responder.Dispose(); root.Dispose(); intermediate.Dispose(); return(endEntity, chain); }
public static X509Certificate2 BuildSelfSignedCertificate(string dns, string ipaddr, string issuer, string password) { SubjectAlternativeNameBuilder sanb = new SubjectAlternativeNameBuilder(); sanb.AddIpAddress(IPAddress.Parse(ipaddr)); sanb.AddDnsName(dns); X500DistinguishedName subject = new X500DistinguishedName($"CN={issuer}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanb.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); certificate.FriendlyName = issuer; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable)); } }
public X509Certificate2 GenerateCertificate(DateTime? notBefore = null, DateTime? notAfter = null) { var name = Guid.NewGuid().ToString("N"); var builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName(name); var dn = new X500DistinguishedName($"CN={name}"); using (var rsa = RSA.Create(2048)) { var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var usage = new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, true); request.CertificateExtensions.Add(usage); var oids = new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), // Server authentication new Oid("1.3.6.1.5.5.7.3.2") // Client authentication }; request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(oids, false)); request.CertificateExtensions.Add(builder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(notBefore ?? DateTime.UtcNow.AddMinutes(-5)), new DateTimeOffset(notAfter ?? DateTime.UtcNow.AddMinutes(5))); var bytes = certificate.Export(X509ContentType.Pfx); return new X509Certificate2(bytes, null as string, X509KeyStorageFlags.Exportable); // don't ask me why, but this is required for some tests to work; i.e. Mtls tests } }
public static X509Certificate2 BuildTlsSelfSignedServer(string[] domains) { var sanBuilder = new SubjectAlternativeNameBuilder(); foreach (var domain in domains) { sanBuilder.AddDnsName(domain); } using (var rsa = RSA.Create()) { var request = new CertificateRequest("CN=" + domains.First(), rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(90)); // Hack - https://github.com/dotnet/corefx/issues/24454 var buffer = cert.Export(X509ContentType.Pfx, (string)null); return(new X509Certificate2(buffer, (string)null)); } }
internal static (X509Certificate2 certificate, X509Certificate2Collection) GenerateCertificates(string targetName, [CallerMemberName] string?testName = null, bool longChain = false, bool serverCertificate = true) { const int keySize = 2048; if (PlatformDetection.IsWindows && testName != null) { CleanupCertificates(testName); } X509Certificate2Collection chain = new X509Certificate2Collection(); X509ExtensionCollection extensions = new X509ExtensionCollection(); SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName(targetName); extensions.Add(builder.Build()); extensions.Add(s_eeConstraints); extensions.Add(s_eeKeyUsage); extensions.Add(serverCertificate ? s_tlsServerEku : s_tlsClientEku); CertificateAuthority.BuildPrivatePki( PkiOptions.IssuerRevocationViaCrl, out RevocationResponder responder, out CertificateAuthority root, out CertificateAuthority[] intermediates,
/// <summary> /// Build the Subject Alternative name extension /// </summary> /// <param name="uris">The Uris</param> /// <param name="addresses">The domain names. /// DNS Hostnames, IPv4 or IPv6 addresses</param> /// <param name="critical"></param> public static X509Extension BuildSubjectAlternativeName( IEnumerable <string> uris, IEnumerable <string> addresses, bool critical) { var sanBuilder = new SubjectAlternativeNameBuilder(); foreach (var uri in uris) { sanBuilder.AddUri(new Uri(uri)); } foreach (var domainName in addresses) { if (string.IsNullOrWhiteSpace(domainName)) { continue; } if (IPAddress.TryParse(domainName, out var ipAddr)) { sanBuilder.AddIpAddress(ipAddr); } else { sanBuilder.AddDnsName(domainName); } } return(sanBuilder.Build(critical)); }