/// <summary> /// Build a self signed certificate for use in SSL communication /// </summary> /// <param name="certName">Name of certificate</param> /// <param name="password">Password for certificate</param> /// <returns></returns> public static X509Certificate2 BuildSelfSignedCertificate(string certName, string password = "") { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certName}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); certificate.FriendlyName = certName; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet)); } }
public static void CreateCertificate(string ip) { try { var cr = new CertificateRequest(new X500DistinguishedName("cn=ispy-local"), RSA.Create(), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); SubjectAlternativeNameBuilder subjectAlternativeNameBuilder = new SubjectAlternativeNameBuilder(); subjectAlternativeNameBuilder.AddIpAddress(IPAddress.Parse(ip)); var locals = MainForm.AddressListIPv4; foreach (var lip in locals) { subjectAlternativeNameBuilder.AddIpAddress(lip); } cr.CertificateExtensions.Add(subjectAlternativeNameBuilder.Build()); string pw = "123abc!!D"; var cert = cr.CreateSelfSigned(DateTime.UtcNow.AddDays(-1), DateTime.UtcNow.AddYears(+1)); var cert2 = new X509Certificate2(cert.Export(X509ContentType.Pfx, pw), pw); X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadWrite); X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindBySubjectName, "ispy-local", false); if (col.Count > 0) { store.RemoveRange(col); } store.Add(cert2); store.Close(); _sslCertificate = cert2; } catch (Exception ex) { Logger.LogException(ex, "X509 Create"); } }
private static X509Certificate2 Create() { var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName("127.0.0.1"); sanBuilder.AddDnsName(Environment.MachineName); var distinguishedName = new X500DistinguishedName($"CN={CertificateName}"); using var rsa = RSA.Create(2048); var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid(OidServerAuthentication) }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddYears(100))); certificate.FriendlyName = CertificateName; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, CertificatePass), CertificatePass, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable)); }
public static async Task Generate_Fake_Apple_Pay_Merchant_Certificate() { // Arrange string certificateName = "applepay.local"; string certificatePassword = "******"; string certificateFileName = "CHANGE_ME"; var builder = new SubjectAlternativeNameBuilder(); builder.AddIpAddress(IPAddress.Loopback); builder.AddIpAddress(IPAddress.IPv6Loopback); builder.AddDnsName("localhost"); var distinguishedName = new X500DistinguishedName($"CN={certificateName}"); using var key = RSA.Create(2048); var request = new CertificateRequest(distinguishedName, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyAgreement | X509KeyUsageFlags.KeyEncipherment, false)); request.CertificateExtensions.Add(new X509Extension("1.2.840.113635.100.6.32", Guid.NewGuid().ToByteArray(), false)); request.CertificateExtensions.Add(builder.Build()); var utcNow = DateTimeOffset.UtcNow; X509Certificate2 certificate = request.CreateSelfSigned(utcNow.AddDays(-1), utcNow.AddDays(3650)); certificate.FriendlyName = certificateName; byte[] pfxBytes = certificate.Export(X509ContentType.Pfx, certificatePassword); File.Delete(certificateFileName); await File.WriteAllBytesAsync(certificateFileName, pfxBytes); }
private X509Certificate2 BuildSelfSignedServerCertificate() { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN=https://issuer.com"); using RSA rsa = RSA.Create(2048); var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); return(certificate); }
private static byte[] BuildSelfSignedCertificate(string password) { var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); var distinguishedName = new X500DistinguishedName($"CN=SSNCert1"); using (var rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyCertSign, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); certificate.FriendlyName = "SSNCert1"; return(certificate.Export(X509ContentType.Pfx, password)); } }
public static X509Certificate2 GenerateServerNodeCertificate(string nodeName, string password) { using (var rsa = RSA.Create(4096)) { var request = new CertificateRequest($"CN={nodeName}", rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); certificate.FriendlyName = "VanguardServerManagerNodeCertificate"; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet)); } }
public static void EnumerateDnsNames(LoadMode loadMode) { SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName("foo"); builder.AddIpAddress(IPAddress.Loopback); builder.AddUserPrincipalName("*****@*****.**"); builder.AddIpAddress(IPAddress.IPv6Loopback); builder.AddDnsName("*.foo"); X509Extension built = builder.Build(true); X509SubjectAlternativeNameExtension ext; switch (loadMode) { case LoadMode.CopyFrom: ext = new X509SubjectAlternativeNameExtension(); ext.CopyFrom(built); break; case LoadMode.Array: ext = new X509SubjectAlternativeNameExtension(built.RawData); break; case LoadMode.Span: byte[] tmp = new byte[built.RawData.Length + 2]; built.RawData.AsSpan().CopyTo(tmp.AsSpan(1)); ext = new X509SubjectAlternativeNameExtension(tmp.AsSpan()[1..^ 1]);
public static X509Certificate2 Create(CertificateOptions options) { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(options.Issuer); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN=" + options.Issuer); var csp = new CspParameters { Flags = CspProviderFlags.UseArchivableKey | CspProviderFlags.UseMachineKeyStore }; using (RSA rsa = new RSACryptoServiceProvider(2048, csp)) { CertificateRequest req = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); req.CertificateExtensions.Add(sanBuilder.Build()); req.CertificateExtensions.Add( new X509BasicConstraintsExtension(false, false, 0, false)); req.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.KeyAgreement | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment, false)); req.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, true)); req.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(req.PublicKey, false)); X509Certificate2 CA = CreateCA(options); X509Certificate2 cert = req.Create( CA, CA.NotBefore, CA.NotAfter, CertHelper.SerialNumber.ToByteArray()); X509Certificate2 certWithPK = cert.CopyWithPrivateKey(rsa); certWithPK.FriendlyName = options.FriendlyName; X509Certificate2 certificate = new X509Certificate2(certWithPK.Export(X509ContentType.Pfx, options.Password), options.Password, X509KeyStorageFlags.MachineKeySet); CertHelper.AddToMyStore(certificate); return(certificate); } }
private static X509Extension LocalSubjectAlternativeName() { var builder = new SubjectAlternativeNameBuilder(); builder.AddIpAddress(IPAddress.Loopback); builder.AddIpAddress(IPAddress.IPv6Loopback); builder.AddDnsName("localhost"); builder.AddDnsName(Environment.MachineName); return(builder.Build()); }
private X509Certificate2 GenerateSelfSignedServerCert(string certificateName) { var certPassword = Configuration["MPY:IdentityServer:X509CertToken:Password"]; if (string.IsNullOrEmpty(certPassword)) { throw new ArgumentNullException("Token Signing Certificate Password needs to be set"); } var dnsName = Configuration["MPY:IdentityServer:X509CertToken:DNSName"]; if (string.IsNullOrEmpty(dnsName)) { throw new ArgumentNullException("Token Signing DNS Name needs to be set."); } SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName(dnsName); sanBuilder.AddDnsName(System.Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certificateName}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); //var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(365))); var yesterday = DateTime.Today.AddDays(-1).ToUniversalTime(); var future = DateTime.Today.AddDays(365).ToUniversalTime(); var certificate = request.CreateSelfSigned(new DateTimeOffset(yesterday), new DateTimeOffset(future)); certificate.FriendlyName = certificateName; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, certPassword), certPassword, X509KeyStorageFlags.MachineKeySet)); } }
/// <summary> /// Create a self signed certificate, optionally providing a locally existente CA certificate /// </summary> /// <param name="subjectName"></param> /// <param name="organization"></param> /// <param name="country"></param> /// <param name="authority">Optional authority cert to sign this one against.</param> /// <param name="expirationDays"></param> /// <returns></returns> public static X509Certificate2 GenerateSelfSignedCertificate( string subjectName, string organization, string country, X509Certificate2 authority = null, int expirationDays = 90) { // Have this certificate work with localhost, etc.. SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={subjectName}, O={organization}, C={country}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset notBefore = DateTimeOffset.UtcNow; DateTimeOffset notAfter = notBefore.AddDays(expirationDays); X509Certificate2 certWithPrivateKey; if (authority == null) { certWithPrivateKey = request.CreateSelfSigned(notBefore, notAfter); } else { byte[] serialnumber = Encoding.ASCII.GetBytes(DateTime.UtcNow.ToString("MMMMddyyyyHHmmss")); certWithPrivateKey = request.Create(authority, notBefore, notAfter, serialnumber); } return(certWithPrivateKey); } }
/// <summary> /// Build the Subject Alternative name extension /// </summary> /// <param name="uris">The Uris</param> /// <param name="addresses">The domain names. /// DNS Hostnames, IPv4 or IPv6 addresses</param> /// <param name="critical"></param> public static X509Extension BuildSubjectAlternativeName( IEnumerable <string> uris, IEnumerable <string> addresses, bool critical) { var sanBuilder = new SubjectAlternativeNameBuilder(); foreach (var uri in uris) { sanBuilder.AddUri(new Uri(uri)); } foreach (var domainName in addresses) { if (string.IsNullOrWhiteSpace(domainName)) { continue; } if (IPAddress.TryParse(domainName, out var ipAddr)) { sanBuilder.AddIpAddress(ipAddr); } else { sanBuilder.AddDnsName(domainName); } } return(sanBuilder.Build(critical)); }
protected X509Extension BuildSubjectAlternativeName() { var subjectAlternativeNameBuilder = new SubjectAlternativeNameBuilder(); subjectAlternativeNameBuilder.AddIpAddress(IPAddress.Loopback); subjectAlternativeNameBuilder.AddIpAddress(IPAddress.IPv6Loopback); foreach (var dnsName in _certificateBuilderConfiguration.DnsNames) { subjectAlternativeNameBuilder.AddDnsName(dnsName); } subjectAlternativeNameBuilder.AddDnsName(Environment.MachineName); return(subjectAlternativeNameBuilder.Build()); }
public static void SanWithNoDnsMeansDoCommonNameFallback() { using (ECDsa key = ECDsa.Create()) { CertificateRequest req = new CertificateRequest( "CN=zalzalak.fruit.example", key, HashAlgorithmName.SHA256); SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddEmailAddress("*****@*****.**"); req.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset now = DateTimeOffset.UtcNow; DateTimeOffset notBefore = now.AddMinutes(-1); DateTimeOffset notAfter = now.AddMinutes(1); using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter)) { AssertMatch(false, cert, "yumberry.fruit.example"); AssertMatch(true, cert, "127.0.0.1"); // Since the SAN contains no dNSName values, we fall back to the CN. AssertMatch(true, cert, "zalzalak.fruit.example"); AssertMatch(false, cert, "zalzalak.fruit.example", allowCommonName: false); } } }
private static X509ExtensionCollection BuildTlsCertExtensions(string targetName, bool serverCertificate) { X509ExtensionCollection extensions = new X509ExtensionCollection(); SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName(targetName); builder.AddIpAddress(IPAddress.Loopback); builder.AddIpAddress(IPAddress.IPv6Loopback); extensions.Add(builder.Build()); extensions.Add(s_eeConstraints); extensions.Add(s_eeKeyUsage); extensions.Add(serverCertificate ? s_tlsServerEku : s_tlsClientEku); return(extensions); }
public static X509Certificate2 BuildSelfSignedCertificate(string dns, string ipaddr, string issuer, string password) { SubjectAlternativeNameBuilder sanb = new SubjectAlternativeNameBuilder(); sanb.AddIpAddress(IPAddress.Parse(ipaddr)); sanb.AddDnsName(dns); X500DistinguishedName subject = new X500DistinguishedName($"CN={issuer}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanb.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); certificate.FriendlyName = issuer; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable)); } }
/// <summary> /// Generate a new 2048 bit RSA key and cert bundle and self sign the public key with the private key /// https://stackoverflow.com/a/50138133/6620171 /// </summary> /// <param name="CommonName"></param> /// <returns></returns> private static X509Certificate2 BuildSelfSignedServerCertificate(string CommonName, int daysUntilExpire) { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CommonName}"); using (RSA rsa = RSA.Create(2048)) { CertificateRequest request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); X509Certificate2 certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(daysUntilExpire))); //certificate.FriendlyName = CommonName; // Linux: System.PlatformNotSupportedException: The FriendlyName value cannot be set on Unix. return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable)); } }
public static void SanWithIPAddressMeansNoCommonNameFallback() { using (ECDsa key = ECDsa.Create()) { CertificateRequest req = new CertificateRequest( "CN=10.0.0.1", key, HashAlgorithmName.SHA256); SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddIpAddress(IPAddress.Parse("[fe80::1]")); sanBuilder.AddEmailAddress("*****@*****.**"); req.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset now = DateTimeOffset.UtcNow; DateTimeOffset notBefore = now.AddMinutes(-1); DateTimeOffset notAfter = now.AddMinutes(1); using (X509Certificate2 cert = req.CreateSelfSigned(notBefore, notAfter)) { AssertMatch(true, cert, "127.0.0.1"); // Various text forms of IPv6Loopback AssertMatch(true, cert, "[::1]"); AssertMatch(true, cert, "::1"); AssertMatch(true, cert, "[::01]"); AssertMatch(true, cert, "[0000::1]"); // Various text forms of fe80::1 AssertMatch(true, cert, "[fe80::1]"); AssertMatch(true, cert, "[FE80::1]"); AssertMatch(true, cert, "fe80::1"); AssertMatch(true, cert, "[fe80:0000::1]"); AssertMatch(true, cert, "[fe80:0000::01]"); // Various text forms of fe80:: AssertMatch(false, cert, "[fe80::]"); AssertMatch(false, cert, "fe80::"); AssertMatch(false, cert, "[fe80::0]"); AssertMatch(false, cert, "[fe80:0000::]"); // Since the SAN has an iPAddress value, we do not fall back to the CN. AssertMatch(false, cert, "10.0.0.1"); } } }
/// <summary> /// 生成CA,TODO 2 如何通过根证书生成接下来的证书 /// </summary> /// <param name="CertificateName"></param> /// <param name="hosts"></param> /// <returns></returns> public static X509Certificate2 GenerateCA(string CertificateName, string hosts = null) { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); if (hosts != null) { string[] strings = hosts.Split(','); foreach (var str in strings) { sanBuilder.AddDnsName(str); } } sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); //certificate.FriendlyName = CertificateName; //return certificate; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.Exportable)); } }
private static X509Certificate2 BuildSelfSignedServerCertificate() { const string CertificateName = "ErpNet.FP"; SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName(Environment.MachineName); sanBuilder.AddDnsName("localhost"); var addresses = GetLocalV4Addresses(); foreach (var address in addresses) { sanBuilder.AddIpAddress(address); } X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); // For now, in .net core 3 the property FriendlyName is not implemented for POSIX systems, like linux and macOS // certificate.FriendlyName = CertificateName; return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "ErpNet.FP.Password"), "ErpNet.FP.Password", X509KeyStorageFlags.MachineKeySet)); } }
public X509Certificate2 CreateSignedCertificate(string certificateName, string dnsName, X509Certificate2 issuerCertificate) { var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName(dnsName); sanBuilder.AddDnsName(Environment.MachineName); var distinguishedName = new X500DistinguishedName($"CN={certificateName}"); using var rsa = RSA.Create(2048); var request = new CertificateRequest( distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var notBefore = issuerCertificate.NotBefore; var notAfter = issuerCertificate.NotAfter.AddDays(-1); // cert serial is the epoch/unix timestamp var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); var unixTime = Convert.ToInt64((DateTime.UtcNow - epoch).TotalSeconds); var serial = BitConverter.GetBytes(unixTime); var certificate = request.Create(issuerCertificate, notBefore, notAfter, serial); return(certificate.CopyWithPrivateKey(rsa)); }
private static X509Certificate2 GenerateSelfSignedCertificate(string name) { var distinguishedName = new X500DistinguishedName($"CN={name}"); using (var rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), // server auth new Oid("1.3.6.1.5.5.7.3.2") // client auth }, false)); // When creating the localhost certificate, add the other names if (string.Equals(name, "localhost", StringComparison.OrdinalIgnoreCase)) { var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); request.CertificateExtensions.Add(sanBuilder.Build()); } var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(90))); var tempPwd = Guid.NewGuid().ToString(); return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, tempPwd), tempPwd, X509KeyStorageFlags.MachineKeySet)); } }
/// <summary> /// Generate a root CA certificate and store it as a PFX file. /// </summary> /// <param name="outputDir">Output directory (if null or empty, then the certificate isn't stored as a PFX file)</param> /// <param name="certificateName">Certificate name</param> /// <param name="friendlyName">Friendly certificate name</param> /// <param name="password">PFX password</param> /// <param name="keySize">Key size (e.g. 4096)</param> /// <param name="expirationDate">Expiration date</param> /// <param name="dnsNames">List of DNS names</param> /// <param name="ipAddresses">List of IP addresses</param> public static X509Certificate2 GenerateRootCaPfx(string outputDir, string certificateName, string friendlyName, string password, int keySize, DateTime expirationDate, string[] dnsNames, IPAddress[] ipAddresses = null) { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); if (ipAddresses != null && ipAddresses.Length != 0) { foreach (var ip in ipAddresses) { sanBuilder.AddIpAddress(ip); } } foreach (var dns in dnsNames) { sanBuilder.AddDnsName(dns); } X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certificateName}"); using RSA rsa = RSA.Create(keySize); var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(expirationDate)); certificate.FriendlyName = friendlyName; var newCert = new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet); if (!string.IsNullOrEmpty(outputDir)) { var certBytes = newCert.Export(X509ContentType.Pfx, password); if (!Directory.Exists($"{outputDir}")) { Directory.CreateDirectory($"{outputDir}"); } var fileName = $"{outputDir}{Path.DirectorySeparatorChar}{certificateName}.pfx"; if (!File.Exists(fileName)) { File.WriteAllBytes(fileName, certBytes); } } return(newCert); }
private X509Certificate2 buildSelfSignedServerCertificate(string name) { SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={name}"); using RSA rsa = RSA.Create(2048); var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); // try // { // certificate.FriendlyName = name; // } // catch (Exception) { } return(new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.UserKeySet)); }
public static void SingleValue_IPAddress_v4() { SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddIpAddress(IPAddress.Loopback); X509Extension extension = builder.Build(); Assert.Equal(SubjectAltNameOid, extension.Oid.Value); Assert.Equal("300687047F000001", extension.RawData.ByteArrayToHex()); }
public static void CreateBrokerTlsCert(this X509Certificate2 CACertificate, string domainname, IPAddress iP, string pubfile, string pivfile, string email) { var build = new SubjectAlternativeNameBuilder(); build.AddDnsName(domainname); build.AddIpAddress(iP); build.AddEmailAddress(email ?? "*****@*****.**"); string name = $"C=CN,CN={iP.ToString()},ST=IoTSharp,O={Dns.GetHostName()},OU= CA_{MethodBase.GetCurrentMethod().Module.Assembly.GetName().Name}"; var broker = CACertificate.CreateTlsClientRSA(name, build); broker.SavePem(pubfile, pivfile); }
public static void MultipleBuilds_WithModification() { SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddIpAddress(IPAddress.Loopback); X509Extension extension = builder.Build(); Assert.Equal(SubjectAltNameOid, extension.Oid.Value); builder.AddIpAddress(IPAddress.IPv6Loopback); X509Extension secondExtension = builder.Build(); Assert.NotSame(extension, secondExtension); Assert.Equal(extension.Oid.Value, secondExtension.Oid.Value); Assert.Equal(extension.Critical, secondExtension.Critical); Assert.True( secondExtension.RawData.Length > extension.RawData.Length, $"secondExtension.RawData.Length > extension.RawData.Length"); }
public X509Certificate2 CreateSelfSignedCertificate(string certificateName, string dnsName) { var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName(dnsName); sanBuilder.AddDnsName(Environment.MachineName); var distinguishedName = new X500DistinguishedName($"CN={certificateName}"); using var rsa = RSA.Create(2048); var request = new CertificateRequest( distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned( new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddYears(10))); certificate.FriendlyName = certificateName; return(certificate); }
private static IEnumerable <object[]> GetThumbprintsGenerated() { var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); var distinguishedName = new X500DistinguishedName($"CN={CertificateName}"); X509Certificate2 newCert; using (var rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650))); newCert = new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.MachineKeySet); } using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadWrite)) { store.Add(newCert); } yield return(new object[] { newCert.Thumbprint }); }