/// <summary>
/// Generates the certificate for this machine's DNS name (with the short hostname and "localhost"
/// as subject alternative names), installs it together with the issuing authority certificate,
/// and then generates a second certificate with the same names for the trusted people store.
/// The work happens at most once per process; later calls return the cached certificate.
/// </summary>
/// <param name="certificateGenerator">Generator whose authority certificate issues the machine certificates.</param>
/// <returns>The installed machine certificate itself (not its thumbprint).</returns>
/// <exception cref="ArgumentNullException"><paramref name="certificateGenerator"/> is null.</exception>
public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
{
    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        // Generation is expensive, so the cached result is checked under the lock and the
        // body below runs at most once even when several threads race to get here.
        if (s_localCertificate == null)
        {
            Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");

            var authorityCert = certificateGenerator.AuthorityCertificate.Certificate;
            var machineFqdn = Dns.GetHostEntry("127.0.0.1").HostName;
            var shortHostName = machineFqdn.Split('.')[0];

            // One certificate covers every name a local client might use: FQDN, short hostname and "localhost".
            var machineSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - Machine certificate generated by the CertificateManager",
                Subject = machineFqdn,
                SubjectAlternativeNames = new string[] { machineFqdn, shortHostName, "localhost" }
            };
            var machineCert = certificateGenerator.CreateMachineCertificate(machineSettings).Certificate;

            // NOTE(review): installing the authority certificate into a root store (the trace message
            // says the machine store) makes every certificate it issues trusted machine-wide, so the
            // generator's private key needs the same protection as any CA key.
            // s_myCertificates keys by subject name, so a second cert for the same subject is not
            // installed; the first-created one wins.
            InstallCertificateToRootStore(authorityCert);
            InstallCertificateToMyStore(machineCert, machineSettings.ValidityType == CertificateValidityType.Valid);
            s_localCertificate = machineCert;

            // PeerTrust certificate: same names, but installed to the trusted people store instead.
            var peerTrustSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - UserPeerTrustCertificateResource",
                Subject = machineFqdn,
                SubjectAlternativeNames = new string[] { machineFqdn, shortHostName, "localhost" }
            };
            var peerTrustCert = certificateGenerator.CreateMachineCertificate(peerTrustSettings).Certificate;
            InstallCertificateToTrustedPeopleStore(peerTrustCert, peerTrustSettings.ValidityType == CertificateValidityType.Valid);
        }

        return s_localCertificate;
    }
}
/// <summary>
/// Revokes the certificate with the given serial number through the generator, serialized
/// with the other certificate operations by <c>s_certificateLock</c>.
/// </summary>
/// <param name="certificateGenerator">Generator that issued the certificate and tracks revocations.</param>
/// <param name="serialNum">Serial number of the certificate to revoke; passed through without validation here.</param>
/// <exception cref="ArgumentNullException"><paramref name="certificateGenerator"/> is null.</exception>
public static void RevokeCertificate(CertificateGenerator certificateGenerator, string serialNum)
{
    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    var generator = certificateGenerator;
    lock (s_certificateLock)
    {
        // Revocation mutates generator state that other callers read under the same lock.
        generator.RevokeCertificateBySerialNumber(serialNum);
    }
}
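/// <summary>
/// Generates and installs a machine certificate for a non-default scenario (for example an
/// expired certificate). The common-case certificate comes from
/// <see cref="CreateAndInstallLocalMachineCertificates"/>; this method is for everything else.
/// The authority certificate is installed alongside the generated one.
/// </summary>
/// <param name="certificateGenerator">Generator whose authority certificate issues the certificate.</param>
/// <param name="certificateCreationSettings">Subject, alternative names, validity and friendly name of the certificate.</param>
/// <param name="resourceAddress">Not used by this method; kept so existing callers keep compiling.</param>
/// <returns>The generated machine certificate.</returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="certificateCreationSettings"/> or <paramref name="certificateGenerator"/> is null.
/// </exception>
public static X509Certificate2 CreateAndInstallNonDefaultMachineCertificates(CertificateGenerator certificateGenerator, CertificateCreationSettings certificateCreationSettings, string resourceAddress)
{
    if (certificateCreationSettings == null)
    {
        // ArgumentNullException is the specific type for a null argument; it derives from
        // ArgumentException, so callers catching the old type still work.
        throw new ArgumentNullException("certificateCreationSettings", "certificateCreationSettings cannot be null as we are creating a non default certificate");
    }

    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        Trace.WriteLine("[CertificateManager] Installing Non default Machine certificates to machine store.");

        var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
        var hostCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;

        // NOTE(review): installing the authority certificate makes everything it issues trusted by
        // this machine; the generator's private key needs CA-grade protection.
        InstallCertificateToRootStore(rootCertificate);
        // The flag tells the store helper whether the settings describe a Valid certificate;
        // how it treats the other validity types is decided in InstallCertificateToMyStore.
        InstallCertificateToMyStore(hostCert, certificateCreationSettings.ValidityType == CertificateValidityType.Valid);

        return hostCert;
    }
}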
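/// <summary>
/// Entry point. With "-Uninstall" removes all certificates this tool installed; with "-help"
/// prints usage; any other argument prints usage and fails. With no arguments it uninstalls,
/// then generates and installs the authority, machine, test-scenario and client certificates
/// and writes the CRL to <c>s_CrlFileLocation</c>.
/// </summary>
/// <param name="args">Command-line arguments; only the first is examined.</param>
/// <returns>0 on success, 1 for an unrecognized argument.</returns>
private static int Main(string[] args)
{
    ApplyAppSettings();

    if (args.Length > 0)
    {
        // Ordinal comparison: string.Compare(a, b, true) is culture-sensitive, so under some
        // cultures (e.g. Turkish casing rules) "-UNINSTALL" would not match "-Uninstall".
        if (string.Equals(args[0], "-Uninstall", StringComparison.OrdinalIgnoreCase))
        {
            UninstallAllCerts();
            return 0;
        }
        else if (string.Equals(args[0], "-help", StringComparison.OrdinalIgnoreCase))
        {
            Usage();
            return 0;
        }
        else
        {
            Usage();
            return 1;
        }
    }

    UninstallAllCerts();

    CertificateGenerator certificateGenerate = new CertificateGenerator();
    // NOTE(review): this literal reads like a placeholder; a real password must not live in
    // source — load it from configuration (ApplyAppSettings runs above; confirm what it reads).
    certificateGenerate.CertificatePassword = "******";
    certificateGenerate.CrlServiceUri = s_fqdn;
    certificateGenerate.ValidityPeriod = s_ValidatePeriod;
    if (!string.IsNullOrEmpty(s_testserverbase))
    {
        certificateGenerate.CrlUriRelativePath += "/" + s_testserverbase;
    }
    certificateGenerate.CrlUriRelativePath += "/TestHost.svc/Crl";

    //Create and install root and server cert
    CertificateManager.CreateAndInstallLocalMachineCertificates(certificateGenerate);

    //Create and Install expired cert
    // One timestamp for both bounds so they are consistent with each other.
    DateTime now = DateTime.UtcNow;
    CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpExpiredServerCertResource",
        ValidityType = CertificateValidityType.Expired,
        ValidityNotBefore = now - TimeSpan.FromDays(4),
        ValidityNotAfter = now - TimeSpan.FromDays(2),
        //If you specify multiple subjects, the first one becomes the subject, and all of them become Subject Alt Names.
        //In this case, the certificate subject is CN=fqdn, OU=..., O=... , and SANs will be fqdn, hostname, localhost
        //We do this so that a single WCF service setup can deal with all the possible addresses that a client might use.
        Subject = s_fqdn,
        SubjectAlternativeNames = new string[] { s_fqdn, s_hostname, "localhost" }
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //Create and Install TcpCertificateWithServerAltName
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpCertificateWithServerAltNameResource",
        Subject = "not-real-subject-name",
        SubjectAlternativeNames = new string[] { "not-real-subject-name", "not-real-subject-name.example.com", s_fqdn, s_hostname, "localhost" }
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //TcpCertificateWithSubjectCanonicalNameDomainName
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameDomainNameResource",
        Subject = s_hostname,
        SubjectAlternativeNames = new string[0],
        ValidityType = CertificateValidityType.NonAuthoritativeForMachine
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //WCF Bridge - TcpCertificateWithSubjectCanonicalNameFqdn
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameFqdnResource",
        Subject = s_fqdn,
        SubjectAlternativeNames = new string[0],
        ValidityType = CertificateValidityType.NonAuthoritativeForMachine
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //TcpCertificateWithSubjectCanonicalNameLocalhost
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameLocalhostResource",
        Subject = "localhost",
        SubjectAlternativeNames = new string[0],
        ValidityType = CertificateValidityType.NonAuthoritativeForMachine
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //TcpRevokedServerCert
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpRevokedServerCertResource",
        ValidityType = CertificateValidityType.Revoked,
        Subject = s_fqdn,
        SubjectAlternativeNames = new string[] { s_fqdn, s_hostname, "localhost" }
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //Create and install client cert
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - UserCertificateResource",
        Subject = "WCF Client Certificate",
    };
    X509Certificate2 certificate = certificateGenerate.CreateUserCertificate(certificateCreationSettings).Certificate;
    CertificateManager.AddToStoreIfNeeded(StoreName.My, StoreLocation.LocalMachine, certificate);

    //Create CRL and save it
    File.WriteAllBytes(s_CrlFileLocation, certificateGenerate.CrlEncoded);

    return 0;
}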
/// <summary>
/// Issues a machine certificate from <paramref name="certificateGenerate"/> with the given
/// settings and hands it to <c>CertificateManager.AddToStoreIfNeeded</c> for the
/// LocalMachine\My store (the "if needed" decision lives in CertificateManager, not here).
/// </summary>
/// <param name="certificateGenerate">Generator that issues the certificate.</param>
/// <param name="certificateCreationSettings">Subject, alternative names, validity and friendly name to issue with.</param>
private static void CreateAndInstallMachineCertificate(CertificateGenerator certificateGenerate, CertificateCreationSettings certificateCreationSettings)
{
    var issued = certificateGenerate.CreateMachineCertificate(certificateCreationSettings);
    CertificateManager.AddToStoreIfNeeded(StoreName.My, StoreLocation.LocalMachine, issued.Certificate);
}
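/// <summary>
/// Generates and installs a machine certificate for a non-default scenario (for example an
/// expired certificate). The common-case certificate comes from
/// <see cref="CreateAndInstallLocalMachineCertificates"/>; this method is for everything else.
/// The authority certificate is installed alongside the generated one.
/// </summary>
/// <param name="certificateGenerator">Generator whose authority certificate issues the certificate.</param>
/// <param name="certificateCreationSettings">Subject, alternative names, validity and friendly name of the certificate.</param>
/// <param name="resourceAddress">Not used by this method; kept so existing callers keep compiling.</param>
/// <returns>The generated machine certificate.</returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="certificateCreationSettings"/> or <paramref name="certificateGenerator"/> is null.
/// </exception>
public static X509Certificate2 CreateAndInstallNonDefaultMachineCertificates(CertificateGenerator certificateGenerator, CertificateCreationSettings certificateCreationSettings, string resourceAddress)
{
    if (certificateCreationSettings == null)
    {
        // ArgumentNullException is the specific type for a null argument; it derives from
        // ArgumentException, so callers catching the old type still work.
        throw new ArgumentNullException("certificateCreationSettings", "certificateCreationSettings cannot be null as we are creating a non default certificate");
    }

    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        Trace.WriteLine("[CertificateManager] Installing Non default Machine certificates to machine store.");

        var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
        var hostCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;

        // NOTE(review): installing the authority certificate makes everything it issues trusted by
        // this machine; the generator's private key needs CA-grade protection.
        InstallCertificateToRootStore(rootCertificate);
        // The flag tells the store helper whether the settings describe a Valid certificate;
        // how it treats the other validity types is decided in InstallCertificateToMyStore.
        InstallCertificateToMyStore(hostCert, certificateCreationSettings.ValidityType == CertificateValidityType.Valid);

        return hostCert;
    }
}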
/// <summary>
/// Generates the certificate for this machine's DNS name (with the short hostname and "localhost"
/// as subject alternative names), installs it together with the issuing authority certificate,
/// and then generates a second certificate with the same names for the trusted people store.
/// The work happens at most once per process; later calls return the cached certificate.
/// </summary>
/// <param name="certificateGenerator">Generator whose authority certificate issues the machine certificates.</param>
/// <returns>The installed machine certificate itself (not its thumbprint).</returns>
/// <exception cref="ArgumentNullException"><paramref name="certificateGenerator"/> is null.</exception>
public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
{
    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        // Generation is expensive, so the cached result is checked under the lock and the
        // body below runs at most once even when several threads race to get here.
        if (s_localCertificate == null)
        {
            Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");

            var authorityCert = certificateGenerator.AuthorityCertificate.Certificate;
            var machineFqdn = Dns.GetHostEntry("127.0.0.1").HostName;
            var shortHostName = machineFqdn.Split('.')[0];

            // One certificate covers every name a local client might use: FQDN, short hostname and "localhost".
            var machineSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - Machine certificate generated by the CertificateManager",
                Subject = machineFqdn,
                SubjectAlternativeNames = new string[] { machineFqdn, shortHostName, "localhost" }
            };
            var machineCert = certificateGenerator.CreateMachineCertificate(machineSettings).Certificate;

            // NOTE(review): installing the authority certificate into a root store (the trace message
            // says the machine store) makes every certificate it issues trusted machine-wide, so the
            // generator's private key needs the same protection as any CA key.
            // s_myCertificates keys by subject name, so a second cert for the same subject is not
            // installed; the first-created one wins.
            InstallCertificateToRootStore(authorityCert);
            InstallCertificateToMyStore(machineCert, machineSettings.ValidityType == CertificateValidityType.Valid);
            s_localCertificate = machineCert;

            // PeerTrust certificate: same names, but installed to the trusted people store instead.
            var peerTrustSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - UserPeerTrustCertificateResource",
                Subject = machineFqdn,
                SubjectAlternativeNames = new string[] { machineFqdn, shortHostName, "localhost" }
            };
            var peerTrustCert = certificateGenerator.CreateMachineCertificate(peerTrustSettings).Certificate;
            InstallCertificateToTrustedPeopleStore(peerTrustCert, peerTrustSettings.ValidityType == CertificateValidityType.Valid);
        }

        return s_localCertificate;
    }
}