// When called, generates the a cert for the machine DNS name with SAN localhost, and installs both certs
// returns thumbprint of the machine certs
public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
{
if (certificateGenerator == null)
{
throw new ArgumentNullException("certificateGenerator");
}
lock (s_certificateLock)
{
if (s_localCertificate != null)
{
return(s_localCertificate);
}
Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");
// At this point, we know we haven't generated the certs yet, or the operation is completing on another thread
// Certificate generation is time-consuming, so we want to make sure that we don't unnecessarily generate a cert
var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
var fqdn = Dns.GetHostEntry("127.0.0.1").HostName;
var hostname = fqdn.Split('.')[0];
// always create a certificate locally for the current machine's fully qualified domain name,
// hostname, and "localhost".
CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - Machine certificate generated by the CertificateManager",
Subject = fqdn,
SubjectAlternativeNames = new string[] { fqdn, hostname, "localhost" }
};
var hostCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;
// Since s_myCertificates keys by subject name, we won't install a cert for the same subject twice
// only the first-created cert will win
InstallCertificateToRootStore(rootCertificate);
InstallCertificateToMyStore(hostCert, certificateCreationSettings.ValidityType == CertificateValidityType.Valid);
s_localCertificate = hostCert;
// Create the PeerTrust cert
certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - UserPeerTrustCertificateResource",
Subject = fqdn,
SubjectAlternativeNames = new string[] { fqdn, hostname, "localhost" }
};
var peerCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;
InstallCertificateToTrustedPeopleStore(peerCert, certificateCreationSettings.ValidityType == CertificateValidityType.Valid);
}
return(s_localCertificate);
}
public static void RevokeCertificate(CertificateGenerator certificateGenerator, string serialNum)
{
if (certificateGenerator == null)
{
throw new ArgumentNullException("certificateGenerator");
}
lock (s_certificateLock)
{
certificateGenerator.RevokeCertificateBySerialNumber(serialNum);
}
}
// We generate a local machine certificate for common usage. This method is usded to generate certs for non common usage, such as an expired cert.
public static X509Certificate2 CreateAndInstallNonDefaultMachineCertificates(CertificateGenerator certificateGenerator, CertificateCreationSettings certificateCreationSettings, string resourceAddress)
{
if (certificateCreationSettings == null)
{
throw new ArgumentException("certificateCreationSettings cannot be null as we are creating a non default certificate");
}
if (certificateGenerator == null)
{
throw new ArgumentNullException("certificateGenerator");
}
lock (s_certificateLock)
{
Trace.WriteLine("[CertificateManager] Installing Non default Machine certificates to machine store.");
var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
var hostCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;
InstallCertificateToRootStore(rootCertificate);
InstallCertificateToMyStore(hostCert, certificateCreationSettings.ValidityType == CertificateValidityType.Valid);
return(hostCert);
}
}
private static int Main(string[] args)
{
ApplyAppSettings();
if (args.Length > 0)
{
if (string.Compare(args[0], "-Uninstall", true) == 0)
{
UninstallAllCerts();
return 0;
}
else if (string.Compare(args[0], "-help", true) == 0)
{
Usage();
return 0;
}
else
{
Usage();
return 1;
}
}
UninstallAllCerts();
CertificateGenerator certificateGenerate = new CertificateGenerator();
certificateGenerate.CertificatePassword = "******";
certificateGenerate.CrlServiceUri = s_fqdn;
certificateGenerate.ValidityPeriod = s_ValidatePeriod;
if (!string.IsNullOrEmpty(s_testserverbase))
{
certificateGenerate.CrlUriRelativePath += "/" + s_testserverbase;
}
certificateGenerate.CrlUriRelativePath += "/TestHost.svc/Crl";
//Create and install root and server cert
CertificateManager.CreateAndInstallLocalMachineCertificates(certificateGenerate);
//Create and Install expired cert
CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - TcpExpiredServerCertResource",
ValidityType = CertificateValidityType.Expired,
ValidityNotBefore = DateTime.UtcNow - TimeSpan.FromDays(4),
ValidityNotAfter = DateTime.UtcNow - TimeSpan.FromDays(2),
//If you specify multiple subjects, the first one becomes the subject, and all of them become Subject Alt Names.
//In this case, the certificate subject is CN=fqdn, OU=..., O=... , and SANs will be fqdn, hostname, localhost
//We do this so that a single WCF service setup can deal with all the possible addresses that a client might use.
Subject = s_fqdn,
SubjectAlternativeNames = new string[] { s_fqdn, s_hostname, "localhost" }
};
CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);
//Create and Install TcpCertificateWithServerAltName
certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - TcpCertificateWithServerAltNameResource",
Subject = "not-real-subject-name",
SubjectAlternativeNames = new string[] { "not-real-subject-name", "not-real-subject-name.example.com", s_fqdn, s_hostname, "localhost" }
};
CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);
//TcpCertificateWithSubjectCanonicalNameDomainName
certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameDomainNameResource",
Subject = s_hostname,
SubjectAlternativeNames = new string[0],
ValidityType = CertificateValidityType.NonAuthoritativeForMachine
};
CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);
//WCF Bridge - TcpCertificateWithSubjectCanonicalNameFqdn
certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameFqdnResource",
Subject = s_fqdn,
SubjectAlternativeNames = new string[0],
ValidityType = CertificateValidityType.NonAuthoritativeForMachine
};
CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);
//TcpCertificateWithSubjectCanonicalNameLocalhost
certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameLocalhostResource",
Subject = "localhost",
SubjectAlternativeNames = new string[0],
ValidityType = CertificateValidityType.NonAuthoritativeForMachine
};
CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);
//TcpRevokedServerCert
certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - TcpRevokedServerCertResource",
ValidityType = CertificateValidityType.Revoked,
Subject = s_fqdn,
SubjectAlternativeNames = new string[] { s_fqdn, s_hostname, "localhost" }
};
CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);
//Create and install client cert
certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - UserCertificateResource",
Subject = "WCF Client Certificate",
};
X509Certificate2 certificate = certificateGenerate.CreateUserCertificate(certificateCreationSettings).Certificate;
CertificateManager.AddToStoreIfNeeded(StoreName.My, StoreLocation.LocalMachine, certificate);
//Create CRL and save it
File.WriteAllBytes(s_CrlFileLocation, certificateGenerate.CrlEncoded);
return 0;
}
private static void CreateAndInstallMachineCertificate(CertificateGenerator certificateGenerate, CertificateCreationSettings certificateCreationSettings)
{
X509Certificate2 certificate = certificateGenerate.CreateMachineCertificate(certificateCreationSettings).Certificate;
CertificateManager.AddToStoreIfNeeded(StoreName.My, StoreLocation.LocalMachine, certificate);
}
public static void RevokeCertificate(CertificateGenerator certificateGenerator, string serialNum)
{
if (certificateGenerator == null)
{
throw new ArgumentNullException("certificateGenerator");
}
lock (s_certificateLock)
{
certificateGenerator.RevokeCertificateBySerialNumber(serialNum);
}
}
// We generate a local machine certificate for common usage. This method is usded to generate certs for non common usage, such as an expired cert.
public static X509Certificate2 CreateAndInstallNonDefaultMachineCertificates(CertificateGenerator certificateGenerator, CertificateCreationSettings certificateCreationSettings, string resourceAddress)
{
if (certificateCreationSettings == null)
{
throw new ArgumentException("certificateCreationSettings cannot be null as we are creating a non default certificate");
}
if (certificateGenerator == null)
{
throw new ArgumentNullException("certificateGenerator");
}
lock (s_certificateLock)
{
Trace.WriteLine("[CertificateManager] Installing Non default Machine certificates to machine store.");
var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
var hostCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;
InstallCertificateToRootStore(rootCertificate);
InstallCertificateToMyStore(hostCert, certificateCreationSettings.ValidityType == CertificateValidityType.Valid);
return hostCert;
}
}
// When called, generates the a cert for the machine DNS name with SAN localhost, and installs both certs
// returns thumbprint of the machine certs
public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
{
if (certificateGenerator == null)
{
throw new ArgumentNullException("certificateGenerator");
}
lock (s_certificateLock)
{
if (s_localCertificate != null)
{
return s_localCertificate;
}
Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");
// At this point, we know we haven't generated the certs yet, or the operation is completing on another thread
// Certificate generation is time-consuming, so we want to make sure that we don't unnecessarily generate a cert
var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
var fqdn = Dns.GetHostEntry("127.0.0.1").HostName;
var hostname = fqdn.Split('.')[0];
// always create a certificate locally for the current machine's fully qualified domain name,
// hostname, and "localhost".
CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - Machine certificate generated by the CertificateManager",
Subject = fqdn,
SubjectAlternativeNames = new string[] { fqdn, hostname, "localhost" }
};
var hostCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;
// Since s_myCertificates keys by subject name, we won't install a cert for the same subject twice
// only the first-created cert will win
InstallCertificateToRootStore(rootCertificate);
InstallCertificateToMyStore(hostCert, certificateCreationSettings.ValidityType == CertificateValidityType.Valid);
s_localCertificate = hostCert;
// Create the PeerTrust cert
certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - UserPeerTrustCertificateResource",
Subject = fqdn,
SubjectAlternativeNames = new string[] { fqdn, hostname, "localhost" }
};
var peerCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;
InstallCertificateToTrustedPeopleStore(peerCert, certificateCreationSettings.ValidityType == CertificateValidityType.Valid);
}
return s_localCertificate;
}
