/// <summary> /// Create a Self signed certificate with all options which can also be used as a root certificate /// </summary> /// <param name="distinguishedName">Distinguished Name used for the subject and the issuer properties</param> /// <param name="validityPeriod">Valid from, Valid to certificate properties</param> /// <param name="subjectAlternativeName">SAN but only DnsNames can be added as a list + Email property</param> /// <param name="enhancedKeyUsages">Defines how the certificate key can be used. /// new Oid("1.3.6.1.5.5.7.3.1") // TLS Server auth /// new Oid("1.3.6.1.5.5.7.3.2") // TLS Client auth /// new Oid("1.3.6.1.5.5.7.3.3") // Code signing /// new Oid("1.3.6.1.5.5.7.3.4") // Email /// new Oid("1.3.6.1.5.5.7.3.8") // Timestamping /// </param> /// <param name="x509KeyUsageFlags">Defines how the certificate key can be used. /// None No key usage parameters. /// EncipherOnly The key can be used for encryption only. /// CrlSign The key can be used to sign a certificate revocation list (CRL). /// KeyCertSign The key can be used to sign certificates. /// KeyAgreement The key can be used to determine key agreement, such as a key created using the Diffie-Hellman key agreement algorithm. /// DataEncipherment The key can be used for data encryption. /// KeyEncipherment The key can be used for key encryption. /// NonRepudiation The key can be used for authentication. /// DecipherOnly The key can be used for decryption only. /// </param> /// <returns>Self signed certificate</returns> public X509Certificate2 NewSelfSignedCertificate( DistinguishedName distinguishedName, BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags) { using var ecdsa = ECDsa.Create("ECDsa"); ecdsa.KeySize = 256; var request = new CertificateRequest( _certificateUtility.CreateIssuerOrSubject(distinguishedName), ecdsa, HashAlgorithmName.SHA256); _certificateUtility.AddBasicConstraints(request, basicConstraints); _certificateUtility.AddExtendedKeyUsages(request, x509KeyUsageFlags); _certificateUtility.AddSubjectAlternativeName(request, subjectAlternativeName); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(enhancedKeyUsages, false)); request.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(request.PublicKey, false)); var notbefore = validityPeriod.ValidFrom.AddDays(-1); var notafter = validityPeriod.ValidTo; X509Certificate2 generatedCertificate = request.CreateSelfSigned(notbefore, notafter); return(generatedCertificate); }
/// <summary> /// Create a Self signed certificate with all options which can also be used as a root certificate /// </summary> /// <param name="distinguishedName">Distinguished Name used for the subject and the issuer properties</param> /// <param name="validityPeriod">Valid from, Valid to certificate properties</param> /// <param name="subjectAlternativeName">SAN but only DnsNames can be added as a list + Email property</param> /// <param name="enhancedKeyUsages">Defines how the certificate key can be used. /// new Oid("1.3.6.1.5.5.7.3.1") // TLS Server auth /// new Oid("1.3.6.1.5.5.7.3.2") // TLS Client auth /// new Oid("1.3.6.1.5.5.7.3.3") // Code signing /// new Oid("1.3.6.1.5.5.7.3.4") // Email /// new Oid("1.3.6.1.5.5.7.3.8") // Timestamping /// </param> /// <param name="x509KeyUsageFlags">Defines how the certificate key can be used. /// None No key usage parameters. /// EncipherOnly The key can be used for encryption only. /// CrlSign The key can be used to sign a certificate revocation list (CRL). /// KeyCertSign The key can be used to sign certificates. /// KeyAgreement The key can be used to determine key agreement, such as a key created using the Diffie-Hellman key agreement algorithm. /// DataEncipherment The key can be used for data encryption. /// KeyEncipherment The key can be used for key encryption. /// NonRepudiation The key can be used for authentication. /// DecipherOnly The key can be used for decryption only. /// </param> /// <returns>Self signed certificate</returns> public X509Certificate2 NewECDsaSelfSignedCertificate( DistinguishedName distinguishedName, BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags, ECDsaConfiguration eCDsaConfiguration) { using var ecdsa = ECDsa.Create("ECDsa"); ecdsa.KeySize = eCDsaConfiguration.KeySize; var request = new CertificateRequest( _certificateUtility.CreateIssuerOrSubject(distinguishedName), ecdsa, eCDsaConfiguration.HashAlgorithmName); X509Certificate2 generatedCertificate = SelfSignedConfiguration( basicConstraints, validityPeriod, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, request); return(generatedCertificate); }
public X509Certificate2 NewClientSelfSignedCertificate( DistinguishedName distinguishedName, ValidityPeriod validityPeriod, string dnsName) { OidCollection enhancedKeyUsages = new OidCollection() { new Oid("1.3.6.1.5.5.7.3.2") }; BasicConstraints basicConstraints = new BasicConstraints() { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = true }; SubjectAlternativeName subjectAlternativeName = new SubjectAlternativeName() { DnsName = new List <string>() { dnsName } }; X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature; return(this._createCertificates.NewECDsaSelfSignedCertificate(distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new ECDsaConfiguration())); }
public X509Certificate2 NewIntermediateChainedCertificate( DistinguishedName distinguishedName, ValidityPeriod validityPeriod, int pathLengthConstraint, string dnsName, X509Certificate2 parentCertificateAuthority) { OidCollection enhancedKeyUsages = new OidCollection() { new Oid("1.3.6.1.5.5.7.3.2"), new Oid("1.3.6.1.5.5.7.3.1") }; BasicConstraints basicConstraints = new BasicConstraints() { CertificateAuthority = true, HasPathLengthConstraint = true, PathLengthConstraint = pathLengthConstraint, Critical = true }; SubjectAlternativeName subjectAlternativeName = new SubjectAlternativeName() { DnsName = new List <string>() { dnsName } }; X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign; return(this._createCertificates.NewRsaChainedCertificate(distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, parentCertificateAuthority, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration())); }
private X509Certificate2 NewDeviceChainedCertificate( DistinguishedName distinguishedName, ValidityPeriod validityPeriod, string dnsName, OidCollection enhancedKeyUsages, X509Certificate2 parentCertificateAuthority) { BasicConstraints basicConstraints = new BasicConstraints() { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = true }; SubjectAlternativeName subjectAlternativeName = new SubjectAlternativeName() { DnsName = new List <string>() { dnsName } }; X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature; return(this._createCertificates.NewRsaChainedCertificate(distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, parentCertificateAuthority, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration())); }
public void AddSubjectAlternativeName(CertificateRequest request, SubjectAlternativeName subjectAlternativeName) { foreach (var dnsName in subjectAlternativeName.DnsName) { if (UriHostNameType.Unknown == Uri.CheckHostName(dnsName)) { throw new ArgumentException("Must be a valid DNS name", nameof(dnsName)); } } var sanBuilder = new SubjectAlternativeNameBuilder(); foreach (var dnsName in subjectAlternativeName.DnsName) { sanBuilder.AddDnsName(dnsName); } if (!string.IsNullOrEmpty(subjectAlternativeName.Email)) { sanBuilder.AddEmailAddress(subjectAlternativeName.Email); } var sanExtension = sanBuilder.Build(); request.CertificateExtensions.Add(sanExtension); }
public X509Certificate2 NewRsaSelfSignedCertificate( DistinguishedName distinguishedName, BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags, RsaConfiguration rsaConfiguration) { using var rsa = RSA.Create(rsaConfiguration.KeySize); // 1024, 2048 or 4096 var request = new CertificateRequest( _certificateUtility.CreateIssuerOrSubject(distinguishedName), rsa, rsaConfiguration.HashAlgorithmName, rsaConfiguration.RSASignaturePadding); X509Certificate2 generatedCertificate = SelfSignedConfiguration( basicConstraints, validityPeriod, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, request); return(generatedCertificate); }
public static X509Certificate2 CreateRsaCertificate(CreateCertificates createCertificates, int keySize) { var basicConstraints = new BasicConstraints { CertificateAuthority = true, HasPathLengthConstraint = true, PathLengthConstraint = 2, Critical = false }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { "SigningCertificateTest", } }; var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.KeyAgreement; // only if mtls is used var enhancedKeyUsages = new OidCollection { //OidLookup.ClientAuthentication, //OidLookup.ServerAuthentication, OidLookup.CodeSigning, OidLookup.SecureEmail, OidLookup.TimeStamping }; var certificate = createCertificates.NewRsaSelfSignedCertificate( new DistinguishedName { CommonName = "SigningCertificateTest" }, basicConstraints, new ValidityPeriod { ValidFrom = DateTimeOffset.UtcNow, ValidTo = DateTimeOffset.UtcNow.AddYears(1) }, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration { KeySize = keySize, RSASignaturePadding = RSASignaturePadding.Pkcs1, HashAlgorithmName = HashAlgorithmName.SHA256 }); return(certificate); }
public static X509Certificate2 CreateRsaCertificate(CreateCertificates createCertificates, int keySize) { var basicConstraints = new BasicConstraints { CertificateAuthority = true, HasPathLengthConstraint = true, PathLengthConstraint = 2, Critical = false }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { "localhost", } }; var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.KeyAgreement; // only if mtls is used var enhancedKeyUsages = new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), // TLS Server auth new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth //new Oid("1.3.6.1.5.5.7.3.3"), // Code signing //new Oid("1.3.6.1.5.5.7.3.4"), // Email //new Oid("1.3.6.1.5.5.7.3.8") // Timestamping }; var certificate = createCertificates.NewRsaSelfSignedCertificate( new DistinguishedName { CommonName = "localhost" }, basicConstraints, new ValidityPeriod { ValidFrom = DateTimeOffset.UtcNow, ValidTo = DateTimeOffset.UtcNow.AddYears(1) }, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration { KeySize = keySize }); return(certificate); }
/// <summary> /// creates a development certificate /// </summary> /// <param name="dnsName">DNS name ie localhost etc</param> /// <param name="validityPeriodInYears">valid time in years</param> /// <param name="keySize">1024 2048 4096</param> /// <returns></returns> public X509Certificate2 CreateDevelopmentCertificate(string dnsName, int validityPeriodInYears, int keySize = 1024) { var basicConstraints = new BasicConstraints { CertificateAuthority = true, HasPathLengthConstraint = true, PathLengthConstraint = 3, Critical = true }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { dnsName, } }; var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.KeyAgreement; var enhancedKeyUsages = new OidCollection { OidLookup.ServerAuthentication, OidLookup.ClientAuthentication, OidLookup.CodeSigning, OidLookup.SecureEmail, OidLookup.TimeStamping }; var certificate = _createCertificates.NewRsaSelfSignedCertificate( new DistinguishedName { CommonName = dnsName }, basicConstraints, new ValidityPeriod { ValidFrom = DateTimeOffset.UtcNow, ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears) }, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration { KeySize = keySize }); return(certificate); }
/// <summary> /// RSA is a more popular choice. /// </summary> /// <param name="dnsName"></param> /// <param name="validityPeriodInYears"></param> /// <returns></returns> private static X509Certificate2 CreateRsaCertificate(string dnsName, int validityPeriodInYears) { var basicConstraints = new BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = false }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { dnsName, } }; var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; // only if certification authentication is used var enhancedKeyUsages = new OidCollection { OidLookup.ClientAuthentication, OidLookup.ServerAuthentication // OidLookup.CodeSigning, // OidLookup.SecureEmail, // OidLookup.TimeStamping }; var certificate = _cc.NewRsaSelfSignedCertificate( new DistinguishedName { CommonName = dnsName }, basicConstraints, new ValidityPeriod { ValidFrom = DateTimeOffset.UtcNow, ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears) }, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration { KeySize = 2048, HashAlgorithmName = HashAlgorithmName.SHA512 }); return(certificate); }
public static X509Certificate2 CreateRsaCertificateChained(CreateCertificates createCertificates, int keySize, X509Certificate2 parentCert) { var basicConstraints = new BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = false }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { "localhost", } }; var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; // only if mtls is used var enhancedKeyUsages = new OidCollection { OidLookup.ClientAuthentication, OidLookup.ServerAuthentication // OidLookup.CodeSigning, // OidLookup.SecureEmail, // OidLookup.TimeStamping }; var certificate = createCertificates.NewRsaChainedCertificate( new DistinguishedName { CommonName = "localhost" }, basicConstraints, new ValidityPeriod { ValidFrom = DateTimeOffset.UtcNow, ValidTo = DateTimeOffset.UtcNow.AddYears(1) }, subjectAlternativeName, parentCert, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration { KeySize = keySize }); return(certificate); }
public string CreateRSACertificatePFX(string dnsName, DateTimeOffset validFrom, DateTimeOffset validTo, string password) { var basicConstraints = new BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = false }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { dnsName } }; var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; // only if certification authentication is used var enhancedKeyUsages = new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), // TLS Server auth new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth }; var certificate = _createCertificates.NewRsaSelfSignedCertificate( new DistinguishedName { CommonName = dnsName }, basicConstraints, new ValidityPeriod { ValidFrom = validFrom, ValidTo = validTo }, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration { KeySize = (int)2048 } ); var rsaCertPfxBytes = _importExportCertificate.ExportSelfSignedCertificatePfx(password, certificate); var pfxBase64 = Convert.ToBase64String(rsaCertPfxBytes); return(pfxBase64); }
public static X509Certificate2 CreateRsaCertificate(string dnsName, int validityPeriodInYears) { var basicConstraints = new BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = false }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { dnsName, } }; var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; // only if certification authentication is used var enhancedKeyUsages = new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), // TLS Server auth new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth //new Oid("1.3.6.1.5.5.7.3.3"), // Code signing //new Oid("1.3.6.1.5.5.7.3.4"), // Email //new Oid("1.3.6.1.5.5.7.3.8") // Timestamping }; var certificate = _cc.NewRsaSelfSignedCertificate( new DistinguishedName { CommonName = dnsName }, basicConstraints, new ValidityPeriod { ValidFrom = DateTimeOffset.UtcNow, ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears) }, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration { KeySize = 2048 }); return(certificate); }
public static X509Certificate2 CreateRsaCertificate( string dnsName, int validityPeriodInYears) { BasicConstraints basicConstraints = new BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = false }; SubjectAlternativeName subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { dnsName } }; X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; OidCollection enhancedKeyUsages = new System.Security.Cryptography.OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), // TLS Server auth new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth }; X509Certificate2 certificate = _cc.NewRsaSelfSignedCertificate( new DistinguishedName { CommonName = dnsName }, basicConstraints, new ValidityPeriod { ValidFrom = DateTimeOffset.UtcNow, ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears) }, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new RsaConfiguration { KeySize = 2048 } ); return(certificate); }
public X509Certificate2 NewECDsaSelfSignedCertificate( BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags, CertificateRequest request) { X509Certificate2 generatedCertificate = SelfSignedConfiguration( basicConstraints, validityPeriod, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, request); return(generatedCertificate); }
public override int GetHashCode() { unchecked { var hashCode = (ThumbPrint != null ? ThumbPrint.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (Issuer != null ? Issuer.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (Subject != null ? Subject.GetHashCode() : 0); hashCode = (hashCode * 397) ^ ValidFrom.GetHashCode(); hashCode = (hashCode * 397) ^ ValidTo.GetHashCode(); hashCode = (hashCode * 397) ^ (KeyAlgoritm != null ? KeyAlgoritm.GetHashCode() : 0); hashCode = (hashCode * 397) ^ KeyLength; hashCode = (hashCode * 397) ^ (SerialNumber != null ? SerialNumber.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (Version != null ? Version.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (SubjectAlternativeName != null ? SubjectAlternativeName.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (CommonName != null ? CommonName.GetHashCode() : 0); return(hashCode); } }
public static X509Certificate2 CreateSubjectAlternativeNameDetails( SubjectAlternativeName subjectAlternativeName, CreateCertificates createCertificates) { var distinguishedName = new DistinguishedName { CommonName = "root dev", Country = "IT", Locality = "DD", Organisation = "SS", OrganisationUnit = "unit", StateProvince = "yes" }; var enhancedKeyUsages = new OidCollection { OidLookup.ClientAuthentication, OidLookup.ServerAuthentication }; var basicConstraints = new BasicConstraints { CertificateAuthority = true, HasPathLengthConstraint = true, PathLengthConstraint = 3, Critical = true }; var validityPeriod = new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }; var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign; var rootCert = createCertificates.NewECDsaSelfSignedCertificate( distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new ECDsaConfiguration()); return(rootCert); }
/// <summary> /// Create an intermediate chained certificate for Client and Server TLS Auth /// </summary> /// <param name="distinguishedName">Distinguished Name used for the subject and the issuer properties</param> /// <param name="validityPeriod">Valid from, Valid to certificate properties</param> /// <param name="pathLengthConstraint">path length for the amount of chained certificates</param> /// <param name="dnsName">Dns name use the certificate validation</param> /// <param name="parentCertificateAuthority"> Parent cert to create the chain from</param> /// <returns>X509Certificate2 intermediate chained certificate</returns> public X509Certificate2 NewIntermediateChainedCertificate( DistinguishedName distinguishedName, ValidityPeriod validityPeriod, int pathLengthConstraint, string dnsName, X509Certificate2 parentCertificateAuthority) { var enhancedKeyUsages = new OidCollection { OidLookup.ClientAuthentication, OidLookup.ServerAuthentication }; var basicConstraints = new BasicConstraints { CertificateAuthority = true, HasPathLengthConstraint = true, PathLengthConstraint = pathLengthConstraint, Critical = true }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { dnsName, } }; var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign; var intermediateCert = _createCertificates.NewECDsaChainedCertificate( distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, parentCertificateAuthority, enhancedKeyUsages, x509KeyUsageFlags, new ECDsaConfiguration()); return(intermediateCert); }
/// <summary> /// Create an intermediate chained certificate for Client and Server TLS Auth /// </summary> /// <param name="distinguishedName">Distinguished Name used for the subject and the issuer properties</param> /// <param name="validityPeriod">Valid from, Valid to certificate properties</param> /// <param name="pathLengthConstraint">path length for the amount of chained certificates</param> /// <param name="dnsName">Dns name use the certificate validation</param> /// <param name="parentCertificateAuthority"> Parent cert to create the chain from</param> /// <returns>X509Certificate2 intermediate chained certificate</returns> public X509Certificate2 NewIntermediateChainedCertificate( DistinguishedName distinguishedName, ValidityPeriod validityPeriod, int pathLengthConstraint, string dnsName, X509Certificate2 parentCertificateAuthority) { var enhancedKeyUsages = new OidCollection { new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth new Oid("1.3.6.1.5.5.7.3.1") // TLS Server auth }; var basicConstraints = new BasicConstraints { CertificateAuthority = true, HasPathLengthConstraint = true, PathLengthConstraint = pathLengthConstraint, Critical = true }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List<string> { dnsName, } }; var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign; var intermediateCert = _createCertificates.NewChainedCertificate( distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, parentCertificateAuthority, enhancedKeyUsages, x509KeyUsageFlags); return intermediateCert; }
public X509Certificate2 NewClientSelfSignedCertificate( DistinguishedName distinguishedName, ValidityPeriod validityPeriod, string dnsName) { var enhancedKeyUsages = new OidCollection { OidLookup.ClientAuthentication }; var basicConstraints = new BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = true }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { dnsName, } }; var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment; var clientCertSelfSigned = _createCertificates.NewECDsaSelfSignedCertificate( distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags, new ECDsaConfiguration()); return(clientCertSelfSigned); }
private X509Certificate2 NewRsaDeviceChainedCertificate( DistinguishedName distinguishedName, ValidityPeriod validityPeriod, string dnsName, OidCollection enhancedKeyUsages, X509Certificate2 parentCertificateAuthority, RsaConfiguration rsaConfiguration = null) { var basicConstraints = new BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = true }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { dnsName, } }; var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment; var deviceCert = _createCertificates.NewRsaChainedCertificate( distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, parentCertificateAuthority, enhancedKeyUsages, x509KeyUsageFlags, rsaConfiguration ?? new RsaConfiguration()); return(deviceCert); }
public X509Certificate2 NewClientSelfSignedCertificate( DistinguishedName distinguishedName, ValidityPeriod validityPeriod, string dnsName) { var enhancedKeyUsages = new OidCollection { new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth }; var basicConstraints = new BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = false, PathLengthConstraint = 0, Critical = true }; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List<string> { dnsName, } }; var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment; var clientCertSelfSigned = _createCertificates.NewSelfSignedCertificate( distinguishedName, basicConstraints, validityPeriod, subjectAlternativeName, enhancedKeyUsages, x509KeyUsageFlags); return clientCertSelfSigned; }
public X509Certificate2 NewECDsaChainedCertificate( BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, X509Certificate2 signingCertificate, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags, CertificateRequest request, ECDsa ecdsa) { if (signingCertificate == null) { throw new ArgumentNullException(nameof(signingCertificate)); } if (!signingCertificate.HasPrivateKey) { throw new Exception("Signing cert must have private key"); } X509Certificate2 cert = ChainedConfiguration( basicConstraints, validityPeriod, subjectAlternativeName, signingCertificate, enhancedKeyUsages, x509KeyUsageFlags, request); if (ecdsa == null) { return(cert); } else { return(cert.CopyWithPrivateKey(ecdsa)); } }
public X509Certificate2 NewRsaChainedCertificate( DistinguishedName distinguishedName, BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, X509Certificate2 signingCertificate, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags, RsaConfiguration rsaConfiguration) { if (signingCertificate == null) { throw new ArgumentNullException(nameof(signingCertificate)); } if (!signingCertificate.HasPrivateKey) { throw new Exception("Signing cert must have private key"); } using var rsa = RSA.Create(rsaConfiguration.KeySize); var request = new CertificateRequest( _certificateUtility.CreateIssuerOrSubject(distinguishedName), rsa, rsaConfiguration.HashAlgorithmName, rsaConfiguration.RSASignaturePadding); X509Certificate2 cert = ChainedConfiguration( basicConstraints, validityPeriod, subjectAlternativeName, signingCertificate, enhancedKeyUsages, x509KeyUsageFlags, request); return(cert.CopyWithPrivateKey(rsa)); }
static void Main(string[] args) { var serviceProvider = new ServiceCollection() .AddCertificateManager() .BuildServiceProvider(); var createCertificates = serviceProvider.GetService <CreateCertificates>(); var certificateUtility = serviceProvider.GetService <CertificateUtility>(); string password = "******"; var signingCertificate = new X509Certificate2("root.cert.pfx", password); var enhancedKeyUsages = new OidCollection { OidLookup.ClientAuthentication, OidLookup.ServerAuthentication }; var basicConstraints = new CertificateManager.Models.BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = true, PathLengthConstraint = 3, Critical = true }; var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.NonRepudiation; // Read in CSR data from a file Pkcs10CertificationRequest decodedCsr = (Pkcs10CertificationRequest) new PemReader(new StringReader(File.ReadAllText(args[0]))).ReadObject(); // Get Common Name (CN) from CSR Subject CertificationRequestInfo csrData = decodedCsr.GetCertificationRequestInfo(); var subjectKeyPairs = csrData.Subject.ToString().Split(',') .Select(x => x.Split('=')) .Where(x => x.Length == 2) .ToDictionary(x => x.First(), x => x.Last()); var commonName = subjectKeyPairs["CN"]; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { commonName, } }; // Get Public key data from CSR and create RSA data based on that RsaKeyParameters rsaKeyParams = (RsaKeyParameters)decodedCsr.GetPublicKey(); var rsaParams = new RSAParameters(); rsaParams.Modulus = rsaKeyParams.Modulus.ToByteArray(); rsaParams.Exponent = rsaKeyParams.Exponent.ToByteArray(); var rsa = RSA.Create(); rsa.ImportParameters(rsaParams); // Create Certificate Request with the data extracted from csr file earlier var rsaConfiguration = new RsaConfiguration(); var request = new CertificateRequest( certificateUtility.CreateIssuerOrSubject(new DistinguishedName { CommonName = commonName }), rsa, rsaConfiguration.HashAlgorithmName, rsaConfiguration.RSASignaturePadding); // Sign the csr var device1Certificate = createCertificates.NewRsaChainedCertificate( basicConstraints, new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(1) }, subjectAlternativeName, signingCertificate, enhancedKeyUsages, x509KeyUsageFlags, request, null); // Export content of certificates into files var importExportCertificate = serviceProvider.GetService <ImportExportCertificate>(); var deviceCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(device1Certificate); var signingCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(signingCertificate); File.WriteAllText("device1.cert.pem", deviceCertificatePem); File.WriteAllText("device1-full-chain.cert.pem", String.Concat(deviceCertificatePem, signingCertificatePem)); Console.WriteLine("Certificates exported to pem files"); }
private X509Certificate2 ChainedConfiguration(BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, X509Certificate2 signingCertificate, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags, CertificateRequest request) { _certificateUtility.AddBasicConstraints(request, basicConstraints); _certificateUtility.AddExtendedKeyUsages(request, x509KeyUsageFlags); // set the AuthorityKeyIdentifier. There is no built-in // support, so it needs to be copied from the Subject Key // Identifier of the signing certificate and massaged slightly. // AuthorityKeyIdentifier is "KeyID=<subject key identifier>" foreach (var item in signingCertificate.Extensions) { if (item.Oid.Value == "2.5.29.14") // "Subject Key Identifier" { var issuerSubjectKey = item.RawData; //var issuerSubjectKey = signingCertificate.Extensions["Subject Key Identifier"].RawData; var segment = new ArraySegment <byte>(issuerSubjectKey, 2, issuerSubjectKey.Length - 2); var authorityKeyIdentifier = new byte[segment.Count + 4]; // "KeyID" bytes authorityKeyIdentifier[0] = 0x30; authorityKeyIdentifier[1] = 0x16; authorityKeyIdentifier[2] = 0x80; authorityKeyIdentifier[3] = 0x14; segment.CopyTo(authorityKeyIdentifier, 4); request.CertificateExtensions.Add(new X509Extension("2.5.29.35", authorityKeyIdentifier, false)); break; } } _certificateUtility.AddSubjectAlternativeName(request, subjectAlternativeName); // Enhanced key usages request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(enhancedKeyUsages, false)); // add this subject key identifier request.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(request.PublicKey, false)); // certificate expiry: Valid from Yesterday to Now+365 days // Unless the signing cert's validity is less. It's not possible // to create a cert with longer validity than the signing cert. var notbefore = validityPeriod.ValidFrom.AddDays(-1); if (notbefore < signingCertificate.NotBefore) { notbefore = new DateTimeOffset(signingCertificate.NotBefore); } var notafter = validityPeriod.ValidTo; if (notafter > signingCertificate.NotAfter) { notafter = new DateTimeOffset(signingCertificate.NotAfter); } // cert serial is the epoch/unix timestamp var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); var unixTime = Convert.ToInt64((DateTime.UtcNow - epoch).TotalSeconds); var serial = BitConverter.GetBytes(unixTime); var cert = request.Create( signingCertificate, notbefore, notafter, serial); return(cert); }
private X509Certificate2 SelfSignedConfiguration(BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags, CertificateRequest request) { _certificateUtility.AddBasicConstraints(request, basicConstraints); _certificateUtility.AddExtendedKeyUsages(request, x509KeyUsageFlags); _certificateUtility.AddSubjectAlternativeName(request, subjectAlternativeName); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(enhancedKeyUsages, false)); request.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(request.PublicKey, false)); var notbefore = validityPeriod.ValidFrom.AddDays(-1); var notafter = validityPeriod.ValidTo; X509Certificate2 generatedCertificate = request.CreateSelfSigned(notbefore, notafter); return(generatedCertificate); }
public X509Certificate2 NewChainedCertificate( DistinguishedName distinguishedName, BasicConstraints basicConstraints, ValidityPeriod validityPeriod, SubjectAlternativeName subjectAlternativeName, X509Certificate2 signingCertificate, OidCollection enhancedKeyUsages, X509KeyUsageFlags x509KeyUsageFlags) { if (signingCertificate == null) { throw new ArgumentNullException(nameof(signingCertificate)); } if (!signingCertificate.HasPrivateKey) { throw new Exception("Signing cert must have private key"); } using var ecdsa = ECDsa.Create("ECDsa"); ecdsa.KeySize = 256; var request = new CertificateRequest( _certificateUtility.CreateIssuerOrSubject(distinguishedName), ecdsa, HashAlgorithmName.SHA256); _certificateUtility.AddBasicConstraints(request, basicConstraints); _certificateUtility.AddExtendedKeyUsages(request, x509KeyUsageFlags); // set the AuthorityKeyIdentifier. There is no built-in // support, so it needs to be copied from the Subject Key // Identifier of the signing certificate and massaged slightly. // AuthorityKeyIdentifier is "KeyID=<subject key identifier>" var issuerSubjectKey = signingCertificate.Extensions["Subject Key Identifier"].RawData; var segment = new ArraySegment <byte>(issuerSubjectKey, 2, issuerSubjectKey.Length - 2); var authorityKeyIdentifier = new byte[segment.Count + 4]; // "KeyID" bytes authorityKeyIdentifier[0] = 0x30; authorityKeyIdentifier[1] = 0x16; authorityKeyIdentifier[2] = 0x80; authorityKeyIdentifier[3] = 0x14; segment.CopyTo(authorityKeyIdentifier, 4); request.CertificateExtensions.Add(new X509Extension("2.5.29.35", authorityKeyIdentifier, false)); _certificateUtility.AddSubjectAlternativeName(request, subjectAlternativeName); // Enhanced key usages request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(enhancedKeyUsages, false)); // add this subject key identifier request.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(request.PublicKey, false)); // certificate expiry: Valid from Yesterday to Now+365 days // Unless the signing cert's validity is less. It's not possible // to create a cert with longer validity than the signing cert. var notbefore = validityPeriod.ValidFrom.AddDays(-1); if (notbefore < signingCertificate.NotBefore) { notbefore = new DateTimeOffset(signingCertificate.NotBefore); } var notafter = validityPeriod.ValidTo; if (notafter > signingCertificate.NotAfter) { notafter = new DateTimeOffset(signingCertificate.NotAfter); } // cert serial is the epoch/unix timestamp var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); var unixTime = Convert.ToInt64((DateTime.UtcNow - epoch).TotalSeconds); var serial = BitConverter.GetBytes(unixTime); // create and return the generated and signed using var cert = request.Create( signingCertificate, notbefore, notafter, serial); return(cert.CopyWithPrivateKey(ecdsa)); }