public string CreateRequest(string cn, string ou, string o, string l, string s, string c, string oid, int keylength)
{
var objCSPs = new CCspInformations();
objCSPs.AddAvailableCsps();
var objPrivateKey = new CX509PrivateKey();
objPrivateKey.Length = keylength;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379409(v=vs.85).aspx
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379417(v=vs.85).aspx
objPrivateKey.MachineContext = false; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379024(v=vs.85).aspx
objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379412(v=vs.85).aspx
objPrivateKey.CspInformations = objCSPs;
objPrivateKey.Create();
var objPkcs10 = new CX509CertificateRequestPkcs10();
objPkcs10.InitializeFromPrivateKey(
X509CertificateEnrollmentContext.ContextUser, //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379399(v=vs.85).aspx
objPrivateKey,
string.Empty);
var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
objExtensionKeyUsage.InitializeEncode(
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE | // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE); // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379410(v=vs.85).aspx
objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
var objObjectId = new CObjectId();
var objObjectIds = new CObjectIds();
var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
//objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1");
objObjectId.InitializeFromValue(oid); //Some info about OIDS: http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
objObjectIds.Add(objObjectId);
objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
// TODO: Create CERTS with SAN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378081(v=vs.85).aspx
/*
var test3 = new CX509ExtensionAlternativeNames();
var test4 = new CAlternativeName();
var test2 = new CAlternativeNames();
test4.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME,"CRAP.no");
test2.Add(test4);
test3.InitializeEncode(test2);
*/
//objPkcs10.X509Extensions.Add((CX509Extension));
var objDN = new CX500DistinguishedName();
var subjectName = "CN = " + cn + ",OU = " + ou + ",O = " + o + ",L = " + l + ",S = " + s + ",C = " + c;
objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE); //http://msdn.microsoft.com/en-us/library/windows/desktop/aa379394(v=vs.85).aspx
objPkcs10.Subject = objDN;
var objEnroll = new CX509Enrollment();
objEnroll.InitializeFromRequest(objPkcs10);
var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //http://msdn.microsoft.com/en-us/library/windows/desktop/aa374936(v=vs.85).aspx
return strRequest;
}
/// <summary>
/// Submit a certificate signing request to a certificate authority, such as a server running Active Directory Certificate Services, and return the certificate or response.
/// </summary>
/// <param name="csr">Certificate signing request to be submitted.</param>
/// <param name="friendlyName">The friendly name of the certificate.</param>
/// <param name="caServer">The certificate authority server instance.</param>
/// <param name="csrResponse">Response from the certificate signing request, represented as a CsrResponse enum.</param>
/// <param name="dispositionMessage">Message returned when a certificate signing fails.</param>
public X509Certificate2 SubmitCertificateSigningRequest(CX509CertificateRequestCertificate csr, string friendlyName, string caServer, out CsrResponse csrResponse, out string dispositionMessage)
{
// Convert the certificate signing request to base-64..
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(csr);
enrollment.CertificateFriendlyName = friendlyName;
string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
// Submit the request to the certificate authority.
CCertRequest certRequest = new CCertRequest();
int csrResponseCode = certRequest.Submit(CR_IN_BASE64 | CR_IN_FORMATANY, csrText, string.Empty, caServer);
// React to our response response from the certificate authority.
switch (csrResponseCode)
{
case 3: // Issued.
csrResponse = CsrResponse.CR_DISP_ISSUED;
dispositionMessage = "";
return new X509Certificate2(Encoding.UTF8.GetBytes(certRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN)));
case 5: // Pending.
csrResponse = CsrResponse.CR_DISP_UNDER_SUBMISSION;
dispositionMessage = "";
return null;
default: // Failure.
csrResponse = CsrResponse.CR_DISP_FAILED;
dispositionMessage = certRequest.GetDispositionMessage();
return null;
}
}
/// <summary>
/// Load the response from the CA -- just the signed certificate, not the signers.
/// </summary>
/// <param name="pem_response">Signed certificate</param>
/// <returns>The full certificate</returns>
public static X509Certificate2 LoadResponse(string pem_response, StoreLocation loc)
{
X509Certificate2 cert;
CX509Enrollment objEnroll = new CX509Enrollment();
if (loc == StoreLocation.LocalMachine)
{
objEnroll.Initialize(X509CertificateEnrollmentContext.ContextMachine);
}
else
{
objEnroll.Initialize(X509CertificateEnrollmentContext.ContextUser);
}
objEnroll.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedRoot,
pem_response,
EncodingType.XCN_CRYPT_STRING_BASE64HEADER,
null
);
string pfx_string = objEnroll.CreatePFX("dummypw", PFXExportOptions.PFXExportEEOnly, EncodingType.XCN_CRYPT_STRING_BASE64);
byte[] pfx_binary_data = System.Convert.FromBase64String(pfx_string);
cert = new X509Certificate2(pfx_binary_data, "dummypw", X509KeyStorageFlags.Exportable);
//CreatedCert = cert;
return(cert);
}
private string CreateCertificate(string publisherName)
{
var cert = CreateCertificateRequest(publisherName);
AddKeyUsage(cert);
AddExtendedKeyUsage(cert);
AddBasicConstraints(cert);
// Specify the hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
cert.HashAlgorithm = hashobj;
cert.Encode();
// Do the final enrollment process
var enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(cert); // load the certificate
enrollment.CertificateFriendlyName = cert.Subject.Name;
var request = enrollment.CreateRequest();
enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, request, EncodingType.XCN_CRYPT_STRING_BASE64, "");
var base64Encoded = enrollment.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
return(base64Encoded);
}
/// <summary>
/// Generate a self-signed certificate and add it to the Windows certificate store.
/// </summary>
/// <param name="subjectName">The subject name of the certificate.</param>
/// <param name="friendlyName">The friendly name of the certificate.</param>
/// <param name="location">Location of the certificate; either the Current User or Local Machine.</param>
/// <param name="addAsTrustedRoot">Whether to add the generated certificate as a trusted root.</param>
/// <param name="keyLength">Size of the key in bits.</param>
/// <param name="durationYears">Duration of the certificate, specified in years.</param>
/// <param name="oids">Collection of OIDs identifying certificate usage.</param>
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, string friendlyName, StoreLocation location, bool addAsTrustedRoot, int keyLength, int durationYears, List <string> oids)
{
// Create the self-signing request.
CX509CertificateRequestCertificate cert = CreateCertificateSigningRequest(subjectName, keyLength, durationYears, oids);
// Enroll based on the certificate signing request.
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(cert);
enrollment.CertificateFriendlyName = friendlyName;
string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
// Install the certificate chain. Note that no password is specified.
enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csrText, EncodingType.XCN_CRYPT_STRING_BASE64, "");
// Base-64 encode the PKCS#12 certificate in order to re-import it.
string pfx = enrollment.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
// Instantiate the PKCS#12 certificate.
X509Certificate2 certificate = new X509Certificate2(System.Convert.FromBase64String(pfx), "", X509KeyStorageFlags.Exportable);
// If specified, also install the certificate to the trusted root store.
if (addAsTrustedRoot)
{
X509Store rootStore = new X509Store(StoreName.Root, location);
rootStore.Open(OpenFlags.ReadWrite);
rootStore.Add(certificate);
rootStore.Close();
}
return(certificate);
}
static void Main()
{
CX509Enrollment enroll = new CX509Enrollment();
CX509PrivateKey pri = new CX509PrivateKey();
CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
CX500DistinguishedName dn = new CX500DistinguishedName();
pri.ProviderName = "eToken Base Cryptographic Provider";
pri.Length = 2048;
pri.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
//pri.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG;
pri.ProviderType = X509ProviderType.XCN_PROV_RSA_FULL;
pri.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
request.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, pri, "");
dn.Encode("CN=KimiNoNaWa", X500NameFlags.XCN_CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG);
request.Subject = dn;
enroll.InitializeFromRequest(request);
string pkcs10 = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
Console.WriteLine(pkcs10);
//Do Enrollment
//Install certificate
//enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, pkcs10, EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER, "");
}
/// <summary>
/// Installs the certificate
/// </summary>
/// <returns></returns>
public X509Certificate2 InstallCertficate()
{
CX509Enrollment objEnroll = new CX509Enrollment();
try
{
// Install the certificate
objEnroll.InitializeFromRequest(objCertRequest);
objEnroll.InstallResponse(
this.InstallResponseRestrictionFlags,
stringResponse,
this.EncodingType,
this.Password
);
var base64encoded = objEnroll.CreatePFX(this.Password, PFXExportOptions.PFXExportChainWithRoot);
return(new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), this.Password,
this.ExportableFlags));
}
catch (Exception ex)
{
throw ex;
}
}
/// <summary>
/// Submit a certificate signing request to a certificate authority, such as a server running Active Directory Certificate Services, and return the certificate or response.
/// </summary>
/// <param name="csr">Certificate signing request to be submitted.</param>
/// <param name="friendlyName">The friendly name of the certificate.</param>
/// <param name="caServer">The certificate authority server instance.</param>
/// <param name="csrResponse">Response from the certificate signing request, represented as a CsrResponse enum.</param>
/// <param name="dispositionMessage">Message returned when a certificate signing fails.</param>
public X509Certificate2 SubmitCertificateSigningRequest(CX509CertificateRequestCertificate csr, string friendlyName, string caServer, out CsrResponse csrResponse, out string dispositionMessage)
{
// Convert the certificate signing request to base-64..
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(csr);
enrollment.CertificateFriendlyName = friendlyName;
string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
// Submit the request to the certificate authority.
CCertRequest certRequest = new CCertRequest();
int csrResponseCode = certRequest.Submit(CR_IN_BASE64 | CR_IN_FORMATANY, csrText, string.Empty, caServer);
// React to our response response from the certificate authority.
switch (csrResponseCode)
{
case 3: // Issued.
csrResponse = CsrResponse.CR_DISP_ISSUED;
dispositionMessage = "";
return(new X509Certificate2(Encoding.UTF8.GetBytes(certRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN))));
case 5: // Pending.
csrResponse = CsrResponse.CR_DISP_UNDER_SUBMISSION;
dispositionMessage = "";
return(null);
default: // Failure.
csrResponse = CsrResponse.CR_DISP_FAILED;
dispositionMessage = certRequest.GetDispositionMessage();
return(null);
}
}
private string BuildEncodedCsr(CX509CertificateRequestPkcs10 pkcs10)
{
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(pkcs10);
return(enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64));
}
/// <summary>
/// Creates a self signed certificate given the parameters.
/// </summary>
/// <param name="subject"></param>
/// <param name="cipher"></param>
/// <param name="keysize"></param>
/// <param name="api"></param>
/// <returns></returns>
public X509Certificate2 CreateSelfSignedCertificate(CertificateSubject subject, CipherAlgorithm cipher, int keysize, WindowsApi api)
{
CX509PrivateKey privateKey = CreatePrivateKey(cipher, keysize);
CX509CertificateRequestCertificate pkcs10 = NewCertificateRequestCrc(subject, privateKey);
pkcs10.Issuer = pkcs10.Subject;
pkcs10.NotBefore = DateTime.Now.AddDays(-1);
pkcs10.NotAfter = DateTime.Now.AddYears(20);
var sigoid = new CObjectId();
var alg = new Oid("SHA256");
sigoid.InitializeFromValue(alg.Value);
pkcs10.SignatureInformation.HashAlgorithm = sigoid;
pkcs10.Encode();
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(pkcs10);
string csr = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
InstallResponseRestrictionFlags restrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate;
enrollment.InstallResponse(restrictionFlags, csr, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty);
string pwd = secret.NewSecret(16);
string pfx = enrollment.CreatePFX(pwd, PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64);
return(new X509Certificate2(Convert.FromBase64String(pfx), pwd));
}
// create a certificate for testing
// https://stackoverflow.com/q/18339706
static public X509Certificate2 CreateSelfSignedCertificate(string subjectName, TimeSpan expirationLength)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
CX509PrivateKey privateKey = new CX509PrivateKey
{
ProviderName = "Microsoft Strong Cryptographic Provider",
Length = 2048,
KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE,
KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG | X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG,
MachineContext = true,
ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
};
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now.Date;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = cert.NotBefore + expirationLength;
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return(new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
// mark private key to go into the Machine store instead of the current users store
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet
));
}
public static X509Certificate2 CreateSelfSignedCertificate(string issuer, string name)
{
try
{
// create a DN for issuer and subject
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + issuer, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a private key for the certificate
var privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage (look at MSDN for a list of possible OIDs)
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Issuer = dn;
cert.Subject = dn;
cert.NotBefore = DateTime.Now;
cert.NotAfter = DateTime.Now.AddYears(1); // 1 year expiration
cert.X509Extensions.Add((CX509Extension)eku);
cert.HashAlgorithm = hashobj;
cert.Encode();
// do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert);
enroll.CertificateFriendlyName = name;
string csr = enroll.CreateRequest();
// output a base64 encoded PKCS#12
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");
var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
// return the certificate
return(new X509Certificate2(Convert.FromBase64String(base64encoded), "", X509KeyStorageFlags.Exportable));
}
catch (Exception exc)
{
Trace.TraceError("Failed to create a self-signed certificate ({0})", exc);
throw;
}
}
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName)
{
//To make a certificate was used system library from CERTENROLLLib
//This lib provides methods for creation certificates in windows envinronment
//Defines the subject and issuer of the cert
CX500DistinguishedName dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
//Create a new private key for the certificate
//Was decided not to make them variably in this progr
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0"; //issuer for a selfsigned certificate
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; //Use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
//Use trong SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // The issuer and the subject are the same
cert.NotBefore = DateTime.Now;
cert.NotAfter = new DateTime(2018, 12, 31); // I don't think that anybody cares about using this cert longer than this period
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // Encode the certificate
// Do the final stuff
//Enroll is
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // password isn't possible
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return(new X509Certificate2(Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable, coz we want to put it into registry
X509KeyStorageFlags.Exportable));
}
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, DateTime startDate, DateTime endDate, String password)
{
// Create DistinguishedName for subject and issuer
var name = new CX500DistinguishedName();
name.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Create a new Private Key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider";
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.Length = 2048;
privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)";
privateKey.MachineContext = true;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.Create();
// Define the hashing algorithm
var serverauthoid = new CObjectId();
serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // Server Authentication
var ekuoids = new CObjectIds();
ekuoids.Add(serverauthoid);
var ekuext = new CX509ExtensionEnhancedKeyUsage();
ekuext.InitializeEncode(ekuoids);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, String.Empty);
cert.Subject = name;
cert.Issuer = cert.Subject;
cert.NotBefore = startDate;
cert.NotAfter = endDate;
cert.X509Extensions.Add((CX509Extension)ekuext);
cert.Encode();
// Enroll the certificate
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert);
string certData = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER);
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
certData, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, String.Empty);
var base64encoded = enroll.CreatePFX(password, PFXExportOptions.PFXExportChainWithRoot);
// Instantiate the target class with the PKCS#12 data
return(new X509Certificate2(
System.Convert.FromBase64String(base64encoded), password,
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable));
}
public void InstallResponse(string strCert, string strRequest)
{
// Create Objects
var objEnroll = new CX509Enrollment();
// Install the cert
objEnroll.Initialize(X509CertificateEnrollmentContext.ContextMachine);
objEnroll.InstallResponse(InstallResponseRestrictionFlags.AllowNone,
strCert, EncodingType.XCN_CRYPT_STRING_BASE64, null);
}
internal static Pkcs10CertificationRequest createKeyPair()
{
var objCSPs = new CCspInformations();
objCSPs.AddAvailableCsps();
var objPrivateKey = new CX509PrivateKey();
objPrivateKey.Length = 1024;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
objPrivateKey.MachineContext = false;
objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
objPrivateKey.CspInformations = objCSPs;
objPrivateKey.Create();
var objPkcs10 = new CX509CertificateRequestPkcs10();
objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser,
objPrivateKey,
string.Empty);
//var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
//objExtensionKeyUsage.InitializeEncode(
// CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE |
// CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_CRL_SIGN_KEY_USAGE);
//objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
//var objObjectId = new CObjectId();
//var objObjectIds = new CObjectIds();
//var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
//objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
//objObjectIds.Add(objObjectId);
//objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
//objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
var objDN = new CX500DistinguishedName();
var subjectName = "CN = shaunxu.me, OU = ADCS, O = Blog, L = Beijng, S = Beijing, C = CN";
objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
objPkcs10.Subject = objDN;
var objEnroll = new CX509Enrollment();
objEnroll.InitializeFromRequest(objPkcs10);
var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
Pkcs10CertificationRequest p10 = new Pkcs10CertificationRequest(Convert.FromBase64String(strRequest));
return(p10);
}
private X509Certificate2 CreateNewCertificate(CX509CertificateRequestCertificate cert)
{
var enr = new CX509Enrollment
{
CertificateFriendlyName = FriendlyName
};
enr.InitializeFromRequest(cert);
string endCert = enr.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
enr.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, endCert, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty);
byte[] certBytes = Convert.FromBase64String(endCert);
return(new X509Certificate2(certBytes));
}
protected static string GenerateCSR()
{
var objPrivateKey = new CX509PrivateKey();
objPrivateKey.MachineContext = false;
objPrivateKey.Length = 2048;
objPrivateKey.ProviderType = X509ProviderType.XCN_PROV_RSA_AES;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
objPrivateKey.CspInformations = new CCspInformations();
objPrivateKey.CspInformations.AddAvailableCsps();
objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
objPrivateKey.Create();
var cert = new CX509CertificateRequestPkcs10();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, string.Empty);
var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
objExtensionKeyUsage.InitializeEncode((X509KeyUsageFlags)X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
);
cert.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
var cobjectId = new CObjectId();
cobjectId.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_PKIX_KP_CLIENT_AUTH);
var cobjectIds = new CObjectIds();
cobjectIds.Add(cobjectId);
var pValue = cobjectIds;
var cx509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
cx509ExtensionEnhancedKeyUsage.InitializeEncode(pValue);
cert.X509Extensions.Add((CX509Extension)cx509ExtensionEnhancedKeyUsage);
var cx509Enrollment = new CX509Enrollment();
cx509Enrollment.InitializeFromRequest(cert);
var output = cx509Enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
return(output);
}
protected static void ExportCertificate(byte[] certificateData, string outputPath, string password)
{
var certificateEnrollmentContext = X509CertificateEnrollmentContext.ContextUser;
CX509Enrollment cx509Enrollment = new CX509Enrollment();
cx509Enrollment.Initialize(certificateEnrollmentContext);
cx509Enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, Convert.ToBase64String(certificateData), EncodingType.XCN_CRYPT_STRING_BASE64, null);
var pfx = cx509Enrollment.CreatePFX(password, PFXExportOptions.PFXExportChainNoRoot, EncodingType.XCN_CRYPT_STRING_BASE64);
using (var fs = File.OpenWrite(outputPath))
{
var decoded = Convert.FromBase64String(pfx);
fs.Write(decoded, 0, decoded.Length);
}
}
//rennew certficiate that expired
public int RenewCert(string Cert, int reqid)
{
int iDisposition;
string CertifcateStr;
string status;
string HostName;
CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10();
CX509Enrollment objEnroll = new CX509Enrollment();
CCertConfig objCertConfig = new CCertConfig();
CX500DistinguishedName objDN = new CX500DistinguishedName();
CCertAdmin objCertAdmin = new CCertAdmin();
string strCAConfig;
var inheritOptions = X509RequestInheritOptions.InheritPrivateKey | X509RequestInheritOptions.InheritSubjectFlag | X509RequestInheritOptions.InheritExtensionsFlag | X509RequestInheritOptions.InheritSubjectAltNameFlag;
try
{
strCAConfig = objCertConfig.GetConfig(CC_DEFAULTCONFIG); //connect to the ca
InstallCert(Cert);
objPkcs10.InitializeFromCertificate(X509CertificateEnrollmentContext.ContextUser, Cert, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, inheritOptions); //create new cert request from exists expired cert
objDN = objPkcs10.Subject; //getting old cert subject (hostname)
HostName = objDN.Name.ToString().Substring(3);
objEnroll.InitializeFromRequest(objPkcs10); //create enroll rquest
CertifcateStr = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //crearte new cert request
Database db = new Database();
var cert = db.ReturnCertificateInformation(HostName);
db.DeleteCertificateRecordFromDb(reqid);
// revokeCert(cert.serialnumber);
iDisposition = SubmitRequest(CertifcateStr, HostName); //submit cert to the ca
objCertAdmin.ResubmitRequest(strCAConfig, iDisposition); //issue the Certificate
if (iDisposition > 0) //if cert was created delete the old cert from the table
{
DeleteCertificateFromStore(objDN.Name.ToString());
return(iDisposition);
}
return(0);
}
catch (Exception ex)
{
status = ex.Message;
Database db = new Database();
db.InsertToErrorMessageTable("", reqid, ex.Message, "RenewCert");//insert Error Message into The Error Table Log In The DataBase
return(1);
}
}
/*Install Certificate On the Machine For future Renew Expired Certificate */
public int InstallCert(string Cert)
{
// Create all the objects that will be required
CX509Enrollment objEnroll = new CX509Enrollment();
try
{
// Install the certificate
objEnroll.Initialize(X509CertificateEnrollmentContext.ContextUser);
objEnroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, Cert, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, null);
return(0);
}
catch (Exception ex)
{
Console.Write(ex.Message);
return(1);
}
}
public void InstallAndDownload(string certText, string password, string friendlyName)
{
var enroll = new CX509Enrollment();
enroll.Initialize(X509CertificateEnrollmentContext.ContextUser);
enroll.CertificateFriendlyName = friendlyName;
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot,
certText,
EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER,
password
);
var dir = Directory.GetParent(Assembly.GetExecutingAssembly().Location).ToString();
var pfx = enroll.CreatePFX(password, PFXExportOptions.PFXExportChainWithRoot);
var fileName = "cert.pfx";
var filePath = $@"{dir}\{fileName}";
Download(filePath, pfx);
Install(filePath, password);
}
public virtual string CreateRequest()
{
Trace.TraceInformation(Resources.CertificateCreateRequest);
if (Request == null)
{
Trace.TraceError(Resources.CertificateCreateRequestNull);
throw new InvalidOperationException(Resources.CertificateCreateRequestNull);
}
var enrollment =
new CX509Enrollment();
enrollment.InitializeFromRequest(Request);
var request =
enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER);
return(request);
}
/*Install Certificate On the Machine For future Renew Expired Certificate */
public int InstallCert(string Cert)
{
// Create all the objects that will be required
CX509Enrollment objEnroll = new CX509Enrollment();
try
{
// Install the certificate
objEnroll.Initialize(X509CertificateEnrollmentContext.ContextUser);
objEnroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, Cert, EncodingType.XCN_CRYPT_STRING_BASE64HEADER, null);
return(0);
}
catch (Exception ex)
{
Database db = new Database();
db.InsertToErrorMessageTable("", 0, ex.Message, "InstallCert");//insert Error Message into The Error Table Log In The DataBase
return(1);
}
}
public string CreateTemplateRequest(string cn, string ou, string o, string l, string s, string c,
int keyLength,
string templateName)
{
var csp = new CCspInformations();
csp.AddAvailableCsps();
var privateKey = new CX509PrivateKey();
privateKey.Length = keyLength;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
privateKey.MachineContext = false;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.CspInformations = csp;
privateKey.Create();
var pkcs10 = new CX509CertificateRequestPkcs10();
pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser,
privateKey,
templateName);
var san = GetSAN(cn);
pkcs10.X509Extensions.Add((CX509Extension)san);
var distinguishedName = new CX500DistinguishedName();
var subjectName = $"{cn},OU = {ou},O = {o} ,L = {l},S = {s},C = {c}";
distinguishedName.Encode(subjectName);
pkcs10.Subject = distinguishedName;
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(pkcs10);
var strRequest = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER);
return(strRequest);
}
// enroll a certificate based on given template name
public static void EnrollCert(
string templateName,
string subjectName,
string friendlyName)
{
// create a CX509Enrollment object
// either from CX509EnrollmentClass or CX509Enrollment should work
//CX509EnrollmentClass objEnroll = new CX509EnrollmentClass();
CX509Enrollment objEnroll = new CX509Enrollment();
// initialize the CX509Enrollment object
objEnroll.InitializeFromTemplateName(
X509CertificateEnrollmentContext.ContextUser,
templateName);
// set up the subject name
//
// first get the request
IX509CertificateRequest iRequest = objEnroll.Request;
// then get the inner PKCS10 request
IX509CertificateRequest iInnerRequest =
iRequest.GetInnerRequest(InnerRequestLevel.LevelInnermost);
IX509CertificateRequestPkcs10 iRequestPkcs10 =
iInnerRequest as IX509CertificateRequestPkcs10;
// create CX500DistinguishedName
CX500DistinguishedName objName = new CX500DistinguishedName();
objName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// set up the subject name
iRequestPkcs10.Subject = objName;
// set up friendly name
objEnroll.CertificateFriendlyName = friendlyName;
// enroll for the certificate, which should install the certficate
// in MY store if the certificate is successfully issued by CA
objEnroll.Enroll();
}
// enroll a certificate based on given template name
public static void EnrollCert(
string templateName,
string subjectName,
string friendlyName)
{
// create a CX509Enrollment object
// either from CX509EnrollmentClass or CX509Enrollment should work
//CX509EnrollmentClass objEnroll = new CX509EnrollmentClass();
CX509Enrollment objEnroll = new CX509Enrollment();
// initialize the CX509Enrollment object
objEnroll.InitializeFromTemplateName(
X509CertificateEnrollmentContext.ContextUser,
templateName);
// set up the subject name
//
// first get the request
IX509CertificateRequest iRequest = objEnroll.Request;
// then get the inner PKCS10 request
IX509CertificateRequest iInnerRequest =
iRequest.GetInnerRequest(InnerRequestLevel.LevelInnermost);
IX509CertificateRequestPkcs10 iRequestPkcs10 =
iInnerRequest as IX509CertificateRequestPkcs10;
// create CX500DistinguishedName
CX500DistinguishedName objName = new CX500DistinguishedName();
objName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// set up the subject name
iRequestPkcs10.Subject = objName;
// set up friendly name
objEnroll.CertificateFriendlyName = friendlyName;
// enroll for the certificate, which should install the certficate
// in MY store if the certificate is successfully issued by CA
objEnroll.Enroll();
}
public static Certificate InstallResponse(string response)
{
Trace.TraceInformation(Resources.CertificateInstallResponce);
if (String.IsNullOrWhiteSpace(response))
{
Trace.TraceError(Resources.CertificateResponseNull);
throw new ArgumentNullException(Resources.CertificateResponseNull);
}
var enrollment =
new CX509Enrollment();
enrollment.Initialize(X509CertificateEnrollmentContext.ContextMachine);
enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, response, EncodingType.XCN_CRYPT_STRING_BASE64_ANY, null);
var cerificateData =
Convert.FromBase64String(enrollment.Certificate);
return(new Certificate(cerificateData));
}
public SSLCertificate InstallCertificate(SSLCertificate cert, WebSite website)
{
CX509Enrollment response = Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509Enrollment", true)) as CX509Enrollment;
try
{
response.Initialize(X509CertificateEnrollmentContext.ContextMachine);
response.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedRoot,
cert.Certificate, EncodingType.XCN_CRYPT_STRING_BASE64HEADER,
null
);
SSLCertificate servercert = (from c in GetServerCertificates()
where c.FriendlyName == cert.FriendlyName
select c).Single();
cert.SerialNumber = servercert.SerialNumber;
cert.ValidFrom = servercert.ValidFrom;
cert.ExpiryDate = servercert.ExpiryDate;
cert.Hash = servercert.Hash;
cert.DistinguishedName = servercert.DistinguishedName;
if (cert.IsRenewal && CheckCertificate(website))
{
DeleteCertificate(GetCurrentSiteCertificate(website), website);
}
AddBinding(cert, website);
}
catch (Exception ex)
{
Log.WriteError("Error adding SSL certificate", ex);
cert.Success = false;
}
return(cert);
}
/// <summary>
/// The create active directory certificate request.
/// </summary>
/// <param name="templateName">
/// The template name.
/// </param>
/// <returns>
/// The <see cref="string"/>.
/// </returns>
public string CreateActiveDirectoryCertificateRequest(string templateName)
{
//// https://blogs.msdn.microsoft.com/alejacma/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c/
//// http://geekswithblogs.net/shaunxu/archive/2012/01/13/working-with-active-directory-certificate-service-via-c.aspx
this.LastError.Clear();
try
{
var cspInformations = new CCspInformations();
cspInformations.AddAvailableCsps();
var privateKey = new CX509PrivateKey // Создали приватный ключ
{
Length = 2048,
KeySpec = X509KeySpec.XCN_AT_SIGNATURE,
KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES,
MachineContext = false,
ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG,
CspInformations = cspInformations
};
privateKey.Create();
var objPkcs10 = new CX509CertificateRequestPkcs10();
objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, templateName);
var objEnroll = new CX509Enrollment();
objEnroll.InitializeFromRequest(objPkcs10);
var strRequest = objEnroll.CreateRequest(); // Значение по уолчанию: EncodingType.XCN_CRYPT_STRING_BASE64
return(strRequest);
}
catch (Exception ex)
{
this.LastError.Add(ex.Message);
return(string.Empty);
}
}
/// <summary>
/// Generates a certificate signing request for use with Xbox Live.
/// </summary>
public string GenerateCertRequest()
{
this.EnsureAdmin();
CX509CertificateRequestCertificate certRequest = new CX509CertificateRequestCertificate();
certRequest.Initialize(X509CertificateEnrollmentContext.ContextMachine);
certRequest.PrivateKey.Length = 2048;
certRequest.PrivateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
certRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
CX500DistinguishedName subject = new CX500DistinguishedName();
subject.Encode("CN=NOT USED");
certRequest.Subject = subject;
CX509Enrollment enroll = new CX509Enrollment();
enroll.InitializeFromRequest(certRequest);
enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64HEADER);
this.privateKey = certRequest.PrivateKey.Export("PRIVATEBLOB", EncodingType.XCN_CRYPT_STRING_BASE64).ToSecureString();
return(certRequest.PrivateKey.Export("PUBLICBLOB", EncodingType.XCN_CRYPT_STRING_BASE64 | EncodingType.XCN_CRYPT_STRING_NOCRLF));
}
public string CreateTemplateRequest(string cn, string ou, string o, string l, string s, string c, int keylength, string template)
{
var objCSPs = new CCspInformations();
objCSPs.AddAvailableCsps();
var objPrivateKey = new CX509PrivateKey();
objPrivateKey.Length = keylength;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
objPrivateKey.MachineContext = false;
objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
objPrivateKey.CspInformations = objCSPs;
objPrivateKey.Create();
var objPkcs10 = new CX509CertificateRequestPkcs10();
objPkcs10.InitializeFromPrivateKey(
X509CertificateEnrollmentContext.ContextUser,
objPrivateKey,
template);
var objDN = new CX500DistinguishedName();
var subjectName = "CN = " + cn + ",OU = " + ou + ",O = " + o + ",L = " + l + ",S = " + s + ",C = " + c;
objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
objPkcs10.Subject = objDN;
var objEnroll = new CX509Enrollment();
objEnroll.InitializeFromRequest(objPkcs10);
var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
return strRequest;
}
/*
* http://stackoverflow.com/questions/13806299/how-to-create-a-self-signed-certificate-using-c
* This implementation uses the CX509CertificateRequestCertificate COM object (and friends - MSDN doc) from certenroll.dll to create a self signed certificate request and sign it.
*/
public static X509Certificate2 CreateSelfSignedCertificateCOM(string subjectName)
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
privateKey.Create();
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
//var oid = new CObjectId();
//oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
//var oidlist = new CObjectIds();
//oidlist.Add(oid);
//var eku = new CX509ExtensionEnhancedKeyUsage();
//eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now.Subtract(new TimeSpan(1, 0, 0, 0));
cert.NotAfter = DateTime.Now.Add(new TimeSpan(30,0,0,0));
//cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
// instantiate the target class with the PKCS#12 data (and the empty password)
return new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), "",
// mark the private key as exportable (this is usually what you want to do)
System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable
);
}
/// <summary>
/// Certificate constructor to intialize objects and values required to create a certificate
/// </summary>
public Certificate()
{
try
{
// Create objects required
objCertRequest = new CX509CertificateRequestCertificate();
objCSP = new CCspInformation();
objCSPs = new CCspInformations();
objDN = new CX500DistinguishedName();
objEnroll = new CX509Enrollment();
objObjectId = new CObjectId();
objPrivateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey"));
// Friendly name
this.FriendlyName = "";
// Set default values. Refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374846(v=vs.85).aspx
this.CryptographicProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
this.KeySize = 2048;
// Use key for encryption
this.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
// The key can be used for decryption
this.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG;
// Create for user and not machine
this.MachineContext = false;
// Default to expire in 1 year
this.ExpirationLengthInDays = 365;
// Let th private key be exported in plain text
this.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
// This is intended for a computer
this.EnrollmentContextMachine = X509CertificateEnrollmentContext.ContextUser;
// Use a hasing algorithm
this.ObjectIdGroupId = ObjectIdGroupId. XCN_CRYPT_HASH_ALG_OID_GROUP_ID;
this.ObjectIdPublicKeyFlags = ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY;
this.AlgorithmFlags = AlgorithmFlags.AlgorithmFlagsNone;
// Use SHA-2 with 512 bits
this.AlgorithmName = "SHA512";
this.EncodingType = EncodingType.XCN_CRYPT_STRING_BASE64;
// Allow untrusted certificate to be installed
this.InstallResponseRestrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate;
// No password set
this.Password = null;
// Enable key to be exported, keep the machine set, and persist the key set
// https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx
this.ExportableFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
}
catch (Exception ex)
{
throw ex;
}
}
/// <summary>
/// Installs the certificate
/// </summary>
/// <returns></returns>
public X509Certificate2 InstallCertficate()
{
CX509Enrollment objEnroll = new CX509Enrollment();
try
{
// Install the certificate
objEnroll.InitializeFromRequest(objCertRequest);
objEnroll.InstallResponse(
this.InstallResponseRestrictionFlags,
stringResponse,
this.EncodingType,
this.Password
);
var base64encoded = objEnroll.CreatePFX(this.Password, PFXExportOptions.PFXExportChainWithRoot);
return new System.Security.Cryptography.X509Certificates.X509Certificate2(
System.Convert.FromBase64String(base64encoded), this.Password,
this.ExportableFlags);
}
catch (Exception ex)
{
throw ex;
}
}
public bool enrollWithIX509EnrollmentHelper()
{
bool bRet = true;
try
{
IX509EnrollmentPolicyServer objPolicyServer = null;
IX509CertificateTemplates objTemplates = null;
IX509CertificateTemplate objTemplate = null;
IX509EnrollmentHelper objEnrollHelper = null;
IX509Enrollment2 objEnroll2 = null;
objPolicyServer = new CX509EnrollmentPolicyWebService();
objPolicyServer.Initialize(
m_strPolicyServerUrl,
null,
m_PolicyServerAuthType,
true,
m_context);
//This call sets authentication type and authentication credential
//to policy server to the object referenced by objPolicyServer.
//This call is necessary even for Kerberos authentication type.
objPolicyServer.SetCredential(
0,
m_PolicyServerAuthType,
m_strPolicyServerUsername,
m_strPolicyServerPassword);
objPolicyServer.LoadPolicy(X509EnrollmentPolicyLoadOption.LoadOptionDefault);
objTemplates = objPolicyServer.GetTemplates();
objTemplate = objTemplates.get_ItemByName(m_strTemplateName);
//There is no need to cache credential for Kerberos authentication type
if (m_EnrollmentServerAuthType == X509EnrollmentAuthFlags.X509AuthUsername)
{
objEnrollHelper = new CX509EnrollmentHelper();
objEnrollHelper.Initialize(m_context);
//This call caches the authentication credential to
//enrollment server in Windows vault
objEnrollHelper.AddEnrollmentServer(
m_strEnrollmentServerUrl,
m_EnrollmentServerAuthType,
m_strEnrollmentServerUsername,
m_strEnrollmentServerPassword);
}
objEnroll2 = new CX509Enrollment();
objEnroll2.InitializeFromTemplate(
m_context,
objPolicyServer,
objTemplate);
//This call reads authentication cache to
//enrollment server from Windows vault
objEnroll2.Enroll();
}
catch (Exception e)
{
bRet = false;
Console.WriteLine("Error: {0}", e.Message);
}
if (bRet)
Console.WriteLine("Certificate enrollment succeeded.");
else
Console.WriteLine("Certificate enrollment failed.");
return bRet;
}
// create the certifcate request
public string CreateCertifcate(string hostName)
{
// Create all the objects that will be required
CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10();
CX509PrivateKey objPrivateKey = new CX509PrivateKey();
CCspInformation objCSP = new CCspInformation();
CCspInformations objCSPs = new CCspInformations();
CX500DistinguishedName objDN = new CX500DistinguishedName();
CX509Enrollment objEnroll = new CX509Enrollment();
CObjectIds objObjectIds = new CObjectIds();
CObjectId objObjectId = new CObjectId();
CX509ExtensionKeyUsage objExtensionKeyUsage = new CX509ExtensionKeyUsage();
CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
string CertifcateStr;
try
{
Database db = new Database();
/*Check if there is allready request for the hostname so we dont need to create new one*/
if (db.CheckIfCertificateExists(hostName) == 1)
{
return("Exsits");
}
if (db.CheckIfCertificateExists(hostName) == 2)
{
return("Issued");
}
//create the private key (CX509CertificateRequestPkcs10 will initilizae from the private key)
objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");
objCSPs.Add(objCSP);
objPrivateKey.Length = 1024;
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
objPrivateKey.MachineContext = false;
objPrivateKey.CspInformations = objCSPs;
objPrivateKey.Create();
//create pkc10 object from the privaet key
objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, "");
objExtensionKeyUsage.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
// objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);
// objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
// objObjectIds.Add(objObjectId);
// objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
// objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);
objDN.Encode("CN=" + hostName, X500NameFlags.XCN_CERT_NAME_STR_NONE); //create DistinguishedName
objPkcs10.Subject = objDN; //initial the DistinguishedName
objEnroll.InitializeFromRequest(objPkcs10); //init enrollement request
CertifcateStr = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64); //Certifcate Request
return(CertifcateStr);
}
catch (Exception ex)
{
Database db = new Database();
db.InsertToErrorMessageTable(hostName, 0, ex.Message, "CreateCertifcate");//insert Error Message into The Error Table Log In The DataBase
return("Error" + ex.Message);
}
}
private static string CreateCertContent(string cn, TimeSpan expirationLength, string pwd)
{
var base64encoded = string.Empty;
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + cn, X500NameFlags.XCN_CERT_NAME_STR_NONE);
var privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Strong Cryptographic Provider";
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_DECRYPT_FLAG |
X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG;
privateKey.MachineContext = true;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now.Date;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = cert.NotBefore + expirationLength;
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = cn; // Optional: add a friendly name
var csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, pwd); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
base64encoded = enroll.CreatePFX(pwd, // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
return base64encoded;
}
public void GenerateCsr(SSLCertificate cert)
{
// Create all the objects that will be required
CX509CertificateRequestPkcs10 pkcs10 = new CX509CertificateRequestPkcs10();
CX509PrivateKey privateKey = new CX509PrivateKey();
CCspInformation csp = new CCspInformation();
CCspInformations csPs = new CCspInformations();
CX500DistinguishedName dn = new CX500DistinguishedName();
CX509Enrollment enroll = new CX509Enrollment();
CObjectIds objectIds = new CObjectIds();
CObjectId clientObjectId = new CObjectId();
CObjectId serverObjectId = new CObjectId();
CX509ExtensionKeyUsage extensionKeyUsage = new CX509ExtensionKeyUsage();
CX509ExtensionEnhancedKeyUsage x509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
try
{
// Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
csp.InitializeFromName("Microsoft RSA SChannel Cryptographic Provider");
// Add this CSP object to the CSP collection object
csPs.Add(csp);
// Provide key container name, key length and key spec to the private key object
//objPrivateKey.ContainerName = "AlejaCMa";
privateKey.Length = cert.CSRLength;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.MachineContext = true;
// Provide the CSP collection object (in this case containing only 1 CSP object)
// to the private key object
privateKey.CspInformations = csPs;
// Create the actual key pair
privateKey.Create();
// Initialize the PKCS#10 certificate request object based on the private key.
// Using the context, indicate that this is a user certificate request and don't
// provide a template name
pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.PrivateKey = privateKey.ToString();
// Key Usage Extension
extensionKeyUsage.InitializeEncode(
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
);
pkcs10.X509Extensions.Add((CX509Extension)extensionKeyUsage);
// Enhanced Key Usage Extension
clientObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
objectIds.Add(clientObjectId);
serverObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.1");
objectIds.Add(serverObjectId);
x509ExtensionEnhancedKeyUsage.InitializeEncode(objectIds);
pkcs10.X509Extensions.Add((CX509Extension)x509ExtensionEnhancedKeyUsage);
// Encode the name in using the Distinguished Name object
string request = String.Format(@"CN={0}, O={1}, OU={2}, L={3}, S={4}, C={5}", cert.Hostname, cert.Organisation, cert.OrganisationUnit, cert.City, cert.State, cert.Country);
dn.Encode(request, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Assing the subject name by using the Distinguished Name object initialized above
pkcs10.Subject = dn;
// Create enrollment request
enroll.InitializeFromRequest(pkcs10);
enroll.CertificateFriendlyName = cert.FriendlyName;
cert.CSR = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER);
}
catch (Exception ex)
{
Log.WriteError("Error creating CSR", ex);
}
}
/// <summary>
/// Generate a self-signed certificate and add it to the Windows certificate store.
/// </summary>
/// <param name="subjectName">The subject name of the certificate.</param>
/// <param name="friendlyName">The friendly name of the certificate.</param>
/// <param name="location">Location of the certificate; either the Current User or Local Machine.</param>
/// <param name="addAsTrustedRoot">Whether to add the generated certificate as a trusted root.</param>
/// <param name="keyLength">Size of the key in bits.</param>
/// <param name="durationYears">Duration of the certificate, specified in years.</param>
/// <param name="oids">Collection of OIDs identifying certificate usage.</param>
public static X509Certificate2 CreateSelfSignedCertificate(string subjectName, string friendlyName, StoreLocation location, bool addAsTrustedRoot, int keyLength, int durationYears, List<string> oids)
{
// Create the self-signing request.
CX509CertificateRequestCertificate cert = CreateCertificateSigningRequest(subjectName, keyLength, durationYears, oids);
// Enroll based on the certificate signing request.
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(cert);
enrollment.CertificateFriendlyName = friendlyName;
string csrText = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
// Install the certificate chain. Note that no password is specified.
enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csrText, EncodingType.XCN_CRYPT_STRING_BASE64, "");
// Base-64 encode the PKCS#12 certificate in order to re-import it.
string pfx = enrollment.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
// Instantiate the PKCS#12 certificate.
X509Certificate2 certificate = new X509Certificate2(System.Convert.FromBase64String(pfx), "", X509KeyStorageFlags.Exportable);
// If specified, also install the certificate to the trusted root store.
if (addAsTrustedRoot)
{
X509Store rootStore = new X509Store(StoreName.Root, location);
rootStore.Open(OpenFlags.ReadWrite);
rootStore.Add(certificate);
rootStore.Close();
}
return certificate;
}
/// <summary>
/// CreateSelfSignedCertificate method implementation
/// </summary>
private static string InternalCreateSelfSignedCertificate(string subjectName, int years)
{
var dn = new CX500DistinguishedName();
var neos = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
neos.Encode("CN=MFA RSA Keys Certificate", X500NameFlags.XCN_CERT_NAME_STR_NONE);
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_ARCHIVING_FLAG | X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG;
privateKey.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)";
privateKey.Create();
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var coid = new CObjectId();
coid.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // Client auth
oidlist.Add(coid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextAdministratorForceMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = neos;
cert.NotBefore = DateTime.Now.AddDays(-10);
cert.NotAfter = DateTime.Now.AddYears(years);
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);
return(base64encoded);
}
public SSLCertificate InstallCertificate(SSLCertificate cert, WebSite website)
{
CX509Enrollment response = new CX509Enrollment();
try
{
response.Initialize(X509CertificateEnrollmentContext.ContextMachine);
response.InstallResponse(
InstallResponseRestrictionFlags.AllowUntrustedRoot,
cert.Certificate, EncodingType.XCN_CRYPT_STRING_BASE64HEADER,
null
);
SSLCertificate servercert = (from c in GetServerCertificates()
where c.FriendlyName == cert.FriendlyName
select c).Single();
cert.SerialNumber = servercert.SerialNumber;
cert.ValidFrom = servercert.ValidFrom;
cert.ExpiryDate = servercert.ExpiryDate;
cert.Hash = servercert.Hash;
cert.DistinguishedName = servercert.DistinguishedName;
if (cert.IsRenewal && CheckCertificate(website))
{
DeleteCertificate(GetCurrentSiteCertificate(website), website);
}
AddBinding(cert, website);
}
catch (Exception ex)
{
Log.WriteError("Error adding SSL certificate", ex);
cert.Success = false;
}
return cert;
}
