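} // End Sub WriteCerAndCrt


/// <summary>
/// Smoke test: builds a sample subject name, generates three key pairs
/// (two EC, one RSA), issues three certificates, checks their signatures
/// and writes the results to the current working directory as
/// example.pfx, ca.cer, ee.cer, ee25519.cer, ee.crt and ee25519.crt.
/// </summary>
/// <remarks>
/// All output paths are relative, so the PFX with the CA private key is
/// written to whatever directory the process was started in.
/// </remarks>
public static void Test()
{
    Org.BouncyCastle.Asn1.X509.X509Name caName = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestCA");
    Org.BouncyCastle.Asn1.X509.X509Name eeName = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestEE");
    Org.BouncyCastle.Asn1.X509.X509Name eeName25519 = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestEE25519");

    string countryIso2Characters = "EA";
    string stateOrProvince = "ERA";
    string localityOrCity = "NeutralZone";
    string companyName = "Skynet Earth Inc.";
    string division = "Skynet mbH";
    string domainName = "sky.net";
    string email = "*****@*****.**";

    // The subject is only printed; the certificates below use the short CN=... names.
    Org.BouncyCastle.Asn1.X509.X509Name subj = CertificateInfo.CreateSubject(
          countryIso2Characters, stateOrProvince
        , localityOrCity, companyName
        , division, domainName, email);

    System.Console.WriteLine(subj);

    // NOTE(review): BouncyCastle's "curve25519" named curve is a Weierstrass
    // representation intended for generic EC code; signing with it is not
    // Ed25519 and is unlikely to interoperate with other stacks - confirm
    // what KeyGenerator.GenerateEcKeyPair actually selects.
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey25519 = KeyGenerator.GenerateEcKeyPair("curve25519", s_secureRandom.Value);
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey = KeyGenerator.GenerateEcKeyPair("secp256r1", s_secureRandom.Value);
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair eeKey = KeyGenerator.GenerateRsaKeyPair(2048, s_secureRandom.Value);

    // PemWriter.WriteObject(AsymmetricCipherKeyPair) serializes the PRIVATE key,
    // so passing the whole pair would put private key material into a variable
    // named publicKey and echo it to the console. Write the public half only.
    // The result is a PEM "PUBLIC KEY" block, not the OpenSSH id_rsa.pub format.
    string publicKey;
    using (System.IO.StringWriter textWriter = new System.IO.StringWriter())
    {
        Org.BouncyCastle.OpenSsl.PemWriter pemWriter = new Org.BouncyCastle.OpenSsl.PemWriter(textWriter);
        pemWriter.WriteObject(eeKey.Public);
        pemWriter.Writer.Flush();

        publicKey = textWriter.ToString();
    } // End Using textWriter

    System.Console.WriteLine(publicKey);

    // Background on EC private-key files:
    // https://stackoverflow.com/questions/22963581/reading-elliptic-curve-private-key-from-file-with-bouncycastle/41947163
    // The "EC PARAMETERS" block that `openssl ecparam -genkey` emits by default is
    // not part of the key and can be suppressed with -noout. The EC key structure
    // itself already carries parameter information (as DSA does, unlike RSA).

    // Result is not used further; the call is kept so the PEM export path is
    // still exercised for the curve25519 key.
    KeyImportExport.GetPemKeyPair(caKey25519);

    // Arguments are presumably (issuer name, subject name, issuer private key,
    // subject public key, random) - confirm against GenerateCertificate.
    Org.BouncyCastle.X509.X509Certificate caCert = GenerateCertificate(caName, caName, caKey.Private, caKey.Public, s_secureRandom.Value);
    Org.BouncyCastle.X509.X509Certificate eeCert = GenerateCertificate(caName, eeName, caKey.Private, eeKey.Public, s_secureRandom.Value);

    // NOTE(review): this certificate names TestCA as issuer but is signed with
    // caKey25519, not caKey, and certifies caKey25519's own public key.
    Org.BouncyCastle.X509.X509Certificate ee25519Cert = GenerateCertificate(caName, eeName25519, caKey25519.Private, caKey25519.Public, s_secureRandom.Value);

    bool caOk = ValidateSelfSignedCert(caCert, caKey.Public);
    bool eeOk = ValidateSelfSignedCert(eeCert, caKey.Public);

    // The third check previously re-validated eeCert, so ee25519Cert was never
    // verified. It must be checked against the key that signed it.
    bool ee25519Ok = ValidateSelfSignedCert(ee25519Cert, caKey25519.Public);

    // Report the outcomes instead of silently discarding them.
    System.Console.WriteLine("caCert valid: " + caOk);
    System.Console.WriteLine("eeCert valid: " + eeOk);
    System.Console.WriteLine("ee25519Cert valid: " + ee25519Ok);

    // NOTE(review): the last argument (presumably the PFX password) is null, so
    // example.pfx likely holds the CA private key without password protection.
    // Acceptable for throw-away test material only; confirm against PfxGenerator.
    PfxGenerator.CreatePfxFile("example.pfx", caCert, caKey.Private, null);

    // File-extension conventions used below (they are not strictly standardized,
    // and many systems treat .crt and .cer as interchangeable):
    //   .cer - X.509 certificate in binary DER encoding
    //   .crt - the same certificate as base64 text, usually starting with
    //          "-----BEGIN CERTIFICATE-----" (PEM)
    // Windows treats a double-click on a .crt file as a request to import the
    // certificate into a certificate store, and on a .cer file as a request to
    // view it. Conversion with openssl:
    //   openssl x509 -inform DER -in certificate.cer -out certificate.pem
    // https://info.ssl.com/how-to-der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-conver-them/
    // https://stackoverflow.com/questions/642284/apache-with-ssl-how-to-convert-cer-to-crt-certificates

    // DER-encoded certificates; existing files are overwritten.
    System.IO.File.WriteAllBytes("ca.cer", caCert.GetEncoded());
    System.IO.File.WriteAllBytes("ee.cer", eeCert.GetEncoded());
    System.IO.File.WriteAllBytes("ee25519.cer", ee25519Cert.GetEncoded());

    // PEM-encoded certificates, written as ASCII (no byte-order mark).
    System.IO.File.WriteAllText("ee.crt", ToPem(eeCert.GetEncoded()), System.Text.Encoding.ASCII);
    System.IO.File.WriteAllText("ee25519.crt", ToPem(ee25519Cert.GetEncoded()), System.Text.Encoding.ASCII);
} // End Sub Test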
} // End Function ValidateSelfSignedCert


// https://stackoverflow.com/questions/51703109/nginx-the-ssl-directive-is-deprecated-use-the-listen-ssl
/// <summary>
/// Smoke test: creates a root CA certificate and an SSL certificate issued by
/// it (both from RSA-2048 keys), checks the SSL certificate against the root's
/// public key, and writes PFX, key and certificate files named "ca", "issuer"
/// and "obelix" via the sibling helpers.
/// </summary>
/// <remarks>
/// NOTE(review): ca.pfx is created with a null password and obelix.pfx with an
/// empty one, and WritePrivatePublicKey presumably writes the private keys as
/// well. Treat all output as throw-away test material.
/// </remarks>
public static void Test2()
{
    Org.BouncyCastle.X509.X509Certificate caRoot;
    Org.BouncyCastle.X509.X509Certificate caSsl;
    CertificateInfo caCertInfo;

    // Only referenced by the commented-out EC alternatives below.
    string curveName = "secp256k1";

    // --- Root CA ---------------------------------------------------------
    {
        caCertInfo = new CertificateInfo(
              "EA"                  // countryIso2Characters
            , "Europe"              // stateOrProvince
            , "NeutralZone"         // localityOrCity
            , "Skynet Earth Inc."   // companyName
            , "Skynet mbH"          // division
            , "Skynet"              // domainName
            , "*****@*****.**"      // email
            , System.DateTime.UtcNow
            , System.DateTime.UtcNow.AddYears(5)
        );

        // Alternatives the author left disabled:
        //   KeyGenerator.GenerateEcKeyPair(curveName, s_secureRandom.Value)
        //   KeyGenerator.GenerateDsaKeyPair(1024, s_secureRandom.Value)
        //   KeyGenerator.GenerateDHKeyPair(1024, s_secureRandom.Value)
        //   KeyGenerator.GenerateGhostKeyPair(4096, s_secureRandom.Value)
        // (1024-bit DSA/DH is below commonly accepted minimum key sizes.)
        Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKeys =
            KeyGenerator.GenerateRsaKeyPair(2048, s_secureRandom.Value);

        // Self-signed: subject and issuer are the same key pair.
        caCertInfo.SubjectKeyPair = KeyImportExport.GetPemKeyPair(rootKeys);
        caCertInfo.IssuerKeyPair = KeyImportExport.GetPemKeyPair(rootKeys);

        caRoot = GenerateRootCertificate(caCertInfo, s_secureRandom.Value);

        // NOTE(review): null password - the root CA private key is presumably
        // stored unprotected in ca.pfx; confirm against PfxGenerator.
        PfxGenerator.CreatePfxFile(@"ca.pfx", caRoot, rootKeys.Private, null);
        WritePrivatePublicKey("issuer", caCertInfo.IssuerKeyPair);
    }

    // --- SSL certificate issued by the root --------------------------------
    {
        // NOTE(review): five years is far longer than the server-certificate
        // lifetime several TLS clients accept; shorten if this certificate is
        // meant to be trusted outside of local testing.
        CertificateInfo sslInfo = new CertificateInfo(
              "GA"                                          // countryIso2Characters
            , "Aremorica"                                   // stateOrProvince
            , "Erquy, Bretagne"                             // localityOrCity
            , "Coopérative Ménhir Obelix Gmbh & Co. KGaA"   // companyName
            , "NT (Neanderthal Technology)"                 // division
            , "localhost"                                   // domainName
            , "webmaster@localhost"                         // email
            , System.DateTime.UtcNow
            , System.DateTime.UtcNow.AddYears(5)
        );

        // Names added as alternatives include the local machine name and a wildcard.
        sslInfo.AddAlternativeNames("localhost", System.Environment.MachineName, "127.0.0.1", "sql.guru", "*.sql.guru");

        // Same disabled alternatives as for the root (EC / DSA-1024 / DH-1024).
        Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair sslKeys =
            KeyGenerator.GenerateRsaKeyPair(2048, s_secureRandom.Value);

        sslInfo.SubjectKeyPair = KeyImportExport.GetPemKeyPair(sslKeys);
        sslInfo.IssuerKeyPair = caCertInfo.SubjectKeyPair; // signed by the root's key

        caSsl = GenerateSslCertificate(sslInfo, s_secureRandom.Value, caRoot);

        // An X.509 certificate never contains the private key: certificates are
        // meant to be handed out more or less openly, while the private key stays
        // secret. X509Certificate2 can carry an associated private key (its
        // PrivateKey property), but that is a convenience of that class only.
        // var cc = new System.Security.Cryptography.X509Certificates.X509Certificate2(caRoot.GetEncoded());
        // System.Console.WriteLine(cc.PublicKey);
        // System.Console.WriteLine(cc.PrivateKey);

        // Despite the helper's name, this checks the issued certificate against
        // the root's public key.
        bool issuedByRoot = ValidateSelfSignedCert(caSsl, caRoot.GetPublicKey());
        System.Console.WriteLine(issuedByRoot);

        // NOTE(review): empty password - obelix.pfx is effectively unprotected.
        PfxGenerator.CreatePfxFile(@"obelix.pfx", caSsl, sslKeys.Private, "");
        WritePrivatePublicKey("obelix", sslInfo.SubjectKeyPair);
    }

    WriteCerAndCrt(@"ca", caRoot);
    WriteCerAndCrt(@"obelix", caSsl);
} // End Sub Test2