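/// <summary>
/// Save the specified certificate to the backup server.
/// The caller's Windows identity is checked against the ACL first; a denied
/// caller is audited and nothing is stored.
/// </summary>
/// <param name="certDto">Certificate to store.</param>
/// <returns>
/// true when the certificate was added and exported; false when access was
/// denied or no certificate was supplied.
/// </returns>
public bool SaveCertificateToBackupDisc(CertificateDto certDto)
{
    string userName = WindowsIdentity.GetCurrent().Name;
    if (!IsUserAccessGranted(userName))
    {
        Audit.WriteEvent("User '" + userName + "' had denied access for method SaveCertificateToBackupDisc", EventLogEntryType.FailureAudit);
        // A denied caller must not be able to add certificates to the backup set.
        return false;
    }

    X509Certificate2 certificate = certDto == null ? null : certDto.GetCert();
    if (certificate == null)
    {
        Audit.WriteEvent("SaveCertificateToBackupDisc was called without a certificate.", EventLogEntryType.Warning);
        return false;
    }

    activeCertificates.Add(certificate);
    CertificateHandler.ExportToFileSystem(X509ContentType.Pfx, certificate, certificate.SubjectName.Name);

    string logMessage = "Certificate with subject name '" + certificate.SubjectName.Name + "' is saved on backup server.";
    Audit.WriteEvent(logMessage, EventLogEntryType.Information);
    return true;
}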
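/// <summary>
/// Integrity update: replace this (backup) server's CA material, active
/// certificates, revocation list and client map with the data received from
/// the hot server.
/// </summary>
/// <param name="param">Data from hot server.</param>
/// <returns>true once the model has been applied.</returns>
/// <exception cref="ArgumentNullException">param is null.</exception>
public bool SetModel(CAModelDto param)
{
    if (param == null)
    {
        throw new ArgumentNullException("param");
    }
    // NOTE(review): unlike the other public operations this one performs no
    // IsUserAccessGranted check; confirm the hot server is authenticated by the
    // transport/ACL before this method is reachable.

    // Copy and install the CA certificate received from the hot server.
    if (File.Exists(PFX_PATH))
    {
        File.Delete(PFX_PATH);
    }
    // Materialise the received CA certificate once so the store and the field
    // hold the same instance.
    X509Certificate2 newCaCertificate = param.CaCertificate.GetCert();
    CertificateHandler.ReplaceCACertificateInStore(caCertificate, newCaCertificate);
    caCertificate = newCaCertificate;
    caPrivateKey = DotNetUtilities.GetKeyPair(caCertificate.PrivateKey).Private;
    CertificateHandler.ExportToFileSystem(X509ContentType.Pfx, caCertificate, caCertificate.SubjectName.Name);

    // Export and install the active client certificates on the backup server.
    activeCertificates.Clear();
    foreach (var cerDto in param.ActiveCertificates)
    {
        X509Certificate2 cert = cerDto.GetCert();
        activeCertificates.Add(cert);
        CertificateHandler.ExportToFileSystem(X509ContentType.Pfx, cert, cert.SubjectName.Name);

        string subjectName = cert.SubjectName.Name;
        string fileName = subjectName.Contains("=") ? subjectName.Split('=')[1] : subjectName;
        // NOTE(review): the path concatenates the full subject name and its value
        // part; confirm it matches the naming used by ExportToFileSystem,
        // otherwise the store insert below always runs.
        if (!File.Exists(CERT_FOLDER_PATH + subjectName + fileName + ".pfx"))
        {
            CertificateHandler.AddCertificateToStore(cert, StoreName.TrustedPeople, StoreLocation.LocalMachine);
        }
    }

    // Replace the active revocation list.
    revocationList.Clear();
    foreach (var cerDto in param.RevocationList)
    {
        revocationList.Add(cerDto.GetCert());
    }

    // Replace the subject -> host address map.
    clientDict.Clear();
    foreach (var pair in param.ClientDict)
    {
        clientDict.Add(pair.Key, pair.Value);
    }
    return true;
}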
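/// <summary>
/// Prepare the certification authority service for use: load the CA
/// certificate and private key from the CA PFX file, or generate a new CA
/// certificate when no usable one is found there.
/// Only audits and returns when the current user is not in the ACL.
/// </summary>
private void PrepareCAService()
{
    string userName = WindowsIdentity.GetCurrent().Name;
    if (!IsUserAccessGranted(userName))
    {
        Audit.WriteEvent("Access to SecurityStore is denied to user '" + userName + "' based on ACL content.", EventLogEntryType.Warning);
        return;
    }

    bool isPfxImported = true;
    bool isCertFound = false;
    X509Certificate2Collection collection = new X509Certificate2Collection();
    try
    {
        // Try to import the PFX file for the CA (certification authority).
        collection.Import(PFX_PATH, PFX_PASSWORD, X509KeyStorageFlags.Exportable);
    }
    catch (Exception ex)
    {
        // A missing or unreadable PFX is expected on first start; record why it
        // was not loaded instead of failing silently, then fall through to generation.
        isPfxImported = false;
        Audit.WriteEvent("CA PFX file could not be imported (" + ex.GetType().Name + "): " + ex.Message, EventLogEntryType.Warning);
    }

    if (isPfxImported)
    {
        foreach (X509Certificate2 cert in collection)
        {
            // NOTE(review): GenerateCertificate refers to the CA as "CN=" + CA_SUBJECT_NAME,
            // while this compares the full subject name against CA_SUBJECT_NAME; confirm
            // the constant's form so a stored CA certificate is actually recognised.
            if (cert.SubjectName.Name.Equals(CA_SUBJECT_NAME, StringComparison.Ordinal))
            {
                isCertFound = true;
                caCertificate = cert;
                caPrivateKey = DotNetUtilities.GetKeyPair(cert.PrivateKey).Private;
                break;
            }
        }
    }

    if (isCertFound)
    {
        Audit.WriteEvent("Certificate for the CA is successfully loaded.", EventLogEntryType.Information);
    }
    else
    {
        // No usable CA in the PFX: generate a fresh CA certificate and key pair.
        caCertificate = CertificateHandler.GenerateCACertificate(CA_SUBJECT_NAME, ref caPrivateKey);
        Audit.WriteEvent("Certificate for the CA was not found in the PFX; a new CA certificate has been generated.", EventLogEntryType.Information);
    }
}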
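/// <summary>
/// Generate a new certificate with the specified subject name, signed by the CA.
/// Issuing is refused when the caller is not in the ACL; when a certificate with
/// the given subject name is already published no new one is issued.
/// </summary>
/// <param name="subject">Subject name.</param>
/// <param name="address">Host address of the client.</param>
/// <returns>
/// A <see cref="CertificateDto"/> wrapping the issued certificate; wrapping the
/// already-published certificate when the subject exists (unchanged behaviour);
/// wrapping null when access was denied or generation failed.
/// </returns>
public CertificateDto GenerateCertificate(string subject, string address)
{
    string userName = WindowsIdentity.GetCurrent().Name;
    if (!IsUserAccessGranted(userName))
    {
        Audit.WriteEvent("User '" + userName + "' had denied access for method GenerateCertificate", EventLogEntryType.FailureAudit);
        // A denied caller must not obtain a CA-signed certificate.
        return new CertificateDto(null);
    }

    X509Certificate2 publishedCertificate = IsCertificatePublished(subject);
    if (publishedCertificate != null)
    {
        Audit.WriteEvent("Certificate with subject name '" + subject + "' is already published", EventLogEntryType.Warning);
        return new CertificateDto(publishedCertificate);
    }

    X509Certificate2 newCertificate = CertificateHandler.GenerateAuthorizeSignedCertificate(subject, "CN=" + CA_SUBJECT_NAME, caPrivateKey);
    if (newCertificate == null)
    {
        Audit.WriteEvent("Generation of certificate with subject name '" + subject + "' failed.", EventLogEntryType.Warning);
        return new CertificateDto(null);
    }

    activeCertificates.Add(newCertificate);
    // Indexer rather than Add: a stale entry for this subject would otherwise
    // throw after the certificate has already been added to activeCertificates.
    clientDict[subject] = address;
    Audit.WriteEvent("Certificate with subject name '" + subject + "' is issued by '" + CA_SUBJECT_NAME + "'", EventLogEntryType.Information);
    return new CertificateDto(newCertificate);
}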