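/// <summary>
/// Issues an end-entity signing certificate for <paramref name="dnName"/>, signed by
/// <see cref="IntermediateCa"/>, and returns it together with its private key and issuer chain.
/// </summary>
/// <param name="dnName">Subject distinguished name of the new certificate.</param>
/// <param name="keySize">RSA modulus size in bits for the freshly generated key pair.</param>
/// <param name="baseUri">
/// Base URI under which the CRL (<see cref="IntermediateCrlPath"/>) and the OCSP responder
/// (<see cref="OcspPath"/>) are published. Defaults to <c>https://localhost/</c>, which is only
/// meaningful for local testing; callers issuing certificates for other hosts should pass their own.
/// </param>
/// <returns>A <see cref="CertContainer"/> holding a PKCS#12 store with the certificate and key.</returns>
/// <exception cref="ArgumentNullException"><paramref name="dnName"/> is null.</exception>
internal static CertContainer IssueSignerCertificate(X509Name dnName, int keySize = DefaultKeySize, Uri baseUri = null)
{
    if (dnName == null)
    {
        throw new ArgumentNullException(nameof(dnName));
    }

    CertContainer issuerCert = IntermediateCa;
    Uri currentBaseUri = baseUri ?? new Uri("https://localhost/");

    // Fresh RSA key pair for the subject; the private key only leaves this method inside the returned store.
    RsaKeyPairGenerator keyPairGen = new RsaKeyPairGenerator();
    keyPairGen.Init(new KeyGenerationParameters(_secureRandom, keySize));
    AsymmetricCipherKeyPair keyPair = keyPairGen.GenerateKeyPair();

    // Serial numbers must be unique per issuer (RFC 5280 §4.1.2.2). A constant serial would make every
    // issued certificate indistinguishable to the CRL/OCSP responder, so revoking one would revoke all.
    // 159 random bits keep the DER encoding within the 20-octet limit; SetBit(0) guarantees non-zero.
    BigInteger serial = new BigInteger(159, _secureRandom).SetBit(0);

    // Certificate validity is expressed in UTC; read the clock once so NotBefore/NotAfter agree.
    DateTime notBefore = DateTime.UtcNow;

    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    certGen.SetSerialNumber(serial);
    certGen.SetIssuerDN(issuerCert.Certificate.SubjectDN);
    certGen.SetNotBefore(notBefore);
    certGen.SetNotAfter(notBefore.AddYears(1));
    certGen.SetSubjectDN(dnName);
    certGen.SetPublicKey(keyPair.Public);
    certGen.SetSignatureAlgorithm("SHA256withRSA");

    // Chain-building identifiers and end-entity constraints (not a CA, signing-only key usage).
    certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCert.Certificate.GetPublicKey()));
    certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.Public));
    certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certGen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(X509KeyUsage.NonRepudiation | X509KeyUsage.DigitalSignature));
    certGen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth));

    // CRL distribution point, relative to the configured base URI.
    Uri crlUri = new Uri(currentBaseUri, IntermediateCrlPath);
    GeneralName crlName = new GeneralName(GeneralName.UniformResourceIdentifier, crlUri.ToString());
    DistributionPoint distPoint = new DistributionPoint(new DistributionPointName(new GeneralNames(crlName)), null, null);
    certGen.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(new DistributionPoint[] { distPoint }));

    // Authority Information Access: OCSP responder location.
    Uri ocspUri = new Uri(currentBaseUri, OcspPath);
    AccessDescription ocsp = new AccessDescription(AccessDescription.IdADOcsp, new GeneralName(GeneralName.UniformResourceIdentifier, ocspUri.ToString()));
    Asn1EncodableVector aia = new Asn1EncodableVector();
    aia.Add(ocsp);
    certGen.AddExtension(X509Extensions.AuthorityInfoAccess, false, new DerSequence(aia));

    X509Certificate generatedCert = certGen.Generate(issuerCert.PrivateKey);

    // Package certificate and private key in a PKCS#12 store, aliased by the subject DN.
    Pkcs12Store pfxStore = new Pkcs12StoreBuilder().Build();
    X509CertificateEntry certEntry = new X509CertificateEntry(generatedCert);
    string alias = generatedCert.SubjectDN.ToString();
    pfxStore.SetCertificateEntry(alias, certEntry);
    pfxStore.SetKeyEntry(alias + "_key", new AsymmetricKeyEntry(keyPair.Private), new X509CertificateEntry[] { certEntry });

    return new CertContainer(pfxStore, issuerCert.GetIssuerChain(true));
}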
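/// <summary>
/// Creates a user (signer) certificate for the given identity, issued through
/// <see cref="CAManager.IssueSignerCertificate"/>.
/// </summary>
/// <param name="name">Name of the signer (CN of the certificate).</param>
/// <param name="emailAddress">E-mail address of the signer (part of the subject DN).</param>
/// <param name="countryCode">Optional two-letter country code (C of the certificate).</param>
/// <param name="orgName">Optional organisation (O of the certificate).</param>
/// <exception cref="ArgumentException">
/// <paramref name="name"/> or <paramref name="emailAddress"/> is null, empty or whitespace.
/// </exception>
public UserCertificate(string name, string emailAddress, string countryCode = null, string orgName = null)
{
    // Fail fast: a missing name or e-mail would otherwise leave _certContainer unset and the
    // error would only surface later as a NullReferenceException on first use.
    if (string.IsNullOrWhiteSpace(name))
    {
        throw new ArgumentException("A signer name is required.", nameof(name));
    }
    if (string.IsNullOrWhiteSpace(emailAddress))
    {
        throw new ArgumentException("A signer e-mail address is required.", nameof(emailAddress));
    }

    X509Name subjectName = GenerateDNName(name, emailAddress, countryCode, orgName);
    this._certContainer = CAManager.IssueSignerCertificate(subjectName);
}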
/// <summary>
/// Loads the root CA, intermediate CA and default signer certificate from their PKCS#12 stores
/// once per process and links each container to its issuer(s) so chains can be built.
/// </summary>
static CAManager()
{
    // Order matters: each container is constructed with the ones loaded before it.
    // NOTE(review): the PFX passwords are referenced as constants here — confirm they are
    // supplied from configuration rather than checked into source.
    CertContainer root = new CertContainer(GetPkcs12Store(RootCaPfx, RootCaPfxPassword));
    RootCa = root;

    CertContainer intermediate = new CertContainer(GetPkcs12Store(IntermediateCaPfx, IntermediatePfxPassword), root);
    IntermediateCa = intermediate;

    DefaultSignerCert = new CertContainer(GetPkcs12Store(DefaultSignerCertPfx, DefaultSignerCertPfxPassword), intermediate, root);
}