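/// <summary>
/// Lazily creates the shared <c>s_certificateGenerator</c> from the bridge configuration and, on creation,
/// immediately installs its authority certificate via <c>CertificateManager.InstallCertificateToRootStore</c>.
/// Once the generator exists the call is a no-op until the field is cleared again (see <c>OnResourceFolderChanged</c>).
/// </summary>
/// <param name="context">Request context whose <c>BridgeConfiguration</c> supplies the generator settings.</param>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
internal static void ResetCertificateGenerator(ResourceRequestContext context)
{
    // Previously a null context surfaced as a NullReferenceException on the next line; fail with the
    // argument exception callers expect instead.
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    var config = context.BridgeConfiguration;

    // Double-checked locking: the unlocked read keeps the common "already initialised" path cheap,
    // the re-check inside the lock guards against a concurrent initialiser.
    // NOTE(review): this pattern relies on s_certificateGenerator being declared volatile — confirm at its declaration.
    if (s_certificateGenerator != null)
    {
        return;
    }

    lock (s_certificateHelperLock)
    {
        if (s_certificateGenerator != null)
        {
            return;
        }

        s_certificateGenerator = new CertificateGenerator()
        {
            CertificatePassword = config.BridgeCertificatePassword,
            // CRL distribution point advertised in issued certificates; presumably served by the bridge host itself.
            CrlUriBridgeHost = string.Format("http://{0}:{1}", config.BridgeHost, config.BridgePort),
            CrlUriRelativePath = s_crlUriRelativePath,
            ValidityPeriod = config.BridgeCertificateValidityPeriod
        };

        // Creating the generator means a test needing certificates is about to run, so trust the authority
        // certificate right away. Installing a CA into the root store makes every certificate it issues trusted
        // on this machine, which is only appropriate on dedicated test hosts.
        CertificateManager.InstallCertificateToRootStore(s_certificateGenerator.AuthorityCertificate.Certificate);
    }
}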
/// <summary>
/// Revokes the certificate identified by <paramref name="serialNum"/> on the given generator.
/// The call is serialised on <c>s_certificateLock</c> together with the other certificate operations.
/// </summary>
/// <param name="certificateGenerator">Generator that issued the certificate being revoked.</param>
/// <param name="serialNum">Serial number of the certificate to revoke; passed through unchanged.</param>
/// <exception cref="ArgumentNullException"><paramref name="certificateGenerator"/> is null.</exception>
public static void RevokeCertificate(CertificateGenerator certificateGenerator, string serialNum)
{
    var generator = certificateGenerator;
    if (object.ReferenceEquals(generator, null))
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        generator.RevokeCertificateBySerialNumber(serialNum);
    }
}
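/// <summary>
/// Creates, once per process, the certificates for this machine: a host certificate whose subject is the
/// machine's FQDN and whose subject alternative names are the FQDN, the short hostname and "localhost",
/// plus a second "peer trust" certificate carrying the same names. Installs the authority certificate,
/// the host certificate and the peer certificate into their respective stores.
/// </summary>
/// <param name="certificateGenerator">Generator that issues the certificates and supplies the authority certificate.</param>
/// <returns>
/// The host <see cref="X509Certificate2"/> itself (not its thumbprint, as the previous comment claimed).
/// It is cached in <c>s_localCertificate</c>, so every call after the first returns the same instance
/// without generating anything.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="certificateGenerator"/> is null.</exception>
public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
{
    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        // Certificate generation is time-consuming: the first caller to take the lock does the work,
        // anyone who queued behind it finds the cached result here.
        if (s_localCertificate != null)
        {
            return s_localCertificate;
        }

        Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");

        var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
        var fqdn = Dns.GetHostEntry("127.0.0.1").HostName;
        var hostname = fqdn.Split('.')[0];

        // Host certificate: one certificate covering every name a client might use for this machine.
        var hostSettings = BuildLocalMachineSettings("WCF Bridge - Machine certificate generated by the CertificateManager", fqdn, hostname);
        var hostCert = certificateGenerator.CreateMachineCertificate(hostSettings).Certificate;

        // s_myCertificates keys by subject name, so a second certificate for the same subject is never
        // installed — the first one created wins.
        InstallCertificateToRootStore(rootCertificate);
        InstallCertificateToMyStore(hostCert, hostSettings.ValidityType == CertificateValidityType.Valid);
        s_localCertificate = hostCert;

        // Peer-trust certificate: same names, but installed through the TrustedPeople store helper.
        var peerSettings = BuildLocalMachineSettings("WCF Bridge - UserPeerTrustCertificateResource", fqdn, hostname);
        var peerCert = certificateGenerator.CreateMachineCertificate(peerSettings).Certificate;
        InstallCertificateToTrustedPeopleStore(peerCert, peerSettings.ValidityType == CertificateValidityType.Valid);
    }

    return s_localCertificate;
}

// Builds the creation settings shared by the two local-machine certificates: FQDN as the subject,
// FQDN / short hostname / "localhost" as the subject alternative names. Only the friendly name differs.
private static CertificateCreationSettings BuildLocalMachineSettings(string friendlyName, string fqdn, string hostname)
{
    return new CertificateCreationSettings()
    {
        FriendlyName = friendlyName,
        Subject = fqdn,
        SubjectAlternativeNames = new string[] { fqdn, hostname, "localhost" }
    };
}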
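/// <summary>
/// Creates and installs a machine certificate from caller-supplied settings. The default local-machine
/// certificate comes from <c>CreateAndInstallLocalMachineCertificates</c>; this method serves the
/// non-default cases such as an expired certificate.
/// </summary>
/// <param name="certificateGenerator">Generator that issues the certificate and supplies the authority certificate.</param>
/// <param name="certificateCreationSettings">Friendly name, subject, alternative names and validity for the new certificate.</param>
/// <param name="resourceAddress">Passed through to <c>InstallCertificateToMyStore</c>; presumably identifies the requesting resource — confirm against that method.</param>
/// <returns>The newly created machine <see cref="X509Certificate2"/>.</returns>
/// <exception cref="ArgumentNullException">
/// Either argument is null. A null <paramref name="certificateCreationSettings"/> was previously reported as a
/// plain <see cref="ArgumentException"/>; the more specific type derives from it, so existing handlers still match.
/// </exception>
public static X509Certificate2 CreateAndInstallNonDefaultMachineCertificates(CertificateGenerator certificateGenerator, CertificateCreationSettings certificateCreationSettings, string resourceAddress)
{
    if (certificateCreationSettings == null)
    {
        throw new ArgumentNullException("certificateCreationSettings", "certificateCreationSettings cannot be null as we are creating a non default certificate");
    }

    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        Trace.WriteLine("[CertificateManager] Installing Non default Machine certificates to machine store.");

        var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
        var hostCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;

        // The issuing authority is installed before the host certificate so the chain is trusted when the
        // host certificate becomes visible.
        InstallCertificateToRootStore(rootCertificate);
        // The flag tells the store helper whether this certificate is expected to be valid; what it does with
        // that is defined in InstallCertificateToMyStore.
        InstallCertificateToMyStore(hostCert, certificateCreationSettings.ValidityType == CertificateValidityType.Valid, resourceAddress);

        return hostCert;
    }
}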
/// <summary>
/// Creates, once per process, a certificate for this machine's FQDN with the short hostname and "localhost" as
/// additional names, and installs the authority certificate and the machine certificate into their stores.
/// </summary>
/// <param name="certificateGenerator">Generator that issues the certificate and supplies the authority certificate.</param>
/// <returns>
/// The machine <see cref="X509Certificate2"/> (the certificate object, not a thumbprint). It is cached in
/// <c>s_localCertificate</c>; later calls return the cached instance without generating anything.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="certificateGenerator"/> is null.</exception>
public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
{
    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        // Only the first caller to take the lock generates; generation is slow, so a cached result is reused.
        if (s_localCertificate == null)
        {
            Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");

            var authorityCert = certificateGenerator.AuthorityCertificate.Certificate;
            var machineFqdn = Dns.GetHostEntry("127.0.0.1").HostName;
            var shortName = machineFqdn.Split('.')[0];

            // One certificate for every name a client might use to reach this machine.
            var machineCert = certificateGenerator.CreateMachineCertificate(machineFqdn, shortName, "localhost").Certificate;

            // s_myCertificates keys by subject name: a later certificate for the same subject is not installed.
            InstallCertificateToRootStore(authorityCert);
            InstallCertificateToMyStore(machineCert);
            s_localCertificate = machineCert;
        }
    }

    return s_localCertificate;
}
/// <summary>
/// Resource-folder change handler: discards the cached <c>s_certificateGenerator</c> so that the next
/// <c>ResetCertificateGenerator</c> call rebuilds it from the current configuration.
/// </summary>
/// <param name="sender">Event source; unused.</param>
/// <param name="args">Event data; unused.</param>
private static void OnResourceFolderChanged(object sender, EventArgs args)
{
    // Same lock as the initialiser, so a concurrent ResetCertificateGenerator sees either the old or the null value.
    lock (s_certificateHelperLock)
    {
        s_certificateGenerator = null;
    }
}
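/// <summary>
/// Entry point. "-Uninstall" removes every bridge certificate and exits 0; "-help" prints usage and exits 0;
/// any other argument prints usage and exits 1. With no arguments the tool uninstalls existing certificates,
/// then creates and installs the full set of test certificates and writes the CRL file.
/// </summary>
/// <param name="args">Command-line arguments; only the first is examined.</param>
/// <returns>Process exit code: 0 on success, 1 for an unrecognised argument.</returns>
private static int Main(string[] args)
{
    ApplyAppSettings();

    if (args.Length > 0)
    {
        // Switches are not user-language text: compare ordinally rather than with the culture-sensitive
        // string.Compare(..., ignoreCase: true), which can match or reject differently per culture.
        if (string.Equals(args[0], "-Uninstall", StringComparison.OrdinalIgnoreCase))
        {
            UninstallAllCerts();
            return 0;
        }

        Usage();
        return string.Equals(args[0], "-help", StringComparison.OrdinalIgnoreCase) ? 0 : 1;
    }

    UninstallAllCerts();

    CertificateGenerator certificateGenerate = CreateBridgeCertificateGenerator();

    //Create and install root and server cert
    CertificateManager.CreateAndInstallLocalMachineCertificates(certificateGenerate);

    InstallTestMachineCertificates(certificateGenerate);
    InstallClientCertificate(certificateGenerate);

    //Create CRL and save it
    File.WriteAllBytes(s_CrlFileLocation, certificateGenerate.CrlEncoded);
    return 0;
}

// Builds the generator used for every certificate this tool issues, including the CRL URI it embeds.
private static CertificateGenerator CreateBridgeCertificateGenerator()
{
    CertificateGenerator certificateGenerate = new CertificateGenerator();
    // NOTE(review): the certificate password is a literal in source (it may be redacted in this listing).
    // ApplyAppSettings already reads configuration; sourcing the password from there would keep it out of the code.
    certificateGenerate.CertificatePassword = "******";
    certificateGenerate.CrlUriBridgeHost = s_fqdn;
    certificateGenerate.ValidityPeriod = s_ValidatePeriod;
    if (!string.IsNullOrEmpty(s_testserverbase))
    {
        certificateGenerate.CrlUriRelativePath += "/" + s_testserverbase;
    }
    certificateGenerate.CrlUriRelativePath += "/CrlService.svc/GetCrl";
    return certificateGenerate;
}

// Creates and installs the machine certificates the bridge tests rely on: an expired one, a revoked one,
// one that is only valid via an alternative name, and three subject-only (non-authoritative) variants.
private static void InstallTestMachineCertificates(CertificateGenerator certificateGenerate)
{
    // Snapshot the clock once so NotBefore and NotAfter are derived from the same instant.
    DateTime now = DateTime.UtcNow;

    //Create and Install expired cert
    CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpExpiredServerCertResource",
        ValidityType = CertificateValidityType.Expired,
        ValidityNotBefore = now - TimeSpan.FromDays(4),
        ValidityNotAfter = now - TimeSpan.FromDays(2),
        //If you specify multiple subjects, the first one becomes the subject, and all of them become Subject Alt Names.
        //In this case, the certificate subject is CN=fqdn, OU=..., O=... , and SANs will be fqdn, hostname, localhost
        //We do this so that a single bridge setup can deal with all the possible addresses that a client might use.
        //If we don't put "localhost' here, a long-running bridge will not be able to receive requests from both fqdn and localhost
        //because the certs won't match.
        Subject = s_fqdn,
        SubjectAlternativeNames = new string[] { s_fqdn, s_hostname, "localhost" }
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //Create and Install TcpCertificateWithServerAltNameResource
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpCertificateWithServerAltNameResource",
        Subject = "not-real-subject-name",
        SubjectAlternativeNames = new string[] { "not-real-subject-name", "not-real-subject-name.example.com", s_fqdn, s_hostname, "localhost" }
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //TcpCertificateWithSubjectCanonicalNameDomainNameResource
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameDomainNameResource",
        Subject = s_hostname,
        SubjectAlternativeNames = new string[0],
        ValidityType = CertificateValidityType.NonAuthoritativeForMachine
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //WCF Bridge - TcpCertificateWithSubjectCanonicalNameFqdnResource
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameFqdnResource",
        Subject = s_fqdn,
        SubjectAlternativeNames = new string[0],
        ValidityType = CertificateValidityType.NonAuthoritativeForMachine
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //TcpCertificateWithSubjectCanonicalNameLocalhostResource
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameLocalhostResource",
        Subject = "localhost",
        SubjectAlternativeNames = new string[0],
        ValidityType = CertificateValidityType.NonAuthoritativeForMachine
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

    //TcpRevokedServerCertResource
    certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - TcpRevokedServerCertResource",
        ValidityType = CertificateValidityType.Revoked,
        Subject = s_fqdn,
        SubjectAlternativeNames = new string[] { s_fqdn, s_hostname, "localhost" }
    };
    CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);
}

// Creates the client (user) certificate and adds it to both the TrustedPeople and My stores of the local machine.
private static void InstallClientCertificate(CertificateGenerator certificateGenerate)
{
    //Create and install client cert
    CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
    {
        FriendlyName = "WCF Bridge - UserCertificateResource",
        Subject = "WCF Client Certificate",
    };
    X509Certificate2 certificate = certificateGenerate.CreateUserCertificate(certificateCreationSettings).Certificate;
    CertificateManager.AddToStoreIfNeeded(StoreName.TrustedPeople, StoreLocation.LocalMachine, certificate);
    CertificateManager.AddToStoreIfNeeded(StoreName.My, StoreLocation.LocalMachine, certificate);
}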
// Issues one machine certificate from the given settings and hands it to AddToStoreIfNeeded for the
// LocalMachine My store.
private static void CreateAndInstallMachineCertificate(CertificateGenerator certificateGenerate, CertificateCreationSettings certificateCreationSettings)
{
    var issued = certificateGenerate.CreateMachineCertificate(certificateCreationSettings);
    CertificateManager.AddToStoreIfNeeded(StoreName.My, StoreLocation.LocalMachine, issued.Certificate);
}
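/// <summary>
/// Creates and installs a machine certificate from caller-supplied settings. The default local-machine
/// certificate comes from <c>CreateAndInstallLocalMachineCertificates</c>; this method serves the
/// non-default cases such as an expired certificate.
/// </summary>
/// <param name="certificateGenerator">Generator that issues the certificate and supplies the authority certificate.</param>
/// <param name="certificateCreationSettings">Subjects, validity and friendly name for the new certificate; its <c>IsValidCert</c> is forwarded to the store helper.</param>
/// <param name="resourceAddress">Passed through to <c>InstallCertificateToMyStore</c>; presumably identifies the requesting resource — confirm against that method.</param>
/// <returns>The newly created machine <see cref="X509Certificate2"/>.</returns>
/// <exception cref="ArgumentNullException">
/// Either argument is null. A null <paramref name="certificateCreationSettings"/> was previously reported as a
/// plain <see cref="ArgumentException"/>; the more specific type derives from it, so existing handlers still match.
/// </exception>
public static X509Certificate2 CreateAndInstallNonDefaultMachineCertificates(CertificateGenerator certificateGenerator, CertificateCreationSettings certificateCreationSettings, string resourceAddress)
{
    if (certificateCreationSettings == null)
    {
        throw new ArgumentNullException("certificateCreationSettings", "certificateCreationSettings cannot be null as we are creating a non default certificate");
    }

    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        Trace.WriteLine("[CertificateManager] Installing Non default Machine certificates to machine store.");

        var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
        var hostCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;

        // The issuing authority is installed before the host certificate so the chain is trusted when the
        // host certificate becomes visible.
        InstallCertificateToRootStore(rootCertificate);
        InstallCertificateToMyStore(hostCert, certificateCreationSettings.IsValidCert, resourceAddress);

        return hostCert;
    }
}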
/// <summary>
/// Creates, once per process, a certificate whose subjects are this machine's FQDN, its short hostname and
/// "localhost", and installs the authority certificate and the machine certificate into their stores.
/// </summary>
/// <param name="certificateGenerator">Generator that issues the certificate and supplies the authority certificate.</param>
/// <returns>
/// The machine <see cref="X509Certificate2"/> (the certificate object, not a thumbprint). It is cached in
/// <c>s_localCertificate</c>; later calls return the cached instance without generating anything.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="certificateGenerator"/> is null.</exception>
public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
{
    if (certificateGenerator == null)
    {
        throw new ArgumentNullException("certificateGenerator");
    }

    lock (s_certificateLock)
    {
        // Only the first caller to take the lock generates; generation is slow, so a cached result is reused.
        if (s_localCertificate == null)
        {
            Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");

            var authorityCert = certificateGenerator.AuthorityCertificate.Certificate;
            var machineFqdn = Dns.GetHostEntry("127.0.0.1").HostName;
            var shortName = machineFqdn.Split('.')[0];

            // One certificate for every name a client might use to reach this machine.
            var settings = new CertificateCreationSettings()
            {
                Subjects = new string[] { machineFqdn, shortName, "localhost" }
            };
            var machineCert = certificateGenerator.CreateMachineCertificate(settings).Certificate;

            // s_myCertificates keys by subject name: a later certificate for the same subject is not installed.
            InstallCertificateToRootStore(authorityCert);
            InstallCertificateToMyStore(machineCert, settings.IsValidCert);
            s_localCertificate = machineCert;
        }
    }

    return s_localCertificate;
}