Create and sign certificate

Question

I'm developing an API server that will take input from user for following information

"CN=ABC123,O=DEF,L=XYZ,S=CA,C=US,E=info@abc.com"

and create a signed developer's certificate using our root certificate. For making certificates using makecert.exe I've followed Creating self signed certificates with makecert.exe for development tutorial and created root certificate using following commands

makecert.exe ^
-n "CN=CARoot" ^
-r ^
-pe ^
-a sha512 ^
-len 4096 ^
-cy authority ^
-sv CARoot.pvk ^
CARoot.cer

pvk2pfx.exe ^
-pvk CARoot.pvk ^
-spc CARoot.cer ^
-pfx CARoot.pfx ^
-po Test123

in command prompt and it asks for certificate and private.key passwords in a prompt popup that is fine since this is one time process and I have done this manually

Where as for developers certificate I have used

Process.Start("makecert.exe",certCmd);

with the following in certCmd as string

makecert.exe ^
-n "CN=%1" ^
-iv CARoot.pvk ^
-ic CARoot.cer ^
-pe ^
-a sha512 ^
-len 4096 ^
-b 01/01/2014 ^
-e 01/01/2016 ^
-sky exchange ^
-eku 1.3.6.1.5.5.7.3.2 ^
-sv %1.pvk ^
%1.cer

pvk2pfx.exe ^
-pvk %1.pvk ^
-spc %1.cer ^
-pfx %1.pfx ^
-po Test123

now according to the documentation there is no -po parameter that is given in the above command and as a result it asks for password in the prompt that is an issue here

since this is an API and there will be no way to input the password in the prompt for private key

The other option is to use X509Certificate2 and bouncyCastle but not sure how to use them, any help will be appreciable

I want to keep it as simple as possible and that is the reason I went for makecert.exewith Process.Start()

Why can't you just send a newline down the `stdin` of `makecert.exe`? — Luke Joshua Park, May 04 '16 at 06:03

Luke Joshua Park · Answer 1 · 2016-05-04T06:11:04.947

2

If you want to produce your own certificates... I have used this code in the past to generate certificates on the fly. You will need to adjust it for your solution but it should give you everything you need. It uses Bouncy Castle.

public static X509Certificate GenerateRootCertificate(AsymmetricCipherKeyPair key, X509Name subjectAndIssuer, int serialNumber, int yearsValid)
    {
        X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
        Asn1SignatureFactory sig = new Asn1SignatureFactory("SHA256withRSA", key.Private, new SecureRandom());
        DateTime notBefore = DateTime.Now;
        DateTime notAfter = DateTime.Now.AddYears(yearsValid);

        gen.SetSerialNumber(BigInteger.ValueOf(serialNumber));
        gen.SetSubjectDN(subjectAndIssuer);
        gen.SetIssuerDN(subjectAndIssuer);
        gen.SetPublicKey(key.Public);

        gen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
        gen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.CrlSign | KeyUsage.KeyCertSign));
        gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(key.Public));
        gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(key.Public));

        gen.SetNotBefore(notBefore);
        gen.SetNotAfter(notAfter);

        return gen.Generate(sig);
    }

This would probably be a better way to go about it, gives you more control in the end.

EDIT: You can retrieve your public and private key by using this method, given that it is in PEM format:

public static object ReadObjectFromPEMFile(string fileName)
        {
            PemReader reader = new PemReader(new StreamReader(File.Open(fileName, FileMode.Open)));
            object r = reader.ReadObject();
            reader.Reader.Close();
            return r;
        }

Don't forget to cast the result to AsymmetricCipherKeyPair!

edited May 04 '16 at 06:11

answered May 04 '16 at 06:06

Luke Joshua Park

9,527
5
27
44

Thanks Luke, I know this function I have seen it before while google, the issue is I dont know how to convert my root certificate into `AsymmetricCipherKeyPair` – riksof-zeeshan May 04 '16 at 06:08
1

That's odd, was written by me. In what format is your root private key? See my edit. – Luke Joshua Park May 04 '16 at 06:10
Luke I have .cer certificate file that I will be needing to use to sign the clients/developer certificate – riksof-zeeshan May 04 '16 at 06:31
I will give a try to your suggestion and comeback to you – riksof-zeeshan May 04 '16 at 06:31
@riksof-zeeshan Are you sure your .cer file contains the *private key*? Generally the only certificates that contain private keys are PKCS12 files. .crt and .cer files tend to only contain public keys. – Luke Joshua Park May 04 '16 at 06:44
I'm not sure, the above root cert command creates `.cer` `.pvk` and `.pfx` files – riksof-zeeshan May 04 '16 at 10:48
The `.pfx` file is the one that contains the private key. You will need to retrieve it from there. – Luke Joshua Park May 04 '16 at 10:50
Common dude... please specify where to get the DLL – user1034912 Jan 24 '18 at 07:40
@user1034912 My answer clearly states that the code uses Bouncy castle. If you are incapable of Google searching then I'm afraid you are beyond my help. – Luke Joshua Park Jan 24 '18 at 07:42

score 1 · Answer 2 · answered May 04 '16 at 06:13

I agree with @LukeParks answer, that you should do that all in your own code, but if you still want to go with you current way, here is how:

You can redirect the StandardInput of the makecert process to pass the input directly to the program.

ProcessStartInfo procInf = new ProcessStartInfo("makecert.exe",certCmd)
{
    RedirectStandardOutput = true,
    RedirectStandardInput = true,
    RedirectStandardError = true,
    UseShellExecute = false,
    CreateNoWindow = true
};

Process makeCertProcess = Process.Start(procInf);

//Here is the "manual" input (timing doesn't matter)
pscp.StandardInput.WriteLine("password or whatever");

pscp.WaitForExit(TimeOut);

string errors = pscp.StandardError.ReadToEnd();
string output = pscp.StandardOutput.ReadToEnd();
int errorcode = pscp.ExitCode;

I have exactly followed what you have suggested above and added `processMakeCert.StandardInput.WriteLine(clientCertPass);` but it still asks for password in prompt popup — riksof-zeeshan, May 04 '16 at 07:40

score 0 · Answer 3 · edited May 23 '17 at 10:33

I have answered a very similar question some time ago. The question then was to

Generate self signed certificate on the fly

but later the question was modified to issue end entity certificates using before generated CA certificate. Hmm, it seems I have not renamed the method GenerateSelfSignedCertificate after the change. It should be named GenerateEndEntityCertificate because that's what it does.

Try to look at my answer here

Create and sign certificate

3 Answers3