
It looks like I can make a self-signed certificate in .NET Core pretty easily:

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// KeySize, distinguishedName, HashAlgorithm (a HashAlgorithmName) and
// CertificateLifespan are settings defined elsewhere in the calling code.
var rsa = RSA.Create(KeySize);
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithm,
    RSASignaturePadding.Pkcs1);
// End-entity certificate: not a CA, no path length constraint.
request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
request.CertificateExtensions.Add(new X509KeyUsageExtension(
    X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.DataEncipherment |
    X509KeyUsageFlags.NonRepudiation, false));

var cert = request.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.Add(CertificateLifespan));

...it also looks like I can store that certificate pretty easily:

// Add the certificate created above to the machine-wide personal store.
using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Close();

...but I don't see how to revoke that certificate. What needs to happen to render that certificate invalid?

Jeremy Holovacs
  • Does using [`X509Store.Remove`](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509store.remove?view=net-5.0) have the desired effect? – D M Feb 01 '21 at 16:40
  • ...it seems that would remove it from the store, but does that revoke it? – Jeremy Holovacs Feb 01 '21 at 16:44
  • What do you expect from revoking here? There is no CA for your certificate so no one to handle the revocation. – Ralf Feb 01 '21 at 16:52
  • I'm hoping to mark it as never usable again, in case it was somehow compromised or no longer necessary. – Jeremy Holovacs Feb 01 '21 at 16:53
  • Here's an answer about [hosting your own CRL](https://stackoverflow.com/a/41614516/14956277) and [building your own CRL](https://stackoverflow.com/a/52245274/14956277), but I'd assume that removing your custom certificate from your local store would invalidate it since your store is the only source from which it is available. – D M Feb 01 '21 at 17:00
  • If removing the certificate from your store doesn't work, it looks like you can set the certificate's [`X509RevocationMode`](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509revocationmode?view=net-5.0#fields) to `Offline` and use your own CRL to revoke it. – D M Feb 01 '21 at 17:04
  • Can someone come up with an attack vector that does not involve using a self-signed certificate at spots where you shouldn't use one? – Ralf Feb 01 '21 at 17:11
  • I don't know, but it seems like a bad idea to think "I can't think of how this certificate could be abused, so I'm not going to protect against it."... it could be harmless, but I'd rather err on the side of caution. – Jeremy Holovacs Feb 01 '21 at 17:25
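The comments above converge on the point that a self-signed certificate has no issuer, so there is nobody to publish a revocation for it: the usual answer is to run a small private CA, issue the service certificate from it, and publish a CRL from that CA when a key is compromised. The following is an added example (not the asker's code and not from any of the commenters) that does exactly that with the same .NET classes. It assumes .NET 7 or later, where `CertificateRevocationListBuilder` was introduced; the subject names, the CRL distribution point URL and the lifetimes are made up for the demo, and nothing is fetched from that URL.

```csharp
using System;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the asker's code. Requires .NET 7 or later, where
// CertificateRevocationListBuilder was introduced. Names, URL and lifetimes are made up.
public static class PrivateCaRevocationDemo
{
    // Hypothetical location where the CA would publish its CRL; nothing is fetched here.
    const string CrlUrl = "http://crl.internal.example/demo-ca.crl";

    public static void Main()
    {
        // 1. A self-signed *CA* certificate. Unlike a self-signed leaf, it has CA=true and
        //    may sign both certificates (KeyCertSign) and CRLs (CrlSign).
        using RSA caKey = RSA.Create(3072);
        var caReq = new CertificateRequest("CN=Demo Internal CA", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        // Subject Key Identifier: issued certificates and CRLs reference the CA through it.
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
        using X509Certificate2 ca = caReq.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(5));

        // 2. The service certificate is *issued by* the CA instead of being self-signed,
        //    and advertises where relying parties can fetch the CRL.
        using RSA leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=service.internal.example", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        leafReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        leafReq.CertificateExtensions.Add(
            CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(new[] { CrlUrl }));
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] = (byte)((serial[0] & 0x7F) | 0x40); // positive, non-zero leading byte
        using X509Certificate2 leaf = leafReq.Create(
            ca, DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1), serial);

        // 3. First CRL: nothing revoked yet.
        byte[] crl1 = new CertificateRevocationListBuilder().Build(
            ca, crlNumber: 1, nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
            hashAlgorithm: HashAlgorithmName.SHA256, rsaSignaturePadding: RSASignaturePadding.Pkcs1);
        Console.WriteLine($"Revoked per CRL #1: {IsRevoked(crl1, leaf)}"); // False

        // 4. Key compromise: add the serial and publish a new CRL with a higher CRL number.
        //    Load() keeps the existing entries so earlier revocations are not lost.
        var builder = CertificateRevocationListBuilder.Load(crl1, out BigInteger currentNumber);
        builder.AddEntry(leaf, DateTimeOffset.UtcNow, X509RevocationReason.KeyCompromise);
        byte[] crl2 = builder.Build(
            ca, crlNumber: currentNumber + 1, nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
            hashAlgorithm: HashAlgorithmName.SHA256, rsaSignaturePadding: RSASignaturePadding.Pkcs1);
        Console.WriteLine($"Revoked per CRL #2: {IsRevoked(crl2, leaf)}"); // True
    }

    // Checks whether a CRL lists the certificate's serial number. Load() re-parses the
    // entries and RemoveEntry() reports whether the serial was present. Load() takes no CA
    // certificate, so it cannot have checked the CRL signature: a production verifier must
    // verify the signature against the CA and honour thisUpdate/nextUpdate before trusting it.
    public static bool IsRevoked(byte[] crl, X509Certificate2 cert)
    {
        var parsed = CertificateRevocationListBuilder.Load(crl, out _);
        return parsed.RemoveEntry(cert.SerialNumberBytes.ToArray());
    }
}
```

In practice the CRL bytes would be served at the distribution point URL embedded in the leaf, and a relying party building an `X509Chain` with `RevocationMode` set to `Online` (or `Offline` with a previously cached copy) would fetch and apply it; `Offline` does not consult a CRL that was never fetched. Removing a certificate from the local `X509Store`, by contrast, only affects that one machine: any peer that already received and trusted the self-signed certificate is not told anything.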

0 Answers