hi I want to Create X509Certificate To Use in SslStream.AuthenticateAsServer() on windows 10 loopbak.
I try to Create Certificate with OpenSsl and Makecert Script but certificates not work.
please help me.
my Code :
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
RawStringData = RawStringData.Replace("CONNECT ", "GET https://");
RawStringData = RawStringData.Replace(":443", "/");
RawStringData = RawStringData.Replace("Proxy-Connection", "Connection");
RawByteArrayData = Encoding.ASCII.GetBytes(RawStringData);
Port = 443;
ServerSocket.Connect(HostEntry.AddressList[0], Port);
HttpsStream = new SslStream(new NetworkStream(ServerSocket));
HttpsStream.AuthenticateAsClient(Host);
HttpsStream.Write(RawByteArrayData);
int Count = HttpsStream.Read(NewData, 0, NewData.Length);
string pfxpath = #"D:\test.pfx";
X509Certificate2 cert = new X509Certificate2(File.ReadAllBytes(pfxpath));
byte[] pfxData = File.ReadAllBytes(pfxpath);
cert = new X509Certificate2(pfxData,"", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
X509Certificate x509 = store.Certificates.Find(X509FindType.FindByIssuerName, "localhost", false)[0];
ssl = new SslStream(new NetworkStream(A) , false , Verification , null );
ssl.AuthenticateAsServer(cert , false, System.Security.Authentication.SslProtocols.Tls, true);
ssl.Write(NewData);
Related
My websocket server is not starting. I cannot connect. But if I run program with admin rights It's working.
X509Certificate2 certificate = new X509Certificate2(Resource.UZCRYPTO);
using (X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadWrite);
if (!store.Certificates.Contains(certificate))
store.Add(certificate);
}
X509Certificate2 cert = new X509Certificate2(Resource._127_0_0_1, "1", X509KeyStorageFlags.MachineKeySet);
//WebCoket set
WebSocketServer wssv = new WebSocketServer(IPAddress.Parse("127.0.0.1"), 4141, true);
wssv.SslConfiguration.ServerCertificate = new X509Certificate2(cert);
wssv.SslConfiguration.EnabledSslProtocols = SslProtocols.Tls11 | SslProtocols.Tls12;
wssv.AddWebSocketService<WebSocketEcho>("/");
wssv.KeepClean = false;
wssv.Start();
I've been looking around the web and tested different solutions, but I still have not found a solution that can solve my problem.
I keep getting an exception, after adding my certificate with .CER extension. When attempting to invoke the web service from my console app, it fails with the message saying:
Could not establish a secure channel for ssl/tls.
Is it something I'm doing wrong in my code? Hope that I can get some help...
public void GetCVR()
{
string url = #"My url";
string certPath = #"My Path to the Certificate.cer";
ServicePointManager.ServerCertificateValidationCallback +=
(sender, certificate, chain, sslPolicyErrors) =>
{
switch (sslPolicyErrors)
{
case System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors:
case System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch:
case System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable:
break;
}
Console.WriteLine(sslPolicyErrors + " " + chain + " " + certificate);
Console.ReadLine();
return true;
};
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(new X509Certificate2(certPath));
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
var _client = new HttpClient(handler);
_client.DefaultRequestHeaders.Add("User-Agent", Guid.NewGuid().ToString());
_client.DefaultRequestHeaders.Add("Connection", "keep-alive");
_client.BaseAddress = new Uri(baseUrl);
_client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
HttpResponseMessage response = _client.GetAsync(url).Result;
}
}
Update 15-09-2019
Ok I change my code above and I add two methods:
private void AddCertificate(string cer)
{
X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile(cer)));
store.Close();
}
private X509Certificate2 GetMyCert()
{
string certThumbprint = "7a61a6fc";
X509Certificate2 cert = null;
// Load the certificate
var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = store.Certificates.Find
(
X509FindType.FindBySerialNumber,
certThumbprint,
false
);
if (certCollection.Count > 0)
{
cert = certCollection[0];
}
store.Close();
return cert;
}
So instead of:
handler.ClientCertificates.Add(new X509Certificate2(certPath));
I first add the certificate to the key store and then I retrieve it as follows.
In debug it looks fine.
X509Certificate2 cert = GetMyCert();
handler.ClientCertificates.Add(cert);
But it still fails with the message saying:
Could not establish a secure channel for ssl/tls.
How to create a self-signed certificate for development suitable to sign MimeKit Messages?
MimeKit has its own CmsSigner. When i try to load the certificate into MimeKit CmsSigner:
X509Certificate2 cert = new X509Certificate2(#"cert.pfx", "xpto", X509KeyStorageFlags.Exportable);
var signer = new MimeKit.Cryptography.CmsSigner(cert);
it throws:
'The certificate cannot be used for signing.'
The problem is that the default algorithm used by CmsSign has to be the same algorithm used to create the certificate key, in my case, SHA1.
Here how was loaded for an S/MIME certificate:
X509Certificate2 cert = new X509Certificate2(#"ca.p12", "xpto", X509KeyStorageFlags.Exportable);
var signer = new CmsSigner(cert);
signer.DigestAlgorithm = DigestAlgorithm.Sha1;
MultipartSigned.Create( signer, mimeMessage.Body);
var message = new MimeMessage() { ... };
// Load your x509 certificate
x509certificate2 cert = new x509certificate2("d:\\mycer.pfx", "123456789", x509keystorageflags.exportable);
// CmsSigner = CMS = Cryptographic Message Syntax = a standard syntax for storing signed and/or encrypted data
var signer = new cmssigner(cert);
signer.digestalgorithm = digestalgorithm.sha256;
// This will sign the message body using our certificate which includes our organisation name
// Needs this package to run: https://www.nuget.org/packages/System.Data.SQLite/
message.body = multipartsigned.create(signer, message.body);
// Getting the private key from the pfx file
// https://www.asptricks.net/2016/09/how-to-export-private-key-from.html
RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey;
AsymmetricCipherKeyPair keyPair = DotNetUtilities.GetRsaKeyPair(rsa);
var myCAprivateKey = keyPair.Private;
// Now sign the message with the private key only to authenticate DKIM
DkimSigner Signer = new DkimSigner(
myCAprivateKey,
"mydomain.com", // your domain name
"myDKIM") // The dkim selector on your domain's DNS (txt record)
{
HeaderCanonicalizationAlgorithm = DkimCanonicalizationAlgorithm.Relaxed,
BodyCanonicalizationAlgorithm = DkimCanonicalizationAlgorithm.Relaxed,
AgentOrUserIdentifier = "#mydomain.com", // your domain name
QueryMethod = "dns/txt",
SignatureAlgorithm = DkimSignatureAlgorithm.RsaSha1
};
Signer.Sign(message, headers);
// do your sending logic
Currently creating Certificate Authorities and Issued Certificates. The Generation of the request, enrollment and validation are all functional, but when I checked my certificate store, I realized, it was placing them in my personal certificate directory. For memory, security and legal reasons, I can't have that.
The certificates are stored in a secure remote database. The certificates may be randomly accessed or generated on a random machine from a collection. If they generate certificates, it will store them on whichever machine created the certificate. Is there a way to generate a certificate enrollment (CX509Enrollment) without any trace of the certificate being left on the machine afterwards?
The portion that controls enrollment is relatively small and straight forward. It can only be ran as an administrator. I assume that's because it's adding certificates to the store.
I'm currently running a separate project file to attempt to debug this issue.
Both my certificates are constructed and kept in memory.
static void Main(string[] args)
{
X509Certificate2 rootCert = CreateSelfSignedCertificate("testRoot");
X509Certificate2 signedChild = CreateSignedCertificate("testyMcTesterson", rootCert);
X509Chain chain = new X509Chain();
chain.ChainPolicy = new X509ChainPolicy()
{
RevocationMode = X509RevocationMode.NoCheck,
VerificationFlags = X509VerificationFlags.AllFlags,
UrlRetrievalTimeout = new TimeSpan(0, 1, 0)
};
chain.ChainPolicy.ExtraStore.Add(rootCert);
bool isValid = chain.Build(signedChild); //Is True :D
}
The certificates end up in my personal certificate store
My enrollment occurs in this method. It takes a fully contructed and encoded certificate request.
public static CX509Enrollment EnrollCertificateRequest(CX509CertificateRequestCertificate certRequest)
{
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(certRequest);
string csr = enroll.CreateRequest();
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");
return enroll;
}
EDIT
I'm currently limited to .NET 4.5.x.
Another problem I'm running into, is that trying to sign a certificate with a root will throw a CRYPT_E_NOT_FOUND exception.
There's probably not a way to do it with CX509Enroll. But you can possibly accomplish your goals with .NET Framework 4.7.2 and the CertificateRequest class.
using (RSA rsa = RSA.Create(2048))
{
CertificateRequest request = new CertificateRequest(
"CN=Your Name Here",
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName("your.name.here");
builder.AddDnsName("your.other.name.here");
request.CertificateExtensions.Add(builder.Build());
// Any other extensions you're supposed to request, like not being a CA.
request.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, false));
// TLS Server?
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.1")
},
false));
byte[] derEncodedRequest = request.CreateSigningRequest();
X509Certificate2 responseWithPrivateKey;
using (X509Certificate2 response = SendRequestToServerAndGetResponse(derEncodedRequest))
{
responseWithPrivateKey = response.CopyWithPrivateKey(rsa);
}
// Use it, save it to a PFX, whatever.
// At this point, nothing has touched the hard drive.
}
I figured it out without using enrollment and sticking to .NET 4.5.x.
I first create a RSACrytpoServiceProvider using CspParameters.
I then construct a private and public key from the RSACryptoServiceProvider. I create a certificate request and initiate from the private key. The certificate request is encoded and converted to raw data, then to bytes. The bytes are then used to create an X509Certificate2.
public static X509Certificate2 GenerateCertificate(string subjectName)
{
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_COMMA_FLAG);
//Create crytpo provider to generate an assymetric key
int KeyType = (int)X509ProviderType.XCN_PROV_RSA_SCHANNEL;
CspParameters cspParams = new CspParameters(KeyType);
cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
cspParams.KeyContainerName = Guid.NewGuid().ToString();
var rsa = new RSACryptoServiceProvider(2048, cspParams);
var CryptoProvider = rsa.CspKeyContainerInfo.ProviderName;
var keyContainerName = rsa.CspKeyContainerInfo.KeyContainerName;
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.MachineContext = true;
privateKey.ProviderName = CryptoProvider;
privateKey.ContainerName = keyContainerName;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
privateKey.Open();
keyContainerName = privateKey.ContainerName;
CX509PublicKey publicKey = privateKey.ExportPublicKey();
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
CX509CertificateRequestCertificate certRequest = new CX509CertificateRequestCertificate();
certRequest.InitializeFromPrivateKey(
X509CertificateEnrollmentContext.ContextMachine,
privateKey,
"");
certRequest.Subject = dn;
certRequest.NotBefore = DateTime.Now;
certRequest.NotAfter = DateTime.Now.AddYears(1);
certRequest.HashAlgorithm = hashobj;
certRequest.X509Extensions.Add((CX509Extension)eku);
certRequest.Encode();
return new X509Certificate2(
Convert.FromBase64String(certRequest.RawData), "",
X509KeyStorageFlags.Exportable)
{
PrivateKey = rsa,
FriendlyName = subjectName
};
}
To issue a cert. The same process is followed a CSignerCertificate is initiated and attached. But before that happens, I save the root certificate to the My, Local Machine Certificate Store. I then create a signed certificate using the root that was just added to the store. I then remove the certificate from the store.
Signing a Certificate Request
var dnSigner = new CX500DistinguishedName();
dnSigner.Encode("CN=" + signer.FriendlyName, X500NameFlags.XCN_CERT_NAME_STR_COMMA_FLAG);
string base64Root = Convert.ToBase64String(signer.RawData);
CSignerCertificate certSigner = new CSignerCertificate();
bool useMachineStore = ((ICspAsymmetricAlgorithm)signer.PrivateKey).CspKeyContainerInfo.MachineKeyStore;
certSigner.Initialize(useMachineStore, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_BASE64, base64Root);
certRequest.SignerCertificate = certSigner;
certRequest.Issuer = dnSigner;
static void Main(string[] args)
{
X509Certificate2 rootCert = GenerateCertificate("TEST_ROOT");
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(rootCert);
X509Certificate2 signedChild = GenerateUserCertificate("Testy McTesterson", rootCert);
store.Remove(rootCert);
store.Close();
}
A few important things to note:
This will only work with certain key usage and key spec flags
An X509Chain will still build and validate but it will recognize that the root is untrusted (Easy to bypass).
This is a followup to C# Generate a non self signed client CX509Certificate Request without a CA using the certenroll.dll
I am trying to create a client cert signed by my self signed CA, as in the above question. I can create the desired certs without issue using makecert.exe (they show as trusted). I attempting to do the same in C#. The certs are created and placed in the machine's My store. The self signed CA is also installed in the machine's Trusted store. When I open them, they say:
Windows does not have enough information to verify this certificate.
Help?
Code:
// create DN
var dn = new CX500DistinguishedName();
dn.Encode("CN=Demo Cert", X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create prvate key
var pk = new CX509PrivateKey();
pk.MachineContext = true;
pk.Length = 1024;
pk.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
pk.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
pk.Create();
// use SHA512
var hash = new CObjectId();
hash.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// EKU
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.2");
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Initialize the signer
var TheCA = GimmeTheCA(); // method returns my self signed CA as X509Certificate2
ISignerCertificate signer = new CSignerCertificate();
signer.Initialize(true, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, TheCA.GetRawCertDataString());
// Root Dn
var Rootdn = new CX500DistinguishedName();
Rootdn.Encode(TheCA.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// Cert Request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, pk, "");
cert.Subject = dn;
cert.Issuer = Rootdn;
cert.SignerCertificate = (CSignerCertificate)signer;
cert.NotBefore = DateTime.Now;
cert.NotAfter = new DateTime(2020, 1, 1);
cert.X509Extensions.Add((CX509Extension)eku);
cert.HashAlgorithm = hash;
cert.Encode();
// Enrollment
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert);
enroll.CertificateFriendlyName = "Intel IPT";
string csr = enroll.CreateRequest();
// Install
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot, csr, EncodingType.XCN_CRYPT_STRING_BASE64, "");
You may try :
pk.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
pk.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
Run the application with Elevated Privileges (run it as an Administrator).
Put a Copy of the CA certificate int the "Computer\Personal" ("MY") Store (but keep the original certificate in the "Computer\Trusted Root Cert. Auth." ("Root") Store)