How can I programmatically get when X509Certificate is revoked? I can get information if certificate is revoked, but i need to get when is revoked, i think that CRL list have that info, but can someone tell me how to read that.
Revocation status is checked by (a) obtaining CRL lists and checking if the certificate is listed there, and (b) sending an OCSP request to the server to check the same.
.NET doesn't let you do this. CryptoAPI might have some means for these operations, but the easiest is to use third-party library for .NET. BouncyCastle claims to have some support for OCSP and CRLs, and our SecureBlackbox provides complete support (both client and server components are available) for OCSP and CRL, and also we provide a component which performs complete certificate validation (with all CRL and OCSP checks and HTTP and LDAP communication when needed) with one method call.
The CRL is stored as an OID in the extensions property of the X509Certificate object. The OID FriendlyName and Value are 'CRL Distribution Points' and '2.5.29.31'. Searching the certificate's extensions for an OID with value 2.5.29.31, you can then parse the raw data and get the distribution point(s).
I found the following code sample here. I tested it on both publicly sign certs and internal Microsoft CA certs; it returns the URL or LDAP connection string.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace System.Security.Cryptography.X509Certificates
{
public static class X509Certificate2Extensions
{
/// <summary>
/// Returns an array of CRL distribution points for X509Certificate2 object.
/// </summary>
/// <param name="certificate">X509Certificate2 object.</param>
/// <returns>Array of CRL distribution points.</returns>
public static string[] GetCrlDistributionPoints(this X509Certificate2 certificate)
{
X509Extension ext = certificate.Extensions.Cast<X509Extension>().FirstOrDefault(
e => e.Oid.Value == "2.5.29.31");
if (ext == null || ext.RawData == null || ext.RawData.Length < 11)
return EmptyStrings;
int prev = -2;
List<string> items = new List<string>();
while (prev != -1 && ext.RawData.Length > prev + 1)
{
int next = IndexOf(ext.RawData, 0x86, prev == -2 ? 8 : prev + 1);
if (next == -1)
{
if (prev >= 0)
{
string item = Encoding.UTF8.GetString(ext.RawData, prev + 2, ext.RawData.Length - (prev + 2));
items.Add(item);
}
break;
}
if (prev >= 0 && next > prev)
{
string item = Encoding.UTF8.GetString(ext.RawData, prev + 2, next - (prev + 2));
items.Add(item);
}
prev = next;
}
return items.ToArray();
}
static int IndexOf(byte[] instance, byte item, int start)
{
for (int i = start, l = instance.Length; i < l; i++)
if (instance[i] == item)
return i;
return -1;
}
static string[] EmptyStrings = new string[0];
}
}
use this API from x509.h file use openssl 1.0 / or above version
X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
X in the certificate u want to check ;
Ret is the Address of the revocation structure where reason for the revocation and all stored
crl is the CRL .
For future readers.
As already was said, .NET currently do not expose public classes nor for X.509 certificate revocation lists, nor for OCSP messaging. Of course, you can write your own code or to use 3rd party libraries.
You can try my own CryptoAPI managed extensions from PowerShell PKI module project (PKI.Core.dll library). There is a support for X509 CRL managed class (built on top of CryptoAPI native functions): X509CRL2 class. RevokedCertificates property stores an array of revoked certificates. In addition, library includes OCSP messaging classes (completely managed) stored in PKI.OCSP namespace. If your certificate contains OCSP links in the AIA extension, then you can easyly construct OCSP request from X509Certificate2 object by instantiating OCSPRequest object and invoking OCSPRequest.SendRequest method. Return object is an instance of OCSPResponse class.
Basically, the code woul look as this:
using System;
using System.Security.Cryptography.X509Certificates;
using PKI.OCSP;
public class Class1 {
public static DateTime? GetrevocationDate(X509Certificate2 cert) {
OCSPRequest request = new OCSPRequest(cert);
OCSPResponse response = request.SendRequest();
if (response.Responses[0].CertStatus == CertificateStatus.Revoked) {
return response.Responses[0].RevocationInfo.RevocationDate;
}
return null;
}
}
NULL would mean that the certificate is not revoked.
with X509 CRL the code would look as this:
using System;
using System.Security.Cryptography.X509Certificates;
public class Class1 {
// crlRawData could a type of System.String and pass the path to a CRL file there.
public static DateTime? GetrevocationDate(X509Certificate2 cert, Byte[] crlRawData) {
X509CRL2 crl = new X509CRL2(crlRawData);
X509CRLEntry entry = crl.RevokedCertificates[cert.SerialNumber];
if (entry != null) {
return entry.RevocationDate;
}
return null;
}
}
I don't have the reputation to upvote #Hive's answer above but it was exactly what I needed, except for the language. I've posted my PowerShell port below:
$cert = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "SUBJECT NAME*"})
function IndexOfByte([byte[]]$instance, [byte]$item, [int]$start)
{
$len = $instance.Length
for ($i = $start; $i -lt $len; $i++) {
if ($instance[$i] -eq $item) { return $i }
}
return -1;
}
$crls = $cert.Extensions | ? { $_.Oid.FriendlyName -eq "CRL Distribution Points" }
$prev = -2;
[System.Collections.ArrayList]$items = #();
while ($prev -ne -1 -and $crls.RawData.Length -gt $prev + 1)
{
if($prev -eq -2) { $y = 8 } else {$y = $prev + 1}
$next = IndexOfByte -instance $crls.RawData -item 0x86 -start $y
if ($next -eq -1) {
if ($prev -ge 0) {
$item = [system.Text.Encoding]::UTF8.GetString($crls.RawData, $prev + 2, $crls.RawData.Length - ($prev + 2));
$items.Add($item);
}
break;
}
if ($prev -ge 0 -and $next -gt $prev) {
$item = [system.Text.Encoding]::UTF8.GetString($crls.RawData, $prev + 2, $next - ($prev + 2));
$items.Add($item);
}
$prev = $next;
}
Write-Host "Certificate CRLs: `n$($items | out-string)"
This could help you:
http://blogs.msdn.com/b/alejacma/archive/2010/05/10/how-to-get-info-from-client-certificates-issued-by-a-ca-c.aspx
Regards.
The first step is to extract the CRL distribution points from the certificate, and then match your certificate's serial number against the content of the CRL from the distribution point.
Here's an alternative way to extract the CRL distribution points with fewer magic numbers and bit twiddling. (tested in .NET Core 2.1)
var path = "<path to signed file>";
// get certificate
var cert = new X509Certificate2(path);
// extract the CRL distribution points information
var crlInfo = cert.Extensions["2.5.29.31"];
var crlDistribitionPoints = new AsnEncodedData(crlInfo.Oid, crlInfo.RawData).Format(false);
Console.Writeline(crlDistribitionPoints);
When you say revoked, do you mean invalid? If its revoked I wouldn't expect it to arrive at the request in your code as the web server will have got in the way first.
If you use the x509certificate2, which is derived from x509certificate, then you have a lot more properties which you can check; there are a number of examples on the link below.
http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.aspx
Related
first i'm an complete newby on c#, so im just searching on the web for posibilities
What i want to get: I want a button which retrieves a list of installed certificates in the personal store.
i tried already a little, but get messages about missing references etc. So i hope someone can give me a litte advice how to achieve this.
what i found on the web is:
using System.Security.Cryptography.X509Certificates;
public static X509Certificate2 selectCert(StoreName store, StoreLocation location, string windowTitle, string windowMsg)
{
X509Certificate2 certSelected = null;
X509Store x509Store = new X509Store(store, location);
x509Store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection col = x509Store.Certificates;
X509Certificate2Collection sel = X509Certificate2UI.SelectFromCollection(col, windowTitle, windowMsg, X509SelectionFlag.SingleSelection);
if (sel.Count > 0)
{
X509Certificate2Enumerator en = sel.GetEnumerator();
en.MoveNext();
certSelected = en.Current;
}
x509Store.Close();
return certSelected;
}
yours
(i use visual studio...)
Add a reference to System.Security.dll to use the X509Certificate2UI class.
you can use foreach
if (sel.Count > 0){
foreach(var cert in sel){
certSelected = cert ;
}
}
you can make it even shorte when using linq
using System.Linq;
...
if (sel.Count > 0){
return sel.FirstOrDefault();
}
I have existing ap.net c# website is working with mysql database. now i am planning to create mobile app for that website for that API needs to be ready.
I am creating an API into PHP Laravel Framework. for RegistrationAPI needs to generate password.
Asp.net using its inbuilt library for generating password like
WebSecurity.CreateUserAndAccount("username", "password");
it automatically generates password in table called "webpages_membership"
Note: I am using same database which is used by aps.net working website. so my website will be in asp.net and api will be now in php.
I found MembershipModel class in php which is used to compare two password but it can not generate password.
<?php
/*
* Author : Mr. Juned Ansari
* Date : 15/02/2017
* Purpose : It Handles Login Encryption And Decryption Related Activities
*/
class MembershipModel {
function bytearraysequal($source, $target) {
if ($source == null || $target == null || (strlen($source) != strlen($target)))
return false;
for ($ctr = 0; $ctr < strlen($target); $ctr++) {
if ($target[$ctr] != $source[$ctr])
return false;
}
return true;
}
//This Function is Used to verifypassword
function verifypassword($hashedPassword, $password) {
$PBKDF2IterCount = 1000; // default for Rfc2898DeriveBytes
$PBKDF2SubkeyLength = 32; // 256 bits
$SaltSize = 16; // 128 bits
if ($hashedPassword == null) {
return false;
//show_error("hashedPassword is null");
}
if ($password == null) {
return false;
//show_error("Password is null");
}
$hashedPasswordBytes = base64_decode($hashedPassword);
if (strlen($hashedPasswordBytes) != 48) {
return false;
}
$salt = substr($hashedPasswordBytes, 0, $SaltSize);
$storedSubkey = substr($hashedPasswordBytes, $SaltSize, $PBKDF2SubkeyLength);
$generatedSubkey = $this->encript('sha1', $password, $salt, $PBKDF2IterCount, $PBKDF2SubkeyLength, true);
return $this->bytearraysequal($storedSubkey, $generatedSubkey);
}
function encript($algorithm, $password, $salt, $count, $key_length, $raw_output = false) {
$algorithm = strtolower($algorithm);
if (!in_array($algorithm, hash_algos(), true))
return false;
//show_error('PBKDF2 ERROR: Invalid hash algorithm.');
if ($count <= 0 || $key_length <= 0)
return false;
//show_error('PBKDF2 ERROR: Invalid parameters.');
$hash_length = strlen(hash($algorithm, "", true));
$block_count = ceil($key_length / $hash_length);
$output = "";
for ($i = 1; $i <= $block_count; $i++) {
$last = $salt . pack("N", $i);
$last = $xorsum = hash_hmac($algorithm, $last, $password, true);
for ($j = 1; $j < $count; $j++) {
$xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
}
$output .= $xorsum;
}
return substr($output, 0, $key_length);
}
}
I have successfully created Login APi in PHP which is working fine using above class.
As all the comments are advising you, you’re probably doing it the hard way if you try to port this work over to PHP instead of letting PHP talk to the backend via some .NET component.
Nevertheless, if you’re set on porting it over, the code for WebSecurity.CreateUserAndAccount() is available on GitHub. As you can see, it leans on the currently-configured membership provider's implementation of that method.
For SimpleMembershipProvider, the implementation is very simple. Here’s the important bit:
CreateUserRow(db, userName, values);
return CreateAccount(userName, password, requireConfirmation);
CreateUserRow() isn't very interesting or surprising, but CreateAccount() is responsible for the part I think you care about.
There are two parts that you'd need to port to PHP; Crypto.HashPassword() and GenerateToken(). Since you're calling WebSecurity.CreateUserAndAccount() with only two parameters, you can ignore the GenerateToken() part (since requireConfirmation defaults to false).
Here's the source code for Crypto.HashPassword(). As per its comment, it performs:
PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
(See also: SDL crypto guidelines v5.1, Part III)
Format: { 0x00, salt, subkey }
…using the System.Security.Cryptography.Rfc2898DeriveBytes() method.
Which leads us to this directly related existing Stack Overflow answer, which I think gives you what you want.
All, I run into an issue where the service account my ASP.NET web forms application (.Net Framework 4.6.1) runs under cannot load the X509Certificate(.pfx) from the personal store on the windows 2012 R2 server .Here is how I imported the certificate to the certificate store
I Logged into the server using the service account(domain\username) ,used mmc snap in to import the certificate to Current User Personal Certificate Store (please see screenshot at the end)
This is the code I am using to load the certificate in C#.But the certificate
is null
public X509Certificate2 Load()
{
X509Certificate2 x509Certificate = null;
var store = new X509Store(StoreName.My,StoreLocation.CurrentUser);
string thumbPrint = StripTheSpacesAndMakeItUpper(ConfigurationManager.AppSettings["pfxthumbPrint"]);
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates;
foreach (var x509 in certCollection)
{
if (x509.Thumbprint.Equals(thumbPrint))
{
x509Certificate = x509;
break;
}
}
store.Close();
return x509Certificate;
}
private string StripTheSpacesAndMakeItUpper(string thumbPrint)
{
if(!string.IsNullOrWhiteSpace(thumbPrint))
{
return Regex.Replace(thumbPrint, #"\s|\W", "").ToUpper();
}
return thumbPrint;
}
Any suggestions on why the method Load returns null ?
]3
I don't know how you set the value of ConfigurationManager.AppSettings["pfxthumbPrint"]. I guess you double clicked the certificate in your CurrentUser store and copied the thumbprint from the Details tab, right? If that is the case, you copied also one invisible character from the beginning of the thumbprint.
The saddest thing is that this character (I don't know what it is) is not visible in your app.config/web.config. The only way to get rid of if is to delete the first quote character with the first character of the thumbprint and type them in again manually. Or delete entire thumbprint and the quotes and type them again if you wish.
Instead of
if (x509.Thumbprint.Equals(x509CertificateFriendlyName))
Shouldn't it be
if (x509.Thumbprint.Equals(thumbPrint))
...?
Also, you appear to have x509Certificate declared as a local variable and then you discard it. Did you intend to assign the value to an instance variable perhaps? I don't even see a return statement.
Also, you're not disposing your store, although that probably isn't the cause of your issue.
Here's a different version that addresses these issues, and will also eliminate any invisible characters in the configuration entry (see pepo's answer for why).
public X509Certificate2 Load()
{
var thumbPrintFromConfig = ConfigurationManager.AppSettings["pfxthumbPrint"]
var thumbPrint = Regex.Replace(thumbPrintFromConfig.ToUpper(),"[^A-F0-9]",""); //Keep only hex digits
return Load(thumbPrint);
}
private X509Certificate2 Load(string thumbPrint)
{
using (var store = new X509Store(StoreName.My,StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadOnly);
var cert = store
.Certificates
.OfType<X509Certificate2>()
.Where(x => x.Thumbprint == thumbPrint)
.Single();
store.Close();
return cert;
}
}
I need to send data to a webservice everyday so I made a scheduled task that runs my code. The problem is the webservice requires a certificate with a PIN code. I have attached the certificate but I can't find a way to set the PIN to it, therefor it shows a popup everytime to enter it manually.
Here is my code for the certificate:
private void SendData(string data)
{
using (SerWSService webService = new SerWSService())
{
string certificateSN = "serial number for the certificate";
webService.ClientCertificates.Add(FindCertificate(certificateSN));
webService.SendData(data);
}
}
private X509Certificate2 FindCertificate(string certserial)
{
X509Certificate2 WPE_UserCert = null;
X509Store wstore = default(X509Store);
wstore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
wstore.Open(OpenFlags.ReadOnly);
var wcerts = wstore.Certificates;
foreach (var wcert in wcerts)
{
if (wcert.SerialNumber.ToUpper() == certserial.Replace(" ", "").ToUpper())
{
WPE_UserCert = wcert;
break;
}
}
wstore.Close();
if (WPE_UserCert != null)
{
//TO DO: add PIN code to certificate
}
return WPE_UserCert;
}
Is there any way I can set the PIN to the certificate?
No, because certificates don't have PINs; (private) keys do.
If you are finding a certificate with a private key and you pass that certificate to a class that expects the unified pair (e.g. SslStream, HttpClient) then there's no real/good solution.
If you are using the private key yourself, you have some leeway:
using (RSA rsa = cert.GetRSAPrivateKey())
{
RSACng rsaCng = rsa as RSACng;
RSACryptoServiceProvider rsaCsp = rsa as RSACryptoServiceProvider;
if (rsaCng != null)
{
// Set the PIN, an explicit null terminator is required to this Unicode/UCS-2 string.
byte[] propertyBytes;
if (pin[pin.Length - 1] == '\0')
{
propertyBytes = Encoding.Unicode.GetBytes(pin);
}
else
{
propertyBytes = new byte[Encoding.Unicode.GetByteCount(pin) + 2];
Encoding.Unicode.GetBytes(pin, 0, pin.Length, propertyBytes, 0);
}
const string NCRYPT_PIN_PROPERTY = "SmartCardPin";
CngProperty pinProperty = new CngProperty(
NCRYPT_PIN_PROPERTY,
propertyBytes,
CngPropertyOptions.None);
rsaCng.Key.SetProperty(pinProperty);
}
else if (rsaCsp != null)
{
// This is possible, but painful.
// Copy out the CspKeyContainerInfo data into a new CspParameters,
// build the KeyPassword value on CspParameters,
// Dispose() the existing instance,
// and open a new one to replace it.
//
// But if you really called GetRSAPrivateKey() and it has returned an RSACng for
// your device once, it pretty much will forever (until the next
// new RSA type for Windows is invented... at which point it still
// won't return an RSACryptoServiceProvider).
}
else
{
// No other built-in RSA types support setting a PIN programmatically.
}
// Use the key here.
// If you needed to return it, don't put it in a using :)
}
In the case of a CSP private key use CryptAcquireCertificatePrivateKey to acquire CryptoProv handle and then use CryptSetProvParam(h,PP_SIGNATURE_PIN,pin,0) to set the PIN.
I have identified an issue related to building apps that use C:\Windows\System32\CertEnroll.dll as a reference.
The following code works fine when compiled using VS 2015 on Windows 7 and then ran on a Windows 7 machine.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using CERTENROLLLib;
namespace CertTest
{
class Program
{
static void Main(string[] args)
{
try
{
CX509PrivateKey key = new CX509PrivateKey();
key.ContainerName = Guid.NewGuid().ToString();
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
}
}
When you try and compile this in Windows 10 and then try and run it on a Windows 7 machine, it throws the following error.
"Unable to cast COM object of type 'System.__ComObject' to interface type 'CERTENROLLLib.CX509PrivateKey'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{728AB362-217D-11DA-B2A4-000E7BBB2B09}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE))."
I have had several people here replicate it and I'd like to get more input before contacting Microsoft on what's going on here.
I guess my question is: Can anybody else confirm this or if it's confirmed they broke backward compatibilty?
Somehow the Interface Implementation on CertEnroll.dll changed between "vanilla" Windows 2008 and Windows 2008 R2. I guess it is the same with some Windows 7 builds. To get it (halfway) working, you have to instantiate the classes with Activator.CreateInstance(Type.GetTypeFromProgID(<TypeName>);
This will cause the system to look up the references in HKLM:\SOFTWARE\Classes\Interface\ to get the right class for you.
Working Example:
(Part of this code was used from https://stackoverflow.com/a/13806300/5243037)
using System;
using System.Collections.Generic;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using CERTENROLLLib;
/// <summary>
/// Creates a self-signed certificate in the computer certificate store MY.
/// Issuer and Subject are computername and its domain.
/// </summary>
/// <param name="friendlyName">Friendly-name of the certificate</param>
/// <param name="password">Password which will be used by creation. I think it's obsolete...</param>
/// <returns>Created certificate</returns>
/// <remarks>Base from https://stackoverflow.com/a/13806300/5243037 </remarks>
public static X509Certificate2 CreateSelfSignedCertificate(string friendlyName, string password)
{
// create DN for subject and issuer
var dnHostName = new CX500DistinguishedName();
// DN will be in format CN=machinename, DC=domain, DC=local for machinename.domain.local
dnHostName.Encode(GetMachineDn());
var dnSubjectName = dnHostName;
//var privateKey = new CX509PrivateKey();
var typeName = "X509Enrollment.CX509PrivateKey";
var type = Type.GetTypeFromProgID(typeName);
if (type == null)
{
throw new Exception(typeName + " is not available on your system: 0x80040154 (REGDB_E_CLASSNOTREG)");
}
var privateKey = Activator.CreateInstance(type) as IX509PrivateKey;
if (privateKey == null)
{
throw new Exception("Your certlib does not know an implementation of " + typeName +
" (in HKLM:\\SOFTWARE\\Classes\\Interface\\)!");
}
privateKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
privateKey.ProviderType = X509ProviderType.XCN_PROV_RSA_AES;
// key-bitness
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;
privateKey.MachineContext = true;
// Don't allow export of private key
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
// use is not limited
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds { oid };
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// add all IPs of current machine as dns-names (SAN), so a user connecting to our wcf
// service by IP still claim-trusts this server certificate
var objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();
{
var altNames = new CAlternativeNames();
var dnsHostname = new CAlternativeName();
dnsHostname.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, Environment.MachineName);
altNames.Add(dnsHostname);
foreach (var ipAddress in Dns.GetHostAddresses(Dns.GetHostName()))
{
if ((ipAddress.AddressFamily == AddressFamily.InterNetwork ||
ipAddress.AddressFamily == AddressFamily.InterNetworkV6) && !IPAddress.IsLoopback(ipAddress))
{
var dns = new CAlternativeName();
dns.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, ipAddress.ToString());
altNames.Add(dns);
}
}
objExtensionAlternativeNames.InitializeEncode(altNames);
}
// Create the self signing request
//var cert = new CX509CertificateRequestCertificate();
typeName = "X509Enrollment.CX509CertificateRequestCertificate";
type = Type.GetTypeFromProgID(typeName);
if (type == null)
{
throw new Exception(typeName + " is not available on your system: 0x80040154 (REGDB_E_CLASSNOTREG)");
}
var cert = Activator.CreateInstance(type) as IX509CertificateRequestCertificate;
if (cert == null)
{
throw new Exception("Your certlib does not know an implementation of " + typeName +
" (in HKLM:\\SOFTWARE\\Classes\\Interface\\)!");
}
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dnSubjectName;
cert.Issuer = dnHostName; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now.AddDays(-1);
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = DateTime.Now.AddYears(1);
cert.X509Extensions.Add((CX509Extension)eku); // add the EKU
cert.X509Extensions.Add((CX509Extension)objExtensionAlternativeNames);
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
//var enroll = new CX509Enrollment();
typeName = "X509Enrollment.CX509Enrollment";
type = Type.GetTypeFromProgID(typeName);
if (type == null)
{
throw new Exception(typeName + " is not available on your system: 0x80040154 (REGDB_E_CLASSNOTREG)");
}
var enroll = Activator.CreateInstance(type) as IX509Enrollment;
if (enroll == null)
{
throw new Exception("Your certlib does not know an implementation of " + typeName +
" (in HKLM:\\SOFTWARE\\Classes\\Interface\\)!");
}
// Use private key to initialize the certrequest...
enroll.InitializeFromRequest(cert);
enroll.CertificateFriendlyName = friendlyName; // Optional: add a friendly name
var csr = enroll.CreateRequest(); // Output the request in base64 and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, csr,
EncodingType.XCN_CRYPT_STRING_BASE64, password);
// This will fail on Win2k8, some strange "Parameter is empty" error... Thus we search the
// certificate by serial number with the managed X509Store-class
// // output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
//var base64Encoded = enroll.CreatePFX(password, PFXExportOptions.PFXExportChainNoRoot, EncodingType.XCN_CRYPT_STRING_BASE64);
//return new X509Certificate2(Convert.FromBase64String(base64Encoded), password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
var certFs = LoadCertFromStore(cert.SerialNumber);
if (!certFs.HasPrivateKey) throw new InvalidOperationException("Created certificate has no private key!");
return certFs;
}
/// <summary>
/// Converts Domain.local into CN=Domain, CN=local
/// </summary>
private static string GetDomainDn()
{
var fqdnDomain = IPGlobalProperties.GetIPGlobalProperties().DomainName;
if (string.IsNullOrWhiteSpace(fqdnDomain)) return null;
var context = new DirectoryContext(DirectoryContextType.Domain, fqdnDomain);
var d = Domain.GetDomain(context);
var de = d.GetDirectoryEntry();
return de.Properties["DistinguishedName"].Value.ToString();
}
/// <summary>
/// Gets machine and domain name in X.500-format: CN=PC,DN=YourFirm,DN=local
/// </summary>
private static string GetMachineDn()
{
var machine = "CN=" + Environment.MachineName;
var dom = GetDomainDn();
return machine + (string.IsNullOrWhiteSpace(dom) ? "" : ", " + dom);
}
/// <summary>
/// Load a certificate by serial number from computer.my-store
/// </summary>
/// <param name="serialNumber">Base64-encoded certificate serial number</param>
private static X509Certificate2 LoadCertFromStore(string serialNumber)
{
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.MaxAllowed);
try
{
// serialnumber from certenroll.dll v6 is a base64 encoded byte array, which is reversed.
// serialnumber from certenroll.dll v10 is a base64 encoded byte array, which is NOT reversed.
var serialBytes = Convert.FromBase64String(serialNumber);
var serial = BitConverter.ToString(serialBytes.ToArray()).Replace("-", "");
var serialReversed = BitConverter.ToString(serialBytes.Reverse().ToArray()).Replace("-", "");
var serverCerts = store.Certificates.Find(X509FindType.FindBySerialNumber, serial, false);
if (serverCerts.Count == 0)
{
serverCerts = store.Certificates.Find(X509FindType.FindBySerialNumber, serialReversed, false);
}
if (serverCerts.Count == 0)
{
throw new KeyNotFoundException("No certificate with serial number <" + serial + "> or reversed serial <" + serialReversed + "> found!");
}
if (serverCerts.Count > 1)
{
throw new Exception("Found multiple certificates with serial <" + serial + "> or reversed serial <" + serialReversed + ">!");
}
return serverCerts[0];
}
finally
{
store.Close();
}
}
Remarks
So why did I write "halfway"? There is a problem with certenroll.dll V. 6, which causes the build to fail on cert.InitializeFromPrivateKey. In certenroll.dll V 6.0, the second parameter must be of type "CX509PrivateKey", whereas on Win10 machines with Certenroll.dll V 10, it's IX509PrivateKey:
error CS1503: Argument 2: cannot convert from 'CERTENROLLLib.IX509PrivateKey' to 'CERTENROLLLib.CX509PrivateKey'
So you would think: Yea, simply "cast" the privateKey in the above example to CX509PrivateKey on Activator.CreateInstance. The Problem here is, it will compile, but on vanilla Win2k8 it will not give you the class (CX509...) but the Interface (IX509...), and thus the cast fails and returns null.
We've solved this issue by compiling the certenrollment function in a seperate project on a machine with certenroll.dll V 10. It compiles fine and works in Win2k8, too. It's never-the-less a bit annoying to have it in a seperate project, since the build will fail on our buildserver with certenroll.dll V 6.
These are the steps from Microsoft to resolve this issue
If you use Windows 10 solely as your build environment then the executable would run on downlevel OSes, however if you really just want to have a project that you can compile anywhere and run anywhere then the only solution is to create your own interop DLL that you include in the project folder. You would have to generate it on Windows 7 first and reference that DLL.
Tlbimp.exe CertEnroll_Interop c:\Windows\System32\CertEnroll.dll
This generates a CertEnroll_Interop.dll file that you can copy to your project folder and then browse to in your project. Of course you would need the using “using CertEnroll_Interop;” statement.
You can build the project on Windows 10 and have it run on Windows 7 and Windows 8.1 and any other combination.
I had the same problem, my development machine is running on windows 10 and the build server windows 8.1.
But since c# has the ability of reflection and dynamic types, i now first analyze which types the InitializeFromPrivateKey method takes as parameters(I separated it from the actually certificate code by creating a method).
private static bool IsCompiledOnWin10AndAbove()
{
var typeOfMethod = typeof(IX509CertificateRequestPkcs10);
var methodType = typeOfMethod.GetMethod("InitializeFromPrivateKey", new Type[] { typeof(X509CertificateEnrollmentContext), typeof(CX509PrivateKey), typeof(string) });
var methodeParameters = methodType.GetParameters();
return methodeParameters[1].ParameterType != typeof(CX509PrivateKey);
}
And then use a dynamic type dependent on which type the second parameter is.
dynamic privateKeyCorrectType;
if (IsCompiledOnWin10AndAbove()) // win 10 and above compiled
{
privateKeyCorrectType= privateKey;
}
else // below win 10 compiled
{
privateKeyCorrectType= (CX509PrivateKey)privateKey;
}
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKeyCorrectType, "");