Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
376 views
in Technique[技术] by (71.8m points)

iis 7 - Generating X509Certificate2 object using C#

I have to generate a X509Certificate2 certficate at runtime from my web application and store it in my database in bytes format. I am using the solution provided here. Using this solution you may be able to generate the certificate but it will also create it in the machine certificate store. I don't need the certificate to be present in the machine certificate store so i delete it from the certificate store after I get the X509Certificate2 object.

Additionally, as my web application is running under IIS_IUSRS account it did not allow me to create certficates using MachineContext initially so I had to do it under UserContext. To create certficates even under UserContext there is an app-pool property called 'Load User Profile' which should be set to true. Now I am able to get the desired results but I want to check if there are any problems with the approach or in setting 'Load User Profile' to true in the IIS.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

If you're able to switch to .NET Core, the 2.0 preview is out and has an in-box solution to certificate creation.

using System.Security.Cryptography.X509Certificates;

...

private static X509Certificate2 MakeLocalhostCert()
{
    using (ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP384))
    {
        var request = new CertificateRequest(
            "CN=localhost",
            key,
            HashAlgorithmName.SHA384);

        request.CertificateExtensions.Add(
            new X509BasicConstraintsExtension(false, false, 0, true));

        const X509KeyUsageFlags endEntityTypicalUsages =
            X509KeyUsageFlags.DataEncipherment |
            X509KeyUsageFlags.KeyEncipherment |
            X509KeyUsageFlags.DigitalSignature |
            X509KeyUsageFlags.NonRepudiation;

        request.CertificateExtensions.Add(
            new X509KeyUsageExtension(endEntityTypicalUsages, true));

        var sanBuilder = new SubjectAlternativeNameBuilder();
        sanBuilder.AddDnsName("localhost");
        sanBuilder.AddIpAddress(IPAddress.Loopback);
        sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);

        request.CertificateExtensions.Add(sanBuilder.Build());

        request.CertificateExtensions.Add(
            new X509EnhancedKeyUsageExtension(
                new OidCollection
                {
                    // server authentication
                    new Oid("1.3.6.1.5.5.7.3.1"),
                },
                false));

        DateTimeOffset now = DateTimeOffset.UtcNow;

        return request.CreateSelfSigned(now, now.AddDays(90));
    }
}

There's a breaking change to certificates for RSA keys post-preview1, an RSASignaturePadding required parameter was added to the CertificateRequest ctor for RSA.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...