Create Self Signed Certificate
A self-signed certificate is a certificate signed with the private key corresponding to the certificate's own public key; usually the subject and the issuer details are the same. All root Certificate Authority certificates are self-signed.
In order to create a self-signed certificate we need a public key, its corresponding private key and, of course, a Properties (X509Name) instance holding the owner details:
C# example

using DidiSoft.OpenSsl;
using DidiSoft.OpenSsl.Rsa;
using DidiSoft.OpenSsl.X509;

OpenSslRsa rsa = new OpenSslRsa();
KeyPair keypair = rsa.GenerateRsaKeyPair(KeyLength.Length2048);
// certificate owner details
X509Name certificateProperties = new X509Name() { CN = "My Test Name" };
Certificate cert = Certificate.CreateSelfSignedCertificate(keypair.Public, keypair.Private, certificateProperties);
VB.NET example

Imports DidiSoft.OpenSsl
Imports DidiSoft.OpenSsl.Rsa
Imports DidiSoft.OpenSsl.X509

Dim rsa As New OpenSslRsa()
Dim keypair As KeyPair = rsa.GenerateRsaKeyPair(KeyLength.Length2048)
' certificate owner details
Dim certificateProperties As New X509Name() With {.CommonName = "My Test Name"}
Dim cert As Certificate = Certificate.CreateSelfSignedCertificate(keypair.Public, keypair.Private, certificateProperties)
This is just a basic example for quickly creating a self-signed X.509 certificate. Check the more extended examples to find out how to customize the additional details that can be stored inside a certificate.
Verifying a certificate
Verifying a certificate means checking the digital signature inside it against a public key, usually the one embedded in the issuer's certificate.
Check the dedicated chapter for examples on Certificate Verification.
Certificate details
In addition to the certificate owner (Subject) properties, other details are stored inside a certificate as well. In short, there are four groups of information details. First, load the certificate:

Certificate cert = Certificate.Load("my.cert");

Information for the certificate (subject properties, serial number, validity period, version, etc.)

string serialNumber = cert.SerialNumber;
string thumbprint = cert.GetThumbprint();
string keyId = cert.GetSubjectKeyIdentifier();
Properties subject = cert.Subject;

Information for the issuer (issuer properties, issuer key identifier)

string issuerKeyId = cert.GetAuthorityKeyIdentifier();
string issuedTo = cert.Subject.CommonName;
string issuedFrom = cert.Issuer.CommonName;
X509Name issuer = cert.Issuer;
Allowed usages of the certificate
A certificate's public key and its corresponding private key may be limited to particular uses by special settings called Key Usages stored inside the certificate. For example, in order to limit the certificate to data signing only, only KeyUsages.DigitalSignature will be present.
Here is how to list the allowed key usages for a certificate:
C# example:

KeyUsages[] usages = cert.GetKeyUsages();
// if nothing is specified, all key usages are allowed
bool allUsagesAllowed = (usages.Length == 0);
// Print allowed key usages
foreach (KeyUsages usage in usages)
{
    Console.WriteLine(usage);
}
VB.NET example

Dim usages As KeyUsages() = cert.GetKeyUsages()
' if nothing is specified, all key usages are allowed
Dim allUsagesAllowed As Boolean = (usages.Length = 0)
' Print allowed key usages
For Each usage As KeyUsages In usages
    Console.WriteLine(usage)
Next
Information for the Certificate Authority
A Certificate Authority usually stores additional information about itself inside the certificates it issues. This information lets the people to whom the certificate is distributed know how to contact the issuing Certificate Authority for further details. Of course, all of these methods may return null if there is no such information.
Especially valuable is the location of the CRL (Certificate Revocation List) and of the OCSP (Online Certificate Status Protocol) endpoint:

string urlOfCACertificate = cert.GetUrlOfCACertificate();
string urlOfCAPoliciesDocument = cert.GetUrlOfCertificatePolicies();
string urlOfCRL = cert.GetUrlOfCrlList();
string urlOfOCSP = cert.GetUrlOfOcsp();
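The three checks below tie the details above together: the self-signed definition from the start of the chapter (issuer equals subject, signing key equals the certificate's own key), the rule that an empty key-usage list permits every usage, and the presence of a revocation endpoint. This is an added example, not code from the DidiSoft library or its documentation; it uses only the Certificate methods shown on this page, the class name CertificateChecks and the path "my.cert" are placeholders, and the name comparison is by CommonName only.

```csharp
using System;
using System.Linq;
using DidiSoft.OpenSsl.X509;

// Added example: defensive checks built from the certificate details shown above.
public static class CertificateChecks
{
    // A self-signed certificate is issued by its own subject: the issuer name matches
    // the subject name and, when both key identifiers are present, the Authority Key
    // Identifier equals the Subject Key Identifier. This is a structural hint only;
    // the signature itself must still be verified (see the Certificate Verification chapter).
    public static bool LooksSelfSigned(Certificate cert)
    {
        bool sameName = cert.Subject.CommonName == cert.Issuer.CommonName;
        string ski = cert.GetSubjectKeyIdentifier();
        string aki = cert.GetAuthorityKeyIdentifier();
        bool sameKeyId = ski == null || aki == null || ski == aki;
        return sameName && sameKeyId;
    }

    // GetKeyUsages() returns an empty array when no Key Usage settings are present,
    // which means every usage is permitted; otherwise the required usage must be listed.
    public static bool AllowsUsage(Certificate cert, KeyUsages required)
    {
        KeyUsages[] usages = cert.GetKeyUsages();
        return usages.Length == 0 || usages.Contains(required);
    }

    // Revocation status can only be checked when the issuing CA published at least one
    // CRL or OCSP location; both methods return null when the information is absent.
    public static bool HasRevocationEndpoint(Certificate cert)
    {
        return !string.IsNullOrEmpty(cert.GetUrlOfCrlList())
            || !string.IsNullOrEmpty(cert.GetUrlOfOcsp());
    }

    public static void Main(string[] args)
    {
        // "my.cert" is a placeholder for a certificate file on disk
        Certificate cert = Certificate.Load("my.cert");
        Console.WriteLine("Self-signed: " + LooksSelfSigned(cert));
        Console.WriteLine("May sign data: " + AllowsUsage(cert, KeyUsages.DigitalSignature));
        Console.WriteLine("Revocation endpoint published: " + HasRevocationEndpoint(cert));
    }
}
```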
Public key
The public key stored inside an X.509 certificate can be obtained with:

DidiSoft.OpenSsl.PublicKey pubKey = cert.SubjectPublicKey;

Afterwards the key can be stored or used for other purposes.
Interoperability with X509Certificate2
In places where the library must interoperate with the default .NET cryptography code, we can convert certificates to and from System.Security.Cryptography.X509Certificate and System.Security.Cryptography.X509Certificate2 class instances like this:

System.Security.Cryptography.X509Certificate cert1 = ...
System.Security.Cryptography.X509Certificate2 cert2 = ...

DidiSoft.OpenSsl.X509.Certificate mycert1 = new DidiSoft.OpenSsl.X509.Certificate(cert1);
DidiSoft.OpenSsl.X509.Certificate mycert2 = new DidiSoft.OpenSsl.X509.Certificate(cert2);

cert1 = mycert1.ToX509Certificate();
cert2 = mycert2.ToX509Certificate2();
Of course, the value of the X509Certificate2 class is in its capability to also hold the corresponding private key. In that case, we can create such an instance with the ToX509Certificate2 overload that takes the private key and a password:

// note: 1024-bit RSA keys are below current recommendations; use KeyLength.Length2048 or larger in production
DidiSoft.OpenSsl.KeyPair key = DidiSoft.OpenSsl.KeyPair.GenerateKeyPair(KeyAlgorithm.Rsa, KeyLength.Length1024);
var properties = new DidiSoft.OpenSsl.X509.X509Name() { CN = "MyCN" };
var newCert = DidiSoft.OpenSsl.X509.Certificate.CreateSelfSignedCertificate(key.Public, key.Private, properties);
// the password protects the private key carried inside the resulting X509Certificate2
System.Security.Cryptography.X509Certificate2 cert2 = newCert.ToX509Certificate2(key.Private, "SomeSecureString");
Summary
This chapter introduced the DidiSoft.OpenSsl.X509.Certificate class and illustrated basic usage scenarios with it.
From here you may check the other chapters dedicated to X.509 certificate creation and verification, CSR, and Certificate Authority.