Reputation: 6658
I'm trying to create an RSA keypair that I can use with System.Security.Cryptography.X509Certificates.X509Certificate2 using OpenSSL.
The PFX I've managed to generate gives me the stack trace below.
# create a private key, unencrypted (I realize this is not best practice)
openssl genrsa -out private.pem 2048
# create a public key from the private key
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
# create a certificate file from the private key
openssl req -x509 -key private.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=Colorado/L=Colorado Springs/O=Contoso/OU=Security/CN=mypurpose.contoso.org"
# create a pfx file using the self-signed certificate (prompts for a password to secure the PKCS #12 file)
openssl pkcs12 -in cert.pem -inkey private.pem -export -out combined.pfx
Trying to instantiate the X509Certificate2 instance with:
new X509Certificate2(@"C:\path\to\combined.pfx", "password", X509KeyStorageFlags.Exportable);
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
at Program.Main()
Upvotes: 2
Views: 4293
Reputation: 6658
The stack trace is telling me everything.
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
This means that there's no CERTIFICATE in my PFX file, because I used -nocerts in the openssl pkcs12 command.
A pkcs12 file really wants to contain something besides just a Private/Public Key. It wants an X.509 certificate, which is:
"In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust." (PKCS 12)
This is the final command that worked the way I wanted it to:
openssl pkcs12 -in cert.pem -inkey private.pem -export -clcerts -out combined.pfx -passout pass:
This allows me to instantiate using this code:
new X509Certificate2(@"C:\path\to\combined.pfx", (string)null, X509KeyStorageFlags.Exportable);
There's some additional code I'm using to load the private.pem and public.pem generated by openssl genrsa and openssl rsa here: https://stackoverflow.com/a/32243171/26877.
This code loads the raw PEM data (just the private/public keys) into an RSACryptoServiceProvider instance, which can be used to encrypt & decrypt.
Upvotes: 2
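The check a practitioner wants before handing a PFX to X509Certificate2 is to ask OpenSSL what the file actually contains. The script below is an added example, not code from the question or the answer: it rebuilds the key, self-signed certificate and PFX with the same commands as the thread, exports a second PFX with -nocerts to reproduce the empty-certificate case the answer diagnoses, and counts the certificates and private keys OpenSSL can extract from each. The working directory, the file names and the empty password (what "-passout pass:" and the (string)null in the answer both mean) are local choices; only the openssl CLI on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Builds the key,
# self-signed certificate and PFX as in the thread, then inspects the PFX
# before a .NET X509Certificate2 ever sees it. Assumes the openssl CLI is on
# PATH; directory and file names are local choices.
set -eu

# Steps 1-3 of the question: unencrypted RSA key, public key, self-signed cert.
make_selfsigned() {            # $1 = working directory
    openssl genrsa -out "$1/private.pem" 2048
    openssl rsa -in "$1/private.pem" -outform PEM -pubout -out "$1/public.pem"
    openssl req -x509 -key "$1/private.pem" -out "$1/cert.pem" -days 365 -nodes \
        -subj "/C=US/ST=Colorado/L=Colorado Springs/O=Contoso/OU=Security/CN=mypurpose.contoso.org"
}

# The working export from the answer: key plus certificate, password supplied
# on the command line (an empty string here, which is what "-passout pass:" means).
export_pfx() {                 # $1 = key, $2 = cert, $3 = output pfx, $4 = password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# The failing variant from the answer's diagnosis: -nocerts leaves the
# certificate out, producing a key-only PFX that X509Certificate2 rejects.
export_key_only_pfx() {        # $1 = key, $2 = output pfx, $3 = password
    openssl pkcs12 -export -inkey "$1" -nocerts -out "$2" -passout "pass:$3"
}

# Count the certificates / private keys openssl can extract from a PFX.
# A count of 0 certificates is exactly the condition behind the stack trace.
pfx_cert_count() {             # $1 = pfx, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}
pfx_key_count() {              # $1 = pfx, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c -- 'BEGIN .*PRIVATE KEY-----' || true
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH" >&2
        return 0
    fi
    workdir=$(mktemp -d)
    make_selfsigned "$workdir" 2>/dev/null
    export_pfx "$workdir/private.pem" "$workdir/cert.pem" "$workdir/combined.pfx" ""
    echo "combined.pfx: $(pfx_cert_count "$workdir/combined.pfx" "") cert(s), $(pfx_key_count "$workdir/combined.pfx" "") key(s)"
    # Some OpenSSL builds refuse a key-only export; only report it when it succeeds.
    if export_key_only_pfx "$workdir/private.pem" "$workdir/keyonly.pfx" "" 2>/dev/null; then
        echo "keyonly.pfx:  $(pfx_cert_count "$workdir/keyonly.pfx" "") cert(s), $(pfx_key_count "$workdir/keyonly.pfx" "") key(s)"
    fi
    rm -rf "$workdir"
}
main "$@"
```

Run it and combined.pfx reports one certificate and one key; keyonly.pfx reports zero certificates, which is the shape of file the answer traced the CryptographicException to. One caveat for the .NET side: OpenSSL 3.x changed the pkcs12 -export defaults to AES-256-CBC with PBKDF2 and a SHA-256 MAC, and older Windows / .NET Framework PFX importers may reject such a file with a CryptographicException even though it contains a certificate; for those consumers export with the OpenSSL 3 -legacy option (or explicitly choose -keypbe/-certpbe PBE-SHA1-3DES and -macalg sha1) and confirm with the count functions above that the contents are unchanged.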