0

I got a splendid answer on creating a self-signed certificate to be consumed by Azure principals at Generating self-signed certificate without external libraries by the excellent bartonjs.

The following is the pretty much the code provided in the Azure sample. However, I'm stuck at that how could the signing algorithm be changed? It seem to be SHA-1 by default, I might be wrong, but perhaps this should be explicitly be set to something else like SHA-256.

public static X509Certificate2 CreateSelfSignedRsaCertificate(string subjectName, string friendlyName)
    {
        if(subjectName == null)
        {
            throw new ArgumentNullException(nameof(subjectName));
        }

        if(friendlyName == null)
        {
            throw new ArgumentNullException(nameof(friendlyName));
        }

        var keyParams = new CngKeyCreationParameters();
        keyParams.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.Persist));
        using(var rsaKey = CngKey.Create(CngAlgorithm.Rsa, Guid.NewGuid().ToString(), keyParams))
        {
            using(RSA rsa = new RSACng(rsaKey))
            {
                var certRequest = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);

                //Explicitly not a CA.
                certRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));

                certRequest.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));

                //TLS Server EKU.
                certRequest.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));

                //SubjectAlternativeName extension.
                var sanBuilder = new SubjectAlternativeNameBuilder();
                sanBuilder.AddDnsName("localhost");
                certRequest.CertificateExtensions.Add(sanBuilder.Build());

                DateTimeOffset now = DateTimeOffset.UtcNow;
                var certificate = certRequest.CreateSelfSigned(notBefore: now, notAfter: now.AddDays(1)/*now.AddDays(365.25)*/);
                certificate.FriendlyName = friendlyName;

                return certificate;
            }
        }
    }
Veksi
  • 3,556
  • 3
  • 30
  • 69
  • The code from bartonjs works fine. Yours does not even compile. I tried SHA256 and SHA512 and the signature algorithm in the self-signed certificate is sha256RSA or sha512RSA. – pepo Aug 26 '17 at 23:31
  • 2
    The argument between the key and the signature padding (in this case SHA512) determines the hash into the signature algorithm, so this would be RSA-SSA-PKCS1_1.5-SHA-2-512. The `Thumbprint` value will still be SHA-1, because the thumbprint is defined to be the SHA-1 of the signed certificate. – bartonjs Aug 27 '17 at 02:10
  • Ah, I see. Maybe I should've added I was looking this through `certlm` well past last night. The third lowest point tells "signing algorithm" in my language (not English), so I assumed that would be used in signing. I think this answers it. There's another one too, "the hash algorithm of the signature", which is "sha512" and a third one "the signing hash algorithm", which is "sha512rsa". It looks like all is well then. – Veksi Aug 27 '17 at 07:32

0 Answers0