2

I'm trying to create an RSA keypair that I can use with System.Security.Cryptography.X509Certificates.X509Certificate2 using OpenSSL.

The PFX I've managed to generate gives me this stack trace

create a private key, unencrypted (I realize this is not best practice)

openssl genrsa -out private.pem 2048

create a public key from the private key

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

create a certificate file from the private key

openssl req -x509 -key private.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=Colorado/L=Colorado Springs/O=Contoso/OU=Security/CN=mypurpose.contoso.org"

create a pfx file using the self-signed certificate

openssl pkcs12 -in cert.pem -inkey private.pem -export -out combined.pfx

prompts for a password to secure the pkcs

Trying to instantiate the instance of X509Certificate2 with

new X509Certificate2(@"C:\path\to\combined.pfx", "password", X509KeyStorageFlags.Exportable);

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at Program.Main()
twoleggedhorse
  • 4,938
  • 4
  • 23
  • 38
JJS
  • 6,431
  • 1
  • 54
  • 70

1 Answers1

2

The stack trace is telling me everything. 

at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)

This means that there's no CERTIFICATE in my PFX file, because I used -nocerts in the openssl pkcs12 command.

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. PKCS 12

A pkcs12 file really wants to contain something besides just a Private/Public Key, It wants an X.509 certificate; which is:

  • Certificate Version
  • Serial Number
  • Signature Algorithm
  • Issuer
  • Validity Not Before
  • Validity Not After.

This is the final command that worked the way I wanted to:

openssl pkcs12 -in cert.pem -inkey private.pem -export -clcerts -out combined.pfx -passout pass:

This allows me to instantiate using this code:

new X509Certificate2(@"C:\path\to\combined.pfx", (string)null, X509KeyStorageFlags.Exportable);

There's some additional code I'm using to load the private.pem and public.pem generated by openssl genrsa and openssl rsa here: https://stackoverflow.com/a/32243171/26877. This code is loading the raw PEM data (just the private/public keys) into RSACryptoServiceProvider instance, which can be used to encrypt & decrypt.

JJS
  • 6,431
  • 1
  • 54
  • 70