Sunday, February 21, 2010

Creating x.509 certificates with Pluralsight self-cert

If, like me, you spend a fair amount of time playing with various security setups, you’ll be quite fed up with using makecert or OpenSSL and the IIS certificate management UI to create and install self-cert x.509 certificates.

Self-cert

But help is at hand. I recently discovered a useful little tool for generating x.509 certificates. It’s called ‘self-cert’ and it’s written by Keith Brown of Pluralsight. It’s pretty basic and doesn’t give you the control over your certificate that OpenSSL provides, but it does automatically install the certificate in the Windows certificate store, which is a great benefit.

Download the bits here:
http://www.pluralsight.com/community/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/keith.SampleCode/SelfCert.zip

Keith has included all the source code for self-cert in the zip file including a nicely factored certificate creation library that wraps the Win32 crypto API. This means that you can easily create certificates programmatically:

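using System;
using System.Security.Cryptography.X509Certificates;
// CryptContext and SelfSignedCertProperties come from the certificate
// creation library in the SelfCert zip; add a reference to it as well.

using (var context = new CryptContext())
{
    context.Open();

    var properties = new SelfSignedCertProperties()
    {
        // An exportable private key can be copied off the machine with the
        // certificate; convenient for prototypes.
        IsPrivateKeyExportable = true,
        KeyBitLength = 2048,
        Name = new X500DistinguishedName("cn=localhost"),
        // Start a day early so the certificate is already valid.
        ValidFrom = DateTime.Today.AddDays(-1),
        ValidTo = DateTime.Today.AddYears(1)
    };

    var certificate = context.CreateSelfSignedCertificate(properties);

    // Writing to the LocalMachine store requires an elevated (administrator) process.
    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadWrite);
    store.Add(certificate);
    store.Close();
}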

Here I’m using Keith’s CryptContext class to create an x.509 certificate and then I’m storing the certificate in the local machine’s certificate store.
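For comparison, here is an added example (not from the original post and not Keith's code) that builds a certificate with the same subject, key length and validity window using .NET's built-in CertificateRequest class instead of the SelfCert library. It assumes .NET Framework 4.7.2 or later, or .NET Core 2.0 or later. The class name SelfSignedExample, the CurrentUser store and the non-exportable key are choices made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SelfSignedExample // hypothetical name, used only in this example
{
    public static X509Certificate2 Create(string dnsName)
    {
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                new X500DistinguishedName("CN=" + dnsName), key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // Constrain the certificate: not a CA, TLS server use only, with a SAN.
            request.CertificateExtensions.Add(
                new X509BasicConstraintsExtension(false, false, 0, true));
            request.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
            request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // serverAuth
            var san = new SubjectAlternativeNameBuilder();
            san.AddDnsName(dnsName);
            request.CertificateExtensions.Add(san.Build());

            string pfxPassword = Guid.NewGuid().ToString("N"); // throwaway, never stored
            using (X509Certificate2 ephemeral = request.CreateSelfSigned(
                DateTime.Today.AddDays(-1), DateTime.Today.AddYears(1)))
            {
                // Round-trip through PFX so the private key is persisted with the
                // certificate. The Exportable flag is omitted on purpose, so the
                // stored key cannot be exported again.
                return new X509Certificate2(
                    ephemeral.Export(X509ContentType.Pfx, pfxPassword),
                    pfxPassword, X509KeyStorageFlags.PersistKeySet);
            }
        }
    }

    static void Main()
    {
        using (X509Certificate2 cert = Create("localhost"))
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadWrite); // CurrentUser needs no elevation
            store.Add(cert);
            Console.WriteLine("{0} {1} expires {2:d}", cert.Subject, cert.Thumbprint, cert.NotAfter);
        }
    }
}
```

The printed thumbprint is what you need to find and delete the test certificate from the store once the prototype is finished.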

I’m doing a fair amount of research into federated security and WIF for one of my clients at the moment, so I’m finding more about x.509 than perhaps I wanted to. This tool has been very useful for quickly putting together prototypes. I’ll be posting some more stuff on this soon.

Oh, and if you need a certificate from a CA, StartSSL seem to be offering them for free.

3 comments:

Sean said...

Thank you for sharing this. I used command line tool package with .NET, but being able to generate it from code can be also handy.

Lipika said...

Hi, I am also looking for something like this. It seems the link provided to download the zip file is no longer available. Please can anyone provide me the zip file.

Thanks

Anonymous said...

SelfCert has moved: http://bit.ly/xe6QhD