Error setting X509Certificate2 PrivateKey
The provided solution did not help me, so I'll be leaving this solution here hoping it will help the next person having this problem.
Using CertBuilder().ConvertBouncyCert it's possible to convert a BouncyCastle X509Certificate to a X509Certificate2 with the public/private key embedded.
X509Certificate2 _x509certificate2 = new CertBuilder().ConvertBouncyCert(_bouncyCertificate, subjectKeyPair);
And the full example i'm using it in (based on the answer provided here: Bouncy Castle's X509V3CertificateGenerator.SetSignatureAlgorithm marked obsolete. What do I do?).
public static X509Certificate2 CreateSelfSignedCertificateBasedOnCertificateAuthorityPrivateKey(string ipAddress, string issuerName, AsymmetricKeyParameter issuerPrivKey)
{
const int keyStrength = 4096;
// Generating Random Numbers
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);
// The Certificate Generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage((new List<DerObjectIdentifier>() { new DerObjectIdentifier("1.3.6.1.5.5.7.3.1"), new DerObjectIdentifier("1.3.6.1.5.5.7.3.2") })));
// Serial Number
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Issuer and Subject Name
X509Name subjectDN = new X509Name("CN=" + ipAddress);
X509Name issuerDN = new X509Name(issuerName);
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Valid For
DateTime notBefore = DateTime.UtcNow.Date;
DateTime notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// Subject Public Key
AsymmetricCipherKeyPair subjectKeyPair;
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.IPAddress, ipAddress));
certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
// self sign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
X509Certificate2 certificate2 = new CertBuilder().ConvertBouncyCert(certificate, subjectKeyPair);
return certificate2;
}
Used nuget packages:
- Portable.BouncyCastle by Oren Novotny version 1.8.5
- CryptLink.CertBuilder by Jermy Peterson version 1.1.0
As LexLi said, setting the private key on an existing certificate is not possible by design in .net core.
Following what is described here, what you can do is use the method RSACertificateExtensions.CopyWithPrivateKey.
Instead of
x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);
you could have
var rsa = DotNetUtilities.ToRSA(rsaParams);
var cert = x509certificate.CopyWithPrivateKey(rsa);
return cert;
To get access to the "CopyWithPrivateKey" extension method, add this using :
using System.Security.Cryptography.X509Certificates; /* for getting access to extension methods in RSACertificateExtensions */
"(CopyWithPrivateKey) Combines a private key with the public key of an RSA certificate to generate a new RSA certificate."
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.rsacertificateextensions.copywithprivatekey?view=netcore-3.0