Dynamically Creating a CSR & Private Key in .NET

This one was a bit tricky: it took me two days to figure this out, and when I figured it out I didn’t even realize I was close to the solution.  When I initially started working on this, I was looking into using an OpenSSL port to Windows called OpenSSL.NET.  The pure ASCII look of that project's page should be a good indication of how many other alternatives there are out there.  Eventually I found The Legion of the Bouncy Castle and stumbled onto a solution.  Initially I discounted looking at this option too thoroughly because of the name, but again, given the lack of good alternatives out there, it became a steady contender.

Part of the reason I came upon the solution so suddenly was that I didn’t realize that what I was looking for was a .PEM file.  I knew what an SSL certificate was; I’ve installed a bunch of them in my time.  But I didn’t know what a PKCS #10 was, what X.509 stood for, why people sometimes referenced X.500, or why Microsoft didn’t have a simple command like PHP’s openssl_csr_create, which really seemed so simple since it was one command.

While looking over a Stack Overflow question, it seemed like this guy was trying to do what I was doing, though I had no idea what a .PEM file was.  For the record, a .PEM file looks like this:

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded body omitted)
-----END CERTIFICATE REQUEST-----

Or it might look like this too:

-----BEGIN RSA PRIVATE KEY-----
(base64-encoded body omitted)
-----END RSA PRIVATE KEY-----

So now that both you and I know what a .PEM file is, and how desirable they are when you are trying to get an SSL certificate, this is how you can get one after adding the Legion of the Bouncy Castle library to your .NET project.

//Necessary References
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.OpenSsl;
using System.Text;
using System.IO;

//Later in your Code

//Requested Certificate Name
X509Name name = new X509Name("CN=Client Cert, C=NL");

//Key generation 2048bits
RsaKeyPairGenerator rkpg = new RsaKeyPairGenerator();
rkpg.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
AsymmetricCipherKeyPair ackp = rkpg.GenerateKeyPair();

//PKCS #10 Certificate Signing Request.
//The null is the optional attribute set (e.g. requested extensions such as subjectAltName).
//SHA1WITHRSA is what this post used in 2011; SHA-1 signatures are deprecated now and SHA256WITHRSA is what CAs expect.
Pkcs10CertificationRequest csr = new Pkcs10CertificationRequest("SHA1WITHRSA", name, ackp.Public, null, ackp.Private);

//Convert BouncyCastle CSR to .PEM file.
StringBuilder CSRPem = new StringBuilder();
PemWriter CSRPemWriter = new PemWriter(new StringWriter(CSRPem));
CSRPemWriter.WriteObject(csr);
CSRPemWriter.Writer.Flush();

//Push the CSR Text to a Label on a Page
CSRLabel.Text = CSRPem.ToString();

//Convert BouncyCastle Private Key to .PEM file (PemWriter emits an "RSA PRIVATE KEY" block).
StringBuilder PrivateKeyPem = new StringBuilder();
PemWriter PrivateKeyPemWriter = new PemWriter(new StringWriter(PrivateKeyPem));
PrivateKeyPemWriter.WriteObject(ackp.Private);
//Flush the private key writer (the original flushed CSRPemWriter here, leaving PrivateKeyPem possibly incomplete).
PrivateKeyPemWriter.Writer.Flush();

//Push the Private Key Text to a Label on a Page.
//Fine for a demo; a key that will protect real traffic should not be rendered into a page, logged, or sent anywhere it can be cached.
PrivateKeyLabel.Text = PrivateKeyPem.ToString();
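As an added example, not code from the post or from the Bouncy Castle project, here are the same steps wrapped into a hypothetical CsrBuilder helper against the same Bouncy Castle C# API: it fills the attribute slot the post leaves as null with a subjectAltName extension request, signs with SHA-256, and verifies the CSR's self-signature before returning the two PEM strings. The class and method names are assumptions.

```csharp
using System;
using System.IO;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;

// Hypothetical helper (not from the post): builds a CSR plus key and returns both as PEM strings.
public static class CsrBuilder
{
    public static (string CsrPem, string KeyPem) Create(string subjectDn, params string[] dnsNames)
    {
        // 2048-bit RSA key pair, as in the post.
        var generator = new RsaKeyPairGenerator();
        generator.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
        AsymmetricCipherKeyPair keyPair = generator.GenerateKeyPair();
        // subjectAltName goes into the PKCS #10 attribute set (the slot the post passes as null),
        // wrapped in the pkcs-9 extensionRequest attribute that CAs look for.
        var names = new GeneralName[dnsNames.Length];
        for (int i = 0; i < dnsNames.Length; i++)
            names[i] = new GeneralName(GeneralName.DnsName, dnsNames[i]);
        var extensions = new X509ExtensionsGenerator();
        extensions.AddExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(names));
        var extensionRequest = new AttributePkcs(
            PkcsObjectIdentifiers.Pkcs9AtExtensionRequest, new DerSet(extensions.Generate()));
        // SHA-256 signature; the post used SHA1WITHRSA, and SHA-1 is deprecated for signatures.
        var csr = new Pkcs10CertificationRequest("SHA256WITHRSA", new X509Name(subjectDn),
            keyPair.Public, new DerSet(extensionRequest), keyPair.Private);
        // The CSR carries a proof-of-possession signature made with the new private key;
        // verify it before the request leaves the process.
        if (!csr.Verify())
            throw new InvalidOperationException("CSR self-signature did not verify");
        return (ToPem(csr), ToPem(keyPair.Private));
    }

    // PemWriter emits "CERTIFICATE REQUEST" for the CSR and "RSA PRIVATE KEY" for the key.
    private static string ToPem(object pemObject)
    {
        var sw = new StringWriter();
        var pem = new PemWriter(sw);
        pem.WriteObject(pemObject);
        pem.Writer.Flush();
        return sw.ToString();
    }
}
```

Call it as `CsrBuilder.Create("CN=Client Cert, C=NL", "example.com")`; the returned KeyPem is the secret and should go to protected storage rather than a page label.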

All that aside, I really wish the Legion of the Bouncy Castle would have made some simple function like openssl_csr_create.  I understand why Microsoft wants to make things confusing, but people in a Bouncy Castle should be having more fun.

October 31, 2011 • Posted in: Technology

3 Responses to “Dynamically Creating a CSR & Private Key in .NET”

  1. Generating PFX from CSR - July 30, 2012

    […] I got CSR creation code from this link. […]

  2. Jose A Diaz - August 12, 2015

    What a surprise, haha… I have been using an X509 library to generate digital certificates called X509DLL that can be found here: http://www.signfiles.com/file-sign-library/ but there was something missing: it can't generate CSRs, just sign CSRs to return an X509 certificate… so that's why I came here. I downloaded the BouncyCastle library and loaded it into my project… Visual Studio started to tell me the class names are ambiguous, why? haha… well, it seems like the X509DLL is based on BouncyCastle because it contains all their classes… SOOOO, if you're reading this, the X509DLL can give you all you're looking for in here and much more :)
