Introduction
This is a custom-developed tool for generating a digital certificate. It lets the user select the root certificate details (PVK and CER files) and customize the validity period. The tool also lets the user browse the certificate store and view the properties of a selected certificate; a context menu on those properties copies any of them to the clipboard.
Using the Code
This tool is fully customizable for creating digital certificates.
The current version accepts a couple of parameters, including the root certificate details, to create a new certificate.
The application will not run without admin rights on the machine. Once the application starts, the main window appears and lets you set a couple of parameters. The current version has been customized for my own use; you can add more options.
using System.Diagnostics;

// Assumed context: sCommand holds the path to makecert.exe, sArguments the option
// string and sbOutPutFile (a StringBuilder) the output certificate file name.
Process p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.ErrorDialogParentHandle = this.Handle;
p.StartInfo.FileName = sCommand;
p.StartInfo.Arguments = sArguments + sbOutPutFile.ToString();
p.StartInfo.CreateNoWindow = true;
p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
p.Start();
// Read the redirected output before waiting, otherwise a full pipe can block makecert.
string makeCertOutput = p.StandardOutput.ReadToEnd();
p.WaitForExit();
The MakeCert syntax follows, and the attached source code allows you to add or customize any of the parameters.
Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Basic Options
-sk <keyName> Subject's key container name; To be created if not present
-pe Mark generated private key as exportable
-ss <store> Subject's certificate store name that stores the output
    certificate
-sr <location> Subject's certificate store location.
    <CurrentUser|LocalMachine>. Default to 'CurrentUser'
-# <number> Serial Number from 1 to 2^31-1. Default to be unique
-$ <authority> The signing authority of the certificate
    <individual|commercial>
-n <X509name> Certificate subject X500 name (eg: CN=Fred Dews)
-? Return a list of basic options
-! Return a list of extended options
Extended Options
-tbs <file> Certificate or CRL file to be signed
-sc <file> Subject's certificate file
-sv <pvkFile> Subject's PVK file; To be created if not present
-ic <file> Issuer's certificate file
-ik <keyName> Issuer's key container name
-iv <pvkFile> Issuer's PVK file
-is <store> Issuer's certificate store name.
-ir <location> Issuer's certificate store location
    <CurrentUser|LocalMachine>. Default to 'CurrentUser'
-in <name> Issuer's certificate common name.(eg: Fred Dews)
-a <algorithm> The signature algorithm
    <md5|sha1|sha256|sha384|sha512>. Default to 'sha1'
-ip <provider> Issuer's CryptoAPI provider's name
-iy <type> Issuer's CryptoAPI provider's type
-sp <provider> Subject's CryptoAPI provider's name
-sy <type> Subject's CryptoAPI provider's type
-iky <keytype> Issuer key type
    <signature|exchange|<integer>>.
-sky <keytype> Subject key type
    <signature|exchange|<integer>>.
-l <link> Link to the policy information (such as a URL)
-cy <certType> Certificate types
    <end|authority>
-b <mm/dd/yyyy> Start of the validity period; default to now.
-m <number> The number of months for the cert validity period
-e <mm/dd/yyyy> End of validity period; defaults to 2039
-h <number> Max height of the tree below this cert
-len <number> Generated Key Length (Bits)
-r Create a self signed certificate
-nscp Include Netscape client auth extension
-crl Generate a CRL instead of a certificate
-eku <oid[<,oid>]> Comma separated enhanced key usage OIDs
-? Return a list of basic options
-! Return a list of extended options
Please find below a sample command for makecert:
makecert -sk ABCSIT -iv HCAWRoot.pvk -n "CN=ABCSIT" -ic HCAWRoot.cer -sr localmachine -ss my -sky exchange -pe -e 03/21/2014
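The sample command above is built by string concatenation in the tool. The following helper is an added example, not code from the article, showing how to assemble the same makecert argument line from individual inputs with validation and a checked exit code; the class and parameter names, and the makecert path, are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Globalization;
using System.Text;

static class MakeCertRunner
{
    // Builds a validated makecert argument string for the command shown above.
    // Returns null and sets 'error' when an input would produce a broken command line.
    public static string BuildArguments(string keyContainer, string subjectCn,
        string issuerCer, string issuerPvk, DateTime notAfter,
        bool exportablePrivateKey, out string error)
    {
        error = null;
        if (string.IsNullOrWhiteSpace(keyContainer) || string.IsNullOrWhiteSpace(subjectCn))
        { error = "key container and subject CN are required"; return null; }
        // The X500 name is passed as one quoted argument; an embedded quote would split it.
        if (subjectCn.IndexOf('"') >= 0)
        { error = "subject CN may not contain a double quote"; return null; }
        if (notAfter <= DateTime.Now)
        { error = "end of validity period is already in the past"; return null; }

        var sb = new StringBuilder();
        sb.Append("-sk ").Append(keyContainer);
        sb.Append(" -iv \"").Append(issuerPvk).Append('"');
        sb.Append(" -ic \"").Append(issuerCer).Append('"');
        sb.Append(" -n \"CN=").Append(subjectCn).Append('"');
        sb.Append(" -sr localmachine -ss my -sky exchange");
        // The help text says -a defaults to sha1; request sha256 explicitly.
        sb.Append(" -a sha256");
        // -pe leaves the private key exportable from the store; only add it when needed.
        if (exportablePrivateKey) sb.Append(" -pe");
        // -e expects mm/dd/yyyy regardless of the machine's locale.
        sb.Append(" -e ").Append(notAfter.ToString("MM/dd/yyyy", CultureInfo.InvariantCulture));
        return sb.ToString();
    }

    // Runs makecert and returns its exit code (non-zero means makecert reported a failure).
    public static int Run(string makeCertPath, string arguments, out string output)
    {
        var psi = new ProcessStartInfo(makeCertPath, arguments)
        { UseShellExecute = false, RedirectStandardOutput = true, CreateNoWindow = true };
        using (var p = Process.Start(psi))
        {
            output = p.StandardOutput.ReadToEnd(); // read before WaitForExit to avoid a pipe deadlock
            p.WaitForExit();
            return p.ExitCode;
        }
    }
}
```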
The "View Certificate" button allows the user to select any certificate from the store and view its properties. This option also allows the user to export the certificate in PFX format for client use.
using System.Security.Cryptography.X509Certificates;

// CertStoreName and CertStoreLocation are the store chosen in the main window.
X509Store store = new X509Store(CertStoreName, CertStoreLocation);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection selectedCert =
    X509Certificate2UI.SelectFromCollection(store.Certificates,
        "Select Certificate",
        "Select Certificate to view details",
        X509SelectionFlag.SingleSelection, this.Handle);
store.Close();
Once the user selects any of the available certificates, the below section of code displays the properties of the certificate.
// Certificate is the X509Certificate2 chosen in the selection dialog above.
lblCertName.Text = Certificate.SubjectName.Name;
lblIssuer.Text = Certificate.IssuerName.Name;
lblSlNo.Text = Certificate.SerialNumber;
lblVersion.Text = Certificate.Version.ToString();
lblPrivateKey.Text = Certificate.HasPrivateKey.ToString();
lblSignAlgorithm.Text = Certificate.SignatureAlgorithm.FriendlyName;
lblThumbPrint.Text = Certificate.Thumbprint;
lblValidFrom.Text = Certificate.NotBefore.ToShortDateString();
lblValidTo.Text = Certificate.NotAfter.ToShortDateString();
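The properties displayed above are informational only. As an added example (not part of the original article), the following helper reports the findings a reviewer would want on a makecert-issued certificate: validity window, the sha1 default signature algorithm, presence of a private key, and whether the certificate chains to a trusted root such as the issuing HCAWRoot; the class name is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

static class CertificateChecks
{
    // Returns human-readable findings; an empty list means nothing noteworthy was found.
    public static List<string> Inspect(X509Certificate2 cert, DateTime now)
    {
        var findings = new List<string>();

        if (now < cert.NotBefore)
            findings.Add("not yet valid (NotBefore " + cert.NotBefore.ToShortDateString() + ")");
        if (now > cert.NotAfter)
            findings.Add("expired on " + cert.NotAfter.ToShortDateString());
        else if ((cert.NotAfter - now).TotalDays < 30)
            findings.Add("expires within 30 days");

        // makecert signs with sha1 unless -a is given; flag that default so it is noticed.
        string sigAlg = cert.SignatureAlgorithm.FriendlyName ?? "";
        if (sigAlg.IndexOf("sha1", StringComparison.OrdinalIgnoreCase) >= 0 ||
            sigAlg.IndexOf("md5", StringComparison.OrdinalIgnoreCase) >= 0)
            findings.Add("weak signature algorithm: " + sigAlg);

        // A private key held in the store matters for a tool that also offers PFX export.
        if (cert.HasPrivateKey)
            findings.Add("private key present in the store");

        // Build the chain the way Windows would; the issuing root must be in a trusted store.
        var chain = new X509Chain();
        chain.ChainPolicy.VerificationTime = now;
        // Revocation checking is skipped for this local-store check.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(cert))
        {
            foreach (X509ChainStatus s in chain.ChainStatus)
                findings.Add("chain: " + s.Status + " (" + s.StatusInformation.Trim() + ")");
        }
        chain.Reset();
        return findings;
    }
}
```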
The View Certificate option opens the Windows certificate viewer using the following code:
X509Certificate2UI.DisplayCertificate(SelectedCert,this.Handle);
The Export Certificate option allows the user to export the selected certificate to PFX format.
using System.Runtime.InteropServices;

X509Certificate2 x509 = SelectedCert;
if (x509 == null)
    return;
NativeMethods.CRYPTUI_WIZ_EXPORT_INFO exportInfo =
    new NativeMethods.CRYPTUI_WIZ_EXPORT_INFO();
exportInfo.dwSize = (uint)Marshal.SizeOf(
    typeof(NativeMethods.CRYPTUI_WIZ_EXPORT_INFO));
exportInfo.dwSubjectChoice =
    NativeMethods.CryptuiExportChoice.CRYPTUI_WIZ_EXPORT_CERT_CONTEXT;
exportInfo.pCertContext = x509.Handle;   // PCCERT_CONTEXT of the selected certificate
exportInfo.cStores = 0;
IntPtr pExportInfo = Marshal.AllocHGlobal((int)exportInfo.dwSize);
try
{
    Marshal.StructureToPtr(exportInfo, pExportInfo, false);
    // The wizard itself prompts for the output file name and the PFX password.
    NativeMethods.CryptUIWizExport(0, IntPtr.Zero,
        "Export of Certificate", pExportInfo, IntPtr.Zero);
}
finally
{
    Marshal.FreeHGlobal(pExportInfo);   // release the unmanaged buffer
}
The NativeMethods class helps to open the export wizard:
using System;
using System.Runtime.InteropServices;

static internal class NativeMethods
{
    internal enum CryptuiExportChoice : uint
    {
        CRYPTUI_WIZ_EXPORT_CERT_CONTEXT = 1,
        CRYPTUI_WIZ_EXPORT_CTL_CONTEXT = 2,
        CRYPTUI_WIZ_EXPORT_CRL_CONTEXT = 3,
        CRYPTUI_WIZ_EXPORT_CERT_STORE = 4,
        CRYPTUI_WIZ_EXPORT_CERT_STORE_CERTIFICATES_ONLY = 5,
        CRYPTUI_WIZ_EXPORT_FORMAT_CRL = 6,
        CRYPTUI_WIZ_EXPORT_FORMAT_CTL = 7
    }

    // Managed mirror of the native CRYPTUI_WIZ_EXPORT_INFO structure.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    internal struct CRYPTUI_WIZ_EXPORT_INFO
    {
        internal uint dwSize;
        [MarshalAs(UnmanagedType.LPWStr)]
        internal string pwszExportFileName;   // null lets the wizard ask for the file name
        internal CryptuiExportChoice dwSubjectChoice;
        internal IntPtr pCertContext;         // union member used for a CERT_CONTEXT export
        internal uint cStores;
        internal IntPtr rghStores;            // HCERTSTORE*; unused when cStores is 0
    };

    [DllImport("Cryptui.dll", CharSet = CharSet.Unicode,
        ExactSpelling = true, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    internal static extern bool CryptUIWizExport(uint dwFlags,
        IntPtr hwndParent, string pwszWizardTitle,
        IntPtr pExportInfo, IntPtr pvoid);
}
Points of Interest
This tool requires admin rights on the system.
The tool uses the traditional "makecert" command to create the certificate.
History