Compact examples for certificate management. → Details: Management Scenarios
var caCert = new X509Certificate2("intermediate-ca.pfx", "password"); var oldCert = new X509Certificate2("server.pfx", "password"); var privateKey = oldCert.GetECDsaPrivateKey(); var request = new CertificateRequest( oldCert.SubjectName, (ECDsa)privateKey, HashAlgorithmName.SHA384); // Copy extensions (except SKI) foreach (var ext in oldCert.Extensions) if (ext.Oid?.Value != "2.5.29.14") request.CertificateExtensions.Add(ext); // New serial number var serial = new byte[20]; RandomNumberGenerator.Fill(serial); serial[0] &= 0x7F; var renewedCert = request.Create(caCert, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1), serial);
→ Details: Renewal
var oldCert = new X509Certificate2("server.crt"); using var newKey = ECDsa.Create(ECCurve.NamedCurves.nistP384); var request = new CertificateRequest( oldCert.SubjectName, newKey, HashAlgorithmName.SHA384); // Copy SANs and EKU if (oldCert.Extensions["2.5.29.17"] is { } san) request.CertificateExtensions.Add(san); if (oldCert.Extensions["2.5.29.37"] is { } eku) request.CertificateExtensions.Add(eku); // Create new certificate, revoke old one!
→ Details: Re-Key
var caCert = new X509Certificate2("intermediate-ca.pfx", "password"); var crlBuilder = new CertificateRevocationListBuilder(); crlBuilder.AddEntry( serialNumber: new byte[] { 0x01, 0x23, 0x45 }, revocationTime: DateTimeOffset.UtcNow, reason: X509RevocationReason.KeyCompromise); var crl = crlBuilder.Build(caCert, crlNumber: BitConverter.GetBytes(1L), nextUpdate: DateTimeOffset.UtcNow.AddDays(7), HashAlgorithmName.SHA384); File.WriteAllBytes("intermediate.crl", crl);
→ Details: Create CRL
Before Expiry (30 days):
On Compromise:
« <- Quick Reference | -> Management Scenarios (Details) »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional