Error setting X509Certificate2 PrivateKey

The provided solution did not help me, so I'll be leaving this solution here hoping it will help the next person having this problem.

Using CertBuilder().ConvertBouncyCert it's possible to convert a BouncyCastle X509Certificate to a X509Certificate2 with the public/private key embedded.

X509Certificate2 _x509certificate2 = new CertBuilder().ConvertBouncyCert(_bouncyCertificate, subjectKeyPair);

And the full example i'm using it in (based on the answer provided here: Bouncy Castle's X509V3CertificateGenerator.SetSignatureAlgorithm marked obsolete. What do I do?).

        public static X509Certificate2 CreateSelfSignedCertificateBasedOnCertificateAuthorityPrivateKey(string ipAddress, string issuerName, AsymmetricKeyParameter issuerPrivKey)
    {
        const int keyStrength = 4096;

        // Generating Random Numbers            
        CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
        SecureRandom random = new SecureRandom(randomGenerator);
        ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);
        // The Certificate Generator
        X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
        certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage((new List<DerObjectIdentifier>() { new DerObjectIdentifier("1.3.6.1.5.5.7.3.1"), new DerObjectIdentifier("1.3.6.1.5.5.7.3.2") })));

        // Serial Number
        BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
        certificateGenerator.SetSerialNumber(serialNumber);

        // Issuer and Subject Name
        X509Name subjectDN = new X509Name("CN=" + ipAddress);
        X509Name issuerDN = new X509Name(issuerName);
        certificateGenerator.SetIssuerDN(issuerDN);
        certificateGenerator.SetSubjectDN(subjectDN);

        // Valid For
        DateTime notBefore = DateTime.UtcNow.Date;
        DateTime notAfter = notBefore.AddYears(2);

        certificateGenerator.SetNotBefore(notBefore);
        certificateGenerator.SetNotAfter(notAfter);

        // Subject Public Key
        AsymmetricCipherKeyPair subjectKeyPair;
        var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
        var keyPairGenerator = new RsaKeyPairGenerator();
        keyPairGenerator.Init(keyGenerationParameters);
        subjectKeyPair = keyPairGenerator.GenerateKeyPair();

        certificateGenerator.SetPublicKey(subjectKeyPair.Public);

        GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.IPAddress, ipAddress));
        certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);

        // self sign certificate
        Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);

        X509Certificate2 certificate2 = new CertBuilder().ConvertBouncyCert(certificate, subjectKeyPair);
        return certificate2;
    }

Used nuget packages:

  • Portable.BouncyCastle by Oren Novotny version 1.8.5
  • CryptLink.CertBuilder by Jermy Peterson version 1.1.0

As LexLi said, setting the private key on an existing certificate is not possible by design in .net core.

Following what is described here, what you can do is use the method RSACertificateExtensions.CopyWithPrivateKey.

Instead of

x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);

you could have

var rsa = DotNetUtilities.ToRSA(rsaParams);
var cert = x509certificate.CopyWithPrivateKey(rsa);
return cert;

To get access to the "CopyWithPrivateKey" extension method, add this using :

using System.Security.Cryptography.X509Certificates; /* for getting access to extension methods in RSACertificateExtensions */

"(CopyWithPrivateKey) Combines a private key with the public key of an RSA certificate to generate a new RSA certificate."

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.rsacertificateextensions.copywithprivatekey?view=netcore-3.0

Tags:

C#

.Net Core