Create x509 certificate with openssl/makecert tool

5
votes

I'm creating a x509 certificate using makecert with the following parameters:

makecert -r -pe -n "CN=Client" -ss MyApp

I want to use this certificate to encrypt and decrypt data with RSA algoritm. I look to generated certificate in windows certificate store and everything seems ok (It has a private key, public key is a RSA key with 1024 bits and so on..)

Now i use this C# code to encrypt data: 

X509Store store = new X509Store("MyApp", StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, "Client", false);
X509Certificate2 _x509 = certs[0];

using (RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)_x509.PublicKey.Key)
{
    byte[] dataToEncrypt = Encoding.UTF8.GetBytes("hello");
    _encryptedData = rsa.Encrypt(dataToEncrypt, true);
}

When executing the Encrypt method, i receive a CryptographicException with message "Bad key".

I think the code is fine. Probably i'm not creating the certificate properly. Any comments? Thanks

---------------- EDIT --------------
If anyone know how to create the certificate using OpenSsl, its also a valid answer for me.

2
securityencryptionopensslrsamakecert
When creating your cert what is the bit of the private/public key pairs you specify ? probably you have to specify longer keys 4048 bits? - berkay
I not sure what option are you talking about. I just used the options i show above in makecert command. If you are talking about one other, assume the default value. But my public key has 1024 bits. - Zé Carlos
okey then i never use makecert just search to create it 4048 bits.1024 bits is broken for that reason you can get the error. - berkay
Thanks Berkay.I tried the option -len 2048 and -len 4096. But the problem continues. - Zé Carlos
This: enterprisedt.com/products/edtftpnetpro/doc/manual/… site has a nice set of steps for creating and exporting certificates. - Steve Wranovsky

2 Answers

4
votes

To allow the key to be used for encryption, you should use the -sky-option. Per default ´makecert` uses the AT_SIGNATURE key specification, which will not work with encryption/decryption. Instead have it use the AT_KEYEXCHANGE specification by issuing the following command:

makecert -r -pe -n "CN=Client" -ss MyApp -sky Exchange

(Remember to delete the previous key or use another container-name).

1
votes

This was another page I stumbled across when I was trying to find examples of makcert usage with x509 certificates and rsa using c#, and unfortunately it only provided part of the solution. I put all the bits together in a blog entry that people might be interested in, and it can be found here: http://nick-howard.blogspot.com/2011/05/makecert-x509-certificates-and-rsa.html