1
votes

I have been following a guide that covers signing authorization tokens for Web API security. One of the aspects was storing the X509 certificate as a Base-64 string in the web.config. However, the steps necessary to get an X509 certificate and convert it into a Base-64 string were not explained. I found some guides on how to generate an X509 certificate using OpenSSL; however, I remain confused about which parts to use and how to convert to Base-64. Here is what I want to end up with.

  1. A Base-64 representation of the certificate that I can store in the web.config
  2. A password that goes along with the certificate

The code I want to use in my authentication server is ..

SigningCertificate = new X509Certificate2(certificate, password);

Where certificate is a Base 64 encoded representation of the certificate and password is the signing certificate password.

So with the OpenSSL tool I am able to generate two files ...

  • Cert file - MyCert.pem
  • Key file - MyKey.pem

Question #1 - Do I only need to use the MyCert.pem file when converting to Base-64? Or do both files need to be combined into a single PFX file before representing it as Base-64?

Question #2 - Is there a utility that I can use that accepts a file and then exports a Base-64 string?


2 Answers

1
votes

Question #1 - Do I only need to use the MyCert.pem file when converting to Base-64? Or do both files need to be combined into a single PFX file before representing it as Base-64?

The PEM file format is encoded in base64. It can be applied to private keys, certificates or also certificate signing requests. The files have a header/footer to distinguish them, starting with -----BEGIN PRIVATE KEY----- or -----BEGIN CERTIFICATE-----

A PFX is a container for private keys and certificates protected with a password. You need to include both of your PEM files. A PFX is encoded in PKCS#12 format (binary).

Concatenate the cert with the key file and then have OpenSSL convert it to PKCS#12 (PFX)

cat MyKey.pem MyCert.pem > cert.pem
openssl pkcs12 -export -in cert.pem -out mykeystore.p12 -name myalias
#Enter Export Password:

If you are using this service (I have searched on Google), you will need the PKCS#12 file and the assigned password.

Question #2 - Is there a utility that I can use that accepts a file and then exports a Base-64 string?

I normally use a text editor like Notepad++ with the MIME plugin. Alternatively, all programming languages have a method to convert an array of bytes to Base64 if you need to do it programmatically.
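The following script is an added example, not code from either answer or from the asker. It carries the procedure from Question #1 and Question #2 through with OpenSSL in one go: generate a throwaway key and certificate, bundle them into a password-protected PKCS#12 (PFX) file, produce the single-line Base-64 string for the appSettings value, and then check that the string decodes back to the same PFX, that the password opens it, that the bundle really contains the private key (without it the server cannot sign anything), and that a wrong password is rejected. The file names, the subject name and the password are placeholders; it assumes `openssl`, `fold` and `cmp` are on PATH.

```shell
#!/bin/sh
# Added example: PEM key + cert -> PKCS#12 (PFX) -> Base-64 string, with checks.
# Not from the original answers. File names, subject and password are placeholders.
set -eu

WORK="$(mktemp -d)"                     # scratch dir; removed on exit (private key lives here)
trap 'rm -rf "$WORK"' EXIT
PFX_PASSWORD="${PFX_PASSWORD:-example-password}"   # placeholder; use a real secret

# 1. Self-signed signing certificate and private key (test material only).
make_pem_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=token-signing-example" \
        -keyout "$WORK/MyKey.pem" -out "$WORK/MyCert.pem" 2>/dev/null
}

# 2. Bundle cert + key into a password-protected PFX. Passing the key via
#    -inkey avoids concatenating the two PEM files first (equivalent result).
make_pfx() {
    openssl pkcs12 -export -inkey "$WORK/MyKey.pem" -in "$WORK/MyCert.pem" \
        -name signing -out "$WORK/MyCert.pfx" -passout "pass:$PFX_PASSWORD"
}

# 3. Base-64 of the whole PFX file on one line, ready for an appSettings value.
pfx_to_base64() {
    openssl base64 -in "$WORK/MyCert.pfx" | tr -d '\n'
}

# 4. Check: decode the string and open the bundle with the password, i.e. what
#    X509Certificate2(bytes, password) will do at application start-up.
verify_base64_pfx() {
    printf '%s\n' "$1" | fold -w 64 | openssl base64 -d > "$WORK/roundtrip.pfx"
    cmp -s "$WORK/MyCert.pfx" "$WORK/roundtrip.pfx" || return 1
    # the certificate must be there ...
    openssl pkcs12 -in "$WORK/roundtrip.pfx" -passin "pass:$PFX_PASSWORD" \
        -nokeys -nodes 2>/dev/null | grep -q 'BEGIN CERTIFICATE' || return 1
    # ... and so must the private key, otherwise the server cannot sign tokens
    openssl pkcs12 -in "$WORK/roundtrip.pfx" -passin "pass:$PFX_PASSWORD" \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# 5. A wrong password must fail the PKCS#12 integrity check (MAC verify error).
wrong_password_rejected() {
    if openssl pkcs12 -in "$WORK/MyCert.pfx" -passin "pass:not-the-password" \
        -noout >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

main() {
    make_pem_pair
    make_pfx
    B64="$(pfx_to_base64)"
    verify_base64_pfx "$B64"
    wrong_password_rejected
    echo "SigningCertificate=$B64"
    echo "SigningCertificatePassword=$PFX_PASSWORD"
}

main
```

Two caveats a practitioner will want. First, Base-64 is an encoding, not protection: the string is the private key, and the only thing guarding it is the password stored beside it in the same web.config, so the file needs the same handling as the key itself. Second, OpenSSL 3 exports PKCS#12 with modern (AES/PBKDF2) encryption by default; if an older Windows or .NET Framework host rejects the file when constructing X509Certificate2, re-export it with OpenSSL 3's `-legacy` option.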

0
votes

This is how to get a valid certificate in .NET, assuming that you have a local IIS:

  1. Open your IIS
  2. Click on Server Certificates
  3. Click on Create Self-Signed Certificate
  4. Specify a name and select Web Hosting, then click Ok
  5. Select the certificate you just created and click on Export
  6. When exporting it, select a location and choose a password (1)

To get the Base64 string, you can use this code on C#:

var certificate = Convert.ToBase64String(File.ReadAllBytes(@"C:\Temp\DemoCert.pfx"));

I am storing the base64 string and the password in my web config as such:

<appSettings>
  <add key="SigningCertificate" value="MIIKLwIBAzCCCesGCSqGSIb3DQEHAaCCCdwk...." />
  <add key="SigningCertificatePassword" value="password" />
</appSettings>

(1) The password you use in the key="SigningCertificatePassword" attribute is the same one that you used when creating the certificate.

And then using it in my Startup.cs class:

var certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["SigningCertificate"]);

var options = new IdentityServerOptions
{
    SigningCertificate = new X509Certificate2(certificate, ConfigurationManager.AppSettings["SigningCertificatePassword"]),
    RequireSsl = false,
    Factory = factory
};