4
votes

I am building a certificate with dotnet core like this:

    private X509Certificate2 buildSelfSignedServerCertificate(string CertificateName,string password,string dns)
    {
        SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
        sanBuilder.AddIpAddress(IPAddress.Loopback);
        sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
        if (!string.IsNullOrEmpty(dns))
        {
            sanBuilder.AddDnsName(dns);
        }
      // 
      //  sanBuilder.AddDnsName(Environment.MachineName);

        X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");

        using (RSA rsa = RSA.Create(2048*2))
        {
            var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            //request.CertificateExtensions.Add(
            //    new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));


            //request.CertificateExtensions.Add(
            //   new X509EnhancedKeyUsageExtension(
            //       new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), new Oid("1.3.6.1.5.5.7.3.2") }, false));

            request.CertificateExtensions.Add(sanBuilder.Build());

            var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
             bool isWindows = System.Runtime.InteropServices.RuntimeInformation
                           .IsOSPlatform(OSPlatform.Windows);
            if(isWindows)
                certificate.FriendlyName = CertificateName;

            return certificate;
           // return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet);
        }
    }

and its not working with service fabric and from the following comment i read:

If the output contains something like this: Provider = Microsoft Software Key Storage Provider then indeed this is a CNG certificate (issued with a Key Storage Provider).

I presume the certificate was created with the New-SelfSignedCertificate PowerShell cmdlet, which, unless otherwise specified, will use a CNG provider. If that is the case, and it is possible for you to create another certificate to be used for this cluster, you may try the following:

The cert output looks like this and indeed the provider is wrong. Is there a way to fix my c# method above to solve this? using 'Microsoft Enhanced RSA and AES Cryptographic Provider'

================ Certificate 1 ================
X509 Certificate:
Version: 3
Serial Number: 5963adde77be6b83
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=sf-gw-win-13mar2019
  Name Hash(sha1): 660160d3b7e821d759d865d20e22f0f0c9b448da
  Name Hash(md5): 2161360e8739cdf9b660479f2176505c

 NotBefore: 3/12/2019 9:14 AM
 NotAfter: 3/10/2029 9:14 AM

Subject:
    CN=sf-gw-win-13mar2019
  Name Hash(sha1): 660160d3b7e821d759d865d20e22f0f0c9b448da
  Name Hash(md5): 2161360e8739cdf9b660479f2176505c

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 4096 bits
Public Key: UnusedBits = 0
    0000  30 82 02 0a 02 82 02 01  00 ca 8c 25 62 ca b1 60
    0010  54 91 3e bb 45 21 1d db  79 46 01 4f 8c 05 de 7f
    0020  f0 8a 7f 3b f0 68 b9 7f  a6 53 cb d6 b8 cb 81 90
    0030  b5 70 8d cc e0 8f eb f4  cc e5 cd 9c 83 31 9d 25
    0040  2c ac 9b 91 9a f8 47 f1  d9 e1 49 21 3e f7 e4 ca
    0050  32 4c ff 72 0c de b0 b9  c2 16 85 fa bf 37 2f ca
    0060  ed bc 8a 4b 30 81 e9 f8  2a ef 46 48 0f 2d 42 65
    0070  78 b5 76 ae a5 bf c1 f4  ae 8d a2 11 5e dd 95 f1
    0080  7c 49 c1 81 a4 a5 ee 3a  60 39 51 28 40 11 de 37
    0090  e6 57 30 71 ea d1 13 59  82 69 c7 a0 bf 74 b6 5b
    00a0  1f 15 1f b0 aa 3a 85 5b  54 bc 30 8c 08 6b 0a 92
    00b0  3a 9f 28 06 21 10 d2 a3  a9 dc 64 ce 2d 08 67 c3
    00c0  92 f5 c4 c8 c8 59 da a5  a8 a1 5f 3d a1 55 d2 41
    00d0  d7 c7 88 5c db 2b d2 91  0a 9e cc 7f da 0c b1 28
    00e0  6a 55 b9 38 45 00 e2 39  04 27 a4 24 09 88 36 ce
    00f0  be 72 63 d3 11 4d a8 50  12 c9 4e df 45 7f 1b 17
    0100  26 7b 63 1a a6 76 e1 0e  41 95 b8 9c dc eb 4d b2
    0110  e1 7c ee 8f 72 00 94 62  a7 84 45 2a 75 06 2d b9
    0120  b4 d6 3d 6f 81 6c 73 de  48 fe 8b 85 76 0c c4 df
    0130  0c c9 67 ca cd 89 08 7c  89 b5 89 f3 23 d4 fc 29
    0140  07 ac cc 87 c6 3d 34 63  fa f7 3b 52 ea 48 a3 0c
    0150  2a 23 ad cd 84 c0 9a 4b  a1 97 41 78 7c ed f8 e0
    0160  25 1e 88 28 96 be e8 1e  24 3c 80 69 dc 4f 21 27
    0170  72 eb 4d 1f d3 83 44 6b  d3 8d d7 0b d1 1f 2c 37
    0180  fe 08 03 fb 88 a3 cd 37  e5 7e 44 60 a8 51 b8 c8
    0190  e3 a5 86 90 0f d0 c0 74  25 b9 79 20 d4 b8 a5 8a
    01a0  01 0c a8 17 ba eb e9 34  35 5f b1 69 75 48 9f 41
    01b0  dd ac 7c 0a 1a 95 f2 8e  34 84 73 f5 cb 81 5a a1
    01c0  e9 f5 00 f9 c8 6a 07 7c  84 4d c7 25 87 ff dd f7
    01d0  81 ad 04 e2 79 1e 7f e9  f2 49 ac c3 cb e1 09 25
    01e0  7c 0e a1 79 0f 83 6c cf  54 cc 12 d4 c4 72 ae e7
    01f0  8e c2 f2 c8 fc 2e d7 ee  50 79 fa d6 17 c1 bc fa
    0200  48 2b f1 9b 07 b7 4f 79  f5 02 03 01 00 01
Certificate Extensions: 3
    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Key Encipherment, Data Encipherment (b0)

    2.5.29.37: Flags = 0, Length = 16
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
        Client Authentication (1.3.6.1.5.5.7.3.2)

    2.5.29.17: Flags = 0, Length = 4d
    Subject Alternative Name
        IP Address=127.0.0.1
        IP Address=0000:0000:0000:0000:0000:0000:0000:0001
        DNS Name=sf-gw-win-13mar2019.westeurope.cloudapp.azure.com

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  55 c0 a0 25 ca f9 a9 06  5e f2 82 a3 50 10 73 f0
    0010  aa 09 3e c4 2a ee 40 74  b1 ef d9 e9 2b 1c eb e3
    0020  0d 1b ab 84 02 1d 5a 61  e0 e9 dd 05 52 60 e3 c7
    0030  69 53 c3 57 69 1f 0a 9e  a3 16 0e 7c b8 05 72 53
    0040  f6 03 a7 08 89 ed 70 57  1b cc f1 9b de b4 29 f4
    0050  84 d9 6a 28 d3 6c 32 e3  7a 2a f8 6c cd 0e e4 0e
    0060  7b 21 17 03 01 5c af f4  1f 54 c6 cc f5 42 dd 17
    0070  e8 3e 05 a7 db ac c9 97  e7 8d 1d a2 3b 11 a6 6f
    0080  75 26 9c b2 c6 7f ca b1  61 d7 75 e8 ce c2 2b ab
    0090  39 c6 66 da 80 2f 8e 92  1f 12 ef 78 ce 2a c2 76
    00a0  2e ad bc 5f a1 33 7f 5d  bf a3 42 54 ca 48 4f 27
    00b0  b4 c8 a0 3d 8e ce 69 f6  4b 82 2a 31 b3 e2 dc 06
    00c0  e4 14 09 5d 7a 0b 36 c7  1b 09 50 2d 3c 44 05 c6
    00d0  fe 73 d6 61 53 23 5a 5d  62 5a 00 52 e6 6f 9d a2
    00e0  05 0c c0 8d 2e 9b 73 35  5b f7 16 6e c9 59 61 44
    00f0  e4 c8 14 de 52 c5 98 49  af a0 f9 93 83 57 59 22
    0100  d9 08 04 3f ae d8 23 e0  c6 90 ec b7 cd 79 d9 f4
    0110  e6 0d 2b 3c bd b1 07 9e  1e dc 58 2d 67 17 82 48
    0120  eb 0c 1a d3 6f 21 8a ef  68 e8 60 09 25 d8 55 15
    0130  fd f7 b0 ca 31 90 66 a6  70 01 1a 59 f2 17 06 99
    0140  1b c1 81 c5 da ef 26 a9  ee 8e c8 04 4e 79 dc e2
    0150  c1 bb 51 7c 5f b1 06 63  64 27 ce b7 f9 40 c6 6a
    0160  bc 64 52 ce 0a 1a 6c 89  12 45 9e 80 3e 52 70 fc
    0170  b4 c8 2d d8 6e c6 f7 53  d6 53 3b 77 ee 50 d3 b0
    0180  16 e5 04 98 53 ef e2 15  c9 9b 04 79 06 67 6e d8
    0190  52 30 d8 96 c7 6d 43 d7  6e 11 6a e9 61 3e bf 9d
    01a0  2e 6f 33 21 f8 68 9c 11  79 e5 ae 0f f4 12 f5 fc
    01b0  ec e5 01 08 e5 11 4d 2a  da 0d c4 d9 29 f5 63 9b
    01c0  94 4f 45 b9 25 de ba 07  1a 75 fd 99 de 35 5d c1
    01d0  df 02 5a 9b f0 9b 10 82  4e 7f 13 19 6f 55 dd c8
    01e0  5f ed 55 e4 05 24 41 b2  94 ef 72 48 65 25 6a ca
    01f0  c3 ae c5 ad 57 7c e2 1b  e4 a7 77 7d 8c f1 3d 1e
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): f9f756a3919d0b5dfa8e43ac43ea6414583ff71f
Key Id Hash(sha1): 81f9fb2ed9d259c4a40a634ab77ae99606a776c5
Key Id Hash(bcrypt-sha1): 151b830389beb8a5ed529dabd28c9d8e098fe3fa
Key Id Hash(bcrypt-sha256): d75be37ab42837b51c0a25111fdc6210eaf48e2bed19010ab5f71ddb488e3f2c
Key Id Hash(md5): 9f202798ceeb0d277d6b20cb97ccbcfd
Key Id Hash(sha256): cd77cd0f4ad33dc13bc41077359bf0965423ac1bd64633351aa8ac81c7d25567
Key Id Hash(pin-sha256): GSLM/gfacBd2FM3u2SkbsXR15PSRp62uLQnvGiNa2WM=
Key Id Hash(pin-sha256-hex): 1922ccfe07da70177614cdeed9291bb17475e4f491a7adae2d09ef1a235ad963
Cert Hash(md5): 377d5f5f05aa9c376063305a60933e35
Cert Hash(sha1): 6a7f2ca4244e4fa1c7699de9a2e55cc0bb6f6657
Cert Hash(sha256): 2f56cfcdad9a8da8ba79b34cd4383eab88bc001a6ace1d1dc9befb2154e59ca9
Signature Hash: bb32fdc4357935eafeeafa8384d4ce98f711ce9f6b60cbb147edda1aba39af7c

  CERT_SIGNATURE_HASH_PROP_ID(15) disallowedHash:
 bb32fdc4357935eafeeafa8384d4ce98f711ce9f6b60cbb147edda1aba39af7c

  CERT_SIGN_HASH_CNG_ALG_PROP_ID(89):
    RSA/SHA256

  CERT_KEY_IDENTIFIER_PROP_ID(20):
    81f9fb2ed9d259c4a40a634ab77ae99606a776c5

  CERT_SHA1_HASH_PROP_ID(3):
    6a7f2ca4244e4fa1c7699de9a2e55cc0bb6f6657

  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = {FBF56CC1-7B2A-46AD-8AF4-26FFA7549481}
  Unique container name: c08961a3547a2c6cddac263c86108d7c_1e5dd0bd-f8a7-46af-b76b-b93aacf81c8c
    Provider = Microsoft Software Key Storage Provider
    ProviderType = 0
  Flags = 20 (32)
    CRYPT_MACHINE_KEYSET -- 20 (32)
    KeySpec = 0 -- XCN_AT_NONE

  CERT_FRIENDLY_NAME_PROP_ID(11):
    sf-gw-win-13mar2019

  CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID(25):
    9f202798ceeb0d277d6b20cb97ccbcfd

  CERT_MD5_HASH_PROP_ID(4):
    377d5f5f05aa9c376063305a60933e35

  CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID(92):
    0x00001000 (4096)

  CERT_ACCESS_STATE_PROP_ID(14):
  AccessState = 6
    CERT_ACCESS_STATE_SYSTEM_STORE_FLAG -- 2
    CERT_ACCESS_STATE_LM_SYSTEM_STORE_FLAG -- 4

  Provider = Microsoft Software Key Storage Provider
  ProviderType = 0
  Unique container name: c08961a3547a2c6cddac263c86108d7c_1e5dd0bd-f8a7-46af-b76b-b93aacf81c8c
  AD(AT_NONE): f799d17e7d8a5d5a81599bb26ee3e7aceba62907
  AD(AT_KEYEXCHANGE): eca8f2abcda4d7d8db20107b071bdb60ea5b63df
  AD(AT_SIGNATURE): 43a9c8854a9dc659d5266748036a9658b9344557
  RSA
  Export Policy = 0
  Name: {FBF56CC1-7B2A-46AD-8AF4-26FFA7549481}
  Algorithm Group: RSA
  Algorithm Name: RSA
  Length: 4096 (0x1000)
  Lengths:
    dwMinLength = 512 (0x200)
    dwMaxLength = 16384 (0x4000)
    dwIncrement = 8 (0x8)
    dwDefaultLength = 1024 (0x400)
  Block Length: 512 (0x200)
  Export Policy: 0 (0x0)

  HWND Handle:Binary:
0000    10 00 01 00 00 00 00 00                            ........
  Key Usage: 16777215 (0xffffff)
    NCRYPT_ALLOW_DECRYPT_FLAG -- 1
    NCRYPT_ALLOW_SIGNING_FLAG -- 2
    NCRYPT_ALLOW_KEY_AGREEMENT_FLAG -- 4
    NCRYPT_ALLOW_KEY_IMPORT_FLAG -- 8
    NCRYPT_ALLOW_ALL_USAGES -- ffffff (16777215)

  Security Descr: D:P(A;;0xd01f01ff;;;SY)(A;;0x80120089;;;NS)(A;;0xd01f01ff;;;BA)
  Modified: 3/13/2019 9:48 AM
  Virtual Iso: 0 (0x0)
  Per Boot Key: 0 (0x0)
  Key Usage = ffffff (16777215)
    NCRYPT_ALLOW_DECRYPT_FLAG -- 1
    NCRYPT_ALLOW_SIGNING_FLAG -- 2
    NCRYPT_ALLOW_KEY_AGREEMENT_FLAG -- 4
    NCRYPT_ALLOW_KEY_IMPORT_FLAG -- 8
    NCRYPT_ALLOW_ALL_USAGES -- ffffff (16777215)

  D:P(A;;0xd01f01ff;;;SY)(A;;0x80120089;;;NS)(A;;0xd01f01ff;;;BA)

    Allow Write NT AUTHORITY\SYSTEM
    Allow Write NT AUTHORITY\NETWORK SERVICE
    Allow Write BUILTIN\Administrators

Private key is NOT exportable
Encryption test passed

================ Certificate 2 ================

2
I would try to use more specific implementation of RSA, i.e. RSACryptoServiceProvider. Try the last constructor RSACryptoServiceProvider (int dwKeySize, System.Security.Cryptography.CspParameters parameters). You can specify the CSP in CspParameters - ProviderName. Set ProviderType to 24. The hard part will be figuring and correctly setting CspParameters.Flags.pepo
I tried new RSACryptoServiceProvider(2048*2, new CspParameters(24, "Microsoft Enhanced RSA and AES Cryptographic Provider", Guid.NewGuid().ToString())) - no exceptions but debugger still shows it using the Microsoft Software Key Storage ProviderPoul K. Sørensen
looks like the certificate generated is correct thoughPoul K. Sørensen

2 Answers

4
votes

The answer depends on what you want to do with the certificate.

PersistKeySet behavior

If you want to add it to an X509Store where it will stay "forever" (and thus you would have imported it as a PFX with the PersistKeySet flag), then the self-discovered solution is correct:

using (RSA rsa = new RSACryptoServiceProvider(4096, new CspParameters(24, "Microsoft Enhanced RSA and AES Cryptographic Provider", Guid.NewGuid().ToString())))
{
     CertificateRequest req = ...;
     return req.CreateSelfSigned(...);
}

The most important thing was that the key was given a name (Guid.NewGuid().ToString()), making it a persisted key. That allowed the call to cert.CopyWithPrivateKey buried inside CreateSelfSigned to attach to the key on disk.

EphemeralKeySet behavior, with controlled PFX export

If your only call to this method is to export it to a PFX then you want to do things slightly differently.

using (RSACryptoServiceProvider rsa = <same as above>)
{
    // Delete this key on Dispose / finalization.
    rsa.PersistKeyInCsp = false;

    CertificateRequest req = ...;

    using (X509Certificate2 cert = req.CreateSelfSigned(...))
    {
        // At this line the persisted key still exists so it reports its name and CSP/KSP into the PFX.
        return cert.Export(X509ContentType.Pkcs12, password);
    }
}

Again, the key was named, making the CSP and name persist into the PFX/PKCS12. But the object was marked as self-deleting, so it cleaned up after itself.

Had you returned the certificate at that point instead of exporting, the cert would have no longer been able to use its private key, and a later PFX export would fail.

"PerphemeralKeySet" behavior certificate

If you want to use the cert for a bit, and control the PFX export, and have the key not live forever... combine the previous two things.

using (RSACryptoServiceProvider rsa = ...)
{
    rsa.PersistKeyInCsp = false;

    CertificateRequest req = ...;

    using (X509Certificate2 cert = req.CreateSelfSigned(...))
    {
        // Export the PFX using the current key.  Re-import it with no flags to
        // make it a normal "perphemeral" key behavior.
        return new X509Certificate2(cert.Export(X509ContentType.Pkcs12), "", X509KeyStorageFlags.Exportable);
    }
}

The PFX import here, since it occurs before the original key is disposed/deleted moves to a new GUID-based key name. If you care that the same name gets used, export to a byte[] before letting Dispose get called on the key object, then re-import, and the same key name will be used (on all current versions of Windows)... but now the delete semantics are tied to the life of the certificate instead of the life of the RSA object.

1
votes

The following code do seems to work, and i confirmed that it worked with Service Fabric.

    private X509Certificate2 buildSelfSignedServerCertificate(string CertificateName,string password,string dns)
    {

        SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
        sanBuilder.AddIpAddress(IPAddress.Loopback);
        sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
        if (!string.IsNullOrEmpty(dns))
        {
            sanBuilder.AddDnsName(dns);
        }
      // 
      //  sanBuilder.AddDnsName(Environment.MachineName);

        X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");

        using (RSA rsa = new RSACryptoServiceProvider(2048 * 2, new CspParameters(24, "Microsoft Enhanced RSA and AES Cryptographic Provider", Guid.NewGuid().ToString())))
        {

            var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            //request.CertificateExtensions.Add(
            //    new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));


            //request.CertificateExtensions.Add(
            //   new X509EnhancedKeyUsageExtension(
            //       new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), new Oid("1.3.6.1.5.5.7.3.2") }, false));

            request.CertificateExtensions.Add(sanBuilder.Build());

            var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
             bool isWindows = System.Runtime.InteropServices.RuntimeInformation
                           .IsOSPlatform(OSPlatform.Windows);
            if(isWindows)
                certificate.FriendlyName = CertificateName;

            return certificate;
           // return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.MachineKeySet);
        }
    }

generated the following cert

================ Certificate 2 ================
X509 Certificate:
Version: 3
Serial Number: 5f35de2753dd8527
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=CN=Test
  Name Hash(sha1): 6ef7a8d0891b98b0093b19c9421fdb9e5b344b99
  Name Hash(md5): 252ddd96b0338b433e7d73b2697a63c7

 NotBefore: 3/12/2019 1:49 PM
 NotAfter: 3/10/2029 1:49 PM

Subject:
    CN=CN=Test
  Name Hash(sha1): 6ef7a8d0891b98b0093b19c9421fdb9e5b344b99
  Name Hash(md5): 252ddd96b0338b433e7d73b2697a63c7

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 4096 bits
Public Key: UnusedBits = 0
    0000  30 82 02 0a 02 82 02 01  00 ad 51 42 bd 46 df d1
    0010  af 96 8e 13 3d 1c 52 34  95 d3 dd be 4f eb 9e ac
    0020  60 54 fb 54 2c 39 c8 43  4d 84 76 60 b7 3a 65 94
    0030  d0 bb 52 7e d6 de 7e 86  c2 cc c7 63 6d 95 1b fb
    0040  2f 94 97 cb 75 2f eb 7f  cc de f8 66 58 3d 59 a5
    0050  50 0c a6 86 d6 84 87 ae  fb 4f 71 30 20 f3 43 be
    0060  78 9e a0 0c 38 e8 63 79  1f 90 e7 28 97 8d 48 9c
    0070  86 c7 66 63 83 61 6a 11  58 f6 70 ed 1f ce 68 e5
    0080  a0 2a 76 66 28 d9 80 77  3f f5 38 47 fa 7b cf 43
    0090  38 8c 46 0e 00 ed 93 30  69 8b c8 22 93 ca eb a1
    00a0  0b 52 20 e1 3b 83 15 3f  4d 3b 10 b1 a6 d7 d4 f5
    00b0  8f 7f 29 53 ad 9c 14 a6  4e 09 71 05 0d da 4d e6
    00c0  d2 52 d4 64 4c 79 9d bf  cb bd 27 cd 72 86 84 77
    00d0  1d 33 6a b8 93 32 11 a7  3d 8a 33 92 54 d4 ae 9b
    00e0  18 15 e1 35 b5 d3 08 cf  63 d1 d7 ab a9 60 2a 59
    00f0  d6 1c e4 3c a0 c8 4c 03  07 75 e0 e2 08 23 02 63
    0100  ce 53 c8 d4 8c e1 58 2a  f4 0a eb 96 3a e1 45 4f
    0110  19 34 89 bc 57 c2 37 be  ee 86 54 b1 ac a4 44 02
    0120  54 66 7d 1a 8c d1 05 45  c5 b8 4b 08 c7 a9 4e 84
    0130  a1 8b dc 1f e9 7f 78 c6  77 f4 7d 69 78 3b 81 e1
    0140  8b 4c 12 0d ad a5 ea 21  e7 3a 26 f6 3c 18 46 e7
    0150  09 f9 35 93 05 84 3b d2  2d e1 d9 2d 40 ee 8b 48
    0160  55 5c f5 6b 0f af 6f ef  13 28 65 5d 13 83 df ed
    0170  97 23 57 31 07 4e 52 1d  93 49 2e 20 90 0b c9 a4
    0180  16 56 b5 74 97 df 6e 16  4a b4 38 c6 25 a2 b8 ad
    0190  2f 73 96 5c 58 01 73 14  af 79 c1 a6 a1 d0 21 ae
    01a0  ff f2 ec a4 61 28 bc c7  f8 0f de fb e0 4c 33 46
    01b0  f4 e2 c5 3f ee a0 c2 f4  cd 78 c0 f1 ce 56 d9 bb
    01c0  78 f0 a7 43 ea d7 01 ab  c1 aa 9f 06 3a 9e ab f9
    01d0  47 ef 1e f1 6f 33 d3 e7  d0 ba 31 1c 92 71 4a 10
    01e0  cc f9 76 c6 75 d0 f4 90  e9 3d 2f d6 49 d9 c2 81
    01f0  42 e2 1e 32 f5 de 97 11  45 42 a1 ef a0 86 aa 69
    0200  a2 8b 7a ea 28 fe 36 ae  61 02 03 01 00 01
Certificate Extensions: 1
    2.5.29.17: Flags = 0, Length = 1a
    Subject Alternative Name
        IP Address=127.0.0.1
        IP Address=0000:0000:0000:0000:0000:0000:0000:0001

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  f8 3a 99 42 b4 05 c1 6c  e5 64 fa 07 b0 0f 6d a0
    0010  a4 b3 bf cd 9d cf b1 67  57 67 0c 62 b2 6c 6e 59
    0020  ab eb ca ae fc d3 ff 08  d4 5a 87 11 f2 24 36 8f
    0030  0b 28 50 9a ae 57 ea 6e  0c 75 70 d7 71 b0 b3 2c
    0040  d3 d7 2d cb d1 9d c0 f3  d6 bf 56 c1 6e 4e 20 78
    0050  2e 8c e1 82 4b 54 db c9  a9 c5 ac 6e 29 f7 ec 0f
    0060  df 57 a2 93 80 23 b1 45  ac fb a4 a2 ec a2 b0 eb
    0070  53 ef 81 71 5b 68 c3 dc  97 5f 58 4d d1 e5 1e e7
    0080  e4 5a 30 2a f5 23 8a 44  10 5d 66 62 47 d4 9c b0
    0090  20 98 2b 0d c0 1a 56 94  5c 57 97 53 a8 fb ed 10
    00a0  db d3 f9 76 ae ba 55 52  fc 4e d4 a9 1a 56 cf 0b
    00b0  59 45 cb 5f 32 72 00 e4  9c 47 45 fb 46 91 8f d2
    00c0  9e f4 6a b4 74 22 b1 59  e8 1e 90 46 1f 66 16 32
    00d0  7b b2 df f3 d5 14 77 f4  6b 0c d5 09 e8 d5 f0 07
    00e0  06 48 97 f5 d4 9a c1 db  d1 70 49 66 12 d8 b7 05
    00f0  18 d1 3d fa 03 37 85 89  23 6b 90 b1 ce c0 29 f7
    0100  dd bd 60 3c 9c e0 d8 4e  28 4f 1c 0a f2 a9 73 69
    0110  09 e9 61 87 e2 31 e0 3e  bd 36 af 51 4c 2a 01 d1
    0120  c1 62 67 0d 89 f2 2e b8  ac 67 eb 65 fb c4 1b 92
    0130  b3 e6 7c c6 9a 96 bd a0  e5 aa a3 4e 49 05 ac a9
    0140  7c 4b e8 55 98 d2 5b 27  21 45 36 e8 f7 59 31 ef
    0150  e8 fc 71 15 0d 1b a9 e7  6b c7 c4 98 39 4d 22 4a
    0160  19 72 67 92 7c bf 61 8d  aa 2c 41 1f ba ec dc b2
    0170  5d df 56 f1 2c 35 80 fa  c9 9d de 33 b0 26 2d 00
    0180  ba 5e 75 c4 ac 6d 08 d9  6c a0 72 74 37 7d dd 4e
    0190  31 83 4d 30 9d 07 79 68  40 38 ed e5 7d b0 2b 58
    01a0  c1 64 2d 69 5f 3d 46 ba  7a 75 9b 29 10 1b b3 11
    01b0  95 9b f3 2d a2 50 94 d8  36 92 79 57 16 53 8c 07
    01c0  e1 3b d5 1c a7 5d bc 91  2d ed 21 3e 1d 4f 2b a0
    01d0  b6 6c a0 de 78 e1 eb ee  45 b3 16 ea bc f9 4f 18
    01e0  37 c8 a8 62 8d 80 54 c3  99 1e a1 6d cb 5c 0e be
    01f0  96 ef ad 6b ee ad 4e b7  4e ae b1 9a 62 27 2e 43
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): 109b354c4ebab3e38ea9badfbe1d82026dfa3596
Key Id Hash(sha1): 30becd4cbc82ee17ed3b3339b1e06e59426a47e1
Key Id Hash(bcrypt-sha1): 4f636b55894c3952f2c0b286e14b1c4097a33430
Key Id Hash(bcrypt-sha256): dd688647c0bfacf902ca2641503b47626cba4c068700ff9c0966755e07c34631
Key Id Hash(md5): 7463515ce976eff5b43e4a35dab5e4be
Key Id Hash(sha256): bdadaf178abb608a5be995790a1c13c233d0dd21a9de6b7a6f8c7446b6f68006
Key Id Hash(pin-sha256): v1omdJppKmUlS2HN29QXBMLLvAMjSSSAjl1HnkoaVD0=
Key Id Hash(pin-sha256-hex): bf5a26749a692a65254b61cddbd41704c2cbbc03234924808e5d479e4a1a543d
Cert Hash(md5): 8242f9a9036b0181d4ae3bef505f926f
Cert Hash(sha1): bb0df29ab8ac261dc07512f0c503ccac3b94b685
Cert Hash(sha256): 87274aaef464f71120f9b198ca9b19be4c112d3cc51ab7a148639d1dd9a96f93
Signature Hash: 67b6a0ab301683da7f113d13415acdb02cd3213118eaa995458c39e50b79c228

  CERT_MD5_HASH_PROP_ID(4):
    8242f9a9036b0181d4ae3bef505f926f

  CERT_KEY_IDENTIFIER_PROP_ID(20):
    30becd4cbc82ee17ed3b3339b1e06e59426a47e1

  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = 9de3ab72-be6a-4a5a-85b4-321110eadb5d
  Unique container name: 736f334a421c52ddfb83677bfcefa723_dbb26849-7c5e-48f1-871d-8a3e25ef9376
    Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
    ProviderType = 18
  Flags = 20 (32)
    CRYPT_MACHINE_KEYSET -- 20 (32)
    KeySpec = 1 -- AT_KEYEXCHANGE

  CERT_SHA1_HASH_PROP_ID(3):