
How do I create a PFX compatible with X509Certificate2 with OpenSSL?

I'm trying to create an RSA keypair that I can use with System.Security.Cryptography.X509Certificates.X509Certificate2 using OpenSSL.

The PFX I've managed to generate gives me this stack trace

create a private key, unencrypted (I realize this is not best practice)

openssl genrsa -out private.pem 2048

create a public key from the private key

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

create a certificate file from the private key

openssl req -x509 -key private.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=Colorado/L=Colorado Springs/O=Contoso/OU=Security/CN=mypurpose.contoso.org"

create a pfx file using the self-signed certificate

openssl pkcs12 -in cert.pem -inkey private.pem -export -out combined.pfx

prompts for a password to secure the pkcs

Trying to instantiate the instance of X509Certificate2 with

new X509Certificate2(@"C:\path\to\combined.pfx", "password", X509KeyStorageFlags.Exportable);

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at Program.Main()

The stack trace is telling me everything.

at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)

This means that there's no CERTIFICATE in my PFX file, because I used -nocerts in the openssl pkcs12 command.

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. (PKCS 12)

A PKCS #12 file really wants to contain something besides just a private/public key: it wants an X.509 certificate, which includes:

  • Certificate Version
  • Serial Number
  • Signature Algorithm
  • Issuer
  • Validity Not Before
  • Validity Not After

This is the final command that worked the way I wanted it to:

openssl pkcs12 -in cert.pem -inkey private.pem -export -clcerts -out combined.pfx -passout pass:

This allows me to instantiate using this code:

new X509Certificate2(@"C:\path\to\combined.pfx", (string)null, X509KeyStorageFlags.Exportable);

There's some additional code I'm using to load the private.pem and public.pem generated by openssl genrsa and openssl rsa here: https://stackoverflow.com/a/32243171/26877 . This code is loading the raw PEM data (just the private/public keys) into RSACryptoServiceProvider instance, which can be used to encrypt & decrypt.
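As an added example (not part of the answer above), this is how I would verify that the PFX produced by the final `openssl pkcs12 ... -clcerts ... -passout pass:` command really carries both the certificate and its private key before trusting it in an application: load it, check `HasPrivateKey`, and sign/verify with the key pair bound to the certificate. The path is the placeholder from the question; the message is a constructed sample.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class PfxCheck
{
    static void Main()
    {
        // Empty password matches "-passout pass:" used when exporting the PFX.
        // Exportable is only needed if the key must later leave the cert store.
        var cert = new X509Certificate2(@"C:\path\to\combined.pfx",
                                        (string)null,
                                        X509KeyStorageFlags.Exportable);

        Console.WriteLine($"Subject:         {cert.Subject}");
        Console.WriteLine($"Issuer:          {cert.Issuer}");
        Console.WriteLine($"Validity:        {cert.NotBefore:u} to {cert.NotAfter:u}");
        Console.WriteLine($"Signature alg:   {cert.SignatureAlgorithm.FriendlyName}");
        Console.WriteLine($"HasPrivateKey:   {cert.HasPrivateKey}");

        // A PFX exported without -inkey loads fine but is useless for signing/decrypting.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "PFX holds a certificate but no private key; re-export with -inkey private.pem");

        // Round-trip through the RSA keys actually bound to this certificate.
        using (RSA priv = cert.GetRSAPrivateKey())
        using (RSA pub = cert.GetRSAPublicKey())
        {
            byte[] data = Encoding.UTF8.GetBytes("constructed sample message");
            byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            bool ok = pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            Console.WriteLine($"Sign/verify OK:  {ok}");
            if (!ok)
                throw new CryptographicException("Private key does not match certificate public key");
        }
    }
}
```

If the private key and certificate were taken from different `genrsa` runs, the PFX still loads but the final verify step fails, which is the mismatch this check is meant to catch.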
