Creating root and intermediate certificates in .NET

Omar Navarro 331 Reputation points
2023-01-17T15:05:38.1166667+00:00

Instead of using the bash scripts for root & intermediate certificate generation, the X509 library with .NET is being used to generate the certificates for device provisioning. When attempting to create & sign the intermediate using the root, the following error is encountered

 The issuer certificate public key algorithm (1.2.###.#####.2.1) does not match the value for this certificate request (1.2.###.#####.1.1.1), use the X509SignatureGenerator overload. (Parameter 'issuerCertificate')

Create root cert


1 answer

  1. QuantumCache 20,366 Reputation points Moderator
    2023-03-10T06:17:41.78+00:00

    Hi,

    The issuer certificate public key algorithm (1.2.###.#####.2.1) does not match the value for this certificate request (1.2.###.#####.1.1.1), use the X509SignatureGenerator overload. (Parameter 'issuerCertificate')

    This error message indicates that the public key algorithm of the issuer certificate is different from the algorithm specified in the certificate request. This can occur if you are attempting to sign a certificate with a root or intermediate certificate that was generated using a different algorithm.

    To resolve this error, you should use the X509SignatureGenerator overload in the X509Certificate2 class to specify the signature algorithm explicitly. This will ensure that the signature algorithm used to sign the certificate matches the algorithm specified in the certificate request.

    But, you can follow the suggested method in the document: Create demo certificates to test IoT Edge device features

    The code snippet below is given as an example and has not been tested on my side, so please make sure to test it fully before using it!!!

    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;
    
    // Load the root certificate (an RSA root in this example) together with its private key
    var rootCert = new X509Certificate2("path-to-root-cert.pfx", "password");
    
    // Create a certificate request for the intermediate certificate, keyed with ECDSA.
    // Keep a reference to the key: Create() returns a public-only certificate.
    var intermediateKey = ECDsa.Create();
    var request = new CertificateRequest(
        "CN=My Intermediate Certificate",
        intermediateKey,
        HashAlgorithmName.SHA256);
    
    // Set the certificate extensions
    request.CertificateExtensions.Add(
        new X509BasicConstraintsExtension(true, false, 0, true));
    request.CertificateExtensions.Add(
        new X509SubjectKeyIdentifierExtension(request.PublicKey, false));
    
    // Sign the certificate with the root certificate. The issuer-certificate overload of
    // Create() insists that issuer and request use the same key algorithm, so an RSA root
    // signing an ECDSA request must go through a signature generator (CreateForRSA for an
    // RSA issuer, CreateForECDsa for an ECDSA issuer). The hash algorithm is the one
    // given to the CertificateRequest constructor.
    var signatureGenerator = X509SignatureGenerator.CreateForRSA(
        rootCert.GetRSAPrivateKey(),
        RSASignaturePadding.Pkcs1);
    var intermediateCert = request.Create(
        rootCert.SubjectName,
        signatureGenerator,
        DateTimeOffset.UtcNow.AddDays(-1),
        DateTimeOffset.UtcNow.AddDays(365),
        Guid.NewGuid().ToByteArray());
    
    // Attach the intermediate's private key, otherwise the exported PFX holds only the public certificate
    var intermediateWithKey = intermediateCert.CopyWithPrivateKey(intermediateKey);
    
    // Save the intermediate certificate to a file
    File.WriteAllBytes("path-to-intermediate-cert.pfx", intermediateWithKey.Export(X509ContentType.Pfx, "password"));
    
    
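An added, self-contained example (not from the question or the answer above, and not Microsoft's code) that reproduces the error with in-memory keys, then issues the same ECDSA intermediate from an RSA root through the signature-generator overload and checks that the result actually chains to that root. Subject names, key sizes and validity periods are constructed placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed demo: an RSA root issuing an ECDSA intermediate, first the failing way,
// then through X509SignatureGenerator, followed by a chain check against our own root.
static class MixedAlgorithmChainDemo
{
    // RFC 5280 serial numbers must be positive, so clear the top bit of the random value.
    static byte[] Serial() { var s = RandomNumberGenerator.GetBytes(16); s[0] &= 0x7F; return s; }

    static CertificateRequest CaRequest(string subject, AsymmetricAlgorithm key, int pathLen)
    {
        var req = key is RSA rsa
            ? new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            : new CertificateRequest(subject, (ECDsa)key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, pathLen, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req;
    }

    static void Main()
    {
        var notBefore = DateTimeOffset.UtcNow.AddDays(-1);
        using var rootKey = RSA.Create(3072);
        using var root = CaRequest("CN=Demo Root CA", rootKey, 1)
            .CreateSelfSigned(notBefore, notBefore.AddYears(10));

        using var intKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var intReq = CaRequest("CN=Demo Intermediate CA", intKey, 0);
        var notAfter = notBefore.AddYears(5);

        // 1. The issuer-certificate overload infers the signature algorithm from the
        //    request's key (ECDSA), so an RSA issuer is rejected: the question's error.
        try { intReq.Create(root, notBefore, notAfter, Serial()); }
        catch (ArgumentException ex) { Console.WriteLine("Expected: " + ex.Message); }

        // 2. The X509SignatureGenerator overload states the issuer's algorithm explicitly.
        var gen = X509SignatureGenerator.CreateForRSA(rootKey, RSASignaturePadding.Pkcs1);
        using var intermediate = intReq.Create(root.SubjectName, gen, notBefore, notAfter, Serial());

        // 3. Verify the issued certificate chains to the root, trusting only our own root.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        Console.WriteLine("Intermediate chains to root: " + chain.Build(intermediate));
    }
}
```

Swap `RSA.Create` for `ECDsa.Create` on the root and `CreateForRSA` for `CreateForECDsa` to issue from an ECDSA root; the chain check stays the same.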
