Creating self-signed certificate on MacOS/Linux, works fine in Windows

[gautamdsheth]

I have the below code that we use to generate self-signed certificates, this works perfectly fine in Windows machines, however when trying this via a Mac or Azure cloud shell, it throws error like Windows Cryptography Next Generation (CNG) is not supported on this platform.

Not sure what we are doing wrong here, would appreciate somebody's help on this as I am not at all familiar in this area.
Googling it shows me that , CNG is windows only, so I guess I need to change this line new RSACng(2048) but not sure what it should be changed to ?

internal static X509Certificate2 CreateSelfSignedCertificate(string commonName, string country, string state, string locality, string organization, string organizationUnit, SecureString password, string friendlyName, DateTimeOffset from, DateTimeOffset to)
{
	SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
	sanBuilder.AddDnsName("localhost");
	sanBuilder.AddDnsName(Environment.MachineName);

	var x500Values = new List<string>();
	if (!string.IsNullOrWhiteSpace(commonName)) x500Values.Add($"CN={commonName}");
	if (!string.IsNullOrWhiteSpace(country)) x500Values.Add($"C={country}");
	if (!string.IsNullOrWhiteSpace(state)) x500Values.Add($"S={state}");
	if (!string.IsNullOrWhiteSpace(locality)) x500Values.Add($"L={locality}");
	if (!string.IsNullOrWhiteSpace(organization)) x500Values.Add($"O={organization}");
	if (!string.IsNullOrWhiteSpace(organizationUnit)) x500Values.Add($"OU={organizationUnit}");

	string distinguishedNameString = string.Join("; ", x500Values);

	X500DistinguishedName distinguishedName = new X500DistinguishedName(distinguishedNameString);

	using (RSA rsa = MakeExportable(new RSACng(2048)))
	{
		var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

		request.CertificateExtensions.Add(
			new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));


		request.CertificateExtensions.Add(
		   new X509EnhancedKeyUsageExtension(
			   new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));

		request.CertificateExtensions.Add(sanBuilder.Build());

		var certificate = request.CreateSelfSigned(from, to);

		if (Platform.IsWindows)
		{
			certificate.FriendlyName = friendlyName;
		}

		return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
	}
}

internal static RSA MakeExportable(RSA rsa)
{
	if (rsa is RSACng rsaCng)
	{
		const CngExportPolicies Exportability =
			CngExportPolicies.AllowExport |
			CngExportPolicies.AllowPlaintextExport;

		if ((rsaCng.Key.ExportPolicy & Exportability) == CngExportPolicies.AllowExport)
		{
			RSA copy = RSA.Create();

			copy.ImportEncryptedPkcs8PrivateKey(
				nameof(MakeExportable),
				rsa.ExportEncryptedPkcs8PrivateKey(
					nameof(MakeExportable),
					new PbeParameters(
						PbeEncryptionAlgorithm.TripleDes3KeyPkcs12,
						HashAlgorithmName.SHA1,
						2048)),
				out _);
			return copy;
		}
	}

	return rsa;
}      

Thanks in advance and much appreciate your help in this.
You can also find the full code here:

https://github.com/pnp/powershell/blob/dev/src/Commands/Utilities/CertificateHelper.cs

If there is anything else that we need to change/improve , would be happy to change it.

[bartonjs]

so I guess I need to change this line new RSACng(2048) but not sure what it should be changed to ?

RSA.Create(2048)

[bartonjs]

If there is anything else that we need to change/improve , would be happy to change it.

• Don't use PersistKeySet unless you're adding it to an X509Store.
• You can use X500DistinguishedNameBuilder instead of your custom string concatenator.
• You don't need MakeExportable, since ephemeral keys are always exportable.

[gautamdsheth]

Thank you very much @bartonjs , will make the changes that you suggested and get back to you !

[gautamdsheth]

Thank you @bartonjs , it worked for Linux and Mac as well !!!

About the MakeExportable thing, we added that piece of code because it didnt work when we opened this code in admin mode.

Some background here, we are executing this code as part of a PowerShell cmdlet. This MakeExportable code was added because it didnt work in when PowerShell was opened as administrator. After adding this code, it started working.

[bartonjs]

Hm, if the PowerShell build was based on an old version of .NET Framework that would make sense. new RSACng() wasn't exportable in .NET Framework 4.6.0 or 4.6.1, but we fixed that in 4.6.2 (and it was always exportable on .NET Core)