How to create self-signed certificate using Ed25519 in C#

I have to generate X509 certificates using Ed25519. I know I should use RequestCertificate class from System.Security.Cryptography.X509Certificates namespace but seems that it doesn't support ed25519.

That's my scenario: I have private ed25519 key and basing on it I need to generate self-signed X509 Certificate that will be able to use in mutual TLS.

I don't have any idea how can I do this while using ed25519, because it seems there is not support for this curve. How can I do this?

Szyszka947 Avatar asked Sep 19 '25 13:09

Szyszka947


1 Answer

Create a configuration file for OpenSSL, e.g. openssl-25519.cnf:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
CN = www.example.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com

You can use File.WriteAllText to a temp file to use it during the certificate signing whereas openSsl25519Configuration is a string of the configuration above, where you can interpolate in your dynamic values.

string tempCnfName = Path.GetTempFileName();

File.WriteAllText(tempCnfName, openSsl25519Configuration);

Then use OpenSSL to request a certificate signing request file, using your private key (example.com.key).

openssl req -new -out example.com.csr -key example.com.key -config openssl-25519.cnf

If you already have an existing private key, refer to the file path to the .key file in the process arguments:

string tempCsrName = Path.GetTempFileName();

Process process = new Process() {
    StartInfo = {
        FileName = "openssl.exe",
        Arguments = $"req -new -out {tempCsrName} -key example.com.key -config {tempCnfName}"
    }
};

process.Start();
process.WaitForExit();

And now you can use OpenSSL again to self-sign example.com.csr:

openssl x509 -req -days 700 -in example.com.csr -signkey example.com.key -out example.com.crt

string tempCrtName = Path.GetTempFileName();

Process process = new Process() {
    StartInfo = {
        FileName = "openssl.exe",
        Arguments = $"x509 -req -days 700 -in {tempCsrName} -signkey example.com.key -out {tempCrtName}"
    }
};

process.Start();
process.WaitForExit();

And now you have a self-signed ED25519 certificate that you can move or read as you need through tempCrtName.

If you don't already have a private key, you can generate one:

openssl genpkey -algorithm ED25519 > example.com.key

Source: https://blog.pinterjann.is/ed25519-certificates.html

Nora Söderlund Avatar answered Sep 22 '25 01:09

Nora Söderlund
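The answer's three steps (config file, CSR, self-sign) wrapped into one C# routine, as an added example that is not part of the answer or of the linked blog post. It assumes an `openssl` binary on PATH, and it departs from the answer's config in three places that matter for mutual TLS: `keyUsage` is `digitalSignature` (Ed25519 keys only sign, so `keyEncipherment`/`dataEncipherment` are meaningless for them), `clientAuth` is added next to `serverAuth` so the certificate can be presented from either side, and the self-sign step passes `-extfile`/`-extensions v3_req`, because `openssl x509 -req` does not carry the CSR's extensions into the certificate by default, which leaves it without a SAN. Arguments go through `ProcessStartInfo.ArgumentList` rather than an interpolated string, and the exit code and stderr are checked instead of ignored. The class and method names are the example's own.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text;

// Added example (not the answer's code). Assumes "openssl" is on PATH;
// use "openssl.exe" or a full path on Windows if it is not.
public static class Ed25519SelfSigned
{
    // Runs one openssl command. ArgumentList keeps each value a single argv
    // entry, so a CN or path with spaces or quotes cannot alter the command
    // line; a non-zero exit code surfaces as an exception carrying stderr.
    static string RunOpenSsl(params string[] args)
    {
        var psi = new ProcessStartInfo("openssl")
        {
            UseShellExecute = false,
            RedirectStandardOutput = true,
            RedirectStandardError = true,
        };
        foreach (string a in args) psi.ArgumentList.Add(a);

        using Process p = Process.Start(psi)
            ?? throw new InvalidOperationException("could not start openssl");
        string stdout = p.StandardOutput.ReadToEnd();
        string stderr = p.StandardError.ReadToEnd();
        p.WaitForExit();
        if (p.ExitCode != 0)
            throw new InvalidOperationException(
                $"openssl {args[0]} exited with {p.ExitCode}: {stderr}");
        return stdout;
    }

    // Values are interpolated into the config file, so a newline in one of
    // them could append directives of its own; reject that up front.
    static string Checked(string v)
    {
        if (v.IndexOfAny(new[] { '\r', '\n' }) >= 0)
            throw new ArgumentException("newline in config value: " + v);
        return v;
    }

    // Same layout as the answer's openssl-25519.cnf; keyUsage and EKU adjusted
    // for an Ed25519 key used on both ends of a mutual-TLS handshake.
    public static string BuildConfig(string country, string commonName, string[] dnsNames)
    {
        var sb = new StringBuilder();
        sb.AppendLine("[req]");
        sb.AppendLine("distinguished_name = req_distinguished_name");
        sb.AppendLine("req_extensions = v3_req");
        sb.AppendLine("prompt = no");
        sb.AppendLine("[req_distinguished_name]");
        sb.AppendLine($"C = {Checked(country)}");
        sb.AppendLine($"CN = {Checked(commonName)}");
        sb.AppendLine("[v3_req]");
        sb.AppendLine("keyUsage = critical, digitalSignature");
        sb.AppendLine("extendedKeyUsage = serverAuth, clientAuth");
        sb.AppendLine("subjectAltName = @alt_names");
        sb.AppendLine("[alt_names]");
        for (int i = 0; i < dnsNames.Length; i++)
            sb.AppendLine($"DNS.{i + 1} = {Checked(dnsNames[i])}");
        return sb.ToString();
    }

    // Key -> CSR -> self-signed certificate. "-extfile/-extensions" is what
    // puts the SAN and key-usage extensions into the final certificate.
    public static void Generate(string keyPath, string crtPath, string country,
                                string commonName, string[] dnsNames, int days)
    {
        string cnf = Path.GetTempFileName();
        string csr = Path.GetTempFileName();
        try
        {
            File.WriteAllText(cnf, BuildConfig(country, commonName, dnsNames));
            if (!File.Exists(keyPath))   // reuse an existing key, else create one
                RunOpenSsl("genpkey", "-algorithm", "ED25519", "-out", keyPath);
            RunOpenSsl("req", "-new", "-key", keyPath, "-config", cnf, "-out", csr);
            RunOpenSsl("x509", "-req", "-days", days.ToString(), "-in", csr,
                       "-signkey", keyPath, "-extfile", cnf, "-extensions", "v3_req",
                       "-out", crtPath);
        }
        finally
        {
            File.Delete(cnf);   // config and CSR are scratch files; the key is kept
            File.Delete(csr);
        }
    }

    // Reads back what was actually issued so SAN and key usage can be
    // confirmed before the certificate is deployed.
    public static string Describe(string crtPath) =>
        RunOpenSsl("x509", "-in", crtPath, "-noout", "-subject", "-issuer",
                   "-ext", "subjectAltName,keyUsage,extendedKeyUsage");

    public static void Main()
    {
        Generate("example.com.key", "example.com.crt", "DE", "www.example.com",
                 new[] { "www.example.com", "example.com" }, days: 700);
        Console.WriteLine(Describe("example.com.crt"));
    }
}
```

`Describe` is the check worth keeping in any build pipeline: if its output lacks the `subjectAltName` block, the extensions were dropped at the self-sign step and TLS peers that validate hostnames will refuse the certificate.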