I got a splendid answer on creating a self-signed certificate to be consumed by Azure principals at Generating self-signed certificate without external libraries by the excellent bartonjs.
The following is the pretty much the code provided in the Azure sample. However, I'm stuck at that how could the signing algorithm be changed? It seem to be SHA-1 by default, I might be wrong, but perhaps this should be explicitly be set to something else like SHA-256.
public static X509Certificate2 CreateSelfSignedRsaCertificate(string subjectName, string friendlyName)
{
if(subjectName == null)
{
throw new ArgumentNullException(nameof(subjectName));
}
if(friendlyName == null)
{
throw new ArgumentNullException(nameof(friendlyName));
}
var keyParams = new CngKeyCreationParameters();
keyParams.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.Persist));
using(var rsaKey = CngKey.Create(CngAlgorithm.Rsa, Guid.NewGuid().ToString(), keyParams))
{
using(RSA rsa = new RSACng(rsaKey))
{
var certRequest = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
//Explicitly not a CA.
certRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
certRequest.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
//TLS Server EKU.
certRequest.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));
//SubjectAlternativeName extension.
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName("localhost");
certRequest.CertificateExtensions.Add(sanBuilder.Build());
DateTimeOffset now = DateTimeOffset.UtcNow;
var certificate = certRequest.CreateSelfSigned(notBefore: now, notAfter: now.AddDays(1)/*now.AddDays(365.25)*/);
certificate.FriendlyName = friendlyName;
return certificate;
}
}
}