Private Key missing in X509Certificate2 after creating certificate

[ahmadjqureshi]

Hi Team,

The following code which was copied from UA.NETStandard 1.4.366.38 method CertificateFactory.CreateCertificate works correctly with OPCFoundation.NetStandard.Opc.Ua 1.4.370.12 but NOT with OPCFoundation.NetStandard.Opc.Ua 1.4.371.86 and later versions. The resulting X509Certificate2 certificate from method call “createBuilder.CreateForRSA();” does not contain private key despite HasPrivateKey property is true and PrivateKey property is null.

Is this some bug in OPCFoundation.NetStandard.Opc.Ua or is there any other way to create certificate including private key?

private static X509Certificate2 CertificateFactoryCreateCertificate(string applicationUri, string applicationName, string subjectName, IList domainNames, ushort keySize, DateTime startTime, ushort lifetimeInMonths, ushort hashSizeInBits, bool isCA = false, X509Certificate2 issuerCAKeyCert = null, byte[] publicKey = null, int pathLengthConstraint = 0)
{
ICertificateBuilder builder = null;
if (isCA)
{
builder = CertificateFactory.CreateCertificate(subjectName);
}
else
{
builder = CertificateFactory.CreateCertificate(applicationUri, applicationName, subjectName, domainNames);
}

builder.SetNotBefore(startTime);
builder.SetNotAfter(startTime.AddMonths(lifetimeInMonths));
builder.SetHashAlgorithm(X509Utils.GetRSAHashAlgorithmName(hashSizeInBits));
if (isCA)
{
	builder.SetCAConstraint(pathLengthConstraint);
}

ICertificateBuilderCreateForRSA createBuilder;
if (issuerCAKeyCert != null)
{
	var issuerBuilder = builder.SetIssuer(issuerCAKeyCert);
	if (publicKey != null)
	{
		createBuilder = issuerBuilder.SetRSAPublicKey(publicKey);
	}
	else
	{
		createBuilder = issuerBuilder.SetRSAKeySize(keySize);
	}
}
else
{
	createBuilder = builder.SetRSAKeySize(keySize);
}

return createBuilder.CreateForRSA();

}

[mregen]

hi @ahmadjqureshi , which platform are you using? windows or linux? .NET 8 or .NET Framework?
There are subtle differences when a new certificate is created. By default on newer .NET versions the OS supported CertificateRequest API is used to create the certificate. In older version it was created by BouncyCastle. BC requires a reload of the certificate as pfx to get the private key in the key store for crypto operations. Even more, the latest libraries try to use the Ephemeral keyset to avoid that private keys are stored on disk.
So often times having a private key may also mean it is not exportable. We try to keep this as a default, for security reasons.
Hope this helps.

[ahmadjqureshi]

Hi @mregen

Thanks for your comment.

As for your questions I am using Windows 10 22H2 and .Net Framework 4.8.1.

Can you explain more concerning bouncy castle requires reload of certificate as pfx?

Regards
Ahmad

[mregen]

Hi @ahmadjqureshi, in your case bouncy castle is not used to create a certificate, on .NET Framework 4.8 bc is just used for PEM import/export. Also .NET Framework 4.8 supports the ephemeral keyset. The new certificate has a private key, but it may require a reload to use crypto, but I may not remember correctly.
the PrivateKey property is not used to access the private key. To access the private key you would:

        using (RSA rsaPrivateKey = certificate.GetRSAPrivateKey())
        {
            RSAParameters rsaParams = rsa.ExportParameters(true);
        }