How to create a X509Certificate2 object with der certificate and pem private key file


The format of the private key is as below, and it has a password like 123:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,4D58B420357E8F3A5528539062B3CE0A
-----END RSA PRIVATE KEY-----

The format of the certificate file is DER. I want to know how to create an X509Certificate2 object using the above two files in a .NET Core project without using OpenSSL.

Is it possible to convert DER certificates into PEM certificates in .NET Core? Because it's my first time doing this, I really don't understand.


Answer by bartonjs:

The .NET PEM key loader does not support "PEM with attributes", which is to say that the lines

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,4D58B420357E8F3A5528539062B3CE0A

make your PEM invalid (as far as .NET is concerned). You can't just delete those lines, because they're an instruction to the reader that the contents are encrypted and it gives them information (when combined with the password) as to how to decrypt it.

I don't know how to produce a file like that any more, so I can't come up with a good way of verifying the instructions to clean it up... but if you do a one-time conversion from that to a compliant encrypted PKCS8 you should then be able to load it in .NET (with X509Certificate2.CreateFromEncryptedPem). But, hopefully this works:

openssl pkcs8 -in oldformat.key -out newformat.key -topk8

The particular style for encrypting keys that your file is in is pretty old. OpenSSL's documentation even refers to it as non-standard: https://www.openssl.org/docs/man1.0.2/man3/PEM_read_PrivateKey.html#PEM-ENCRYPTION-FORMAT
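Once the key has been converted to PKCS#8 as above, both the DER-to-PEM conversion and the load can stay inside .NET with no OpenSSL and no BouncyCastle. This is an added example, not code from either answer; it assumes .NET 5 or later, that keyPath holds the output of the openssl pkcs8 command (a "BEGIN ENCRYPTED PRIVATE KEY" block), and that certPath is the DER certificate.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class DerCertWithPemKey
{
    // Answers the second question: wrap the raw DER bytes in a PEM envelope.
    // PemEncoding.Write does the base64 + 64-column line wrapping (.NET 5+).
    public static string DerToPem(string certPath)
    {
        byte[] der = File.ReadAllBytes(certPath);
        return new string(PemEncoding.Write("CERTIFICATE", der));
    }

    // Route 1: the API bartonjs names. It wants the certificate as PEM, so convert first.
    // The returned certificate carries an ephemeral key; re-importing through PFX makes it
    // usable by TLS stacks (notably SChannel on Windows), which is why the export is kept.
    public static X509Certificate2 LoadViaCreateFromEncryptedPem(
        string certPath, string keyPath, string password)
    {
        string certPem = DerToPem(certPath);
        string keyPem = File.ReadAllText(keyPath);
        using (X509Certificate2 ephemeral =
            X509Certificate2.CreateFromEncryptedPem(certPem, keyPem, password))
        {
            return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx));
        }
    }

    // Route 2: keep the certificate as DER and attach the key explicitly. This is the
    // .NET-only equivalent of the BouncyCastle approach in the other answer.
    public static X509Certificate2 LoadViaCopyWithPrivateKey(
        string certPath, string keyPath, string password)
    {
        using (X509Certificate2 certOnly = new X509Certificate2(File.ReadAllBytes(certPath)))
        using (RSA rsa = RSA.Create())
        {
            // Only PKCS#8 ("ENCRYPTED PRIVATE KEY") is understood here; the legacy
            // Proc-Type/DEK-Info headers from the question are rejected, as noted above.
            rsa.ImportFromEncryptedPem(File.ReadAllText(keyPath), password);

            // CopyWithPrivateKey throws if the key does not match the certificate's
            // public key, so a mismatched key/cert pair fails here rather than at TLS time.
            using (X509Certificate2 withKey = certOnly.CopyWithPrivateKey(rsa))
            {
                return new X509Certificate2(withKey.Export(X509ContentType.Pfx));
            }
        }
    }
}
```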

Answer by RunXin Shirley:

Associate a private key with the X509Certificate2 class in .net

The following is what I use now.

using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Security;

// Hands the passphrase ("123" in the question) to PemReader for the encrypted key.
private sealed class PasswordFinder : IPasswordFinder
{
    private readonly char[] _pw;
    public PasswordFinder(string pw) { _pw = pw.ToCharArray(); }
    public char[] GetPassword() { return _pw; }
}

private X509Certificate2 GetCert(string certPath, string keyPath, string keyPassword)
{
    using (X509Certificate2 cert = new X509Certificate2(certPath)) // DER loads as-is
    using (StreamReader reader = new StreamReader(keyPath))
    {
        object pemObject = new PemReader(reader, new PasswordFinder(keyPassword)).ReadObject();
        // "BEGIN RSA PRIVATE KEY" is returned as a key pair; take its private half.
        RsaPrivateCrtKeyParameters keyParams = pemObject is AsymmetricCipherKeyPair pair
            ? (RsaPrivateCrtKeyParameters)pair.Private
            : (RsaPrivateCrtKeyParameters)pemObject;
        // cert.PrivateKey has no usable setter on .NET Core; CopyWithPrivateKey is the supported path.
        using (RSA rsa = DotNetUtilities.ToRSA(keyParams))
        using (X509Certificate2 withKey = cert.CopyWithPrivateKey(rsa))
            return new X509Certificate2(withKey.Export(X509ContentType.Pfx));
    }
}