I have been following a guide that covers signing authorization tokens for Web API security. One of the aspects was storing the X509 certificate as a Base-64 string in the web.config. However, the steps necessary on how to get an X509 certificate and convert it into a Base-64 string were not explained. I found some guides on how to generate an X509 certificate using OpenSSL; however, I remain confused on which parts to use and how to convert to Base-64. Here is what I want to end up with.
- A Base-64 representation of the certificate that I can store in the web.config
- A password that goes along with the certificate
The code I want to use in my authentication server is:
SigningCertificate = new X509Certificate2(certificate, password);
Where certificate is a Base-64 encoded representation of the certificate and password is the signing certificate password.
So with the OpenSSL tool I am able to generate two files …
- Cert file – MyCert.pem
- Key file – MyKey.pem
Question #1 – Do I only need to use the MyCert.pem file when converting to Base-64? Or do both files need to be combined into a single PFX file before representing as Base-64?
Question #2 – Is there a utility that I can use that accepts a file and then exports a Base-64 string?
Best Answer
The PEM file format is encoded in Base64. It can be applied to private keys, certificates or also certificate signing requests. The files have a header/footer to distinguish them, starting with
-----BEGIN PRIVATE KEY-----
or
-----BEGIN CERTIFICATE-----
A PFX is a container for private keys and certificates protected with a password. You need to include both of your PEM files. A PFX is encoded in PKCS#12 format (binary).
Concatenate the cert with the key file and then have OpenSSL convert it to PKCS#12 (PFX).
If you are using this service (I have searched on Google), you will need the PKCS#12 file and the assigned password.
I normally use a text editor like Notepad++ with the MIME plugin. Alternatively, all programming languages have a method to convert an array of bytes to Base64 if you need to do it programmatically.
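The procedure the answer describes, as an added example (not code from the asker or answerer): bundle MyCert.pem and MyKey.pem into a password-protected PFX with OpenSSL, emit the Base-64 string for web.config, and verify the string decodes to a bundle OpenSSL can open with that password. The self-signed certificate and the password below are constructed for the demonstration and stand in for the files the question already has.

```shell
#!/usr/bin/env bash
# Added example: PEM cert + key -> password-protected PKCS#12 (PFX) -> Base-64 string.
# The demo certificate and PFX_PASSWORD are constructed here; replace with your own.
set -eu

WORKDIR="$(mktemp -d)"
PFX_PASSWORD="changeit-demo"   # constructed; use a strong secret and keep it out of source control

# Self-signed cert + key so the script runs stand-alone (stands in for the
# MyCert.pem / MyKey.pem the question already generated with OpenSSL).
make_demo_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=token-signing-demo" \
    -keyout "$WORKDIR/MyKey.pem" -out "$WORKDIR/MyCert.pem" 2>/dev/null
}

# Question #1: both files go in. -export bundles the certificate (-in) and its
# private key (-inkey) into one PKCS#12 container; -passout sets the password
# that X509Certificate2 will need to open it.
make_pfx() {
  openssl pkcs12 -export \
    -in "$WORKDIR/MyCert.pem" -inkey "$WORKDIR/MyKey.pem" \
    -out "$WORKDIR/MyCert.pfx" -passout "pass:$PFX_PASSWORD"
}

# Question #2: turn the binary PFX into a single Base-64 line (-A = no wrapping),
# which is the form that fits a web.config setting.
pfx_to_base64() {
  openssl base64 -A -in "$WORKDIR/MyCert.pfx"
}

# Round-trip check: decode the string and confirm OpenSSL can open the bundle
# with the password and that a certificate is inside. Returns 0 on success.
verify_base64_pfx() {
  printf '%s' "$1" | openssl base64 -d -A > "$WORKDIR/roundtrip.pfx"
  openssl pkcs12 -in "$WORKDIR/roundtrip.pfx" -passin "pass:$PFX_PASSWORD" \
    -nokeys 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

make_demo_pem
make_pfx
B64="$(pfx_to_base64)"
```

On the .NET side, decode the stored string with Convert.FromBase64String and pass the resulting byte[] to X509Certificate2, since the (string, string) overload expects a file path rather than Base-64 content. With OpenSSL 3 the default PKCS#12 encryption is AES with PBKDF2, which older Windows versions cannot read; add -legacy to the export command if X509Certificate2 rejects the file.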