📖 FluentCertificates Overview

⚠️ Note: while version numbers are v0.x.y, this software is under initial development and there'll be breaking-changes in its API from version to version.

FluentCertificates is a library using the Immutable Fluent Builder pattern for easily creating, finding and exporting certificates. Makes it simple to generate your own certificate chains, or just stand-alone self-signed certificates.

This project is published in several NuGet packages:

FluentCertificates: Top-level package that doesn't introduce any new functionality, it just imports the FluentCertificates.Builder, FluentCertificates.Extensions and FluentCertificates.Finder packages.
FluentCertificates.Builder: Provides CertificateBuilder for building certificates and also includes a bunch of convenient extension-methods. Examples below
FluentCertificates.Extensions: Provides a bunch of convenient extension-methods. Examples below
FluentCertificates.Finder: Provides CertificateFinder for finding certificates across a collection of X509Stores. Examples below

Unfortunately documentation is incomplete. You may find more examples within the project's unit tests.

`CertificateBuilder` examples

CertificateBuilder requires the FluentCertificates.Builder package and is found under the FluentCertificates namespace.

The absolute minimum needed to create a certificate (although it may not be a very useful one):

using var cert = new CertificateBuilder().Create();

Create a `CertificateSigningRequest` for signing, exporting and passing to a 3rd party CA:

//A public & private keypair must be created first, outside of the CertificateBuilder, otherwise you'd have no way to retrieve the private-key used for the new CertificateSigningRequest object
using var keys = RSA.Create();

//Creating a CertificateSigningRequest
var csr = new CertificateBuilder()
    .SetUsage(CertificateUsage.Server)
    .SetSubject(b => b.SetCommonName("*.fake.domain"))
    .SetDnsNames("*.fake.domain", "fake.domain")
    .SetKeyPair(keys)
    .CreateCertificateSigningRequest();

//The CertificateRequest object is accessible here:
var certRequest = csr.CertificateRequest;

//CSR can be exported to a string
Console.WriteLine(csr.ToPemString());

//Or to a file or StringWriter instance
csr.ExportAsPem("csr.pem");

Build a self-signed web server certificate:

//Using a fluent style
using var cert = new CertificateBuilder()
    .SetUsage(CertificateUsage.Server)
    .SetFriendlyName("Example self-signed web-server certificate")
    .SetSubject(b => b.SetCommonName("*.fake.domain"))
    .SetDnsNames("*.fake.domain", "fake.domain")
    .SetNotAfter(DateTimeOffset.UtcNow.AddMonths(1))
    .Create();

//And just to demonstrate using object initializers (I'll use fluent style from now on though)
using var builder = new CertificateBuilder() {
    Usage = CertificateUsage.Server,
    FriendlyName = "Example self-signed web-server certificate",
    Subject = new X500NameBuilder().SetCommonName("*.fake.domain"),
    DnsNames = new[] { "*.fake.domain", "fake.domain" },
    NotAfter = DateTimeOffset.UtcNow.AddMonths(1)
};
var cert = builder.Create();

Build a CA (certificate authority):

//A CA's expiry date must be later than that of any certificates it will issue
using var issuer = new CertificateBuilder()
    .SetUsage(CertificateUsage.CA)
    .SetFriendlyName("Example root CA")
    .SetSubject(b => b.SetCommonName("Example root CA"))
    .SetNotAfter(DateTimeOffset.UtcNow.AddYears(100))
    .Create();

Build a client-auth certificate signed by a CA:

//Note: the 'issuer' certificate used must have a private-key attached in order to sign this new certificate
using var cert = new CertificateBuilder()
    .SetUsage(CertificateUsage.Client)
    .SetFriendlyName("Example client-auth certificate")
    .SetSubject(b => b.SetCommonName("User: Michael"))
    .SetNotAfter(DateTimeOffset.UtcNow.AddYears(1))
    .SetIssuer(issuer)
    .Create();

Advanced: Build a certificate with customized extensions:

using var cert = new CertificateBuilder()
    .SetFriendlyName("Example certificate with customized extensions")
    .SetSubject(b => b.SetCommonName("Example certificate with customized extensions"))
    .AddExtension(new X509BasicConstraintsExtension(false, false, 0, true))
    .AddExtension(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment, true))
    .AddExtension(new X509EnhancedKeyUsageExtension(new OidCollection { new(KeyPurposeID.AnyExtendedKeyUsage.Id) }, false))
    .SetIssuer(issuer)
    .Create();

`CertificateFinder` examples

CertificateFinder requires the FluentCertificates.Finder package and is found under the FluentCertificates namespace.

TODO: document this

`X500NameBuilder` examples

X500NameBuilder requires the FluentCertificates.Builder package and is found under the FluentCertificates namespace.

TODO: document this; see unit tests for more examples