I need to generate an RSA public/private key pair that will work with PowerShell v5's DSC platform. With my current keys, I get this error message [1]. Searching through the PowerShell documentation, I found a way to generate a proper certificate using certreq.exe and a specific INF file [2]. The problem is, certreq.exe puts the private key into the current user's certificate store, so I have to manually export the key to get it. I want to be able to generate a public/private key pair and export them into files without going through the Windows certificate stores.
I was looking at the Bouncy Castle API and it isn't clear to me how to set up the correct key usages. I'm a certificate newbie, so it isn't even clear to me what the .INF file below is doing. Does Bouncy Castle have a way of generating an RSA key pair from an .INF file? If not, can someone translate the .INF below into Bouncy Castle API-speak?

[1] Certificate '478B7793DC7CF246803D679F93670F13A5302602' cannot be used for encryption. Encryption certificates must contain the Data Encipherment or Key Encipherment key usage, and include the Document Encryption Enhanced Key Usage (1.3.6.1.4.1.311.80.1).

[2]
[Version]
Signature = "$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"

[NewRequest]
Subject = "cn=youral...@emailaddress.com"
MachineKeySet = false
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
HashAlgorithm = Sha1
Exportable = true
RequestType = Cert
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERM
ValidityPeriod = "Years"
ValidityPeriodUnits = "1000"

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"
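
Added example, not part of the original post: one way to express the INF's settings with the Bouncy Castle Java API (bcprov and bcpkix), building a self-signed certificate in memory and writing PEM files without any Windows certificate store. The class name, subject, output file names and one-year validity are assumptions, and SHA256withRSA is used in place of the INF's Sha1.

```java
import java.io.FileWriter;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class DscEncryptionCert { // hypothetical class name
    // Document Encryption EKU: the OID named in the error message and in [Strings].
    static final String DOCUMENT_ENCRYPTION_OID = "1.3.6.1.4.1.311.80.1";

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, rng);                                    // KeyLength = 2048
        KeyPair kp = kpg.generateKeyPair();

        X500Principal subject = new X500Principal("CN=dsc-example"); // placeholder subject
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000); // assumption: 1 year
        // RequestType = Cert produces a self-signed certificate: issuer == subject.
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            subject, new BigInteger(64, rng), notBefore, notAfter, subject, kp.getPublic());

        // Key usage bits that the error message [1] requires for encryption certificates.
        builder.addExtension(Extension.keyUsage, true,
            new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.dataEncipherment));
        // [Extensions]: extension 2.5.29.37 (EKU) carrying the Document Encryption OID.
        builder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(
            KeyPurposeId.getInstance(new ASN1ObjectIdentifier(DOCUMENT_ENCRYPTION_OID))));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(builder.build(signer));

        // The private key is written unencrypted; restrict access to the file.
        try (JcaPEMWriter w = new JcaPEMWriter(new FileWriter("dsc-cert.pem"))) { w.writeObject(cert); }
        try (JcaPEMWriter w = new JcaPEMWriter(new FileWriter("dsc-key.pem"))) { w.writeObject(kp.getPrivate()); }
    }
}
```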