Hi Edward,

Thank you for your reply.  You are indeed correct that I do not understand much 
at all about this.  This is one of those topics where I learn a bunch, don't 
use it for a few years (or much longer) and then revisit it only to learn that 
I have forgotten it all. :)

In this case, I am not only learning self-signing certificates (and all of 
their implications), but I am also learning about the Azure Key Vault, which 
suggests using certificates in addition to sending a client id when making 
requests.  You can see more about this here with a sample article:
https://github.com/Azure/azure-content/blob/master/articles/key-vault/key-vault-use-from-web-application.md#authenticate-with-a-certificate-instead-of-a-client-secret

The root of the problem I am trying to solve is that I do not want to check in 
sensitive information into (public, à la GitHub) source control, but yet have an 
elegant system that allows me to retrieve necessary data for both local 
development and for production environments.

The path I *was* taking was to generate self-signed certificates that also have 
additional needed information embedded in the certificate's extensions.  
Additional information would be the client ID as mentioned above along with the 
root URL in which the vault is stored.  As you state, this is something that is 
personal to my process and would not be shared online.  

The problem I am facing now is that I do not know if creating a new certificate 
extension is the best guidance. :D

Additionally, I found out this morning after some digging that Azure provides 
"Application Settings" that replace configuration settings provided with the 
app.config after deployment.  In my case, the application I am running is a 
Console Application.  While I knew that "Application Settings" worked for Web 
Applications (web.config), I did not know that you can also deploy a Console 
Application as an Azure Web Job and get the same benefits. It will also account 
for the App.config -> Web.config conversion as well.  You can see more here: 
https://azure.microsoft.com/en-us/documentation/articles/websites-dotnet-deploy-webjobs/

Anyways, long story short here... I think I have what I need to continue with 
the core problem, but it is nice to know I have a resource here and also with 
the link you suggest below, which I will definitely use going forward. :)

Thank you for your advice and feedback!
Michael

-----Original Message-----
From: Edward Ned Harvey (bouncycastle) [mailto:bouncycas...@nedharvey.com] 
Sent: Monday, February 22, 2016 8:41 AM
To: Michael DeMond <mich...@dragonspark.us>; dev-crypto-csharp@bouncycastle.org
Subject: RE: Dynamically Signing X509 Certificates at Runtime

> From: Michael DeMond [mailto:mich...@dragonspark.us]
> 
> Apologies if I have or am already breaking any sort of rules and/or 
> protocol here in reaching out to you here.

Your email is completely appropriate here. There is also a strong community on 
stackoverflow, and http://crypto.stackexchange.com/


> Anyways, my question is actually the same as the question asked within 
> the comments of this blog post, and that is: is it possible to 
> generate a certificate from a provided CA root certificate?  I am 
> learning about all of this, and I
> *mostly* have things working in the test environment, but at some 
> point I will have to put the big boy pants on, and use a trusted 
> certificate from an external source (from what I understand).  Will I 
> be able to use this approach with that certificate?

Unless I miss my guess, you seem to not really understand how certificates 
work, or even, what exactly they are. My first response is to say:

If what you want is the academic learning experience, start by reading 
Cryptography Engineering, and/or attend an intro to cryptography class. There 
is a free video course on coursera, and probably other locations too. I've done 
both of these, and personally I think the book is better, but the coursera 
class is also very good.

If your goal is to use something practical, rather than learn everything about 
cryptography, you should probably just get a real cert from a trusted CA. Free 
certs are available from https://startssl.com or https://letsencrypt.org. There 
are also various low-cost cert providers (like $11/yr) for example 
https://namecheap.com.

You can create a self-signed cert, but then you should never expose it to the 
internet, so what's the point. If you know enough to tell me the nuances of 
when it would be ok and my overly broad generalized statement here is wrong - 
then you wouldn't be asking this question.  ;-)

You can create your own private CA, and build and deploy a private key 
infrastructure (PKI), but if you want to do this, you really should have a 
solid understanding of cryptography first. It's a lot of work, very complex, 
with lots of ways to shoot yourself. Most likely you wouldn't do that in a 
programming language such as C#; most likely you would use some preexisting 
tools such as openssl.
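As an added example (not code from this thread or from the Bouncy Castle project's own samples), here are the two operations asked about above done with the Bouncy Castle C# API: issuing a certificate signed by a CA certificate you hold, and embedding non-secret metadata (client ID, vault URL) in a private, non-critical extension. Assumptions: Bouncy Castle C# 1.8.x, a placeholder OID under a private arc, and constructed placeholder values; the private keys are the only secrets here and are what must stay out of source control, the certificate itself carries nothing sensitive.

```csharp
using System;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Extension;
static class CertDemo
{
    // Placeholder OID under the private-enterprise arc; use an arc you actually own in practice.
    const string MetadataOid = "1.3.6.1.4.1.99999.1";
    static AsymmetricCipherKeyPair NewRsaKey(SecureRandom rng)
    {
        var kpg = new RsaKeyPairGenerator();
        kpg.Init(new KeyGenerationParameters(rng, 2048));
        return kpg.GenerateKeyPair();
    }
    // Issue a cert for subjectKey signed by issuerKey; issuerCert == null means self-signed (root).
    static X509Certificate Issue(X509Name subject, AsymmetricKeyParameter subjectKey, X509Certificate issuerCert,
        AsymmetricKeyParameter issuerKey, bool isCa, string metadata, SecureRandom rng)
    {
        var gen = new X509V3CertificateGenerator();
        gen.SetSerialNumber(BigInteger.ProbablePrime(120, rng));        // random, positive serial
        gen.SetIssuerDN(issuerCert == null ? subject : issuerCert.SubjectDN);
        gen.SetSubjectDN(subject);
        gen.SetNotBefore(DateTime.UtcNow.AddMinutes(-5)); gen.SetNotAfter(DateTime.UtcNow.AddYears(1));
        gen.SetPublicKey(subjectKey);
        gen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(isCa));
        gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(subjectKey));
        if (issuerCert != null) // AKI lets a verifier find the issuing CA cert in a chain
            gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCert));
        if (metadata != null)   // non-critical: verifiers that do not know the OID simply ignore it
            gen.AddExtension(new DerObjectIdentifier(MetadataOid), false, new DerUtf8String(metadata));
        return gen.Generate(new Asn1SignatureFactory("SHA256WITHRSA", issuerKey, rng));
    }
    static void Main()
    {
        var rng = new SecureRandom();
        var caKey = NewRsaKey(rng);   // CA private key: keep offline / in a vault, never in the repo
        var ca = Issue(new X509Name("CN=Dev Root CA"), caKey.Public, null, caKey.Private, true, null, rng);
        var leafKey = NewRsaKey(rng); // app's private key: stays with the app, also never checked in
        var leaf = Issue(new X509Name("CN=keyvault-client"), leafKey.Public, ca, caKey.Private, false,
            "clientId=<placeholder-guid>;vault=https://example.vault.azure.net", rng);
        leaf.Verify(ca.GetPublicKey()); // throws if the signature does not chain to the CA
        var ext = leaf.GetExtensionValue(new DerObjectIdentifier(MetadataOid));
        Console.WriteLine(DerUtf8String.GetInstance(Asn1Object.FromByteArray(ext.GetOctets())).GetString());
    }
}
```

The extension value is plain DER UTF8String inside the usual OCTET STRING wrapper, which is why it is unwrapped with `GetOctets()` before parsing; anything a relying party must trust should come from the chain validation, not from the extension text.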
