Discuss this help topic in SecureBlackbox Forum

Configure certificate extensions

Certificate extensions specify the certificate's usage restrictions and/or provide additional information about the PKI environment (e.g., the certificate's CRL endpoint). You can configure the extensions of a new certificate prior to its generation using the Extensions property of the corresponding TElX509CertificateEx object. The extensions must be configured before the Generate method is called; extensions set afterwards are not included in the signed certificate.

To add a standard extension (the vast majority of which are supported by SecureBlackbox):

  1. Switch on the corresponding flag(s) in the TElX509CertificateEx.Extensions.Included set:

     cert.Extensions.Included = SBX509Ext.Unit.ceKeyUsage | SBX509Ext.Unit.ceBasicConstraints | SBX509Ext.Unit.ceExtendedKeyUsage;

  2. Tune up the extension data using the relevant TElX509CertificateEx.Extensions object properties. Each extension object carries its own Critical flag:

     cert.Extensions.KeyUsage.DigitalSignature = true;
     cert.Extensions.KeyUsage.NonRepudiation = true;
     cert.Extensions.KeyUsage.Critical = true;
     cert.Extensions.BasicConstraints.CA = true;
     cert.Extensions.BasicConstraints.PathLenConstraint = 5;
     cert.Extensions.BasicConstraints.Critical = true;
     cert.Extensions.ExtendedKeyUsage.ClientAuthentication = true;

To add a custom extension (an extension not supported by SecureBlackbox), encode it into an ASN.1 record according to the extension's specification. You also need to know the correct object identifier (OID) for your extension. An incorrectly encoded value or a wrong OID may invalidate the whole certificate. You can use SecureBlackbox's components TElASN1ConstrainedTag and TElASN1SimpleTag from the SBASN1Tree namespace to create an ASN.1 structure and serialize it in BER/DER representation. Custom extensions are added via the Extensions object's OtherExtensions[] property:

// Generating the DER representation of our custom extension. For simplicity, we assume that
// the contents of our extension is a single ASN.1 OBJECT IDENTIFIER entry.
// The empty string is a placeholder: supply the OID required by your extension's specification.
byte[] extValue = SBASN1Tree.Unit.FormatAttributeValue(SBASN1Tree.Unit.SB_ASN1_OBJECT, SBStrUtils.Unit.StrToOID(""));

// Adding the custom extension: reserve a slot, then fill in the extension object it returns
cert.Extensions.OtherCount = 1;
TElCustomExtension myext = cert.Extensions.get_OtherExtensions(0);
myext.OID = SBStrUtils.Unit.StrToOID(""); // placeholder: the OID that identifies your extension
myext.Critical = false; // setting Critical to false allows processing applications to accept the certificate even if they don't support your extension
myext.Value = extValue;

You can add as many custom extensions as you like; increase OtherCount accordingly and configure each index in turn.
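To make concrete what the two procedures above produce on the wire, here is an added example that is not part of this help topic and is not SecureBlackbox code: a small, standard-library-only Python encoder and decoder for the X.509 v3 Extension structure (RFC 5280, section 4.1). It DER-encodes the KeyUsage and BasicConstraints extensions configured in step 2 (digitalSignature, nonRepudiation, cA=TRUE, pathLenConstraint=5, both critical), adds a non-critical custom extension whose contents are a bare OBJECT IDENTIFIER, as in the custom-extension snippet, decodes the result back, and shows the relying-party rule that motivates the Critical flag: an unrecognised critical extension causes rejection, an unrecognised non-critical one is ignored. The OID 1.3.6.1.4.1.99999.1 is a constructed placeholder, not a registered identifier, and all helper names are this example's own.

```python
"""Minimal DER encoder/decoder for X.509 v3 extensions (RFC 5280, section 4.1).
Added example; not SecureBlackbox code. Only the standard library is used."""

# ---- DER primitives -----------------------------------------------------------
def der_length(n: int) -> bytes:
    """Length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (0x06): first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # least significant group, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))   # most significant group first
    return der_tlv(0x06, bytes(out))

def encode_bool(v: bool) -> bytes:
    return der_tlv(0x01, b"\xff" if v else b"\x00")

def encode_int(v: int) -> bytes:
    """Non-negative INTEGER (0x02); enough for pathLenConstraint."""
    return der_tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def encode_bitstring(set_bits) -> bytes:
    """Named-bit BIT STRING (0x03) as used by KeyUsage; DER trims trailing zero bits."""
    if not set_bits:
        return der_tlv(0x03, b"\x00")
    nbits = max(set_bits) + 1
    nbytes = (nbits + 7) // 8
    val = 0
    for b in set_bits:
        val |= 1 << (nbytes * 8 - 1 - b)   # bit 0 is the most significant bit
    unused = nbytes * 8 - nbits
    return der_tlv(0x03, bytes([unused]) + val.to_bytes(nbytes, "big"))

def encode_octets(b: bytes) -> bytes:
    return der_tlv(0x04, b)

def encode_seq(*parts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(parts))

# ---- Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
def build_extension(oid: str, critical: bool, value: bytes) -> bytes:
    parts = [encode_oid(oid)]
    if critical:                      # DER: a field equal to its DEFAULT must be omitted
        parts.append(encode_bool(True))
    parts.append(encode_octets(value))
    return encode_seq(*parts)

# ---- decoder ---------------------------------------------------------------------
def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_extensions(blob: bytes):
    """Parse Extensions ::= SEQUENCE OF Extension into (oid, critical, value) tuples."""
    tag, outer, _ = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(outer):
        _, ext, pos = read_tlv(outer, pos)
        _, oid_content, p = read_tlv(ext, 0)
        tag, content, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:               # optional critical BOOLEAN present
            critical = content == b"\xff"
            tag, content, p = read_tlv(ext, p)
        result.append((decode_oid(oid_content), critical, content))
    return result

def relying_party_accepts(extensions, supported_oids) -> bool:
    """RFC 5280 4.2: an unrecognised extension marked critical MUST cause rejection;
    unrecognised non-critical extensions are ignored."""
    return all(oid in supported_oids or not critical for oid, critical, _ in extensions)

# ---- sample matching the help topic ----------------------------------------------
KEY_USAGE, BASIC_CONSTRAINTS = "2.5.29.15", "2.5.29.19"
CUSTOM_OID = "1.3.6.1.4.1.99999.1"    # constructed placeholder, not a registered OID

def sample_extensions() -> bytes:
    key_usage = encode_bitstring({0, 1})                   # digitalSignature(0), nonRepudiation(1)
    basic = encode_seq(encode_bool(True), encode_int(5))   # cA=TRUE, pathLenConstraint=5
    custom = encode_oid(CUSTOM_OID)                        # contents: a bare OBJECT IDENTIFIER
    return encode_seq(
        build_extension(KEY_USAGE, True, key_usage),
        build_extension(BASIC_CONSTRAINTS, True, basic),
        build_extension(CUSTOM_OID, False, custom),
    )

if __name__ == "__main__":
    print(sample_extensions().hex())
```

Two details worth noticing in the output: the KeyUsage value encodes as 03 02 06 c0 (six unused bits, because DER strips trailing zero bits), and the non-critical custom extension contains no BOOLEAN at all, since DER forbids encoding a value equal to its DEFAULT. A decoder that expects the BOOLEAN to always be present will misparse exactly the extensions that are marked non-critical.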
