Discuss this help topic in SecureBlackbox Forum

Create certificate from certificate request

Certificate requests are widely used for remote signing of certificates. An entity that wants a CA-issued certificate generates a key pair and puts the public key, together with its identity information (organization name, country, common name, etc.), into a specially formatted document called a certificate request. The request is signed with the private key and sent to the CA. The CA validates the signature with the enclosed public key. If the signature is correct, the CA generates a certificate from the provided identity information and signs it with its own private key. It then sends the new certificate to the requester.

The following steps should be taken by the CA to process an incoming request and generate a certificate:

  1. Load the received request into a TElCertificateRequest object (SBPKCS10 namespace):

    TElCertificateRequest req = new TElCertificateRequest();
    req.LoadFromStream(reqStream);

  2. Validate the signature over the request to confirm that the information it contains was not altered in transit. A valid signature also proves that the requester holds the private key matching the enclosed public key; it does not prove that the identity claims in the request are genuine:

    bool valid = req.ValidateSignature();

  3. Validate the solicited Subject field of the request against your issuance policy. You might wish to alter it to match your policies before generating the certificate.
  4. Load your CA certificate together with its private key into a TElX509CertificateEx object:

    TElX509CertificateEx cacert = new TElX509CertificateEx();
    cacert.LoadFromFileAuto("cacert.pfx", "password");

  5. Create a brand new TElX509CertificateEx object in which the new certificate will be stored:

    TElX509CertificateEx cert = new TElX509CertificateEx();

  6. Set its validity period and, optionally, configure extensions:

    cert.ValidFrom = DateTime.UtcNow;
    cert.ValidTo = DateTime.UtcNow.AddYears(2);
    cert.Extensions.Included = SBX509Ext.Unit.ceKeyUsage;
    cert.Extensions.KeyUsage = SBX509Ext.Unit.kuDigitalSignature;

    There is no need to set the subject and issuer fields. The subject information is taken from the corresponding fields of the request, and the issuer information is taken from the CA certificate.
  7. Generate the certificate with the CA certificate's Generate() method:

    cacert.Generate(req, cert);

    You can specify the hash algorithm used by this method via the CA certificate's PreferredHashAlgorithm property (it must be set before Generate() is called):

    cacert.PreferredHashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;

  8. Save the new certificate to a stream or file:

    cert.SaveToFile("cert.cer", "", TSBCertFileFormat.cfDER);

    Now it can be sent to the requester.
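The eight steps above assembled into one CA-side method with the checks a practitioner would add, as an added example that is not from the SecureBlackbox documentation: it rejects requests whose signature fails, applies a constructed Common Name policy (allowedSuffix) to the solicited Subject, and pins the result to an end-entity certificate. Beyond the calls shown on this page, it assumes TElCertificateRequest.Subject (Count/OIDs/Values), SBConstants.Unit.SB_CERT_OID_COMMON_NAME, SBUtils.Unit.StringOfBytes, and the ceBasicConstraints / Extensions.BasicConstraints.CA members.

```csharp
using System;
using System.IO;
using System.Linq;
using SBPKCS10;
using SBX509;

public static class RequestSigner
{
    // Issues an end-entity certificate for a request, or throws when the
    // request fails a check. allowedSuffix is a constructed policy value:
    // the requested Common Name must end with it (e.g. ".example.test").
    public static TElX509CertificateEx Issue(Stream reqStream, string caFile,
                                           string caPassword, string allowedSuffix)
    {
        TElCertificateRequest req = new TElCertificateRequest();
        req.LoadFromStream(reqStream);

        // The self-signature proves integrity and that the requester holds the
        // private key for the enclosed public key; it does not vouch for the
        // identity named in the Subject, so a policy check still follows.
        if (!req.ValidateSignature())
            throw new InvalidOperationException("Request signature is invalid");
        // Assumption: Subject is a TElRelativeDistinguishedName exposing
        // Count/OIDs[i]/Values[i], and Values[i] holds the plain string value.
        string cn = null;
        for (int i = 0; i < req.Subject.Count; i++)
            if (req.Subject.OIDs[i].SequenceEqual(SBConstants.Unit.SB_CERT_OID_COMMON_NAME))
                cn = SBUtils.Unit.StringOfBytes(req.Subject.Values[i]);
        if (cn == null || !cn.EndsWith(allowedSuffix, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Requested CN not permitted: " + cn);

        TElX509CertificateEx cacert = new TElX509CertificateEx();
        cacert.LoadFromFileAuto(caFile, caPassword);
        TElX509CertificateEx cert = new TElX509CertificateEx();
        cert.ValidFrom = DateTime.UtcNow;
        cert.ValidTo = DateTime.UtcNow.AddYears(2);
        // End-entity only: a request must never yield a CA-capable certificate.
        // Assumption: ceBasicConstraints and BasicConstraints.CA exist.
        cert.Extensions.Included = SBX509Ext.Unit.ceKeyUsage | SBX509Ext.Unit.ceBasicConstraints;
        cert.Extensions.KeyUsage = SBX509Ext.Unit.kuDigitalSignature;
        cert.Extensions.BasicConstraints.CA = false;
        // Hash algorithm must be chosen before Generate(); subject comes from
        // the request and issuer from the CA certificate.
        cacert.PreferredHashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
        cacert.Generate(req, cert);
        return cert;
    }
}
```

The returned object can then be written out with SaveToFile as in step 8.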
