Create certificate request
Certificate requests, also called certificate signing requests (CSRs), are the standard way to obtain a certificate without ever exposing the private key. The party that wants a certificate from a CA generates a keypair locally and places the public key, together with its identity information (common name, country, organisation and so on), in a structure called a certificate request (PKCS#10). The request is signed with the matching private key and sent to the CA. The CA verifies the request's signature using the public key embedded in it, which proves that the requester holds the corresponding private key, builds a certificate from that public key and identity information, and signs it with the CA's own private key. The finished certificate is returned to the requester; the private key never leaves the requester's environment. Note that the self-signature only proves possession of the key. Whether the identity information is truthful is something the CA has to check by other means before it signs.
With SecureBlackbox, certificate requests are created and managed via the TElCertificateRequest class. To generate a brand new certificate request:
TElCertificateRequest req = new TElCertificateRequest();
// Subject distinguished name: attribute OID, UTF-8 encoded value, and the ASN.1 string type the value is stored as
req.Subject.Add(SBConstants.Unit.SB_CERT_OID_COMMON_NAME, SBStrUtils.Unit.StrToUTF8("John Johnson"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);
req.Subject.Add(SBConstants.Unit.SB_CERT_OID_COUNTRY, SBStrUtils.Unit.StrToUTF8("CA"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
req.Subject.Add(SBConstants.Unit.SB_CERT_OID_ORGANIZATION, SBStrUtils.Unit.StrToUTF8("Johnson&Co"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);
You might also wish to include one or both of the SBPKCS10.Unit.croGenerateKeyIdentifier and SBPKCS10.Unit.croUseMSExtensionIdentifier flags in the request's Options. They pre-generate the subject key identifier and the MS extension identifier extensions respectively, which certain CAs require.
The request can also carry extensions that the CA may copy into the issued certificate. For example, to request the key usage extension with the nonRepudiation bit set:
req.Extensions.Included = SBX509Ext.Unit.ceKeyUsage;   // mark the key usage extension as present in the request
req.Extensions.KeyUsage.NonRepudiation = true;         // set the nonRepudiation bit
Finally, generate the keypair and sign the request. The signature algorithm identifier must name the hash algorithm as well as the key type; use a SHA-2 hash, since SHA-1 is deprecated for signatures and most CAs reject SHA-1-signed requests:
req.Generate(
    SBConstants.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION,       // key algorithm
    2048,                                                       // key size in bits
    SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION    // signature algorithm (must include the hash algorithm, e.g. SHA256)
);
That's it, the request has been generated and signed with the new private key. Learn how to save the new request here.
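The full exchange described at the top of this page (requester builds and self-signs a request carrying its subject and a nonRepudiation key usage, the CA checks the signature under the embedded public key and then issues a certificate), as an added example written for this page in Go using only its standard library. It is not SecureBlackbox code and does not use the TElCertificateRequest API; the CA name "Demo Root CA", the validity periods, the serial numbers and the TamperSignature helper are illustrative assumptions, and the identity claims in the subject are accepted as-is where a real CA would vet them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-ce-keyUsage (2.5.29.15), the extension the page's example requests.
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// BuildCSR is the requester side: a PKCS#10 request for the given subject,
// carrying only the public key and signed with the private key. The key usage
// extension asks for the nonRepudiation bit (bit 1 of the BIT STRING); Go's
// CertificateRequest has no typed KeyUsage field, so it is attached raw.
func BuildCSR(key *rsa.PrivateKey, cn, country, org string) ([]byte, error) {
	ku, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0x40}, BitLength: 2})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: cn, Country: []string{country}, Organization: []string{org}},
		SignatureAlgorithm: x509.SHA256WithRSA, // the signature algorithm names the hash, as on the page
		ExtraExtensions:    []pkix.Extension{{Id: oidKeyUsage, Critical: true, Value: ku}},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// NewCA builds a throwaway self-signed CA (name and validity are made up).
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueFromCSR is the CA side: parse the request, check that its signature
// verifies under the public key it carries (proof of possession), copy the
// requested key usage bits, and sign a certificate with the CA key.
func IssueFromCSR(csrDER []byte, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature does not verify under its own public key: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidKeyUsage) {
			continue
		}
		var bits asn1.BitString
		if rest, err := asn1.Unmarshal(ext.Value, &bits); err != nil || len(rest) != 0 {
			return nil, errors.New("malformed keyUsage extension in request")
		}
		// RFC 5280 numbers key usage bits from the most significant bit;
		// x509.KeyUsage uses the same numbering, so bit i maps to 1<<i.
		for i := 0; i < bits.BitLength && i < 9; i++ {
			if bits.At(i) == 1 {
				tmpl.KeyUsage |= x509.KeyUsage(1 << uint(i))
			}
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TamperSignature flips the last byte of a DER CSR. That byte lies inside the
// trailing signature BIT STRING, so the request still parses but the
// proof-of-possession check must fail.
func TamperSignature(csrDER []byte) []byte {
	out := append([]byte(nil), csrDER...)
	out[len(out)-1] ^= 0xff
	return out
}

func main() {
	caCert, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	reqKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	csrDER, _ := BuildCSR(reqKey, "John Johnson", "CA", "Johnson&Co")
	cert, err := IssueFromCSR(csrDER, caCert, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued to %q, nonRepudiation=%v\n", cert.Subject.CommonName, cert.KeyUsage&x509.KeyUsageContentCommitment != 0)
	_, err = IssueFromCSR(TamperSignature(csrDER), caCert, caKey)
	fmt.Println("tampered request rejected:", err != nil)
}
```

The CheckSignature call is the step that matters on the CA side: without it, anyone could submit a request containing somebody else's public key and obtain a certificate binding their chosen name to a key they do not control. The tampered-request path shows that a request whose signature does not verify is refused before any certificate is built.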