EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Create a certificate based on a request (PKCS#10) in DELPHI

#8267
Posted: 11/26/2008 03:16:23
by Maxim Ivanov (Basic support level)
Joined: 11/26/2008
Posts: 9

I want to use PKI Black box (VCL) (for DELPHI) to generate certificates based on a certificate request (PKCS#10) (a sample of my request file, 'richard.zip', is in the attachment, password: 777). I can't make it work correctly myself :(( Please help me!! I need DELPHI code for what I am trying to do! THANKS A LOT!


#8268
Posted: 11/26/2008 03:33:24
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

Have you read the how-to article at http://www.eldos.com/documentation/sbb/documentation/ref_howto_pki_certreq_use.html ?
#8269
Posted: 11/26/2008 03:44:53
by Maxim Ivanov (Basic support level)
Joined: 11/26/2008
Posts: 9

Yes, of course! But my simple code does not work :(

var
  FRequest : TElCertificateRequest;
  FCert, CreatedCert : TElX509Certificate;
  Stream : TFileStream;
begin
  FRequest := TElCertificateRequest.Create(nil);
  Stream := TFileStream.Create('e:\richard.p10', fmOpenRead or fmShareDenyRead);
  try
    { load the PKCS#10 request }
    FRequest.LoadFromStream(Stream);
    FCert := TElX509Certificate.Create(nil);
    FCert.SubjectRDN.Assign(FRequest.Subject);
    FCert.ValidFrom := Now;
    FCert.ValidTo := Now + 500;
    FCert.IssuerRDN.Assign(FRequest.Subject);
    { reads the key from the same stream the request was loaded from }
    FCert.LoadKeyFromStream(Stream);
    FCert.Extensions.KeyUsage.DigitalSignature := True;
    CreatedCert := TElX509Certificate.Create(nil);
    FCert.Generate(FRequest, CreatedCert);
  finally
    Stream.Free;
    FRequest.Free;
    FCert.Free;
  end;
end;

As a result: 'ERROR: Private key not found!'.
But it's a good request file, and it seems to me that the problem is in me! :) Maybe my code is incorrect... And the function 'ValidateSignature()' returns 'False' every time...
#8270
Posted: 11/26/2008 03:49:03
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

In your code you didn't load the CA certificate itself, just a key for it. So you should add something like:

  CertStream := TFileStream.Create('CACert.cer', fmOpenRead or fmShareDenyRead);
  FCert.LoadFromStream(CertStream);
#8271
Posted: 11/26/2008 04:34:19
by Maxim Ivanov (Basic support level)
Joined: 11/26/2008
Posts: 9

Thanks, but no results... :(

1. I've created CACert.cer using the code from the sample "EldoS X.509 Certificate Demo": Certificate -> New Certificate -> Self-signed Certificate -> Save to file "CACert.cer".

2. I've changed the code:

var
  FRequest : TElCertificateRequest;
  FCert, CreatedCert : TElX509Certificate;
  Stream, CertStream : TFileStream;
begin
  FRequest := TElCertificateRequest.Create(nil);
  Stream := TFileStream.Create('e:\richard.p10', fmOpenRead or fmShareDenyRead);
  try
    { load the PKCS#10 request }
    FRequest.LoadFromStream(Stream);

    FCert := TElX509Certificate.Create(nil);
    FCert.SubjectRDN.Assign(FRequest.Subject);
    FCert.ValidFrom := Now;
    FCert.ValidTo := Now + 500;
    FCert.IssuerRDN.Assign(FRequest.Subject);
    { reads the key from the same stream the request was loaded from }
    FCert.LoadKeyFromStream(Stream);
    FCert.Extensions.KeyUsage.DigitalSignature := True;
    { load the CA certificate }
    CertStream := TFileStream.Create('e:\CACert.cer', fmOpenRead or fmShareDenyRead);
    FCert.LoadFromStream(CertStream);
    CreatedCert := TElX509Certificate.Create(nil);
    FCert.Generate(FRequest, CreatedCert);
  finally
    Stream.Free;
    CertStream.Free;
    FRequest.Free;
    FCert.Free;
  end;
end;

As a result: 'ERROR: Private key not found!'. Where is my mistake? Maybe in the creation of "CACert.cer"?
P.S. When creating richard.p10 I set the password 777. Is this password needed when reading the request and generating the certificate?
#8272
Posted: 11/26/2008 04:40:38
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

Now you are trying to load the CA key from the Stream from which you have loaded the request, which is incorrect.
You should save the key of the generated CA certificate independently and load it, or save (and later load) the CA certificate in PFX format.

The password is used only for decrypting the private key in your request; it is not used in certificate generation.
#8273
Posted: 11/26/2008 05:10:39
by Maxim Ivanov (Basic support level)
Joined: 11/26/2008
Posts: 9

Changed, but now: "Invalid request signature".
Sorry to trouble you, but what is the problem?...


var
  FRequest : TElCertificateRequest;
  FCert, CreatedCert : TElX509Certificate;
  Stream, KeyStream, CertStream, CreatedCertStream : TFileStream;
begin
  FRequest := TElCertificateRequest.Create(nil);
  Stream := TFileStream.Create('e:\richard.p10', fmOpenRead or fmShareDenyRead);
  try
    { load the PKCS#10 request }
    FRequest.LoadFromStream(Stream);
    FCert := TElX509Certificate.Create(nil);
    FCert.SubjectRDN.Assign(FRequest.Subject);
    FCert.ValidFrom := Now;
    FCert.ValidTo := Now + 500;
    FCert.IssuerRDN.Assign(FRequest.Subject);
    { load the CA certificate and its key from separate files }
    CertStream := TFileStream.Create('e:\CACert.cer', fmOpenRead or fmShareDenyRead);
    FCert.LoadFromStream(CertStream);
    KeyStream := TFileStream.Create('e:\CACert.key', fmOpenRead or fmShareDenyRead);
    FCert.LoadKeyFromStream(KeyStream);
    FCert.Extensions.KeyUsage.DigitalSignature := True;
    { issue the certificate and save it in PEM }
    CreatedCert := TElX509Certificate.Create(nil);
    FCert.Generate(FRequest, CreatedCert);
    CreatedCertStream := TFileStream.Create('e:\richard.pem', fmCreate or fmShareDenyWrite);
    CreatedCert.SaveToStreamPEM(CreatedCertStream, '');
    { writes the new key into the request stream (Stream) }
    CreatedCert.SaveKeyToStreamPEM(Stream, '777');
  finally
    Stream.Free;
    CertStream.Free;
    KeyStream.Free;
    CreatedCertStream.Free;
    FRequest.Free;
    FCert.Free;
    CreatedCert.Free;
  end;
end;
#8274
Posted: 11/26/2008 05:26:59
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

You have two mistakes in your code:
1) FCert.Extensions.KeyUsage.DigitalSignature := True; - you shouldn't change certificate properties on an already-generated certificate;
2) CreatedCert.SaveKeyToStreamPEM(Stream, '777');
this line appends your CreatedCert's key to the file with the certificate request, making it invalid.
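The issuance flow these replies describe, as an added example that is not from the thread or from the SecureBlackbox components: it uses Go's standard crypto/x509 package in place of the Delphi classes, keeps the CA certificate and CA key as separate inputs, verifies the request signature before issuing (the role of ValidateSignature), and only reads the request, so nothing can be appended to it. The names IssueFromCSR, NewFixtures, must, "Test CA" and the request subject are constructed for the demo; nothing is read from disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueFromCSR follows the flow the thread converges on: CA certificate and CA key are
// separate inputs, the request signature is verified first, and the request is only read.
func IssueFromCSR(csrDER []byte, caCert *x509.Certificate, caKey *ecdsa.PrivateKey, days int) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER) // fails on bytes appended after the request
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // same role as FRequest.ValidateSignature()
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; production uses a random 64-bit+ serial
		Subject:      csr.Subject,                       // SubjectRDN := request subject
		NotBefore:    time.Now(), NotAfter: time.Now().AddDate(0, 0, days), // ValidFrom := Now, ValidTo := Now + days
		KeyUsage:     x509.KeyUsageDigitalSignature, // set on the new certificate, never on the loaded CA
	}
	// Issuer name is copied from caCert and the signature is produced with caKey.
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

func must[T any](v T, err error) T { // keeps the constructed fixtures below short
	if err != nil {
		panic(err)
	}
	return v
}

// NewFixtures constructs a self-signed CA (stand-in for CACert.cer plus CACert.key) and a
// request signed by a fresh key (stand-in for richard.p10); nothing is read from disk.
func NewFixtures(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))))
	reqKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, reqKey))
	return caCert, caKey, csrDER
}
```

Appending anything to the request bytes (the second mistake above) makes ParseCertificateRequest reject them, and a modified request body fails CheckSignature, which is the "Invalid request signature" case.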
#8275
Posted: 11/26/2008 05:33:01
by Maxim Ivanov (Basic support level)
Joined: 11/26/2008
Posts: 9

Changed, but the problem is still here...

I tried to check the signature immediately after loading the request from the file:

  FRequest.LoadFromStream(Stream);
  FRequest.ValidateSignature();

...ValidateSignature returns 'FALSE'!
#8276
Posted: 11/26/2008 05:43:28
by Maxim Ivanov (Basic support level)
Joined: 11/26/2008
Posts: 9

P.S. The error message is at the "FCert.Generate(FRequest, CreatedCert);" line...