EldoS | Feel safer!

Certificate Subject and SerialNo

#17212
Posted: 08/05/2011 11:52:08
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

The documentation from a third-party vendor asks me to pick the Subject Info from an X.509 certificate and use that value again to create a new PKCS#10 certificate request. I am not quite sure how I should pick it. If I check the contents of my certificate with Firefox and IE, they show the following Subject values.
Code
FIREFOX, SUBJECT
----------------
Object Identifier (2 5 4 5) = 009557243772
Given Name = Company Demo
Surname = Certificate
CN = Company Demo Certificate
C = SE

IE, SUBJECT
-----------
Serial Number = 009557243772
G = Company Demo
SN = Certificate
CN = Company Demo Certificate
C = SE
The various BlackBox demos are able to show those values, but with the serial number there is some difference. Both FF and IE say that the serial number is 009557243772, but when I try to check it like:
Code
Label1.Caption := BinaryToString(ElX509Cert1.SerialNumber);
I get values like 19033564. Is there some other way to ask for the serial number so that I also get those bigger values?

Also, is there some shortcut by which I could pick that whole Subject from the certificate with one call, and then generate the request like:
Code
TElCertificateRequest.Generate(Algorithm, KeySize, Hash);
Or do I have to manually fill those 5 fields like
Code
TElCertificateRequest.Subject.Values[1] := 'Company Demo' etc...
and then call Generate.

It would be great to get an answer to that serial number difference anyway.

Thanks
SP
#17213
Posted: 08/05/2011 12:00:40
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

1) You can easily copy the subject in the following way:

Request.Subject.Assign(Cert.SubjectRDN);

2) Two different serial numbers are being confused here. The first one (returned by the ElX509Cert1.SerialNumber call) is the serial number contained in the corresponding certificate field. The second one (shown by the browsers as part of the certificate subject) is an attribute stored together with the other subject attributes (such as common name, country etc.). Generally there are no requirements for those two numbers to be equal, as they have no relation to each other.
#17241
Posted: 08/09/2011 12:24:53
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

Quote
Innokentiy Ivanov wrote:
Request.Subject.Assign(Cert.SubjectRDN);

Thanks, that was just the line I was looking for. Now my certificate request does bring me a new certificate. This time it came DER encoded, with a .CER extension, whereas my earlier keys were PFX encoded, with a .P12 extension.

Maybe I am doing something wrong now; I keep getting the "RSA key data expected" error when I try to use this DER key. I use exactly the same code as I used when loading PFX keys, like this:
Code
case CertFormat of
  cfDER: X509KeyData.Certificate.LoadFromStream(F);
  cfPEM: X509KeyData.Certificate.LoadFromStreamPEM(F, Password);
  cfPFX: X509KeyData.Certificate.LoadFromStreamPFX(F, Password);
end;
BlackBox recognizes that the type is cfDER this time; I wonder what the difference is here? Should CER certificates be treated somehow differently?

IE and Firefox do import this DER key happily, as there is no password protection compared to P12 files. But BlackBox asks for an RSA key; any suggestions?

Thanks
SP
#17242
Posted: 08/09/2011 12:38:33
by Ken Ivanov (EldoS Corp.)

Could you please elaborate on how exactly, and what for, you are trying to use the key? A piece of your code illustrating the problem would be helpful.
#17243
Posted: 08/09/2011 13:10:37
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

Quote
Innokentiy Ivanov wrote:
Could you please elaborate on how exactly, and what for, you are trying to use the key? A piece of your code illustrating the problem would be helpful.

The task in general is SOAP and XML signing. I do not know which piece of my code I should send. I have earlier talked about XML signing problems, for instance here:
https://www.eldos.com/forum/read.php?FID=7&TID=2474&MID=15110#message15110
and here
https://www.eldos.com/forum/read.php?FID=7&TID=&MID=15857#message15857

Currently everything works OK as long as I load the envelope signing key from a .P12 certificate file. The code line raising the error is this:
Code
Signer.Sign;  // Perform signing for the Enveloped signature type.

I get exactly the same error if, as a test, I try to load the BlackBox certificate from here:
\blackBox\Extra\Certificates\cert.cer

So I am doing something wrong when dealing with CER certificate files.

SP
#17245
Posted: 08/09/2011 13:16:51
by Vsevolod Ievgiienko (EldoS Corp.)

I think the problem is that the .cer file does not contain the private key that is needed for signing, but the .p12 file does. You should additionally load the corresponding private key using one of the TElX509Certificate.LoadKeyFrom* methods.
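The distinction in this answer, a DER .cer that holds only the certificate versus a .p12 that also holds the private key, is something a signing routine can check up front instead of surfacing an opaque "key data expected" error. The following is an added example in Python, not code from the thread or from SecureBlackbox: it sniffs the PEM label or the first ASN.1 elements of a DER blob to name the container and say whether it can hold a private key, then refuses to proceed to signing when it cannot. The `SAMPLES` are constructed minimal DER skeletons with valid lengths, not real certificates or keys; the container layouts are the standard ones (X.509 Certificate, PKCS#12 PFX, PKCS#8 PrivateKeyInfo and EncryptedPrivateKeyInfo, PKCS#1 RSAPrivateKey, SEC1 ECPrivateKey, PKCS#7 ContentInfo).

```python
# Added example, not code from the original thread or from SecureBlackbox.
# Tells containers apart by their leading ASN.1 elements so that a caller
# knows before signing whether a private key can be present at all.
import re

def tlv(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV (bodies under 128 bytes); enough for the constructed samples."""
    return bytes([tag, len(body)]) + body

def read_len(buf: bytes, pos: int):
    """Return (length, index of first content byte) for the length octets at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    k = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + k], "big"), pos + 1 + k

def classify(blob: bytes) -> dict:
    """Return {'kind': str, 'has_private_key': bool} from the container structure alone."""
    if blob.lstrip().startswith(b"-----BEGIN "):
        label = re.match(rb"-----BEGIN ([A-Z0-9 ]+)-----", blob.lstrip()).group(1).decode()
        return {"kind": "PEM " + label, "has_private_key": "PRIVATE KEY" in label}
    if len(blob) < 2 or blob[0] != 0x30:
        return {"kind": "unknown (not a DER SEQUENCE)", "has_private_key": False}
    _, pos = read_len(blob, 1)                 # first element inside the outer SEQUENCE
    tag = blob[pos]
    if tag == 0x30:                            # SEQUENCE first: look one level deeper
        _, inner = read_len(blob, pos + 1)
        if blob[inner] == 0xA0:                # [0] EXPLICIT version -> v2/v3 Certificate
            return {"kind": "X.509 Certificate (DER)", "has_private_key": False}
        if blob[inner] == 0x06:                # AlgorithmIdentifier first -> encrypted PKCS#8
            return {"kind": "PKCS#8 EncryptedPrivateKeyInfo (DER)", "has_private_key": True}
        if blob[inner] == 0x02:                # INTEGER first: v1 cert or PKCS#10 request
            return {"kind": "X.509 v1 Certificate or PKCS#10 request (DER)", "has_private_key": False}
    elif tag == 0x06:                          # ContentInfo: PKCS#7/CMS bundle (.p7b)
        return {"kind": "PKCS#7/CMS ContentInfo (DER)", "has_private_key": False}
    elif tag == 0x02:                          # INTEGER version first
        vlen, vpos = read_len(blob, pos + 1)
        version = int.from_bytes(blob[vpos:vpos + vlen], "big")
        following = blob[vpos + vlen]          # tag of the element after the version
        if version == 3 and following == 0x30:
            return {"kind": "PKCS#12 PFX (DER)", "has_private_key": True}
        if version in (0, 1) and following == 0x30:
            return {"kind": "PKCS#8 PrivateKeyInfo (DER)", "has_private_key": True}
        if version == 0 and following == 0x02:
            return {"kind": "PKCS#1 RSAPrivateKey (DER)", "has_private_key": True}
        if version == 1 and following == 0x04:
            return {"kind": "SEC1 ECPrivateKey (DER)", "has_private_key": True}
    return {"kind": "unknown DER structure", "has_private_key": False}

def require_signing_material(blob: bytes) -> dict:
    """Fail clearly when the container cannot carry the private key that signing needs."""
    info = classify(blob)
    if not info["has_private_key"]:
        raise ValueError(f"{info['kind']} holds no private key; "
                         "load the matching key separately before signing")
    return info

# Constructed minimal skeletons: real structures are far larger, but the leading
# elements that classify() inspects are laid out exactly like this.
RSA_OID = tlv(0x06, bytes.fromhex("2a864886f70d010101"))           # 1.2.840.113549.1.1.1
SAMPLES = {
    "cer": tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01"))
                   + tlv(0x30, b"\x05\x00") + tlv(0x03, b"\x00")),
    "pfx": tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))),
    "p8":  tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, RSA_OID + b"\x05\x00") + tlv(0x04, b"\x00")),
    "p8e": tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01050d")) + b"\x05\x00")
                   + tlv(0x04, b"\x00")),
    "rsa": tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, b"\x7b") + tlv(0x02, b"\x03")),
    "ec":  tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"\x00" * 4)),
    "pem": b"-----BEGIN CERTIFICATE-----\n(base64 omitted)\n-----END CERTIFICATE-----\n",
}
```

`require_signing_material(SAMPLES["cer"])` raises `ValueError: X.509 Certificate (DER) holds no private key; ...`, which is the situation in this thread: the browsers import the .cer happily because a certificate is all they need, while a signer needs the key loaded from a second file. Two caveats: this is a pre-check, not a parser, and a v1 certificate cannot be told from a PKCS#10 request by the leading bytes alone; and `has_private_key` means the container format can hold one, so an encrypted PKCS#8 or a PFX still needs its password, just like the .p12 did.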