Posted: 03/06/2014 13:33:46
by James Reilly (Standard support level)
Joined: 03/06/2014
Posts: 4

I see the TElX509CertificateEx class has a method named SetFriendlyName, but when I set it and create a certificate using PKI, I do not see the Friendly Name in the "Name" column in Windows IIS Manager. It is blank for that column. Do I need to do something more to make this happen? In the CX509Enrollment API, it is also named CertificateFriendlyName and when I set it, I see the name in that column.
Posted: 03/06/2014 14:10:14
by Eugene Mayevski (EldoS Corp.)

FriendlyName is an attribute stored and used by CryptoAPI. It is not a part of an X.509 certificate.

Sincerely yours
Eugene Mayevski
Posted: 03/07/2014 03:11:31
by Ken Ivanov (EldoS Corp.)

Hi James,

A small addition to Eugene's answer: you can only set friendly names for certificates stored in the Windows system stores. That is, the sequence of operations should be as follows:

- Generate the certificate;
- Add it to a system store;
- Set the friendly name for the added certificate.
Posted: 03/07/2014 12:12:18
by James Reilly (Standard support level)
Joined: 03/06/2014
Posts: 4

Ken -

To be clear, in your post when you say "Set the friendly name for the added certificate", do you mean in code (i.e. TElX509CertificateEx.SetFriendlyName("My New Product Certificate")) and I should expect to see that reflected in the Windows Certificate Store? Or is there another way to set the Friendly Name outside of code?
Posted: 03/07/2014 13:40:42
by Ken Ivanov (EldoS Corp.)


Sorry for being unclear. That's right, the friendly name that you set in code will be reflected in the certificate residing in the Windows system store - provided that you set it on the object retrieved straight from that store using TElWinCertStorage object (and not, for instance, loaded from a file).
Posted: 03/07/2014 14:13:39
by James Reilly (Standard support level)
Joined: 03/06/2014
Posts: 4

I tried this:

// requires: using System; using System.DirectoryServices; plus the SecureBlackbox namespaces
string hostName = System.Net.Dns.GetHostEntry("localhost").HostName;
string instance = "1"; // W3SVC site id; "1" is the Default Web Site (placeholder)
string certHash;
string certThumbprint;

TName issuer = new TName();
issuer.CommonName = hostName;

TName subject = new TName();
subject.CommonName = hostName;

TElX509CertificateEx x509 = new TElX509CertificateEx();

// assign the subject and issuer names to the certificate (self-signed, so both are the host)
x509.SubjectName = subject;
x509.IssuerName = issuer;

x509.ValidFrom = DateTime.UtcNow.AddDays(-1d);
x509.ValidTo = new DateTime(2039, 12, 31, 23, 59, 59, DateTimeKind.Utc);

x509.CAAvailable = false;

// create a random serial number for the certificate
Random r = new Random((int)DateTime.Now.Ticks);
byte[] sn = new byte[10];
r.NextBytes(sn);
x509.SerialNumber = sn;

// MD5 signatures and 1024-bit keys are considered weak today; kept here as posted
int algorithm = SBConstants.__Global.SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTION;
int dwords = 1024 / 32;

x509.Generate(algorithm, dwords);

TElWinCertStorage storage = new TElWinCertStorage();
storage.StorageType = TSBStorageType.stSystem;

storage.AccessType = TSBStorageAccessType.atLocalMachine;
storage.Provider = TSBStorageProviderType.ptRSASchannel;

// adding the self-signed certificate to ROOT trusts it machine-wide
storage.Add(x509, "MY", true, false, false);
storage.Add(x509, "ROOT", true, false, false);

x509.SetFriendlyName("My New SSL");

// get the thumbprint and add it to the desired instance of the web server
TMessageDigest160 messageDigest = x509.GetHashSHA1();

// thumbprint is held in 160 bits
// retrieve the 20 bytes of the thumbprint in five 32 bit integers
UInt32 uA = messageDigest.A;
UInt32 uB = messageDigest.B;
UInt32 uC = messageDigest.C;
UInt32 uD = messageDigest.D;
UInt32 uE = messageDigest.E;

// convert each 32 bit integer to a byte array
// (BitConverter emits bytes in host order, little-endian on x86; verify the
// result against the thumbprint shown by certmgr before binding it)
byte[] bA = System.BitConverter.GetBytes(uA);
byte[] bB = System.BitConverter.GetBytes(uB);
byte[] bC = System.BitConverter.GetBytes(uC);
byte[] bD = System.BitConverter.GetBytes(uD);
byte[] bE = System.BitConverter.GetBytes(uE);

// put them all together to form a 20 byte hex string
certHash = BitConverter.ToString(bA) + "-" + BitConverter.ToString(bB) + "-" + BitConverter.ToString(bC) + "-"
+ BitConverter.ToString(bD) + "-" + BitConverter.ToString(bE);
certThumbprint = certHash.Replace("-", String.Empty);

// open IIS
DirectoryEntry dePath = new DirectoryEntry("IIS://localhost/W3SVC/" + instance);
PropertyValueCollection propValues = dePath.Properties["SSLCertHash"];
certHash = certHash.Trim();

// thumbprint looks like FF-03-AC-12-DD...
string[] strArrayValueSplit = certHash.Split(new Char[] { '-' });
object[] oArray = new object[strArrayValueSplit.Length];
strArrayValueSplit.CopyTo(oArray, 0);

// write the thumbprint and the store name to the site's metabase node and commit
propValues.Value = oArray;
propValues = dePath.Properties["SSLStoreName"];
propValues.Value = "MY";
dePath.CommitChanges();


But after it runs, I don't see the FriendlyName in the Windows IIS Manager.

Posted: 03/07/2014 14:22:29
by James Reilly (Standard support level)
Joined: 03/06/2014
Posts: 4

Never mind, I figured it out, if I add:

// Get the certificate from the store; on that object we can set FriendlyName
Int32 index = storage.IndexOf(x509);
TElX509Certificate myCert = storage.get_Certificates(index);
myCert.SetFriendlyName("My Friendly Name");

It then works.

Posted: 03/07/2014 18:13:36
by Ken Ivanov (EldoS Corp.)

Hello James,

You've understood it correctly. When you add a certificate with the Add() call, the object passed as the Certificate parameter is not changed (so it is still referencing the in-memory generated certificate and not the certificate residing in the system store). You therefore have to re-acquire the certificate from the storage object before setting the friendly name.
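The same three-step sequence (generate, add to a system store, set the name on the object re-acquired from the store) written against the .NET X509Store wrapper over CryptoAPI, as an added example that is not from the thread or the SecureBlackbox API. It assumes the DER bytes of an already generated certificate are in derBytes and that the process runs elevated (LocalMachine store); the second method shows why the name never appears in a file-loaded copy.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class FriendlyNameDemo
{
    // Adds the certificate to LocalMachine\MY, then sets the friendly name on the
    // store-resident object (CERT_FRIENDLY_NAME_PROP_ID), not on the in-memory copy.
    public static string AddAndSetFriendlyName(byte[] derBytes, string friendlyName)
    {
        var inMemory = new X509Certificate2(derBytes); // assumed input: DER of the cert
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            store.Add(inMemory);

            // Re-acquire the certificate from the store by thumbprint.
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, inMemory.Thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("certificate not found after Add");

            var inStore = found[0];
            inStore.FriendlyName = friendlyName; // this is what IIS Manager's Name column shows
            return inStore.Thumbprint;
        }
        finally
        {
            store.Close();
        }
    }

    // The friendly name is a store property, not a certificate field: exporting the
    // same certificate to DER and loading it again yields an empty FriendlyName.
    public static bool FriendlyNameSurvivesExport(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var cert = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false)[0];
            var reloaded = new X509Certificate2(cert.Export(X509ContentType.Cert));
            return reloaded.FriendlyName == cert.FriendlyName; // false once a name is set
        }
        finally
        {
            store.Close();
        }
    }
}
```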
