SetFriendlyName

#28711
Posted: 03/06/2014 13:33:46
by James Reilly (Standard support level)
Joined: 03/06/2014
Posts: 4

I see the TElX509CertificateEx class has a method named SetFriendlyName, but when I set it and create a certificate using PKI, I do not see the Friendly Name in the "Name" column in Windows IIS Manager under the "Name" column. It is blank for that column. Do I need to do something more to make this happen? In the CX509Enrollment API, it is also named CertificateFriendlyName and when I set it, I see the name in that column.
#28712
Posted: 03/06/2014 14:10:14
by Eugene Mayevski (EldoS Corp.)

FriendlyName is an attribute stored and used by CryptoAPI. It is not a part of an X.509 certificate.


Sincerely yours
Eugene Mayevski
#28716
Posted: 03/07/2014 03:11:31
by Ken Ivanov (EldoS Corp.)

Hi James,

A small addition to Eugene's answer: you can only set friendly names for certificates stored in the Windows system stores. That is, the sequence of operations should be as follows:

- Generate the certificate;
- Add it to a system store;
- Set the friendly name for the added certificate.
#28729
Posted: 03/07/2014 12:12:18
by James Reilly (Standard support level)
Joined: 03/06/2014
Posts: 4

Ken -

To be clear, in your post when you say "Set the friendly name for the added certificate", do you mean in code (i.e. TElX509CertificateEx.SetFriendlyName("My New Product Certificate")) and I should expect to see that reflected in the Windows Certificate Store? Or is there another way to set the Friendly Name outside of code?
#28732
Posted: 03/07/2014 13:40:42
by Ken Ivanov (EldoS Corp.)

James,

Sorry for being unclear. That's right, the friendly name that you set in code will be reflected in the certificate residing in the Windows system store - provided that you set it on the object retrieved straight from that store using TElWinCertStorage object (and not, for instance, loaded from a file).
#28734
Posted: 03/07/2014 14:13:39
by James Reilly (Standard support level)
Joined: 03/06/2014
Posts: 4

I tried this:

using System;
using System.DirectoryServices;
// plus the SecureBlackbox .NET namespaces that declare TName, TElX509CertificateEx,
// TElWinCertStorage, TMessageDigest160 and the TSBStorage* enumerations

// IIS site identifier used in the metabase path below (placeholder; "1" is the default web site)
string instance = "1";
string certHash;
string certThumbprint;

string hostName = System.Net.Dns.GetHostEntry("localhost").HostName;

// self-signed certificate: issuer and subject carry the same name
TName issuer = new TName();
issuer.CommonName = hostName;

TName subject = new TName();
subject.CommonName = hostName;

TElX509CertificateEx x509 = new TElX509CertificateEx();

x509.SetIssuer(issuer);
x509.SetSubject(subject);

x509.ValidFrom = DateTime.UtcNow.AddDays(-1d);
x509.ValidTo = new DateTime(2039, 12, 31, 23, 59, 59, DateTimeKind.Utc);

x509.CAAvailable = false;

// create a random serial number for the certificate
// (System.Random is not a cryptographic generator)
Random r = new Random((int)DateTime.Now.Ticks);
byte[] sn = new byte[10];
r.NextBytes(sn);
x509.SerialNumber = sn;

// MD5-with-RSA signature and a 1024-bit key (both deprecated for TLS server certificates)
int algorithm = SBConstants.__Global.SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTION;
int dwords = 1024 / 32;

x509.Generate(algorithm, dwords);

// open the LocalMachine system stores through the Schannel RSA provider
TElWinCertStorage storage = new TElWinCertStorage();
storage.StorageType = TSBStorageType.stSystem;
storage.SystemStores.Add("MY");

storage.AccessType = TSBStorageAccessType.atLocalMachine;
storage.Provider = TSBStorageProviderType.ptRSASchannel;

// install the certificate as a server certificate ("MY") and as a trusted root ("ROOT")
storage.Add(x509, "MY", true, false, false);
storage.Add(x509, "ROOT", true, false, false);

// set the friendly name on the generated certificate object
x509.SetFriendlyName("My New SSL");


// get the thumbprint and add it to the desired instance of the web server
TMessageDigest160 messageDigest = x509.GetHashSHA1();

// thumbprint is held in 160 bits
// retrieve the 20 bytes of the thumbprint in five 32-bit integers
UInt32 uA = messageDigest.A;
UInt32 uB = messageDigest.B;
UInt32 uC = messageDigest.C;
UInt32 uD = messageDigest.D;
UInt32 uE = messageDigest.E;

// convert each 32-bit integer to a byte array
byte[] bA = System.BitConverter.GetBytes(uA);
byte[] bB = System.BitConverter.GetBytes(uB);
byte[] bC = System.BitConverter.GetBytes(uC);
byte[] bD = System.BitConverter.GetBytes(uD);
byte[] bE = System.BitConverter.GetBytes(uE);

// put them all together to form a 20-byte hex string
certHash = BitConverter.ToString(bA) + "-" + BitConverter.ToString(bB) + "-" + BitConverter.ToString(bC) + "-"
    + BitConverter.ToString(bD) + "-" + BitConverter.ToString(bE);
certThumbprint = certHash.Replace("-", String.Empty);

// open the IIS metabase entry for the site
DirectoryEntry dePath = new DirectoryEntry("IIS://localhost/W3SVC/" + instance);
PropertyValueCollection propValues = dePath.Properties["SSLCertHash"];
certHash = certHash.Trim();

// thumbprint looks like FF-03-AC-12-DD...
string[] strArrayValueSplit = certHash.Split(new Char[] { '-' });
object[] oArray = new object[strArrayValueSplit.Length];
strArrayValueSplit.CopyTo(oArray, 0);

// bind the certificate hash to the site
propValues.Clear();
propValues.Add(oArray);
dePath.CommitChanges();

// tell IIS which system store holds the certificate
propValues = dePath.Properties["SSLStoreName"];
propValues.Clear();
propValues.Add("MY");

dePath.CommitChanges();

But after it runs, I don't see the FriendlyName in the Windows IIS Manager.

Jim
#28735
Posted: 03/07/2014 14:22:29
by James Reilly (Standard support level)
Joined: 03/06/2014
Posts: 4

Never mind, I figured it out, if I add:

// Get the certificate back from the store so we can set FriendlyName on the stored copy
Int32 index = storage.IndexOf(x509);
TElX509Certificate myCert = storage.get_Certificates(index);
myCert.SetFriendlyName("My Friendly Name");

It then works.

Jim
#28736
Posted: 03/07/2014 18:13:36
by Ken Ivanov (EldoS Corp.)

Hello James,

You've understood it correctly. When you add a certificate with the Add() call, the object passed as the Certificate parameter is not changed (so it is still referencing the in-memory generated certificate and not the certificate residing in the system store). You therefore have to re-acquire the certificate from the storage object before setting the friendly name.

Ken
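The corrected sequence from #28735 and #28736 as one self-contained helper; this is an added example, not code from the thread or from EldoS. It keeps the thread's SecureBlackbox calls (and assumes the same SecureBlackbox using directives as James's code), replaces System.Random with a CSPRNG for the serial and MD5 with SHA-256 (the SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION constant name is assumed to mirror the MD5 one on the page), and then verifies the friendly name through .NET's X509Store, which reads the same CryptoAPI property Eugene refers to.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class FriendlyNameHelper
{
    // Generate a self-signed cert, add it to LocalMachine\MY, set its friendly name, read it back.
    public static string InstallWithFriendlyName(string hostName, string friendlyName)
    {
        TName name = new TName();
        name.CommonName = hostName;
        TElX509CertificateEx x509 = new TElX509CertificateEx();
        x509.SetIssuer(name);                       // self-signed: issuer == subject
        x509.SetSubject(name);
        x509.ValidFrom = DateTime.UtcNow.AddDays(-1d);
        x509.ValidTo = DateTime.UtcNow.AddYears(2);
        x509.CAAvailable = false;
        // Serial from a CSPRNG rather than System.Random; force the first byte into
        // 0x40..0x7F so the encoded INTEGER is positive and non-zero.
        byte[] sn = new byte[10];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider()) rng.GetBytes(sn);
        sn[0] = (byte)((sn[0] & 0x3F) | 0x40);
        x509.SerialNumber = sn;
        // SHA-256/RSA, 2048-bit key (length written as in the thread's code; constant name assumed).
        x509.Generate(SBConstants.__Global.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION, 2048 / 32);
        TElWinCertStorage storage = new TElWinCertStorage();
        storage.StorageType = TSBStorageType.stSystem;
        storage.AccessType = TSBStorageAccessType.atLocalMachine;
        storage.Provider = TSBStorageProviderType.ptRSASchannel;
        storage.SystemStores.Add("MY");
        storage.Add(x509, "MY", true, false, false);
        // Add() leaves x509 pointing at the in-memory certificate; the friendly name must
        // be set on the object re-acquired from the storage, which maps to the store entry.
        int index = storage.IndexOf(x509);
        if (index < 0) throw new InvalidOperationException("certificate not found after Add()");
        TElX509Certificate stored = storage.get_Certificates(index);
        stored.SetFriendlyName(friendlyName);
        // Independent check via the Windows store: FriendlyName is a CryptoAPI property, so
        // the X509Certificate2 view of the same certificate (matched by serial) must show it.
        string serialHex = BitConverter.ToString(sn).Replace("-", "");
        X509Store winStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        winStore.Open(OpenFlags.ReadOnly);
        try {
            foreach (X509Certificate2 c in winStore.Certificates)
                if (string.Equals(c.SerialNumber, serialHex, StringComparison.OrdinalIgnoreCase))
                    return c.FriendlyName;
            return null;                            // not present: installation failed
        } finally { winStore.Close(); }
    }
}
```

Writing to LocalMachine\MY requires an elevated process; the returned string should equal the friendlyName passed in, and null means the certificate never reached the store.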