Save CA & Client certificate to 1 file in pkcs12?

#4051
Posted: 10/18/2007 07:57:56
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

Hi,

I have managed to create a client certificate from a root certificate given to me. My client has requested that the root certificate and client certificate should now be one file instead of 2, due to the fact that customers must always install the root certificate to verify the client certificate. e.g.

ABC COMPANY CERTIFICATE (ROOT)
|
|____ CLIENT CERTIFICATE FOR ABC (CLIENT)

I have tried to use the following in a nutshell:

- Load CA Certificate from file "server.crt" (CA Certificate);
- Load CA private key from file "server.key" (CA Private Key);

- Create Client Certificate and sign with CA
- Save Client Certificate and CA certificate to one file in pkcs12 format "client.pfx"

Am I using the correct class for this? If I add both, it does not work; if I add the client, it installs correctly.

Some help would be appreciated. Let me know if I should be giving more info.
#4052
Posted: 10/18/2007 08:11:09
by Ken Ivanov (EldoS Corp.)

Actually, you are doing everything correctly. PKCS#12 is the only format that allows keeping several certificates and private keys in the same file (actually, PEM also allows it, but PFX is more widely used).

Quote
If I add both, it does not work, if I add the client, it installs correctly.

Would you be so kind as to clarify the problem? How exactly are you trying to install the certificate and what exactly fails?
#4053
Posted: 10/18/2007 08:17:59
by Eugene Mayevski (EldoS Corp.)

You have not specified the class that you attempted to use. You should use ElMemoryCertStorage class and use its SaveToStreamPFX method in order to save both certificates to one file.


Sincerely yours
Eugene Mayevski
#4054
Posted: 10/18/2007 08:43:51
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

I am installing the certificate into Internet Explorer by double-clicking the pfx file. I managed to get it installed successfully now, but visually I do not see the following:

ABC COMPANY CERTIFICATE (ROOT)
|
|____ CLIENT CERTIFICATE FOR ABC (CLIENT)

Should I be seeing it in this format or is it fine if I just see 2 entries like this:
ABC COMPANY CERTIFICATE (ROOT)
CLIENT CERTIFICATE FOR ABC (CLIENT)

When I view the Client Certificate, it seems fine, but the CA Certificate now says:
"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

What am I still missing in my code?

Thanks for the rapid response.

Regards,
Farrel
#4055
Posted: 10/18/2007 09:09:17
by Eugene Mayevski (EldoS Corp.)

Man, we didn't see your code. We don't know what you are doing and how you are doing that. How can we say anything?


Sincerely yours
Eugene Mayevski
#4062
Posted: 10/19/2007 04:34:40
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

Hi,

Please find my code attached. This is not the complete piece of code, but the section that creates the client certificate. I somehow have to set the "store" and the client must be dependent or chained to the CA.

Hope you can help.

Thanks,
Farrel


#4075
Posted: 10/19/2007 08:37:10
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

Let me rephrase my question

If I have 2 certificates.
1 is the CA Certificate that authenticates the client and the other is the Client certificate.

What class or method should I use to put both in one certificate so that when it is installed on Internet Explorer or Firefox the client will be chained to the CA?

I'm not sure what class or function to call. Does someone have sample code for this?
#4076
Posted: 10/19/2007 08:47:00
by Ken Ivanov (EldoS Corp.)

We have reviewed your code. First of all, please use TElMemoryCertStorage instead of TElFileCertStorage. Second, use SB_ALGORITHM_PBE_SHA1_RC2_40 algorithm for certificate encryption (this takes place only if you need your certificate to be understood by Windows).
#4077
Posted: 10/19/2007 08:48:39
by Ken Ivanov (EldoS Corp.)

Quote
What class or method should I use to put both in one certificate so that when it is installed on Internet Explorer or Firefox the client will be chained to the CA?

Eugene answered this in one of his posts -- you have to use TElMemoryCertStorage.SaveToStreamPFX (SaveToBufferPFX).

#4078
Posted: 10/19/2007 09:26:19
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

Ok, thanks. I see both certificates installed now, however the CA Certificate does not appear under the "Trusted Root Authorities" folder in Windows? If I install my root certificate separately, it does go there, but not when it is part of the client. Am I missing a property somewhere?
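
The bundling discussed in this thread, reproduced with the openssl command line as an added example (not code from the thread or from SecureBlackbox): it builds a throwaway CA and client certificate, writes both to one PKCS#12 file, and checks what the file contains. All names, the password and the file layout are constructed for illustration, and openssl's default PKCS#12 encryption is used rather than the RC2-40 setting mentioned above.

```sh
#!/bin/sh
# Added example; every name, path and the password "changeit" is constructed.
set -eu
PW=pass:changeit

build_pfx() {  # $1 = work dir; writes ca.crt, client.crt and client.pfx there
  # Throwaway self-signed root, standing in for the thread's server.crt/server.key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=ABC COMPANY CERTIFICATE" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  # Client key and request, signed by the CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=CLIENT CERTIFICATE FOR ABC" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/client.crt" 2>/dev/null
  # One file: client key + client cert, plus the CA cert as an extra certificate.
  # The CA private key (ca.key) is deliberately never passed to the export.
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
    -certfile "$1/ca.crt" -name client -passout "$PW" -out "$1/client.pfx"
}

pfx_certs() {  # $1 = pfx, $2 = optional -cacerts or -clcerts; prints cert count
  openssl pkcs12 -in "$1" -nokeys ${2:-} -passin "$PW" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

pfx_keys() {  # $1 = pfx; prints how many private keys the file holds
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "$PW" 2>/dev/null |
    grep -c 'BEGIN.*PRIVATE KEY' || true
}

pfx_chain_ok() {  # $1 = pfx; succeeds if the client cert verifies under the bundled CA
  t=$(mktemp -d)
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "$PW" -out "$t/ca.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "$PW" -out "$t/cl.pem" 2>/dev/null
  # The extracted CA is named as the trust anchor here; being inside the
  # PKCS#12 file does not by itself make a certificate trusted.
  openssl verify -CAfile "$t/ca.pem" "$t/cl.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
build_pfx "$work"
echo "certificates: $(pfx_certs "$work/client.pfx")  private keys: $(pfx_keys "$work/client.pfx")"
pfx_chain_ok "$work/client.pfx" && echo "client chains to bundled CA"
```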