EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Certificate is not visible for windows

#4886
Posted: 02/07/2008 08:21:07
by Scratch  (Standard support level)
Joined: 02/07/2008
Posts: 34

Hi there. I've got some strange issue and think I need help with that.
First I'm generating the CA certificate:
Code
var m: TMemoryStream;
    i:integer;
begin
  with CACert do
  begin
    SubjectRDN.Count := 6;
    for i := 0 to 5 do SubjectRDN.Tags[i] := SB_ASN1_PRINTABLESTRING;
    SubjectRDN.OIDs[0] := SB_CERT_OID_COUNTRY;
    SubjectRDN.Values[0] := 'XX';
    SubjectRDN.OIDs[1] := SB_CERT_OID_STATE_OR_PROVINCE;
    SubjectRDN.Values[1] := 'XXXXXX';
    SubjectRDN.OIDs[2] := SB_CERT_OID_LOCALITY;
    SubjectRDN.Values[2] := 'XXXXX';
    SubjectRDN.OIDs[3] := SB_CERT_OID_ORGANIZATION;
    SubjectRDN.Values[3] := 'Org';
    SubjectRDN.OIDs[4] := SB_CERT_OID_ORGANIZATION_UNIT;
    SubjectRDN.Values[4] := 'XXX';
    SubjectRDN.OIDs[5] := SB_CERT_OID_COMMON_NAME;
    SubjectRDN.Values[5] := 'XXX';
    ValidFrom := Now()-1000;
    ValidTo := Now()+10000;
    CAAvailable := False;

    with IssuerRDN do
    begin
      Count := 6;
      // self-signed CA: the issuer name repeats the subject name
      for i := 0 to 5 do Tags[i] := SB_ASN1_PRINTABLESTRING;
      OIDs[0] := SB_CERT_OID_COUNTRY;
      Values[0] := 'XX';
      OIDs[1] := SB_CERT_OID_STATE_OR_PROVINCE;
      Values[1] := 'XXXXX';
      OIDs[2] := SB_CERT_OID_LOCALITY;
      Values[2] := 'XXXXX';
      OIDs[3] := SB_CERT_OID_ORGANIZATION;
      Values[3] := 'Org';
      OIDs[4] := SB_CERT_OID_ORGANIZATION_UNIT;
      Values[4] := 'XXX';
      OIDs[5] := SB_CERT_OID_COMMON_NAME;
      Values[5] := 'XXX';
    end;
    with Extensions.KeyUsage do
      begin
        DigitalSignature := True;
        NonRepudiation := True;
        KeyEncipherment := True;
        DataEncipherment := True;
        KeyAgreement := True;
        KeyCertSign  := True;
        CRLSign  := True;
        EncipherOnly  := True;
        DecipherOnly  := True;
      end;

    Generate(SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION, 2048 div 32);

    m := TMemoryStream.Create;
    SaveToStreamPFX(m,'pass');
    m.SaveToFile('c:\CA.pfx');
    m.Free;
  end;
end;


Second, I generate the CSR

Code
var i:integer;
begin
  with FRequest do
  begin
    with  Subject do
    begin
      Count := 6;
      for i := 0 to 5 do Tags[i] := SB_ASN1_PRINTABLESTRING;
      OIDs[0] := SB_CERT_OID_COUNTRY;
      Values[0] := 'XX';
      OIDs[1] := SB_CERT_OID_STATE_OR_PROVINCE;
      Values[1] := 'XXXXX';
      OIDs[2] := SB_CERT_OID_LOCALITY;
      Values[2] := 'XXXXX';
      OIDs[3] := SB_CERT_OID_ORGANIZATION;
      Values[3] := 'Org';
      OIDs[4] := SB_CERT_OID_ORGANIZATION_UNIT;
      Values[4] := 'ClientSert';
      OIDs[5] := SB_CERT_OID_COMMON_NAME;
      Values[5] := 'ClientSert';
    end;
    with Extensions.KeyUsage do
      begin
        DigitalSignature := True;
        NonRepudiation := True;
        KeyEncipherment := True;
        DataEncipherment := True;
        KeyAgreement := True;
        KeyCertSign  := True;
        CRLSign  := True;
        EncipherOnly  := True;
        DecipherOnly  := True;
      end;

     Generate(SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION,1024,SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION);
  end;
end;


Third, I sign the CSR
Code
var
  m: TMemoryStream;
  TempCert: TElX509Certificate;
begin
  m := TMemoryStream.Create;
  m.LoadFromFile('c:\CA.pfx');
  m.Position := 0;
  CACert.LoadFromStreamPFX(m,'pass');
  TempCert := TElX509Certificate.Create(nil);
  TempCert.CAAvailable := True;
  TempCert.ValidFrom := Now()-1000;
  TempCert.ValidTo := Now()+10000;
  CACert.Generate(FRequest,TempCert);
  m.Size := 0;
  TempCert.SaveToStreamPFX(m,'xxx');
  m.SaveToFile('c:\client.pfx');
  m.Free;
  TempCert.Free;
end;


Then I install the CA cert into the Windows trusted CA store and it is perfectly visible and working.
But when I install the client cert into the "My" Windows store it's not visible; however, the demo cert program sees it OK and moreover validates it.
#4888
Posted: 02/07/2008 08:34:22
by Ken Ivanov (EldoS Corp.)

Would you be so kind as to clarify the following sentence:
Quote
But when I install client cert into "My" win storage it's not visible

1. How exactly the client certificate is installed,
2. What tool do you use to view it after installation?
#4889
Posted: 02/07/2008 08:45:39
by Scratch  (Standard support level)
Joined: 02/07/2008
Posts: 34

Both certs are installed by double-clicking them and then manually (or automatically, it makes no difference) selecting the store.

The process (for both the client and CA cert) says it's all OK, but I see nothing in the list of certs in IE (I use it to view them).

Then I run CertDemo from the SBB PKI demos and it shows the client cert to me.
#4893
Posted: 02/07/2008 09:37:33
by Ken Ivanov (EldoS Corp.)

It is likely that the certificate is added to the Personal store under the *local machine* account (IE displays the certificates stored in the Personal store under the *current user* account). Please use MMC to check if this is so:
1. Run MMC (Start->Run->mmc),
2. File->Add/Remove snap-in,
3. Add->Certificates->Computer account->Local computer,
4. Close all opened dialog windows and expand the 'Console Root->Certificates (local computer)->Personal->Certificates' branch of the tree. Check if your certificate is visible in the list.
#4897
Posted: 02/07/2008 10:05:27
by Scratch  (Standard support level)
Joined: 02/07/2008
Posts: 34

Nope, it's not there ) Only your Cert demo can see it under the "MY" store.
By the way.
If I generate a cert without a CSR like this:

Code
tempCert := blablabla.Create
....

SubjectRDN.OIDs[0] := SB_CERT_OID_COUNTRY;
SubjectRDN.Values[0] :=  ...
....
TempCert.Generate(CACert,SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION,1024 div 32);


Then save it to PFX and import it via double-click, it appears OK. The problem seems to be with the CSR signing. Maybe I'm just doing something wrong with that.
#4899
Posted: 02/07/2008 10:19:25
by Ken Ivanov (EldoS Corp.)

Hmm, it is likely that IE is confused by some certificate properties like key usage flags. Would you be so kind as to post the certificates (both CA and end-entity) here so that we could investigate them manually?
#4900
Posted: 02/07/2008 10:36:13
by Scratch  (Standard support level)
Joined: 02/07/2008
Posts: 34

Here you go )
The code which generates them is in the 1st post.
#4903
Posted: 02/07/2008 11:03:55
by Ken Ivanov (EldoS Corp.)

Got it. IE does not display the client certificate because it does not contain the associated private key (it seems that only certificates having the corresponding private key are displayed).
#4905
Posted: 02/07/2008 11:12:56
by Scratch  (Standard support level)
Joined: 02/07/2008
Posts: 34

BTW the passwords for both the CA and client certs are 'xxx' without quotes.
Thanks for the answer, and I've got two more questions then.

First, how do I save the CA cert without the private key, so I could distribute it to clients?
Now I just do
Code
CaCert.SaveToStreamPFX(stream,'pass');

Second seems less important, but still interesting: how do I merge the client cert with the private key?
#4906
Posted: 02/07/2008 11:26:49
by Ken Ivanov (EldoS Corp.)

Quote
First, how do I save Ca cert without private key, so i could distribute it over clients.

Please use one of the formats that do not support private key storage: DER, PEM or SPC. The corresponding saving methods are SaveToStream(), SaveToStreamPEM() and SaveToStreamSPC().

Quote
Second seems less important, but still interesting on how do I merge the client cert with the private key.

You can load the private key into the certificate instance using its LoadKeyFromStream() (LoadKeyFromStreamPEM(), LoadKeyFromStreamPVK()) method. The generated private key can be saved using TElCertificateRequest.SaveKeyToStream() (SaveKeyToStreamPEM(), SaveKeyToStreamPVK()) method.
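Putting the two answers together, the signing step from the first post can be reworked so that the issued client certificate carries its private key (which is what makes IE and the Personal store show it) and the CA is exported without one. This is an added example, not code from the thread or from EldoS: the method names (`Generate(Request, Cert)`, `SaveKeyToStream`, `LoadKeyFromStream`, `SaveToStream`, `SaveToStreamPFX`) are the ones named above, but their exact parameter lists, the `PrivateKeyExists` property and the unit names `SBX509`, `SBPKCS10` are assumptions that should be checked against the SecureBlackbox reference for the version in use.

```delphi
unit IssueClient;

interface

uses
  Classes, SysUtils, DateUtils,
  SBX509,    // TElX509Certificate (assumed unit name)
  SBPKCS10;  // TElCertificateRequest (assumed unit name)

procedure IssueClientCertificate(Request: TElCertificateRequest;
  const CAPfxPath, CAPfxPassword, ClientPfxPath, ClientPfxPassword,
  CADerPath: string);

implementation

procedure IssueClientCertificate(Request: TElCertificateRequest;
  const CAPfxPath, CAPfxPassword, ClientPfxPath, ClientPfxPassword,
  CADerPath: string);
var
  m, KeyStream: TMemoryStream;
  CACert, ClientCert: TElX509Certificate;
begin
  CACert := TElX509Certificate.Create(nil);
  ClientCert := TElX509Certificate.Create(nil);
  m := TMemoryStream.Create;
  KeyStream := TMemoryStream.Create;
  try
    // 1. Load the CA from PFX; PFX carries the certificate and its private key.
    m.LoadFromFile(CAPfxPath);
    m.Position := 0;
    CACert.LoadFromStreamPFX(m, CAPfxPassword);
    if not CACert.PrivateKeyExists then  // property name assumed
      raise Exception.Create('CA PFX does not contain a private key; cannot sign');

    // 2. Sign the request. As the thread establishes, the result holds only
    //    the public part: the key stays with the request object.
    ClientCert.CAAvailable := True;
    ClientCert.ValidFrom := Now - 1;            // one day of clock-skew slack
    ClientCert.ValidTo := IncYear(Now, 1);
    CACert.Generate(Request, ClientCert);

    // 3. Attach the key generated with the request to the issued certificate
    //    (parameter lists assumed: stream plus an optional password).
    Request.SaveKeyToStream(KeyStream, '');
    KeyStream.Position := 0;
    ClientCert.LoadKeyFromStream(KeyStream, '');
    if not ClientCert.PrivateKeyExists then
      raise Exception.Create('private key was not attached to the client certificate');

    // 4. The PFX now contains certificate + key, so a double-click import into
    //    the current user's Personal store shows up in IE and certmgr.
    m.Size := 0;
    ClientCert.SaveToStreamPFX(m, ClientPfxPassword);
    m.SaveToFile(ClientPfxPath);

    // 5. Distribute the CA as DER: SaveToStream() never writes a private key,
    //    so the CA key cannot leak with the trust-anchor file.
    m.Size := 0;
    CACert.SaveToStream(m);
    m.SaveToFile(CADerPath);
  finally
    KeyStream.Free;
    m.Free;
    ClientCert.Free;
    CACert.Free;
  end;
end;

end.
```

The two `PrivateKeyExists` checks are the point of the example: the first refuses to sign with a CA file that was exported without its key, the second catches exactly the situation from the first post, where the issued certificate was written to PFX with no key and therefore never appeared in the Personal store. Call it with the `FRequest` object after `FRequest.Generate(...)` has run, since the key must still be inside the request when `SaveKeyToStream` is invoked.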

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.