IPWorks WebSockets 2020 Delphi Edition

Questions / Feedback?

CertMgr Configuration

The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

CertMgr Configuration Settings

CertComment:   A comment to include in a saved certificate.

This settings specifies the certificate comment when calling ExportCertificate. This setting is only applicable when ExportFormat is set to one of the following values:

When ExportFormat is set to "SSH2PublicKey" the value of this setting must be the full header. For instance: Comment: My Comment.
CertCustomExtensionCount:   The number of records in the CertCustomExtension arrays.

This property controls the size of the following arrays:

The array indices start at 0 and end at CertExtensionCount-1.

CertCustomExtensionCritical[i]:   Whether or not the extension is defined as critical.

Whether or not the certificate extension at index 'i' is defined as critical.

Valid array indices are from 0 to CertCustomExtensionCount - 1.

CertCustomExtensionOID[i]:   The ASN of the extension at index 'i'.

The ASN.1 Object-Identifier (OID) that defines the certificate extension at index 'i'.

Valid array indices are from 0 to CertCustomExtensionCount - 1.

CertCustomExtensionValue[i]:   The raw value of the extension at index 'i'.

The raw value of this certificate extension (as a byte string). This value is encoded according to the extension's ASN.1 specification.

Valid array indices are from 0 to CertCustomExtensionCount - 1.

CertExtendedKeyUsage:   The extended key usage of the certificate.

This setting specifies the extended key usage flags of the certificate created by calling CreateCertificate or IssueCertificate. If specified, the value is a comma separated list of OIDs. Common OIDs are:

1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.3 Code Signing
1.3.6.1.5.5.7.3.4 Secure Email
1.3.6.1.5.5.7.3.8 Time Stamping
1.3.6.1.5.5.7.3.9 OCSP Signing

For instance, the following value specified the extended key usage for Server Authentication, Client Authentication, and Code Signing: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3

CertKeyLength:   The public key length for created certificates and keys.

When CreateCertificate creates a new certificate and associated key, or when CreateKey creates a key, this setting determines the length of the new public key (in bits). The default value is 2048.

CertKeyType:   The types of keys created for new certificates.

When CreateCertificate creates a new certificate and associated key, or when CreateKey creates a key, this setting determines the type of key generated: 1 for key exchange (encryption) keys, and 2 for digital signature keys. The default value is 1.

CertPublicKeyAlgorithm:   The public key algorithm used when a certificate is created.

When CreateCertificate creates a new certificate and associated key, this setting determines the public key algorithm of the generated keys. Valid values are:

  • RSA (default)
  • DSA
  • ECDSA_P256
  • ECDSA_P384
  • ECDSA_P521
  • ECDSA_Secp256k1
  • ECDSA_Secp224k1
  • ECDSA_Secp192k1
  • ECDSA_Secp160k1
  • Ed25519
  • Ed448

CertSignatureAlgorithm:   The signature algorithm used when creating certificates.

When CreateCertificate or IssueCertificate creates a new certificate, the signature algorithm used is specified by this setting. Possible values are:

  • MD2
  • MD5
  • SHA1
  • SHA256 (default)
  • SHA384
  • SHA512

CertSubjectAltNames:   Subject Alternative Names for creating or issuing certificates.

This allows the Subject Alternative Names extension to be specified when creating or issuing a certificate via CreateCertificate or IssueCertificate. This setting only supports email, DNS, URI, and IPv4 addresses. Separate alternative names should be separated by commas. For example:


string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"

CertUsageFlags:   Sets the flags indicating the usage of the created certificate.

This setting specifies the usage flags of the certificate created by calling CreateCertificate or IssueCertificate. If specified, the value is the binary or of one or more supported values. For instance a value of 12 or 0xC is the binary or of the Certificate Signing and Key Signing usage flags. Supported flags are:

0x80 Digital Signatures
0x40 Key Authentication
0x20 Key Encryption
0x10 Data Encryption
0x08 Key Agreement
0x04 Certificate Signing
0x02 Key Signing

CertValidityOffset:   The number of days until the certificate becomes valid.

This configuration setting can be used to change when a newly created certificate becomes valid. By default, the certificate is valid as soon as it is created. Set CertValidityOffset to the number of days that this starting period should be offset from the current day. This setting also accepts negative values for back-dating the validity of a certificate. The default value is 0.

CertValidityTime:   The validity period for the certificate.

This configuration setting determines the duration in days that a newly created certificate remains valid. The certificate becomes valid as soon as it is created, unless CertValidityOffset is set. The duration is not changed if CertValidityOffset is set; the certificate will still expire CertValidityTime days after the validity period begins. The default value is 365 days.

CreatedKey:   The PKCS8 formatted private and public key pair created after calling CreateKey.

This setting returns the PKCS8 formatted private and public key pair of the key created when CreateKey is called. This is useful in scenarios where exporting the key for use in another environment is required.

CSP:   The Cryptographic Service Provider.

The name of the Cryptographic Service Provider used to provide access to certificate signing operations.

CSRIgnoredExtensions:   Extensions to be ignorned when signing a CSR.

Set this configuration setting to a comma separated list of OID's of any extensions already present in the CSR that should be ignored when the CSR is signed.

For example if the SAN's in a CSR should be ignored the below code would work:

CertMgr1->Config("CSRIgnoredExtensions=2.5.29.17");

CSRKey:   The PKCS8 formatted private key to use when generating a CSR.

This setting optionally specifies a PKCS8 formatted private key to use when calling GenerateCSR. When set, the keyName parameter of GenerateCSR is ignored and the key specified by this setting is used instead.

EncodeExportedCert:   Whether the certificate being exported to a string is encoded.

This setting controls whether the certificate exported as a string when ExportCertificate is called is encoded. If ExportFormat is set to PFX or P7B before calling ExportCertificate the exported certificate may be binary (EncodeExportedCert is False), or base64 encoded (EncodeExportedCert is True) to allow easier handling of the certificate data.

The default value is False.

ImportCertAction:   Specified the action to take if a matching certificate or a link to a matching certificate already exists.

When calling ImportCertificate if a matching certificate or a link to a matching certificate already exists in the Windows certificate store this setting governs what action will be taken. Possible values are:

1CERT_STORE_ADD_NEW - Imports a certificate only if no existing certificate is present.
2CERT_STORE_ADD_USE_EXISTING - If an existing certificate is found, it is not replaced.
3 (default)CERT_STORE_ADD_REPLACE_EXISTING - If an existing certificate is found it is replaced.
4CERT_STORE_ADD_ALWAYS - No checks are performed and a new certificate is always added to the store. This can result in duplicates.
5CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES - If an existing certificate is found it is replaced, and the new certificate inherits properties from the certificate it replaces.
6CERT_STORE_ADD_NEWER - Imports a certificate only if the certificate is newer than an existing matching certificate.
7CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES - Imports a certificate only if the certificate is newer than an existing matching certificate, and inherits the properties of old certificate it replaces.

ImportCertStoreType:   The type of certificate store being specified for import.

When calling ImportCertificate, this setting controls the type of the certificate being specified in the first parameter.

This config can take one of the following values:

2 (cstPFXFile)The certificate store is the name of a PFX (PKCS12) file containing certificates.
3 (cstPFXBlob)The certificate store is a string (binary or base64-encoded) representing a certificate store in PFX (PKCS12) format.
6 (cstPEMKeyFile)The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate.
7 (cstPEMKeyBlob)The certificate store is a string (binary or base64-encoded) that contains a private key and an optional certificate.
8 (cstPublicKeyFile)The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate.
9 (cstPublicKeyBlob)The certificate store is a string (binary or base64-encoded) that contains a PEM- or DER-encoded public key certificate.
10 (cstSSHPublicKeyBlob)The certificate store is a string (binary or base64-encoded) that contains an SSH-style public key.
13 (cstSSHPublicKeyFile)The certificate store is the name of a file that contains an SSH-style public key.
99 (cstAuto - default)The certificate type is automatically determined from the input.

Note that this functionality is currently for Windows platforms only.

JWKAlgorithm:   The JWK algorithm.

This setting specifies the JWK algorithm. It can be set before calling ExportCertificate (if ExportFormat is set to JWK) to control the key algorithm used to create the JWK. This setting will also be populated after loading a JWK file.

Valid values are:

  • (empty string)
  • HS256
  • HS384
  • HS512
  • RS256
  • RS384
  • RS512
  • EC256
  • EC384
  • EC512
  • EC256K

JWKExportX5C:   Whether to export a certificate chain to the x5c parameter.

When set to true, the component will attempt to build the X.509 certificate chain for the certificate currently selected by CertSubject. If successful, the x5c parameter will be added to the JWK. It can be set before calling ExportCertificate (if ExportFormat is set to JWK).

The default value is False.

JWKKeyId:   The JWK key Id.

This setting specifies the JWK key Id. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). This setting will also be populated after loading a JWK file.

JWKKeyOps:   The JWK intended key operations list.

This setting specifies the intended key operations for the JWK. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). This setting will also be populated after loading a JWK file.

This setting format is a JSON array. Examples: ["sign","verify"] or ["encrypt"].

JWKUse:   The JWK use parameter value.

This setting specifies the intended usage of the key. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). This setting will also be populated after loading a JWK file.

Valid values are enc and sig.

KeyFormat:   How the public and private key are formatted.

This setting controls the format of CertPublicKey and CertPrivateKey. By default these properties hold PEM formatted public and private key data. When set to 1 (XML) the keys are stored in a XML format. This only affects the values returned by the component; the actual keys remain the same regardless of this setting. Possible values are:

  • 0 (PEM - default)
  • 1 (XML)
The default value is 0 (PEM).
LogLevel:   The level of detail that is logged.

This setting controls the level of detail that is logged through the Log event. Possible values are:

0 (None) No events are logged.
1 (Info - default) Informational events are logged.
2 (Verbose) Detailed data is logged.
3 (Debug) Debug data is logged.

ReplaceKey:   Whether or not to replace an existing key when creating a new key.

If this is false (default), the component will throw an error if a duplicate key exists while generating a new keyset using CreateKey. If set to true, the component will replace a key if it already exists when generating new keys.

RequestSubjectAltNames:   Subject Alternative Names for a Certificate Signing Request.

This allows Subject Alternative Names to be added to a Certificate Signing request. The setting only supports email, DNS, URI, and IPv4 addresses. Separate alternative names should be separated by commas. For example:


string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"

X509Algorithm:   Public Key Algorithm OID.

This setting exposes the Public Key Algorithm object identifier (OID) value for the currently loaded Cert.

X509SignatureAlgorithm:   Signature Algorithm OID.

This setting exposes the Signature Algorithm object identifier (OID) value for the currently loaded Cert.

Copyright (c) 2022 /n software inc. - All rights reserved.
IPWorks WebSockets 2020 Delphi Edition - Version 20.0 [Build 8155]