CertMgr Configuration
The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.CertMgr Configuration Settings
CertComment:
A comment to include in a saved certificate.This settings specifies the certificate comment when calling ExportCertificate.
This setting is only applicable when ExportFormat is set to one of the following values:
| |||||||||||||||||||
CertCustomExtensionCount:
The number of records in the CertCustomExtension arrays.This property controls the size of the following arrays:
The array indices start at 0 and end at CertExtensionCount-1. | |||||||||||||||||||
CertCustomExtensionCritical[i]:
Whether or not the extension is defined as critical.Whether or not the certificate extension at index 'i' is defined as critical.
Valid array indices are from 0 to CertCustomExtensionCount - 1. | |||||||||||||||||||
CertCustomExtensionOID[i]:
The ASN of the extension at index 'i'.The ASN.1 Object-Identifier (OID) that defines the certificate extension at index 'i'.
Valid array indices are from 0 to CertCustomExtensionCount - 1. | |||||||||||||||||||
CertCustomExtensionValue[i]:
The raw value of the extension at index 'i'.The raw value of this certificate extension (as a byte string). This value is encoded
according to the extension's ASN.1 specification.
Valid array indices are from 0 to CertCustomExtensionCount - 1. | |||||||||||||||||||
CertExtendedKeyUsage:
The extended key usage of the certificate.This setting specifies the extended key usage flags of the certificate created by calling CreateCertificate or IssueCertificate.
If specified, the value is a comma separated list of OIDs. Common OIDs are:
For instance, the following value specified the extended key usage for Server Authentication, Client Authentication, and Code Signing: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3 | |||||||||||||||||||
CertKeyLength: The public key length for created certificates and keys.When CreateCertificate creates a new certificate and associated key, or when CreateKey creates a key, this setting determines the length of the new public key (in bits). The default value is 2048. | |||||||||||||||||||
CertKeyType: The types of keys created for new certificates.When CreateCertificate creates a new certificate and associated key, or when CreateKey creates a key, this setting determines the type of key generated: 1 for key exchange (encryption) keys, and 2 for digital signature keys. The default value is 1. | |||||||||||||||||||
CertPublicKeyAlgorithm:
The public key algorithm used when a certificate is created.When CreateCertificate creates a new certificate and associated key,
this setting determines the public key algorithm of the generated keys.
Valid values are:
| |||||||||||||||||||
CertSignatureAlgorithm:
The signature algorithm used when creating certificates.When CreateCertificate or IssueCertificate creates a new certificate,
the signature algorithm used is specified by this setting. Possible values are:
| |||||||||||||||||||
CertSubjectAltNames:
Subject Alternative Names for creating or issuing certificates.This allows the Subject Alternative Names extension to be specified when creating or issuing a certificate via CreateCertificate or IssueCertificate. This setting only supports email, DNS, URI, and IPv4 addresses. Separate alternative names should be separated by commas. For example:
string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"
| |||||||||||||||||||
CertUsageFlags:
Sets the flags indicating the usage of the created certificate.This setting specifies the usage flags of the certificate created by calling CreateCertificate or IssueCertificate. If specified, the value is the binary or of one or more supported values. For instance a value of
12 or 0xC is the binary or of the Certificate Signing and Key Signing usage flags. Supported flags are:
| |||||||||||||||||||
CertValidityOffset: The number of days until the certificate becomes valid.This configuration setting can be used to change when a newly created certificate becomes valid. By default, the certificate is valid as soon as it is created. Set CertValidityOffset to the number of days that this starting period should be offset from the current day. This setting also accepts negative values for back-dating the validity of a certificate. The default value is 0. | |||||||||||||||||||
CertValidityTime:
The validity period for the certificate.This configuration setting determines the duration in days that a newly
created certificate remains valid. The certificate becomes valid
as soon as it is created, unless CertValidityOffset is set.
The duration is not changed if CertValidityOffset is set;
the certificate will still expire CertValidityTime days after the
validity period begins. The default value is 365 days.
| |||||||||||||||||||
CreatedKey: The PKCS8 formatted private and public key pair created after calling CreateKey.This setting returns the PKCS8 formatted private and public key pair of the key created when CreateKey is called. This is useful in scenarios where exporting the key for use in another environment is required. | |||||||||||||||||||
CSP: The Cryptographic Service Provider.The name of the Cryptographic Service Provider used to provide access to certificate signing operations. | |||||||||||||||||||
CSRIgnoredExtensions:
Extensions to be ignorned when signing a CSR.Set this configuration setting to a comma separated list of OID's of any extensions already present in the CSR that should be ignored when the CSR is signed.
For example if the SAN's in a CSR should be ignored the below code would work:
CertMgr1->Config("CSRIgnoredExtensions=2.5.29.17");
| |||||||||||||||||||
CSRKey: The PKCS8 formatted private key to use when generating a CSR.This setting optionally specifies a PKCS8 formatted private key to use when calling GenerateCSR. When set, the keyName parameter of GenerateCSR is ignored and the key specified by this setting is used instead. | |||||||||||||||||||
EncodeExportedCert:
Whether the certificate being exported to a string is encoded.This setting controls whether the certificate exported as a string when ExportCertificate is called
is encoded. If ExportFormat is set to PFX or P7B before calling ExportCertificate the exported certificate may be binary (EncodeExportedCert is False), or base64 encoded (EncodeExportedCert is True) to allow easier handling of the certificate data.
The default value is False. | |||||||||||||||||||
ImportCertAction:
Specified the action to take if a matching certificate or a link to a matching certificate already exists.When calling ImportCertificate if a matching certificate or a link to a matching certificate already exists
in the Windows certificate store this setting governs what action will be taken. Possible values are:
| |||||||||||||||||||
ImportCertStoreType:
The type of certificate store being specified for import.When calling ImportCertificate, this setting controls the type of the certificate being specified in the first parameter.
This config can take one of the following values:
| |||||||||||||||||||
JWKAlgorithm:
The JWK algorithm.This setting specifies the JWK algorithm. It can be set before calling ExportCertificate (if ExportFormat is set to JWK) to control the key algorithm used to create the JWK. This setting will also be populated after loading a JWK file.
Valid values are:
| |||||||||||||||||||
JWKExportX5C:
Whether to export a certificate chain to the x5c parameter.When set to true, the component will attempt to build the X.509 certificate chain for the certificate currently selected by CertSubject. If successful, the x5c parameter will be added to the JWK. It can be set before calling ExportCertificate (if ExportFormat is set to JWK).
The default value is False. | |||||||||||||||||||
JWKKeyId: The JWK key Id.This setting specifies the JWK key Id. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). This setting will also be populated after loading a JWK file. | |||||||||||||||||||
JWKKeyOps:
The JWK intended key operations list.This setting specifies the intended key operations for the JWK. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). This setting will also be populated after loading a JWK file.
This setting format is a JSON array. Examples: ["sign","verify"] or ["encrypt"]. | |||||||||||||||||||
JWKUse:
The JWK use parameter value.This setting specifies the intended usage of the key. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). This setting will also be populated after loading a JWK file.
Valid values are enc and sig. | |||||||||||||||||||
KeyFormat:
How the public and private key are formatted.This setting controls the format of CertPublicKey and CertPrivateKey. By default
these properties hold PEM formatted public and private key data. When set to 1 (XML) the keys
are stored in a XML format. This only affects the values returned by the component; the actual keys remain
the same regardless of this setting. Possible values are:
| |||||||||||||||||||
LogLevel:
The level of detail that is logged.This setting controls the level of detail that is logged through the Log event. Possible values are:
| |||||||||||||||||||
ReplaceKey: Whether or not to replace an existing key when creating a new key.If this is false (default), the component will throw an error if a duplicate key exists while generating a new keyset using CreateKey. If set to true, the component will replace a key if it already exists when generating new keys. | |||||||||||||||||||
RequestSubjectAltNames:
Subject Alternative Names for a Certificate Signing Request.
This allows Subject Alternative Names to be added to a Certificate Signing request. The setting only supports
email, DNS, URI, and IPv4 addresses. Separate alternative names should be separated by commas. For example:
string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"
| |||||||||||||||||||
X509Algorithm: Public Key Algorithm OID.This setting exposes the Public Key Algorithm object identifier (OID) value for the currently loaded Cert. | |||||||||||||||||||
X509SignatureAlgorithm: Signature Algorithm OID.This setting exposes the Signature Algorithm object identifier (OID) value for the currently loaded Cert. |