CertificateManager Component

Properties   Methods   Events   Config Settings   Errors  

The CertificateManager component supports importing, exporting, and generating X.509 certificates.

Syntax

TsbxCertificateManager

Remarks

Usage of this component includes importing and exporting certificates and keys in various formats, as well as certificate generation.

Loading certificates

In vast majority of SecureBlackbox-powered projects, this component is used to import certificates from files or memory objects for further use in other components, like PDFSigner.

To load a certificate from a file, use the ImportFromFile method. This method supports all existing certificate formats, including PFX, PEM, DER, and P7B. Note that keys contained in PFX and PEM certificates are often encrypted with a password, so you will likely need to provide one for the certificate to be loaded correctly. You can either provide the password via the method's parameter, or provide it on-demand by subscribing to the PasswordNeeded event.

Alternatively, you can use ImportCert to load a certificate from a different type of media, such as a database.

If your certificate and its private key are stored in separate files or buffers - which is often the case where PEM or DER format is used - please load the certificate with the ImportFromFile method first, and then add the key to it with a separate call to the ImportKeyFromFile method. You can mix and match the certificate and key formats in this case; CertificateManager will handle this automatically.

Note that CertificateManager can only keep one certificate at a time. If your PFX or PEM file contains more than one certificate, use CertificateStorage component to load it instead.

Generating certificates

You can use CertificateManager to generate your own certificates. To generate a certificate, please follow the below steps:

• set all the needed certificate properties - for example, its subject, serial number, and validity period - via the Certificate property.
• load the CA certificate to a different CertificateManager object, and assign it to the CACertificate property. Note that the CA certificate should have an associated private key. Alternatively, the CA certificate can be loaded using a CertificateStorage object, which allows to import it from a hardware device or a system store.

  Note: you do not need to load and set the CA certificate if generating a self-signed certificate.

• Call Generate to generate a new keypair and wrap it into a certificate.
• Save the certificate using ExportToFile or ExportCert methods.

  Note: take care to choose a format that supports storing private keys. If you do not save the new private key at this stage, you won't be able to recover it later.

  Note: you can save the private key separately using the ExportKey method.

Note: you can use the GetSampleCert shortcut to generate a simple certificate for test or debug purposes.

Generating certificate requests

Apart from certificates, CertificateManager can generate certificate requests (PKCS10). The procedure is the same as when generating certificates. The only difference is that you need to use CertificateRequest object to set up the certificate request parameters, and GenerateCSR method to generate the request. You can then save the resulting request to a file using the ExportCSR method.

Property List

---

The following is the full list of the properties of the component with short descriptions. Click on the links for further details.

Method List

---

The following is the full list of the methods of the component with short descriptions. Click on the links for further details.

Event List

---

The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.

Config Settings

---

The following is a list of config settings for the component with short descriptions. Click on the links for further details.

CACertBytes Property (CertificateManager Component)

Returns the raw certificate data in DER format.

Syntax

__property DynamicArray CACertBytes = { read=FCACertBytes };

Remarks

Returns the raw certificate data in DER format.

This property is read-only and not available at design time.

Data Type

Byte Array

CACertHandle Property (CertificateManager Component)

Allows to get or set a 'handle', a unique identifier of the underlying property object.

Syntax

__property __int64 CACertHandle = { read=FCACertHandle, write=FSetCACertHandle };

Default Value

0

Remarks

Allows to get or set a 'handle', a unique identifier of the underlying property object. Use this property to assign objects of the same type in a quicker manner, without copying them fieldwise.

When you pass a handle of one object to another, the source object is copied to the destination rather than assigned. It is safe to get rid of the original object after such operation. pdfSigner.setSigningCertHandle(certMgr.getCertHandle());

This property is not available at design time.

Data Type

Long64

CertBytes Property (CertificateManager Component)

Returns the raw certificate data in DER format.

Syntax

__property DynamicArray CertBytes = { read=FCertBytes };

Remarks

Returns the raw certificate data in DER format.

This property is read-only and not available at design time.

Data Type

Byte Array

CertCA Property (CertificateManager Component)

Indicates whether the certificate has a CA capability (a setting in the BasicConstraints extension).

Syntax

__property bool CertCA = { read=FCertCA, write=FSetCertCA };

Default Value

false

Remarks

Indicates whether the certificate has a CA capability (a setting in the BasicConstraints extension).

This property is not available at design time.

Data Type

Boolean

CertCAKeyID Property (CertificateManager Component)

A unique identifier (fingerprint) of the CA certificate's private key.

Syntax

__property DynamicArray CertCAKeyID = { read=FCertCAKeyID };

Remarks

A unique identifier (fingerprint) of the CA certificate's private key.

Authority Key Identifier is a (non-critical) X.509 certificate extension which allows the identification of certificates produced by the same issuer, but with different public keys.

This property is read-only and not available at design time.

Data Type

Byte Array

CertCRLDistributionPoints Property (CertificateManager Component)

Locations of the CRL (Certificate Revocation List) distribution points used to check this certificate's validity.

Syntax

__property String CertCRLDistributionPoints = { read=FCertCRLDistributionPoints, write=FSetCertCRLDistributionPoints };

Default Value

""

Remarks

Locations of the CRL (Certificate Revocation List) distribution points used to check this certificate's validity.

This property is not available at design time.

Data Type

String

CertCurve Property (CertificateManager Component)

Specifies the elliptic curve of the EC public key.

Syntax

__property String CertCurve = { read=FCertCurve, write=FSetCertCurve };

Default Value

""

Remarks

Specifies the elliptic curve of the EC public key.

This property is not available at design time.

Data Type

String

CertFingerprint Property (CertificateManager Component)

Contains the fingerprint (a hash imprint) of this certificate.

Syntax

__property DynamicArray CertFingerprint = { read=FCertFingerprint };

Remarks

Contains the fingerprint (a hash imprint) of this certificate.

This property is read-only and not available at design time.

Data Type

Byte Array

CertFriendlyName Property (CertificateManager Component)

Contains an associated alias (friendly name) of the certificate.

Syntax

__property String CertFriendlyName = { read=FCertFriendlyName };

Default Value

""

Remarks

Contains an associated alias (friendly name) of the certificate.

This property is read-only and not available at design time.

Data Type

String

CertHandle Property (CertificateManager Component)

Allows to get or set a 'handle', a unique identifier of the underlying property object.

Syntax

__property __int64 CertHandle = { read=FCertHandle, write=FSetCertHandle };

Default Value

0

Remarks

Allows to get or set a 'handle', a unique identifier of the underlying property object. Use this property to assign objects of the same type in a quicker manner, without copying them fieldwise.

When you pass a handle of one object to another, the source object is copied to the destination rather than assigned. It is safe to get rid of the original object after such operation. pdfSigner.setSigningCertHandle(certMgr.getCertHandle());

This property is not available at design time.

Data Type

Long64

CertHashAlgorithm Property (CertificateManager Component)

Specifies the hash algorithm to be used in the operations on the certificate (such as key signing) SB_HASH_ALGORITHM_SHA1 SHA1 SB_HASH_ALGORITHM_SHA224 SHA224 SB_HASH_ALGORITHM_SHA256 SHA256 SB_HASH_ALGORITHM_SHA384 SHA384 SB_HASH_ALGORITHM_SHA512 SHA512 SB_HASH_ALGORITHM_MD2 MD2 SB_HASH_ALGORITHM_MD4 MD4 SB_HASH_ALGORITHM_MD5 MD5 SB_HASH_ALGORITHM_RIPEMD160 RIPEMD160 SB_HASH_ALGORITHM_CRC32 CRC32 SB_HASH_ALGORITHM_SSL3 SSL3 SB_HASH_ALGORITHM_GOST_R3411_1994 GOST1994 SB_HASH_ALGORITHM_WHIRLPOOL WHIRLPOOL SB_HASH_ALGORITHM_POLY1305 POLY1305 SB_HASH_ALGORITHM_SHA3_224 SHA3_224 SB_HASH_ALGORITHM_SHA3_256 SHA3_256 SB_HASH_ALGORITHM_SHA3_384 SHA3_384 SB_HASH_ALGORITHM_SHA3_512 SHA3_512 SB_HASH_ALGORITHM_BLAKE2S_128 BLAKE2S_128 SB_HASH_ALGORITHM_BLAKE2S_160 BLAKE2S_160 SB_HASH_ALGORITHM_BLAKE2S_224 BLAKE2S_224 SB_HASH_ALGORITHM_BLAKE2S_256 BLAKE2S_256 SB_HASH_ALGORITHM_BLAKE2B_160 BLAKE2B_160 SB_HASH_ALGORITHM_BLAKE2B_256 BLAKE2B_256 SB_HASH_ALGORITHM_BLAKE2B_384 BLAKE2B_384 SB_HASH_ALGORITHM_BLAKE2B_512 BLAKE2B_512 SB_HASH_ALGORITHM_SHAKE_128 SHAKE_128 SB_HASH_ALGORITHM_SHAKE_256 SHAKE_256 SB_HASH_ALGORITHM_SHAKE_128_LEN SHAKE_128_LEN SB_HASH_ALGORITHM_SHAKE_256_LEN SHAKE_256_LEN .

Syntax

__property String CertHashAlgorithm = { read=FCertHashAlgorithm, write=FSetCertHashAlgorithm };

Default Value

""

Remarks

Specifies the hash algorithm to be used in the operations on the certificate (such as key signing)

This property is not available at design time.

Data Type

String

CertIssuer Property (CertificateManager Component)

The common name of the certificate issuer (CA), typically a company name.

Syntax

__property String CertIssuer = { read=FCertIssuer };

Default Value

""

Remarks

The common name of the certificate issuer (CA), typically a company name.

This property is read-only and not available at design time.

Data Type

String

CertIssuerRDN Property (CertificateManager Component)

A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate issuer.

Syntax

__property String CertIssuerRDN = { read=FCertIssuerRDN, write=FSetCertIssuerRDN };

Default Value

""

Remarks

A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate issuer.

This property is not available at design time.

Data Type

String

CertKeyAlgorithm Property (CertificateManager Component)

Specifies the public key algorithm of this certificate.

Syntax

__property String CertKeyAlgorithm = { read=FCertKeyAlgorithm, write=FSetCertKeyAlgorithm };

Default Value

"0"

Remarks

Specifies the public key algorithm of this certificate.

This property is not available at design time.

Data Type

String

CertKeyBits Property (CertificateManager Component)

Returns the length of the public key.

Syntax

__property int CertKeyBits = { read=FCertKeyBits };

Default Value

0

Remarks

Returns the length of the public key.

This property is read-only and not available at design time.

Data Type

Integer

CertKeyFingerprint Property (CertificateManager Component)

Returns a fingerprint of the public key contained in the certificate.

Syntax

__property DynamicArray CertKeyFingerprint = { read=FCertKeyFingerprint };

Remarks

Returns a fingerprint of the public key contained in the certificate.

This property is read-only and not available at design time.

Data Type

Byte Array

CertKeyUsage Property (CertificateManager Component)

Indicates the purposes of the key contained in the certificate, in the form of an OR'ed flag set.

Syntax

__property int CertKeyUsage = { read=FCertKeyUsage, write=FSetCertKeyUsage };

Default Value

0

Remarks

Indicates the purposes of the key contained in the certificate, in the form of an OR'ed flag set.

This value is a bit mask of the following values:

This property is not available at design time.

Data Type

Integer

CertKeyValid Property (CertificateManager Component)

Returns True if the certificate's key is cryptographically valid, and False otherwise.

Syntax

__property bool CertKeyValid = { read=FCertKeyValid };

Default Value

false

Remarks

Returns True if the certificate's key is cryptographically valid, and False otherwise.

This property is read-only and not available at design time.

Data Type

Boolean

CertOCSPLocations Property (CertificateManager Component)

Locations of OCSP (Online Certificate Status Protocol) services that can be used to check this certificate's validity, as recorded by the CA.

Syntax

__property String CertOCSPLocations = { read=FCertOCSPLocations, write=FSetCertOCSPLocations };

Default Value

""

Remarks

Locations of OCSP (Online Certificate Status Protocol) services that can be used to check this certificate's validity, as recorded by the CA.

This property is not available at design time.

Data Type

String

CertOCSPNoCheck Property (CertificateManager Component)

Accessor to the value of the certificate's ocsp-no-check extension.

Syntax

__property bool CertOCSPNoCheck = { read=FCertOCSPNoCheck, write=FSetCertOCSPNoCheck };

Default Value

false

Remarks

Accessor to the value of the certificate's ocsp-no-check extension.

This property is not available at design time.

Data Type

Boolean

CertOrigin Property (CertificateManager Component)

Returns the origin of this certificate.

Syntax

__property int CertOrigin = { read=FCertOrigin };

Default Value

0

Remarks

Returns the origin of this certificate.

This property is read-only and not available at design time.

Data Type

Integer

CertPolicyIDs Property (CertificateManager Component)

Contains identifiers (OIDs) of the applicable certificate policies.

Syntax

__property String CertPolicyIDs = { read=FCertPolicyIDs, write=FSetCertPolicyIDs };

Default Value

""

Remarks

Contains identifiers (OIDs) of the applicable certificate policies.

The Certificate Policies extension identifies a sequence of policies under which the certificate has been issued, and which regulate its usage.

This property is not available at design time.

Data Type

String

CertPrivateKeyBytes Property (CertificateManager Component)

Contains the certificate's private key.

Syntax

__property DynamicArray CertPrivateKeyBytes = { read=FCertPrivateKeyBytes };

Remarks

Contains the certificate's private key. It is normal for this property to be empty if the private key is non-exportable.

This property is read-only and not available at design time.

Data Type

Byte Array

CertPrivateKeyExists Property (CertificateManager Component)

Indicates whether the certificate has an associated private key.

Syntax

__property bool CertPrivateKeyExists = { read=FCertPrivateKeyExists };

Default Value

false

Remarks

Indicates whether the certificate has an associated private key.

This property is read-only and not available at design time.

Data Type

Boolean

CertPrivateKeyExtractable Property (CertificateManager Component)

Indicates whether the private key is extractable.

Syntax

__property bool CertPrivateKeyExtractable = { read=FCertPrivateKeyExtractable };

Default Value

false

Remarks

Indicates whether the private key is extractable.

This property is read-only and not available at design time.

Data Type

Boolean

CertPublicKeyBytes Property (CertificateManager Component)

Contains the certificate's public key in DER format.

Syntax

__property DynamicArray CertPublicKeyBytes = { read=FCertPublicKeyBytes };

Remarks

Contains the certificate's public key in DER format.

This property is read-only and not available at design time.

Data Type

Byte Array

CertQualifiedStatements Property (CertificateManager Component)

Returns the qualified status of the certificate.

Syntax

__property TsbxCertificateManagerCertQualifiedStatements CertQualifiedStatements = { read=FCertQualifiedStatements, write=FSetCertQualifiedStatements };

enum TsbxCertificateManagerCertQualifiedStatements {
  qstNonQualified=0,
  qstQualifiedHardware=1,
  qstQualifiedSoftware=2
};

Default Value

qstNonQualified

Remarks

Returns the qualified status of the certificate.

This property is not available at design time.

Data Type

Integer

CertSelfSigned Property (CertificateManager Component)

Indicates whether the certificate is self-signed (root) or signed by an external CA.

Syntax

__property bool CertSelfSigned = { read=FCertSelfSigned };

Default Value

false

Remarks

Indicates whether the certificate is self-signed (root) or signed by an external CA.

This property is read-only and not available at design time.

Data Type

Boolean

CertSerialNumber Property (CertificateManager Component)

Returns the certificate's serial number.

Syntax

__property DynamicArray CertSerialNumber = { read=FCertSerialNumber, write=FSetCertSerialNumber };

Remarks

Returns the certificate's serial number.

This property is not available at design time.

Data Type

Byte Array

CertSigAlgorithm Property (CertificateManager Component)

Indicates the algorithm that was used by the CA to sign this certificate.

Syntax

__property String CertSigAlgorithm = { read=FCertSigAlgorithm };

Default Value

""

Remarks

Indicates the algorithm that was used by the CA to sign this certificate.

This property is read-only and not available at design time.

Data Type

String

CertSubject Property (CertificateManager Component)

The common name of the certificate holder, typically an individual's name, a URL, an e-mail address, or a company name.

Syntax

__property String CertSubject = { read=FCertSubject };

Default Value

""

Remarks

The common name of the certificate holder, typically an individual's name, a URL, an e-mail address, or a company name.

This property is read-only and not available at design time.

Data Type

String

CertSubjectAlternativeName Property (CertificateManager Component)

Returns or sets the value of the Subject Alternative Name extension of the certificate.

Syntax

__property String CertSubjectAlternativeName = { read=FCertSubjectAlternativeName, write=FSetCertSubjectAlternativeName };

Default Value

""

Remarks

Returns or sets the value of the Subject Alternative Name extension of the certificate.

This property is not available at design time.

Data Type

String

CertSubjectKeyID Property (CertificateManager Component)

Contains a unique identifier (fingerprint) of the certificate's private key.

Syntax

__property DynamicArray CertSubjectKeyID = { read=FCertSubjectKeyID, write=FSetCertSubjectKeyID };

Remarks

Contains a unique identifier (fingerprint) of the certificate's private key.

Subject Key Identifier is a (non-critical) X.509 certificate extension which allows the identification of certificates containing a particular public key. In SecureBlackbox, the unique identifier is represented with a SHA1 hash of the bit string of the subject public key.

This property is not available at design time.

Data Type

Byte Array

CertSubjectRDN Property (CertificateManager Component)

A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate holder (subject).

Syntax

__property String CertSubjectRDN = { read=FCertSubjectRDN, write=FSetCertSubjectRDN };

Default Value

""

Remarks

A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate holder (subject).

This property is not available at design time.

Data Type

String

CertValidFrom Property (CertificateManager Component)

The time point at which the certificate becomes valid, in UTC.

Syntax

__property String CertValidFrom = { read=FCertValidFrom, write=FSetCertValidFrom };

Default Value

""

Remarks

The time point at which the certificate becomes valid, in UTC.

This property is not available at design time.

Data Type

String

CertValidTo Property (CertificateManager Component)

The time point at which the certificate expires, in UTC.

Syntax

__property String CertValidTo = { read=FCertValidTo, write=FSetCertValidTo };

Default Value

""

Remarks

The time point at which the certificate expires, in UTC.

This property is not available at design time.

Data Type

String

CertRequestBytes Property (CertificateManager Component)

Provides access to raw certificate request data in DER format.

Syntax

__property DynamicArray CertRequestBytes = { read=FCertRequestBytes };

Remarks

Provides access to raw certificate request data in DER format.

This property is read-only and not available at design time.

Data Type

Byte Array

CertRequestCurve Property (CertificateManager Component)

Specifies the elliptic curve of the EC public key.

Syntax

__property String CertRequestCurve = { read=FCertRequestCurve, write=FSetCertRequestCurve };

Default Value

""

Remarks

Specifies the elliptic curve of the EC public key.

This property is not available at design time.

Data Type

String

CertRequestHandle Property (CertificateManager Component)

Allows to get or set a 'handle', a unique identifier of the underlying property object.

Syntax

__property __int64 CertRequestHandle = { read=FCertRequestHandle, write=FSetCertRequestHandle };

Default Value

0

Remarks

Allows to get or set a 'handle', a unique identifier of the underlying property object. Use this property to assign objects of the same type in a quicker manner, without copying them fieldwise.

When you pass a handle of one object to another, the source object is copied to the destination rather than assigned. It is safe to get rid of the original object after such operation. pdfSigner.setSigningCertHandle(certMgr.getCertHandle());

This property is not available at design time.

Data Type

Long64

CertRequestHashAlgorithm Property (CertificateManager Component)

Specifies the hash algorithm to be used in the operations on the certificate request (such as signing).

Syntax

__property String CertRequestHashAlgorithm = { read=FCertRequestHashAlgorithm, write=FSetCertRequestHashAlgorithm };

Default Value

""

Remarks

Specifies the hash algorithm to be used in the operations on the certificate request (such as signing).

This property is not available at design time.

Data Type

String

CertRequestKeyAlgorithm Property (CertificateManager Component)

Specifies the public key algorithm of this certificate request.

Syntax

__property String CertRequestKeyAlgorithm = { read=FCertRequestKeyAlgorithm, write=FSetCertRequestKeyAlgorithm };

Default Value

""

Remarks

Specifies the public key algorithm of this certificate request.

This property is not available at design time.

Data Type

String

CertRequestKeyBits Property (CertificateManager Component)

Returns the length of the public key.

Syntax

__property int CertRequestKeyBits = { read=FCertRequestKeyBits };

Default Value

0

Remarks

Returns the length of the public key.

This property is read-only and not available at design time.

Data Type

Integer

CertRequestKeyUsage Property (CertificateManager Component)

Indicates the purposes of the key contained in the certificate request, in the form of an OR'ed flag set.

Syntax

__property int CertRequestKeyUsage = { read=FCertRequestKeyUsage, write=FSetCertRequestKeyUsage };

Default Value

0

Remarks

Indicates the purposes of the key contained in the certificate request, in the form of an OR'ed flag set.

This value is a bit mask of the following values:

This property is not available at design time.

Data Type

Integer

CertRequestKeyValid Property (CertificateManager Component)

Returns True if the certificate's key is cryptographically valid, and False otherwise.

Syntax

__property bool CertRequestKeyValid = { read=FCertRequestKeyValid };

Default Value

false

Remarks

Returns True if the certificate's key is cryptographically valid, and False otherwise.

This property is read-only and not available at design time.

Data Type

Boolean

CertRequestPrivateKeyBytes Property (CertificateManager Component)

Contains the certificate's private key.

Syntax

__property DynamicArray CertRequestPrivateKeyBytes = { read=FCertRequestPrivateKeyBytes };

Remarks

Contains the certificate's private key. It is normal for this property to be empty if the private key is non-exportable.

This property is read-only and not available at design time.

Data Type

Byte Array

CertRequestPublicKeyBytes Property (CertificateManager Component)

Contains the public key incorporated in the request, in DER format.

Syntax

__property DynamicArray CertRequestPublicKeyBytes = { read=FCertRequestPublicKeyBytes };

Remarks

Contains the public key incorporated in the request, in DER format.

This property is read-only and not available at design time.

Data Type

Byte Array

CertRequestSigAlgorithm Property (CertificateManager Component)

Indicates the algorithm that was used by the requestor to sign this certificate request.

Syntax

__property String CertRequestSigAlgorithm = { read=FCertRequestSigAlgorithm };

Default Value

""

Remarks

Indicates the algorithm that was used by the requestor to sign this certificate request.

This property is read-only and not available at design time.

Data Type

String

CertRequestSubject Property (CertificateManager Component)

The common name of the certificate holder, typically an individual's name, a URL, an e-mail address, or a company name.

Syntax

__property String CertRequestSubject = { read=FCertRequestSubject };

Default Value

""

Remarks

The common name of the certificate holder, typically an individual's name, a URL, an e-mail address, or a company name.

This property is read-only and not available at design time.

Data Type

String

CertRequestSubjectRDN Property (CertificateManager Component)

A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate holder (subject).

Syntax

__property String CertRequestSubjectRDN = { read=FCertRequestSubjectRDN, write=FSetCertRequestSubjectRDN };

Default Value

""

Remarks

A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate holder (subject).

This property is not available at design time.

Data Type

String

CertRequestValid Property (CertificateManager Component)

Indicates whether or not the signature on the request is valid and matches the public key contained in the request.

Syntax

__property bool CertRequestValid = { read=FCertRequestValid };

Default Value

false

Remarks

Indicates whether or not the signature on the request is valid and matches the public key contained in the request.

This property is read-only and not available at design time.

Data Type

Boolean

ExternalCryptoAsyncDocumentID Property (CertificateManager Component)

Specifies an optional document ID for SignAsyncBegin() and SignAsyncEnd() calls.

Syntax

__property String ExternalCryptoAsyncDocumentID = { read=FExternalCryptoAsyncDocumentID, write=FSetExternalCryptoAsyncDocumentID };

Default Value

""

Remarks

Specifies an optional document ID for SignAsyncBegin() and SignAsyncEnd() calls.

Use this property when working with multi-signature DCAuth requests and responses to uniquely identify documents signed within a larger batch. On the completion stage, this value helps the signing component identify the correct signature in the returned batch of responses.

If using batched requests, make sure to set this property to the same value on both the pre-signing (SignAsyncBegin) and completion (SignAsyncEnd) stages.

Data Type

String

ExternalCryptoCustomParams Property (CertificateManager Component)

Custom parameters to be passed to the signing service (uninterpreted).

Syntax

__property String ExternalCryptoCustomParams = { read=FExternalCryptoCustomParams, write=FSetExternalCryptoCustomParams };

Default Value

""

Remarks

Custom parameters to be passed to the signing service (uninterpreted).

This property is not available at design time.

Data Type

String

ExternalCryptoData Property (CertificateManager Component)

Additional data to be included in the async state and mirrored back by the requestor.

Syntax

__property String ExternalCryptoData = { read=FExternalCryptoData, write=FSetExternalCryptoData };

Default Value

""

Remarks

Additional data to be included in the async state and mirrored back by the requestor.

This property is not available at design time.

Data Type

String

ExternalCryptoExternalHashCalculation Property (CertificateManager Component)

Specifies whether the message hash is to be calculated at the external endpoint.

Syntax

__property bool ExternalCryptoExternalHashCalculation = { read=FExternalCryptoExternalHashCalculation, write=FSetExternalCryptoExternalHashCalculation };

Default Value

false

Remarks

Specifies whether the message hash is to be calculated at the external endpoint. Please note that this mode is not supported by the DCAuth component.

If set to true, the component will pass a few kilobytes of to-be-signed data from the document to the OnExternalSign event. This only applies when SignExternal() is called.

Data Type

Boolean

ExternalCryptoHashAlgorithm Property (CertificateManager Component)

Specifies the request's signature hash algorithm.

Syntax

__property String ExternalCryptoHashAlgorithm = { read=FExternalCryptoHashAlgorithm, write=FSetExternalCryptoHashAlgorithm };

Default Value

"SHA256"

Remarks

Specifies the request's signature hash algorithm.

Data Type

String

ExternalCryptoKeyID Property (CertificateManager Component)

The ID of the pre-shared key used for DC request authentication.

Syntax

__property String ExternalCryptoKeyID = { read=FExternalCryptoKeyID, write=FSetExternalCryptoKeyID };

Default Value

""

Remarks

The ID of the pre-shared key used for DC request authentication.

Asynchronous DCAuth-driven communication requires that parties authenticate each other with a secret pre-shared cryptographic key. This provides an extra protection layer for the protocol and diminishes the risk of the private key becoming abused by foreign parties. Use this property to provide the pre-shared key identifier, and use ExternalCryptoKeySecret to pass the key itself.

The same KeyID/KeySecret pair should be used on the DCAuth side for the signing requests to be accepted.

Note: The KeyID/KeySecret scheme is very similar to the AuthKey scheme used in various Cloud service providers to authenticate users.

Example: signer.ExternalCrypto.KeyID = "MainSigningKey"; signer.ExternalCrypto.KeySecret = "abcdef0123456789";

Data Type

String

ExternalCryptoKeySecret Property (CertificateManager Component)

The pre-shared key used for DC request authentication.

Syntax

__property String ExternalCryptoKeySecret = { read=FExternalCryptoKeySecret, write=FSetExternalCryptoKeySecret };

Default Value

""

Remarks

The pre-shared key used for DC request authentication. This key must be set and match the key used by the DCAuth counterpart for the scheme to work.

Read more about configuring authentication in the ExternalCryptoKeyID topic.

Data Type

String

ExternalCryptoMethod Property (CertificateManager Component)

Specifies the asynchronous signing method.

Syntax

__property TsbxCertificateManagerExternalCryptoMethods ExternalCryptoMethod = { read=FExternalCryptoMethod, write=FSetExternalCryptoMethod };

enum TsbxCertificateManagerExternalCryptoMethods {
  asmdPKCS1=0,
  asmdPKCS7=1
};

Default Value

asmdPKCS1

Remarks

Specifies the asynchronous signing method. This is typically defined by the DC server capabilities and setup.

Available options:

Data Type

Integer

ExternalCryptoMode Property (CertificateManager Component)

Specifies the external cryptography mode.

Syntax

__property TsbxCertificateManagerExternalCryptoModes ExternalCryptoMode = { read=FExternalCryptoMode, write=FSetExternalCryptoMode };

enum TsbxCertificateManagerExternalCryptoModes {
  ecmDefault=0,
  ecmDisabled=1,
  ecmGeneric=2,
  ecmDCAuth=3,
  ecmDCAuthJSON=4
};

Default Value

ecmDefault

Remarks

Specifies the external cryptography mode.

Available options:

This property is not available at design time.

Data Type

Integer

ExternalCryptoPublicKeyAlgorithm Property (CertificateManager Component)

Provide the public key algorithm here if the certificate is not available on the pre-signing stage.

Syntax

__property String ExternalCryptoPublicKeyAlgorithm = { read=FExternalCryptoPublicKeyAlgorithm, write=FSetExternalCryptoPublicKeyAlgorithm };

Default Value

""

Remarks

Provide the public key algorithm here if the certificate is not available on the pre-signing stage.

Data Type

String

FIPSMode Property (CertificateManager Component)

Reserved.

Syntax

__property bool FIPSMode = { read=FFIPSMode, write=FSetFIPSMode };

Default Value

false

Remarks

This property is reserved for future use.

Data Type

Boolean

Config Method (CertificateManager Component)

Sets or retrieves a configuration setting.

Syntax

String __fastcall Config(String ConfigurationString);

Remarks

Config is a generic method available in every component. It is used to set and retrieve configuration settings for the component.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

DoAction Method (CertificateManager Component)

Performs an additional action.

Syntax

String __fastcall DoAction(String ActionID, String ActionParams);

Remarks

DoAction is a generic method available in every component. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.

The unique identifier (case insensitive) of the action is provided in the ActionID parameter.

ActionParams contains the value of a single parameter, or a list of multiple parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....

Download Method (CertificateManager Component)

Downloads a certificate from a remote location.

Syntax

void __fastcall Download(String URL);

Remarks

URL specifies the remote location where the certificate should be downloaded from.

ExportCert Method (CertificateManager Component)

Exports the certificate in the chosen format.

Syntax

DynamicArray<Byte> __fastcall ExportCert(String Password, int Format, bool ExportKey);

Remarks

Use this method to save the certificate in one of the formats defined below.

ExportKey specifies whether to export the private key together with the certificate. Pass the encryption password via the Password parameter if needed.

Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.

ExportCSR Method (CertificateManager Component)

Exports a Certificate Signing Request (CSR).

Syntax

DynamicArray<Byte> __fastcall ExportCSR(int Format);

Remarks

Use this method to save a certification request according to PKCS#10 specification.

Supported certificate request format values:

ExportKey Method (CertificateManager Component)

Exports the certificate's private key.

Syntax

DynamicArray<Byte> __fastcall ExportKey(String Password, int Format);

Remarks

Use this method to save the certificate private key in one of the formats given below. Pass the encryption password via the Password parameter.

Supported certificate key format values:

ExportKeyToFile Method (CertificateManager Component)

Exports the private key to a file in the chosen format.

Syntax

void __fastcall ExportKeyToFile(String KeyFile, String Password, int Format);

Remarks

Use this method to save the certificate key in one of the formats given below. Pass the encryption password via the Password parameter.

Supported certificate key format values:

ExportToFile Method (CertificateManager Component)

Exports the certificate to a file.

Syntax

void __fastcall ExportToFile(String CertFile, String Password, int Format, bool ExportKey);

Remarks

Use this method to save the certificate to a file in one of the formats given below. Pass the encryption password via the Password parameter. Set ExportKey to true to save the private key together with the certificate.

Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.

Generate Method (CertificateManager Component)

Generates a new certificate.

Syntax

void __fastcall Generate(int KeyBits);

Remarks

Call this method to generate a new certificate based on the information provided via Certificate, CACertificate, and CertificateRequest parameters as given below:

If neither CACertificate nor CertificateRequest are set, a self-signed certificate will be generated based on the information set up in Certificate object.

If CACertificate is provided but CertificateRequest is not, a certificate signed by the CA certificate will be generated based on the information configured in the Certificate object.

If both CACertificate and CertificateRequest are set, a certificate based on the certificate request and signed by the CA certificate will be generated. The private key contained in the certificate request will be used.

KeyBits specifies the number of bits in the key to be generated. Note that this property is ignored in the case of request-based generation.

GenerateAsyncBegin Method (CertificateManager Component)

Initiates asynchronous (DC) certificate generation.

Syntax

String __fastcall GenerateAsyncBegin(int KeyBits);

Remarks

Call this method to initiate an asynchronous certificate generation process. Pass the obtained async state to the DC server for signing. To finalize the generation, pass the async state received from the DC server to GenerateAsyncEnd.

AsyncState is a message of the distributed cryptography (DC) protocol. The DC protocol is based on the exchange of async states between a DC client (an application that wants to sign a PDF, XML, or Office document) and a DC server (an application that controls access to the private key). An async state can carry one or more signing requests, comprised of document hashes, or one or more signatures produced over those hashes.

In a typical scenario you get a client-side async state from the SignAsyncBegin method. This state contains document hashes to be signed on the DC server side. You then send the async state to the DC server (often represented by the DCAuth component), which processes it and produces a matching signature state. The async state produced by the server is then passed to the SignAsyncEnd method.

GenerateAsyncEnd Method (CertificateManager Component)

Completes asynchronous certificate generation.

Syntax

void __fastcall GenerateAsyncEnd(String AsyncReply);

Remarks

Call this method to finalize the asynchronous generation process and pass the async state received from DC server via AsyncReply parameter.

AsyncState is a message of the distributed cryptography (DC) protocol. The DC protocol is based on the exchange of async states between a DC client (an application that wants to sign a PDF, XML, or Office document) and a DC server (an application that controls access to the private key). An async state can carry one or more signing requests, comprised of document hashes, or one or more signatures produced over those hashes.

In a typical scenario you get a client-side async state from the SignAsyncBegin method. This state contains document hashes to be signed on the DC server side. You then send the async state to the DC server (often represented by the DCAuth component), which processes it and produces a matching signature state. The async state produced by the server is then passed to the SignAsyncEnd method.

GenerateCSR Method (CertificateManager Component)

Creates a new certificate signing request (CSR).

Syntax

void __fastcall GenerateCSR(int KeyBits);

Remarks

Call this method to generate a new certificate request with the specified parameters. The newly generated CSR is saved in CertificateRequest property. Use ExportCSR and ExportKey to serialize the generated objects.

GenerateExternal Method (CertificateManager Component)

Generates a new certificate or request with an external signing device.

Syntax

void __fastcall GenerateExternal(bool CSR, DynamicArray<Byte> KeyBytes, String KeyPassword);

Remarks

Call this method to generate a new certificate based on the information provided via Certificate, CACertificate, and CertificateRequest parameters as given below:

If CACertificate is provided but CertificateRequest is not, a certificate signed by the CA certificate will be generated based on the information configured in the Certificate object.

If both CACertificate and CertificateRequest are set, a certificate based on the certificate request and signed by the CA certificate will be generated. The private key contained in the certificate request will be used.

If neither CACertificate nor CertificateRequest are set, an exception will be thrown: only CA-issued certificates can be generated remotely.

KeyBits specifies the number of bits in the key to be generated. Note that this property is ignored in the case of request-based generation.

GetExtensionData Method (CertificateManager Component)

Returns extension data.

Syntax

DynamicArray<Byte> __fastcall GetExtensionData(String OID);

Remarks

Use this method to retrieve extension data in ASN.1 encoded format. Use GetExtensionState to check the availability of the extension and establish its critical attribute.

GetExtensionState Method (CertificateManager Component)

Returns certificate extension state.

Syntax

int __fastcall GetExtensionState(String OID);

Remarks

Use this method to find out whether the extension is included in the certificate/CRL and check its critical attribute.

GetSampleCert Method (CertificateManager Component)

Generates a sample certificate for the specified purpose.

Syntax

void __fastcall GetSampleCert(String Purpose, String Subject);

Remarks

This method generates a sample self-signed certificate for the specified purpose. Use it as a quick method to get a working certificate to evaluate or test a piece of functionality that relies on certificates. The certificate will use pre-defined settings for most of its fields; use Generate method to generate bespoke real-world certificates. Purpose specifies the intended use of certificate:

• "generic": a generic certificate with no specific purpose
• "tls": a TLS server certificate
• "tls-client": a client-side TLS certificate
• "email": a secure e-mail (S/MIME) certificate

Subject specifies the common name to include in the certificate (e.g. "*.domain.com")

ImportCert Method (CertificateManager Component)

Imports a certificate.

Syntax

void __fastcall ImportCert(DynamicArray<Byte> CertBytes, String Password);

Remarks

Use this method to load a certificate from a byte array. Provide the password via the Password parameter. The Password parameter is optional. If it is omitted and it is later discovered that the key is password-encrypted, the PasswordNeeded event will be fired to request it. This method supports certificates in DER, PEM, PFX, and SPC formats.

ImportFromFile Method (CertificateManager Component)

Loads a certificate from a file.

Syntax

void __fastcall ImportFromFile(String Path, String Password);

Remarks

This method can load certificates saved in one of the following formats: DER, PEM, PFX, SPC.

Use the Path parameter to provide a path to the certificate, and Password to specify the password. The Password parameter is optional. If it is omitted and it is later discovered that the certificate is password-encrypted, the PasswordNeeded event will be fired to request it.

ImportFromObject Method (CertificateManager Component)

Imports a certificate from a platform object.

Syntax

void __fastcall ImportFromObject(__int64 SrcObj);

Remarks

Use this method to import a certificate from a native platform object, such as X509Certificate2. Depending on the platform, the ObjHandle parameter can be one of the following:

• .NET: X509Certificate2
• Java: X509Certificate
• Windows-based platforms: PCCERT_CONTEXT

ImportKey Method (CertificateManager Component)

Imports a private key.

Syntax

void __fastcall ImportKey(DynamicArray<Byte> Key, String Password);

Remarks

Use this method to load a private key from a byte array. Provide the encryption password via the Password parameter. The Password parameter is optional. If it is omitted and it is later discovered that the key is password-encrypted, the PasswordNeeded event will be fired to request it. If there is an initialized certificate or certificate request object inside the manager, the loaded key gets associated with that object. This method supports keys in DER, PEM, PKCS#8, and PVK formats.

ImportKeyFromFile Method (CertificateManager Component)

Imports a private key from a file.

Syntax

void __fastcall ImportKeyFromFile(String Path, String Password);

Remarks

Use this method to load a private key from a file. Provide the encryption password via the Password parameter. The Password parameter is optional. If it is omitted and it is later discovered that the key is password-encrypted, the PasswordNeeded event will be fired to request it. If there is an initialized certificate or certificate request object inside the manager, the loaded key gets associated with that object. This method supports keys in DER, PEM, PKCS#8, and PVK formats.

ListExtensions Method (CertificateManager Component)

List extensions currently available in the certificate or CRL.

Syntax

String __fastcall ListExtensions();

Remarks

Use this method to list the extensions included in the certificate or CRL. The method returns a list of OIDs separated by newline characters.

SetExtensionData Method (CertificateManager Component)

Sets extension data.

Syntax

void __fastcall SetExtensionData(String OID, DynamicArray<Byte> Value);

Remarks

Use this method to set extension data in encoded ASN.1 format. Use SetExtensionState to enable the extension or change its critical attribute.

SetExtensionState Method (CertificateManager Component)

Sets certificate extension state.

Syntax

void __fastcall SetExtensionState(String OID, int State);

Remarks

Use this method to enable or disable the extension and set its critical attribute.

Update Method (CertificateManager Component)

Renews the certificate.

Syntax

void __fastcall Update();

Remarks

This method renews a certificate by updating its validity period and re-signing the updated version.

Note that this operation expects both Certificate and CACertificate properties to be set.

Validate Method (CertificateManager Component)

Validates the certificate.

Syntax

int __fastcall Validate();

Remarks

Use this method to validate the certificate contained in Certificate. If the certificate being validated is not self-signed, please provide the CA certificate via CACertificate property.

Error Event (CertificateManager Component)

Information about errors during certificate loading, saving or validation.

Syntax

typedef struct {
  int ErrorCode;
  String Description;
} TsbxCertificateManagerErrorEventParams;
typedef void __fastcall (__closure *TsbxCertificateManagerErrorEvent)(System::TObject* Sender, TsbxCertificateManagerErrorEventParams *e);
__property TsbxCertificateManagerErrorEvent OnError = { read=FOnError, write=FOnError };

Remarks

Reports exceptional conditions during certificate loading, exporting, or validation.

ErrorCode contains an error code and Description contains a textual description of the error.

ExternalSign Event (CertificateManager Component)

Handles remote or external signing initiated by the SignExternal method or other source.

Syntax

typedef struct {
  String OperationId;
  String HashAlgorithm;
  String Pars;
  String Data;
  String SignedData;
} TsbxCertificateManagerExternalSignEventParams;
typedef void __fastcall (__closure *TsbxCertificateManagerExternalSignEvent)(System::TObject* Sender, TsbxCertificateManagerExternalSignEventParams *e);
__property TsbxCertificateManagerExternalSignEvent OnExternalSign = { read=FOnExternalSign, write=FOnExternalSign };

Remarks

Assign a handler to this event if you need to delegate a low-level signing operation to an external, remote, or custom signing engine. Depending on the settings, the handler will receive a hashed or unhashed value to be signed.

The event handler must pass the value of Data to the signer, obtain the signature, and pass it back to the component via the SignedData parameter.

OperationId provides a comment about the operation and its origin. It depends on the exact component being used, and may be empty. HashAlgorithm specifies the hash algorithm being used for the operation, and Pars contains algorithm-dependent parameters.

The component uses base16 (hex) encoding for the Data, SignedData, and Pars parameters. If your signing engine uses a different input and output encoding, you may need to decode and/or encode the data before and/or after the signing.

A sample MD5 hash encoded in base16: a0dee2a0382afbb09120ffa7ccd8a152 - lower case base16 A0DEE2A0382AFBB09120FFA7CCD8A152 - upper case base16

A sample event handler that uses the .NET RSACryptoServiceProvider class may look like the following: signer.OnExternalSign += (s, e) => { var cert = new X509Certificate2("cert.pfx", "", X509KeyStorageFlags.Exportable); var key = (RSACryptoServiceProvider)cert.PrivateKey; var dataToSign = e.Data.FromBase16String(); var signedData = key.SignHash(dataToSign, "2.16.840.1.101.3.4.2.1"); e.SignedData = signedData.ToBase16String(); };

Notification Event (CertificateManager Component)

This event notifies the application about an underlying control flow event.

Syntax

typedef struct {
  String EventID;
  String EventParam;
} TsbxCertificateManagerNotificationEventParams;
typedef void __fastcall (__closure *TsbxCertificateManagerNotificationEvent)(System::TObject* Sender, TsbxCertificateManagerNotificationEventParams *e);
__property TsbxCertificateManagerNotificationEvent OnNotification = { read=FOnNotification, write=FOnNotification };

Remarks

The component fires this event to let the application know about some event, occurrence, or milestone in the component. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.

The unique identifier of the event is provided in the EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the component, the exact action it is performing, or the document being processed, one or both may be omitted.

PasswordNeeded Event (CertificateManager Component)

This event is fired when a decryption password is needed.

Syntax

typedef struct {
  String Password;
  bool Cancel;
} TsbxCertificateManagerPasswordNeededEventParams;
typedef void __fastcall (__closure *TsbxCertificateManagerPasswordNeededEvent)(System::TObject* Sender, TsbxCertificateManagerPasswordNeededEventParams *e);
__property TsbxCertificateManagerPasswordNeededEvent OnPasswordNeeded = { read=FOnPasswordNeeded, write=FOnPasswordNeeded };

Remarks

The component fires this event when a password is needed to decrypt a certificate or a private key.

In the handler of this event, assign the password to the Password parameter, or set Cancel to true to abort the operation.

Config Settings (CertificateManager Component)

The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

CertificateManager Config Settings

Base Config Settings

Trappable Errors (CertificateManager Component)

CertificateManager Errors

	1048577   Invalid parameter value (SB_ERROR_INVALID_PARAMETER)
	1048578   Component is configured incorrectly (SB_ERROR_INVALID_SETUP)
	1048579   Operation cannot be executed in the current state (SB_ERROR_INVALID_STATE)
	1048580   Attempt to set an invalid value to a property (SB_ERROR_INVALID_VALUE)
	1048581   Certificate does not have its private key loaded (SB_ERROR_NO_PRIVATE_KEY)
	1048581   Cancelled by the user (SB_ERROR_CANCELLED_BY_USER)