CertificateManager Component

Properties   Methods   Events   Config Settings   Errors  

The CertificateManager component supports importing, exporting, and generating X.509 certificates.

Syntax

TsbxCertificateManager

Remarks

Usage of this component includes importing and exporting certificates and keys in various formats, as well as certificate generation.

Loading certificates

In vast majority of SecureBlackbox-powered projects, this component is used to import certificates from files or memory objects for further use in other components, like PDFSigner.

To load a certificate from a file, use the ImportFromFile method. This method supports all existing certificate formats, including PFX, PEM, DER, and P7B. Note that keys contained in PFX and PEM certificates are often encrypted with a password, so you will likely need to provide one for the certificate to be loaded correctly. You can either provide the password via the method's parameter, or provide it on-demand by subscribing to the PasswordNeeded event.

Alternatively, you can use ImportCert to load a certificate from a different type of media, such as a database.

If your certificate and its private key are stored in separate files or buffers - which is often the case where PEM or DER format is used - please load the certificate with the ImportFromFile method first, and then add the key to it with a separate call to the ImportKeyFromFile method. You can mix and match the certificate and key formats in this case; CertificateManager will handle this automatically.

Note that CertificateManager can only keep one certificate at a time. If your PFX or PEM file contains more than one certificate, use CertificateStorage component to load it instead.

Generating certificates

You can use CertificateManager to generate your own certificates. To generate a certificate, please follow the below steps:

• set all the needed certificate properties - for example, its subject, serial number, and validity period - via the Certificate property.
• load the CA certificate to a different CertificateManager object, and assign it to the CACertificate property. Note that the CA certificate should have an associated private key. Alternatively, the CA certificate can be loaded using a CertificateStorage object, which allows to import it from a hardware device or a system store.

  Note: you do not need to load and set the CA certificate if generating a self-signed certificate.

• Call Generate to generate a new keypair and wrap it into a certificate.
• Save the certificate using ExportToFile or ExportCert methods.

  Note: take care to choose a format that supports storing private keys. If you do not save the new private key at this stage, you won't be able to recover it later.

  Note: you can save the private key separately using the ExportKey method.

Note: you can use the GetSampleCert shortcut to generate a simple certificate for test or debug purposes.

Generating certificate requests

Apart from certificates, CertificateManager can generate certificate requests (PKCS10). The procedure is the same as when generating certificates. The only difference is that you need to use CertificateRequest object to set up the certificate request parameters, and GenerateCSR method to generate the request. You can then save the resulting request to a file using the ExportCSR method.

Property List

---

The following is the full list of the properties of the component with short descriptions. Click on the links for further details.

Method List

---

The following is the full list of the methods of the component with short descriptions. Click on the links for further details.

Event List

---

The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.

Config Settings

---

The following is a list of config settings for the component with short descriptions. Click on the links for further details.

CACertificate Property (CertificateManager Component)

A container for the CA certificate.

Syntax

property CACertificate: TsbxCertificate read get_CACertificate write set_CACertificate;

Remarks

Use this property to supply the CA certificate when needed.

You need to assign a valid CA certificate when generating a new certificate (including renewals), and when validating existing certificates. In the former case the assigned CA certificate should include the private key.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

Certificate Property (CertificateManager Component)

A container for the certificate object.

Syntax

property Certificate: TsbxCertificate read get_Certificate write set_Certificate;

Remarks

Use this property to set or access the properties of the certificate object on which the action is to be performed.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

CertificateRequest Property (CertificateManager Component)

A container for the certificate request object.

Syntax

property CertificateRequest: TsbxCertificateRequest read get_CertificateRequest write set_CertificateRequest;

Remarks

Use this property to set or access the properties of the certificate object on which the action is to be performed.

This property is not available at design time.

Please refer to the CertificateRequest type for a complete list of fields.

ExternalCrypto Property (CertificateManager Component)

Provides access to external signing and DC parameters.

Syntax

property ExternalCrypto: TsbxExternalCrypto read get_ExternalCrypto;

Remarks

Use this property to tune-up remote cryptography settings. SecureBlackbox supports two independent types of external cryptography: synchronous (based on the ExternalSign event) and asynchronous (based on the DC protocol and the DCAuth signing component).

This property is read-only.

Please refer to the ExternalCrypto type for a complete list of fields.

FIPSMode Property (CertificateManager Component)

Reserved.

Syntax

property FIPSMode: Boolean read get_FIPSMode write set_FIPSMode;

Default Value

false

Remarks

This property is reserved for future use.

Config Method (CertificateManager Component)

Sets or retrieves a configuration setting.

Syntax

function Config(ConfigurationString: String): String;

Remarks

Config is a generic method available in every component. It is used to set and retrieve configuration settings for the component.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

DoAction Method (CertificateManager Component)

Performs an additional action.

Syntax

function DoAction(ActionID: String; ActionParams: String): String;

Remarks

DoAction is a generic method available in every component. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.

The unique identifier (case insensitive) of the action is provided in the ActionID parameter.

ActionParams contains the value of a single parameter, or a list of multiple parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....

Download Method (CertificateManager Component)

Downloads a certificate from a remote location.

Syntax

procedure Download(URL: String);

Remarks

URL specifies the remote location where the certificate should be downloaded from.

ExportCert Method (CertificateManager Component)

Exports the certificate in the chosen format.

Syntax

function ExportCert(Password: String; Format: Integer; ExportKey: Boolean): TBytes;

Remarks

Use this method to save the certificate in one of the formats defined below.

ExportKey specifies whether to export the private key together with the certificate. Pass the encryption password via the Password parameter if needed.

Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.

ExportCSR Method (CertificateManager Component)

Exports a Certificate Signing Request (CSR).

Syntax

function ExportCSR(Format: Integer): TBytes;

Remarks

Use this method to save a certification request according to PKCS#10 specification.

Supported certificate request format values:

ExportKey Method (CertificateManager Component)

Exports the certificate's private key.

Syntax

function ExportKey(Password: String; Format: Integer): TBytes;

Remarks

Use this method to save the certificate private key in one of the formats given below. Pass the encryption password via the Password parameter.

Supported certificate key format values:

ExportKeyToFile Method (CertificateManager Component)

Exports the private key to a file in the chosen format.

Syntax

procedure ExportKeyToFile(KeyFile: String; Password: String; Format: Integer);

Remarks

Use this method to save the certificate key in one of the formats given below. Pass the encryption password via the Password parameter.

Supported certificate key format values:

ExportKeyToStream Method (CertificateManager Component)

Saves the private key to a stream.

Syntax

procedure ExportKeyToStream(KeyStream: TStream; Password: String; Format: Integer);

Remarks

Use this method to export the private key to a stream in one of the formats given below. Pass the encryption password via the Password parameter.

Supported certificate key format values:

ExportToFile Method (CertificateManager Component)

Exports the certificate to a file.

Syntax

procedure ExportToFile(CertFile: String; Password: String; Format: Integer; ExportKey: Boolean);

Remarks

Use this method to save the certificate to a file in one of the formats given below. Pass the encryption password via the Password parameter. Set ExportKey to true to save the private key together with the certificate.

Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.

ExportToStream Method (CertificateManager Component)

Exports the certificate to a stream.

Syntax

procedure ExportToStream(CertStream: TStream; Password: String; Format: Integer; ExportKey: Boolean);

Remarks

Use this method to save the certificate to a stream in one of the formats given below. Pass the encryption password via the Password parameter. Set ExportKey to true to save the private key together with the certificate.

Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.

Generate Method (CertificateManager Component)

Generates a new certificate.

Syntax

procedure Generate(KeyBits: Integer);

Remarks

Call this method to generate a new certificate based on the information provided via Certificate, CACertificate, and CertificateRequest parameters as given below:

If neither CACertificate nor CertificateRequest are set, a self-signed certificate will be generated based on the information set up in Certificate object.

If CACertificate is provided but CertificateRequest is not, a certificate signed by the CA certificate will be generated based on the information configured in the Certificate object.

If both CACertificate and CertificateRequest are set, a certificate based on the certificate request and signed by the CA certificate will be generated. The private key contained in the certificate request will be used.

KeyBits specifies the number of bits in the key to be generated. Note that this property is ignored in the case of request-based generation.

GenerateAsyncBegin Method (CertificateManager Component)

Initiates asynchronous (DC) certificate generation.

Syntax

function GenerateAsyncBegin(KeyBits: Integer): String;

Remarks

Call this method to initiate an asynchronous certificate generation process. Pass the obtained async state to the DC server for signing. To finalize the generation, pass the async state received from the DC server to GenerateAsyncEnd.

AsyncState is a message of the distributed cryptography (DC) protocol. The DC protocol is based on the exchange of async states between a DC client (an application that wants to sign a PDF, XML, or Office document) and a DC server (an application that controls access to the private key). An async state can carry one or more signing requests, comprised of document hashes, or one or more signatures produced over those hashes.

In a typical scenario you get a client-side async state from the SignAsyncBegin method. This state contains document hashes to be signed on the DC server side. You then send the async state to the DC server (often represented by the DCAuth component), which processes it and produces a matching signature state. The async state produced by the server is then passed to the SignAsyncEnd method.

GenerateAsyncEnd Method (CertificateManager Component)

Completes asynchronous certificate generation.

Syntax

procedure GenerateAsyncEnd(AsyncReply: String);

Remarks

Call this method to finalize the asynchronous generation process and pass the async state received from DC server via AsyncReply parameter.

AsyncState is a message of the distributed cryptography (DC) protocol. The DC protocol is based on the exchange of async states between a DC client (an application that wants to sign a PDF, XML, or Office document) and a DC server (an application that controls access to the private key). An async state can carry one or more signing requests, comprised of document hashes, or one or more signatures produced over those hashes.

In a typical scenario you get a client-side async state from the SignAsyncBegin method. This state contains document hashes to be signed on the DC server side. You then send the async state to the DC server (often represented by the DCAuth component), which processes it and produces a matching signature state. The async state produced by the server is then passed to the SignAsyncEnd method.

GenerateCSR Method (CertificateManager Component)

Creates a new certificate signing request (CSR).

Syntax

procedure GenerateCSR(KeyBits: Integer);

Remarks

Call this method to generate a new certificate request with the specified parameters. The newly generated CSR is saved in CertificateRequest property. Use ExportCSR and ExportKey to serialize the generated objects.

GenerateExternal Method (CertificateManager Component)

Generates a new certificate or request with an external signing device.

Syntax

procedure GenerateExternal(CSR: Boolean; KeyBytes: TBytes; KeyPassword: String);

Remarks

Call this method to generate a new certificate based on the information provided via Certificate, CACertificate, and CertificateRequest parameters as given below:

If CACertificate is provided but CertificateRequest is not, a certificate signed by the CA certificate will be generated based on the information configured in the Certificate object.

If both CACertificate and CertificateRequest are set, a certificate based on the certificate request and signed by the CA certificate will be generated. The private key contained in the certificate request will be used.

If neither CACertificate nor CertificateRequest are set, an exception will be thrown: only CA-issued certificates can be generated remotely.

KeyBits specifies the number of bits in the key to be generated. Note that this property is ignored in the case of request-based generation.

GetExtensionData Method (CertificateManager Component)

Returns extension data.

Syntax

function GetExtensionData(OID: String): TBytes;

Remarks

Use this method to retrieve extension data in ASN.1 encoded format. Use GetExtensionState to check the availability of the extension and establish its critical attribute.

GetExtensionState Method (CertificateManager Component)

Returns certificate extension state.

Syntax

function GetExtensionState(OID: String): Integer;

Remarks

Use this method to find out whether the extension is included in the certificate/CRL and check its critical attribute.

GetSampleCert Method (CertificateManager Component)

Generates a sample certificate for the specified purpose.

Syntax

procedure GetSampleCert(Purpose: String; Subject: String);

Remarks

This method generates a sample self-signed certificate for the specified purpose. Use it as a quick method to get a working certificate to evaluate or test a piece of functionality that relies on certificates. The certificate will use pre-defined settings for most of its fields; use Generate method to generate bespoke real-world certificates. Purpose specifies the intended use of certificate:

• "generic": a generic certificate with no specific purpose
• "tls": a TLS server certificate
• "tls-client": a client-side TLS certificate
• "email": a secure e-mail (S/MIME) certificate

Subject specifies the common name to include in the certificate (e.g. "*.domain.com")

ImportCert Method (CertificateManager Component)

Imports a certificate.

Syntax

procedure ImportCert(CertBytes: TBytes; Password: String);

Remarks

Use this method to load a certificate from a byte array. Provide the password via the Password parameter. The Password parameter is optional. If it is omitted and it is later discovered that the key is password-encrypted, the PasswordNeeded event will be fired to request it. This method supports certificates in DER, PEM, PFX, and SPC formats.

ImportFromFile Method (CertificateManager Component)

Loads a certificate from a file.

Syntax

procedure ImportFromFile(Path: String; Password: String);

Remarks

This method can load certificates saved in one of the following formats: DER, PEM, PFX, SPC.

Use the Path parameter to provide a path to the certificate, and Password to specify the password. The Password parameter is optional. If it is omitted and it is later discovered that the certificate is password-encrypted, the PasswordNeeded event will be fired to request it.

ImportFromObject Method (CertificateManager Component)

Imports a certificate from a platform object.

Syntax

procedure ImportFromObject(SrcObj: Int64);

Remarks

Use this method to import a certificate from a native platform object, such as X509Certificate2. Depending on the platform, the ObjHandle parameter can be one of the following:

• .NET: X509Certificate2
• Java: X509Certificate
• Windows-based platforms: PCCERT_CONTEXT

ImportFromStream Method (CertificateManager Component)

Loads a certificate from a stream.

Syntax

procedure ImportFromStream(CertStream: TStream; Password: String);

Remarks

This method can load certificates saved in one of the following formats: DER, PEM, PFX, SPC.

Use the CertStream parameter to provide a stream containing the certificate data, and Password to specify the password. The Password parameter is optional. If it is omitted and it is later discovered that the certificate is password-encrypted, the PasswordNeeded event will be fired to request it.

ImportKey Method (CertificateManager Component)

Imports a private key.

Syntax

procedure ImportKey(Key: TBytes; Password: String);

Remarks

Use this method to load a private key from a byte array. Provide the encryption password via the Password parameter. The Password parameter is optional. If it is omitted and it is later discovered that the key is password-encrypted, the PasswordNeeded event will be fired to request it. If there is an initialized certificate or certificate request object inside the manager, the loaded key gets associated with that object. This method supports keys in DER, PEM, PKCS#8, and PVK formats.

ImportKeyFromFile Method (CertificateManager Component)

Imports a private key from a file.

Syntax

procedure ImportKeyFromFile(Path: String; Password: String);

Remarks

Use this method to load a private key from a file. Provide the encryption password via the Password parameter. The Password parameter is optional. If it is omitted and it is later discovered that the key is password-encrypted, the PasswordNeeded event will be fired to request it. If there is an initialized certificate or certificate request object inside the manager, the loaded key gets associated with that object. This method supports keys in DER, PEM, PKCS#8, and PVK formats.

ImportKeyFromStream Method (CertificateManager Component)

Imports a private key from a stream.

Syntax

procedure ImportKeyFromStream(CertStream: TStream; Password: String);

Remarks

Use this method to load a private key from a stream. Provide the encryption password via the Password parameter. The Password parameter is optional. If it is omitted and it is later discovered that the key is password-encrypted, the PasswordNeeded event will be fired to request it. If there is an initialized certificate or certificate request object inside the manager, the loaded key gets associated with that object. This method supports keys in DER, PEM, PKCS#8, and PVK formats.

ListExtensions Method (CertificateManager Component)

List extensions currently available in the certificate or CRL.

Syntax

function ListExtensions(): String;

Remarks

Use this method to list the extensions included in the certificate or CRL. The method returns a list of OIDs separated by newline characters.

SetExtensionData Method (CertificateManager Component)

Sets extension data.

Syntax

procedure SetExtensionData(OID: String; Value: TBytes);

Remarks

Use this method to set extension data in encoded ASN.1 format. Use SetExtensionState to enable the extension or change its critical attribute.

SetExtensionState Method (CertificateManager Component)

Sets certificate extension state.

Syntax

procedure SetExtensionState(OID: String; State: Integer);

Remarks

Use this method to enable or disable the extension and set its critical attribute.

Update Method (CertificateManager Component)

Renews the certificate.

Syntax

procedure Update();

Remarks

This method renews a certificate by updating its validity period and re-signing the updated version.

Note that this operation expects both Certificate and CACertificate properties to be set.

Validate Method (CertificateManager Component)

Validates the certificate.

Syntax

function Validate(): Integer;

Remarks

Use this method to validate the certificate contained in Certificate. If the certificate being validated is not self-signed, please provide the CA certificate via CACertificate property.

Error Event (CertificateManager Component)

Information about errors during certificate loading, saving or validation.

Syntax

type TErrorEvent = procedure (
  Sender: TObject;
  ErrorCode: Integer;
  const Description: String
) of Object;

property OnError: TErrorEvent read FOnError write FOnError;

Remarks

Reports exceptional conditions during certificate loading, exporting, or validation.

ErrorCode contains an error code and Description contains a textual description of the error.

ExternalSign Event (CertificateManager Component)

Handles remote or external signing initiated by the SignExternal method or other source.

Syntax

type TExternalSignEvent = procedure (
  Sender: TObject;
  const OperationId: String;
  const HashAlgorithm: String;
  const Pars: String;
  const Data: String;
  var SignedData: String
) of Object;

property OnExternalSign: TExternalSignEvent read FOnExternalSign write FOnExternalSign;

Remarks

Assign a handler to this event if you need to delegate a low-level signing operation to an external, remote, or custom signing engine. Depending on the settings, the handler will receive a hashed or unhashed value to be signed.

The event handler must pass the value of Data to the signer, obtain the signature, and pass it back to the component via the SignedData parameter.

OperationId provides a comment about the operation and its origin. It depends on the exact component being used, and may be empty. HashAlgorithm specifies the hash algorithm being used for the operation, and Pars contains algorithm-dependent parameters.

The component uses base16 (hex) encoding for the Data, SignedData, and Pars parameters. If your signing engine uses a different input and output encoding, you may need to decode and/or encode the data before and/or after the signing.

A sample MD5 hash encoded in base16: a0dee2a0382afbb09120ffa7ccd8a152 - lower case base16 A0DEE2A0382AFBB09120FFA7CCD8A152 - upper case base16

A sample event handler that uses the .NET RSACryptoServiceProvider class may look like the following: signer.OnExternalSign += (s, e) => { var cert = new X509Certificate2("cert.pfx", "", X509KeyStorageFlags.Exportable); var key = (RSACryptoServiceProvider)cert.PrivateKey; var dataToSign = e.Data.FromBase16String(); var signedData = key.SignHash(dataToSign, "2.16.840.1.101.3.4.2.1"); e.SignedData = signedData.ToBase16String(); };

Notification Event (CertificateManager Component)

This event notifies the application about an underlying control flow event.

Syntax

type TNotificationEvent = procedure (
  Sender: TObject;
  const EventID: String;
  const EventParam: String
) of Object;

property OnNotification: TNotificationEvent read FOnNotification write FOnNotification;

Remarks

The component fires this event to let the application know about some event, occurrence, or milestone in the component. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.

The unique identifier of the event is provided in the EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the component, the exact action it is performing, or the document being processed, one or both may be omitted.

PasswordNeeded Event (CertificateManager Component)

This event is fired when a decryption password is needed.

Syntax

type TPasswordNeededEvent = procedure (
  Sender: TObject;
  var Password: String;
  var Cancel: Boolean
) of Object;

property OnPasswordNeeded: TPasswordNeededEvent read FOnPasswordNeeded write FOnPasswordNeeded;

Remarks

The component fires this event when a password is needed to decrypt a certificate or a private key.

In the handler of this event, assign the password to the Password parameter, or set Cancel to true to abort the operation.

Certificate Type

Provides details of an individual X.509 certificate.

Remarks

This type provides access to X.509 certificate details.

Fields

Constructors

>

constructor Create();

Creates a new object with default field values.

CertificateRequest Type

Provides access to details of an individual certificate request (CSR).

Remarks

This type represents a certificate request as defined in PKCS#10.

Fields

Constructors

>

constructor Create();

Creates a new object with default field values.

ExternalCrypto Type

Specifies the parameters of external cryptographic calls.

Remarks

External cryptocalls are used in a Distributed Cryptography (DC) subsystem, which allows the delegation of security operations to the remote agent. For instance, it can be used to compute the signature value on the server, while retaining the client's private key locally.

Fields

Constructors

>

constructor Create();

Creates a new ExternalCrypto object with default field values.

Config Settings (CertificateManager Component)

The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

CertificateManager Config Settings

Base Config Settings

Trappable Errors (CertificateManager Component)

CertificateManager Errors

	1048577   Invalid parameter value (SB_ERROR_INVALID_PARAMETER)
	1048578   Component is configured incorrectly (SB_ERROR_INVALID_SETUP)
	1048579   Operation cannot be executed in the current state (SB_ERROR_INVALID_STATE)
	1048580   Attempt to set an invalid value to a property (SB_ERROR_INVALID_VALUE)
	1048581   Certificate does not have its private key loaded (SB_ERROR_NO_PRIVATE_KEY)
	1048581   Cancelled by the user (SB_ERROR_CANCELLED_BY_USER)