Create certificate signed by CA
This article explains how to generate a new certificate signed with a CA certificate that is available locally. The following articles explain how to generate other types of certificates:
To generate a new certificate signed with a different certificate (called the CA certificate, because it 'authorizes' the new one by signing it), you need access to the CA certificate's private key. Note that you cannot sign new certificates with a CA certificate unless you have its private key. The key can be stored in any form, in a file or on a hardware token.
The generation procedure is very similar to the one used to generate a self-signed certificate:
TElX509CertificateEx cert = new TElX509CertificateEx();
// subject (certificate holder)
cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_COUNTRY, StrToUTF8("US"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_ORGANIZATION, StrToUTF8("Skynet"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_COMMON_NAME, StrToUTF8("John Johnson"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);
// do not set the issuer fields (IssuerRDN); they will be copied from the CA certificate
// validity period
cert.ValidFrom = DateTime.UtcNow;
cert.ValidTo = DateTime.UtcNow.AddYears(2);
// extensions (none are set in this sample)
TElX509Certificate cacert = new TElX509Certificate();
cacert.LoadFromFileAuto("cacert.pfx", "password");
cert.Generate(cacert, SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION, 64); // 64 words x 32 bits = 2048 bits
Note that the signature algorithm you pass must be compatible with the algorithm of the key contained in the CA certificate. For example, you cannot pass a DSA-based signature algorithm if cacert carries an RSA key.
Once the call above completes successfully, a new keypair and a certificate signed by the CA have been generated and can be used for cryptographic operations. Use
cert.SaveToFile("cert.cer", "", TSBCertFileFormat.cfDER);
cert.SaveKeyToFile("certkey.pem", "password", TSBX509KeyFileFormat.kffPEM);
to save the key separately, or
cert.SaveToFile("cert.pfx", "password", TSBCertFileFormat.cfPFX);
to save the key together with the certificate.
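The same procedure carried through end to end, as an added example that is not part of the SecureBlackbox help or its code: it uses Go's standard crypto/x509 package instead of TElX509CertificateEx, builds a throwaway self-signed CA in place of the cacert.pfx loaded above, issues a two-year end-entity certificate with a fresh 2048-bit RSA key, shows that the issuer name is taken from the CA certificate rather than from the template, verifies the result under the CA public key, and demonstrates the signature-algorithm compatibility note (Go has no DSA signing, so the mismatch shown is ECDSA-with-SHA256 requested for an RSA CA key). The names Skynet Root CA and John Johnson are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a random serial in [1, 2^128]; RFC 5280 requires a
// unique positive integer, and a random one needs no issuance database.
func randomSerial() (*big.Int, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	return serial.Add(serial, big.NewInt(1)), nil
}

// NewCA generates an RSA key and a self-signed CA certificate for it. It stands
// in for the cacert.pfx loaded on the page so the example runs offline.
func NewCA(name pkix.Name, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               name,
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCertificate generates a fresh RSA keypair for subject and returns a
// certificate for it signed by caCert with caKey. As on the page, the template
// carries only the subject: x509.CreateCertificate copies the issuer name from
// the CA certificate. sigAlg must match the CA key type.
func IssueCertificate(subject pkix.Name, caCert *x509.Certificate, caKey *rsa.PrivateKey,
	sigAlg x509.SignatureAlgorithm, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             now,
		NotAfter:              now.AddDate(2, 0, 0), // two years, as on the page
		SignatureAlgorithm:    sigAlg,
		BasicConstraintsValid: true, // end-entity certificate: cA=false
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	// CreateCertificate rejects a signature algorithm that does not fit the
	// CA private key type (for example ECDSAWithSHA256 with an RSA CA key).
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyIssuedBy performs the checks a relying party performs: the issuer name
// equals the CA subject and the signature verifies under the CA public key.
func VerifyIssuedBy(leaf, ca *x509.Certificate) error {
	if leaf.Issuer.String() != ca.Subject.String() {
		return errors.New("issuer does not match CA subject")
	}
	return leaf.CheckSignatureFrom(ca)
}

func main() {
	org := []string{"Skynet"}
	ca, caKey, err := NewCA(pkix.Name{Country: []string{"US"}, Organization: org, CommonName: "Skynet Root CA"}, 2048)
	if err != nil {
		panic(err)
	}
	subject := pkix.Name{Country: []string{"US"}, Organization: org, CommonName: "John Johnson"}
	leaf, _, err := IssueCertificate(subject, ca, caKey, x509.SHA256WithRSA, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer:", leaf.Issuer.String(), "| verify:", VerifyIssuedBy(leaf, ca))
	_, _, err = IssueCertificate(subject, ca, caKey, x509.ECDSAWithSHA256, 2048)
	fmt.Println("mismatched algorithm:", err)
}
```

The leaf key is returned rather than written out; saving it separately (PEM) or together with the certificate (PKCS#12) is the same choice the page's SaveKeyToFile and SaveToFile calls make, and either way the CA private key never leaves the CA side.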