Discuss this help topic in SecureBlackbox Forum

Create certificate signed by CA

This article explains how to generate a brand new certificate signed with a CA certificate available locally. The following articles explain how to generate other types of certificates:

  • To generate a self-signed or a root CA certificate, please follow this article.
  • How to generate a certificate from a certificate request by sending it to an external CA is explained here.
  • If you are a CA, read how to generate a certificate from a third-party request here.

To generate a new certificate signed with a different certificate (called the CA certificate, as it 'authorizes' the new one by signing it), you will need access to the CA certificate's private key. Note that you cannot sign new certificates with the CA certificate unless you have access to that private key. The key can be stored in any form, in a file or on a hardware token.

The generation procedure is very similar to the one used to generate a self-signed certificate:

  1. Create a TElX509CertificateEx object (SBX509Ex namespace): TElX509CertificateEx cert = new TElX509CertificateEx();
  2. Set up the identity and validity properties and, optionally, configure the extensions. Note that if you generate a certificate that you wish itself to act as a CA, you must include certain extensions (key usage and basic constraints) to comply with the X.509 specification.
    
    // subject (certificate holder)
    cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_COUNTRY, StrToUTF8("US"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
    cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_ORGANIZATION, StrToUTF8("Skynet"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
    cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_COMMON_NAME, StrToUTF8("John Johnson"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);
    
    // do not set the issuer fields (IssuerRDN); they will be copied from the CA certificate
    
    // validity period
    cert.ValidFrom = DateTime.UtcNow;
    cert.ValidTo = DateTime.UtcNow.AddYears(2);
    
    // extensions
    
  3. Load your CA certificate into a TElX509Certificate object:
    
    TElX509Certificate cacert = new TElX509Certificate();
    cacert.LoadFromFileAuto("cacert.pfx", "password");
    
  4. Call Generate(), passing the CA certificate object, the signature algorithm, and the desired length of the private key in double words (32 bits each):
    
    cert.Generate(cacert, SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION, 64); // 64 double words x 32 bits = 2048 bits
    
    Note that the signature algorithm you pass must be compatible with the algorithm of the key contained in the CA certificate. For example, you cannot pass a DSA-based signature algorithm if cacert carries an RSA key. Upon successful execution of the above command, a brand new key pair and a certificate have been generated and can be used for cryptographic operations.
  5. Save the certificate and its private key to streams or files. To save the key separately, run:
    
    cert.SaveToFile("cert.cer", "", TSBCertFileFormat.cfDER);
    cert.SaveKeyToFile("certkey.pem", "password", TSBX509KeyFileFormat.kffPEM);
    
    To save the key together with the certificate, run:
    
    cert.SaveToFile("cert.pfx", "password", TSBCertFileFormat.cfPFX);
