Discuss this help topic in SecureBlackbox Forum

Create self-signed certificate

Self-signed certificates are signed with the key embedded in them; they are not certified by any higher-level CA. There is no cryptographic way to verify the integrity and genuineness of a self-signed certificate: anyone can generate a keypair, create a certificate from it, and put any information they choose into it. To ensure security, you always have to establish trust in such certificates by means external to the PKI ecosystem. For example, you can confirm the hash of the public key contained in a self-signed certificate with the certificate holder by phone. Trusting self-signed certificates blindly is extremely dangerous!

In the real world, there are two common uses for self-signed certificates. The first covers all root certification authorities (CAs). These root certificates are shipped with Windows and other operating systems and can be found in the Trusted Root Certification Authorities system stores. Trust in such certificates is confirmed by the OS or web browser vendors, which (hopefully) take appropriate actions to confirm their genuineness with the CAs.

The second use of self-signed certificates covers fairly small environments where the certificates are primarily used as public key containers, not as elements of a PKI trust tree. These certificates are trusted explicitly: each verifier establishes trust individually, e.g., by checking certificate hashes. This is quite similar to how PGP keys are trusted.

Follow these steps to create a self-signed certificate:

  1. Create a TElX509CertificateEx object (SBX509Ex namespace):

    TElX509CertificateEx cert = new TElX509CertificateEx();

  2. Set up the identity and validity properties and, optionally, configure the extensions. Note that if you generate a certificate that you wish to use as a CA, you must include certain extensions (key usage and basic constraints) to comply with the X.509 specification.

    // subject (certificate holder)
    cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_COUNTRY, StrToUTF8("US"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
    cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_ORGANIZATION, StrToUTF8("Skynet"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
    cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_COMMON_NAME, StrToUTF8("John Johnson"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);

    // issuer (must exactly match subject for self-signed certificates)
    cert.IssuerRDN.Assign(cert.SubjectRDN);

    // validity period
    cert.ValidFrom = DateTime.UtcNow;
    cert.ValidTo = DateTime.UtcNow.AddYears(2);

    // extensions (optional; required for a CA certificate, see the note above)

  3. Call Generate(), passing the signature algorithm for the certificate signature and the length of the private key in double words (32 bits each):

    cert.Generate(SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION, 64); // 64 double words x 32 bits = 2048 bits

    Upon execution of the above command, a brand new keypair and a certificate are generated, which may be used for cryptographic operations.

  4. Save the certificate and its private key to streams or files. Run

    cert.SaveToFile("cert.cer", "", TSBCertFileFormat.cfDER);
    cert.SaveKeyToFile("certkey.pem", "password", TSBX509KeyFileFormat.kffPEM);

    to save the key separately, or

    cert.SaveToFile("cert.pfx", "password", TSBCertFileFormat.cfPFX);

    to save the key together with the certificate.
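As an added example that is not part of this help page and does not use SecureBlackbox, the same procedure carried out with the .NET framework's own CertificateRequest API (assumed available: .NET Core 2.0+ or .NET Framework 4.7.2+), including the CA extensions step 2 says are required and the SHA-256 fingerprint that would be confirmed with the holder out-of-band as described at the top of this topic:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not SecureBlackbox code): the page's procedure done with .NET's
// built-in CertificateRequest API, plus the CA extensions and a fingerprint to
// confirm with the certificate holder out-of-band.
static class SelfSignedCaExample
{
    public static X509Certificate2 CreateSelfSignedCa(string subjectDn, int validYears)
    {
        using (RSA rsa = RSA.Create(2048))   // RSA-2048, as in the page's Generate() call
        {
            var req = new CertificateRequest(subjectDn, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // Extensions the page says a CA certificate must carry, both marked critical:
            // basicConstraints (CA=true) and keyUsage (keyCertSign, cRLSign).
            req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
            req.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
            // Subject key identifier lets verifiers link issued certificates to this CA.
            req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));

            // CreateSelfSigned sets issuer = subject, as the page requires for self-signed certs.
            DateTimeOffset notBefore = DateTimeOffset.UtcNow;
            return req.CreateSelfSigned(notBefore, notBefore.AddYears(validYears));
        }
    }

    // SHA-256 over the DER encoding; this is the value to read out to the holder by phone.
    public static string Fingerprint(X509Certificate2 cert)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.RawData)).Replace("-", ":");
    }

    public static void Main()
    {
        using (X509Certificate2 cert = CreateSelfSignedCa("C=US, O=Skynet, CN=John Johnson", 2))
        {
            if (cert.Subject != cert.Issuer) throw new Exception("issuer must equal subject");
            // Certificate and key together, the counterpart of SaveToFile(..., cfPFX) on the page.
            File.WriteAllBytes("cert.pfx", cert.Export(X509ContentType.Pfx, "password"));
            Console.WriteLine("SHA-256 fingerprint (confirm out-of-band): " + Fingerprint(cert));
        }
    }
}
```

The fingerprint printed at the end is what a verifier should compare against a value obtained from the certificate holder by a channel independent of the certificate itself before adding the file to any trusted store.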
