Discuss this help topic in SecureBlackbox Forum
Create self-signed certificate
Self-signed certificates are signed with an embedded key, they are not certified by any higher-level CA. There is no cryptographic way to verify the integrity and genuineness of self-signed certificates, anyone can generate a keypair, create a certificate from it, and put any information they choose into it. To ensure security you always have to establish trust to such certificates by means, external to the whole PKI ecosystem. For example, you can confirm the hash of the public key contained in a self-signed certificate with the certificate holder by phone. Trusting self-signed certificates blindly is extremely dangerous!
In real world, there are two common uses for self-signed certificates. The first case covers all root certification authorities (CAs). These root certificates are shipped with Windows and other operating systems, and could be found in the Trusted Root Certification Authorities system stores. Trust for such certificates is confirmed by the OS or web browser vendors, which (hopefully) take appropriate actions to confirm their genuineness with the CAs.
The second use of the self-signed certificates covers fairly small environments where the certificates are primarily used as public key containers, not as the elements of the PKI trust tree. These certificates are trusted explicitly, their trust is established by the verifiers individually by, e.g., checking certificate hashes. Pretty similar to PGP keys.
Follow these steps to create a self-signed certificate:
TElX509CertificateEx cert = new TElX509CertificateEx();
// subject (certificate holder)
cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_COUNTRY, StrToUTF8("US"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_ORGANIZATION, StrToUTF8("Skynet"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
cert.SubjectRDN.Add(SBConstants.Unit.SB_CERT_OID_COMMON_NAME, StrToUTF8("John Johnson"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);
// issuer (must exactly match subject for self-signed certificates)
cert.IssuerRDN.Assign(cert.SubjectRDN);
// validity period
cert.ValidFrom = DateTime.UtcNow;
cert.ValidTo = DateTime.UtcNow.AddYears(2);
// extensions
cert.Generate(SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION, 64); // 64 words x 32 bits = 2048 bits
Upon execution of the above command, a brand new keypair and a certificate are generated which may be used for cryptographic operations.
cert.SaveToFile("cert.cer", "", TSBCertFileFormat.cfDER);
cert.SaveKeyToFile("certkey.pem", "password", TSBX509KeyFileFormat.kffPEM);
to save the key separately, or
cert.SaveToFile("cert.pfx", "password", TSBCertFileFormat.cfPFX);
to save the key together with the certificate.