Discuss this help topic in SecureBlackbox Forum
Generate the certificate
This how-to requires knowledge of X.509 certificate basics ("Certificate basics").
As described in that article, a certificate is usually issued (created and signed) by a Certificate Authority (CA).
To check that such a certificate is valid, the certificate of the issuing Certificate Authority is required.
A CA is a well-known organization that has its own certificate; this certificate is usually known to the application at the time the application is created.
Alternatively, certificates can come from an external store, such as the Windows certificate store, whose ROOT store holds the certificates of well-known CAs.
There also exist so-called self-signed certificates.
Self-signed certificates are not issued by a Certificate Authority but are signed by the person or organization for whom the certificate is created.
To check the integrity of a self-signed certificate, no other certificate is needed.
Root CA certificates, which form the beginning of the certificate chain, are self-signed.
Generation of a certificate with SecureBlackbox is done in several steps.
To generate the certificate synchronously:
- Create an instance of the X.509 certificate class.
- Set the properties of the X.509 object. You need to set the following properties:
- ValidFrom
- ValidTo
- One of the Subject* properties, which define the person or organization to which the certificate is issued.
- Extensions (at least the Key Usage extension). Extensions are described in the corresponding how-to article.
- If you need to create a self-signed certificate, set the Issuer* properties of TElX509CertificateEx.
- Call the TElX509CertificateEx.Generate() method.
When creating a self-signed certificate, the Algorithm to use can be one of the following:
SB_CERT_ALGORITHM_MD2_RSA_ENCRYPTION
SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTION
SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION
SB_CERT_ALGORITHM_ID_DSA_SHA1
When creating a certificate using a CA, the Algorithm can be one of the following:
SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION
SB_CERT_ALGORITHM_ID_DSA
SB_CERT_ALGORITHM_DH_PUBLIC
SB_CERT_ALGORITHM_UNKNOWN
When creating a certificate based on a Certificate Signing Request (CSR), call the Generate() method of the CA certificate, passing the CSR and the destination ("child") certificate as parameters.
To generate the certificate asynchronously:
- Create an instance of the X.509 certificate class.
- Set the properties of the X.509 object. You need to set the following properties:
- ValidFrom
- ValidTo
- Subject* properties, which define the person or organization to which the certificate is issued.
- Extensions (at least the Key Usage extension). Extensions are described in the corresponding how-to article.
- If you need to create a self-signed certificate, set the Issuer* properties.
- Call the TElX509CertificateEx.BeginGenerate() method.
When creating a self-signed certificate, the Algorithm to use can be one of the following:
SB_CERT_ALGORITHM_MD2_RSA_ENCRYPTION
SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTION
SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION
SB_CERT_ALGORITHM_ID_DSA_SHA1
When creating a certificate using a CA, the Algorithm can be one of the following:
SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION
SB_CERT_ALGORITHM_ID_DSA
SB_CERT_ALGORITHM_DH_PUBLIC
SB_CERT_ALGORITHM_UNKNOWN
- Call the TElX509CertificateEx.AsyncOperationFinished() method to find out whether the generation process has finished.
- Call the TElX509CertificateEx.EndGenerate() method.
After generation you can place the certificate in a certificate storage (TElCustomCertStorage) or save it to a file.
Saving the certificate and its private key is described in the corresponding how-to article.
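The procedure above (both the synchronous and the asynchronous variant, and the CSR case) maps directly onto the fields of an X.509 certificate, and the two verification statements earlier on this page (a CA-issued certificate needs the CA's certificate to be checked, a self-signed one needs nothing else) can be demonstrated end to end. The following is an added example that is not part of this help topic and does not use SecureBlackbox or TElX509CertificateEx; it uses the Go standard library's crypto/x509, where ValidFrom/ValidTo are NotBefore/NotAfter, the Subject*/Issuer* properties are pkix.Name values, and the Key Usage extension is the KeyUsage field. It builds a self-signed root (the template is its own parent, so Issuer equals Subject), takes a CSR from a requester, issues a child certificate from it, verifies both, and encodes the result as PEM for saving. The names "Example Root CA" and "service.example" are constructed. The example signs with ECDSA P-256 and SHA-256 rather than any of the MD2, MD5 or SHA-1 based algorithm identifiers listed above, since modern verifiers (Go's included) refuse MD2/MD5 signatures and reject SHA-1 signatures by default.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// GenerateSelfSigned creates a self-signed CA certificate. The template is used
// as its own parent, so Issuer equals Subject and the certificate is signed with
// its own private key (the "set Issuer*, then Generate()" case of the how-to).
func GenerateSelfSigned(cn string, validFrom, validTo time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},                   // Subject* properties
		NotBefore:             validFrom,                                    // ValidFrom
		NotAfter:              validTo,                                      // ValidTo
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // Key Usage extension
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// MakeCSR is the requester side: a fresh key pair and a certificate request
// carrying the subject name and public key, signed with the requester's key.
func MakeCSR(cn string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return der, key, err
}

// IssueFromCSR is the CA side: it checks the CSR's self-signature (proof that
// the requester holds the matching private key), then signs a child certificate
// whose Subject and public key come from the CSR and whose Issuer is the CA.
func IssueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey,
	serial int64, validFrom, validTo time.Time) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               csr.Subject, // taken from the request, not chosen by the CA code
		NotBefore:             validFrom,
		NotAfter:              validTo,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  false, // a leaf must not be able to sign further certificates
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify builds and checks the chain from cert to one of the trusted roots at
// time "at". A CA-issued certificate needs the CA certificate in roots; a
// self-signed certificate verifies with only itself there.
func Verify(cert *x509.Certificate, roots []*x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool() // empty, not nil: never fall back to the system store here
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// ToPEM is the "save it to a file" step: the DER bytes wrapped in a PEM block.
func ToPEM(cert *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))
}

func main() {
	from := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	root, rootKey, err := GenerateSelfSigned("Example Root CA", from, from.AddDate(10, 0, 0))
	if err != nil {
		panic(err)
	}
	csr, _, err := MakeCSR("service.example")
	if err != nil {
		panic(err)
	}
	leaf, err := IssueFromCSR(csr, root, rootKey, 2, from, from.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	at := from.AddDate(0, 6, 0)
	fmt.Println("leaf with CA cert:   ", Verify(leaf, []*x509.Certificate{root}, at))
	fmt.Println("leaf without CA cert:", Verify(leaf, nil, at))
	fmt.Println("self-signed root:    ", Verify(root, []*x509.Certificate{root}, at))
	fmt.Print(ToPEM(leaf))
}
```

Nothing in the construction changes between the synchronous and asynchronous variants of the how-to; the only difference is whether the caller blocks in Generate() or polls AsyncOperationFinished() before EndGenerate(), which matters because key-pair generation is the slow part. The CSR path also shows why the CA must check the request's signature before issuing: it is the only evidence that whoever submitted the subject name controls the corresponding private key.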