Discuss this help topic in SecureBlackbox Forum

Create certificate request

Certificate requests, also called certificate signing requests (CSRs), are the standard way of obtaining a certificate without ever exposing the private key. A person who wants a certificate from a CA generates a keypair locally and packages its public key together with identity information (common name, country, organisation etc.) in a blob called a 'certificate request'. The request is signed with the private key and sent to the CA. The CA verifies the request's signature with the included public key (proving that the requester holds the matching private key), builds a certificate from that public key and the identity information, and signs it with the CA's own issuing key. The certificate is then returned to the requester. At no point does the private key leave the requester's environment.

With SecureBlackbox, certificate requests are created and managed via the TElCertificateRequest class. To generate a brand new certificate request:

  1. Create a TElCertificateRequest object (SBPKCS10 namespace): TElCertificateRequest req = new TElCertificateRequest();
  2. Set the identity information that should go into the Subject field of the certificate (note that the CA may alter it according to its policies):
    
    req.Subject.Add(SBConstants.Unit.SB_CERT_OID_COMMON_NAME, SBStrUtils.Unit.StrToUTF8("John Johnson"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);
    req.Subject.Add(SBConstants.Unit.SB_CERT_OID_COUNTRY, SBStrUtils.Unit.StrToUTF8("CA"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
    req.Subject.Add(SBConstants.Unit.SB_CERT_OID_ORGANIZATION, SBStrUtils.Unit.StrToUTF8("Johnson&Co"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);
    
  3. Optionally, configure the desired extensions via the Extensions property:
    
    req.Extensions.Included = SBX509Ext.Unit.ceKeyUsage;
    req.Extensions.KeyUsage.NonRepudiation = true; // request the nonRepudiation key usage bit
    
    You may also add one or both of the SBPKCS10.Unit.croGenerateKeyIdentifier and SBPKCS10.Unit.croUseMSExtensionIdentifier flags to the request's Options property to pre-generate the Subject Key Identifier and the MS extension identifier extensions. Certain CAs require these.
  4. Call Generate() to generate the keypair and request, and sign the request with the private key:
    
    req.Generate(
    SBConstants.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION, // key algorithm
    2048, // bits in key
    SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION // signature algorithm (must include hash algorithm, e.g. SHA256)
    );
    
    That's it, the request has been generated. Learn how to save the new request here.

To use an existing keypair (for example, one you generated separately beforehand), take these steps before calling the Generate() method:

  1. call TElCertificateRequest.SetKeyMaterial() to supply the key material (the method stores a copy of the keypair you provide),
  2. set the TElCertificateRequest.PreserveKeyMaterial property to true so that Generate() signs with that keypair instead of creating a new one.

The key material can be generated in memory, or it can be created on and reused from cryptographic hardware via PKCS#11 or from the system certificate storage.
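The following C# program ties both procedures together: generating a request with a fresh keypair (steps 1 to 4 above) and generating one over pre-existing key material with SetKeyMaterial() and PreserveKeyMaterial. It is an added example written for this page, not sample code shipped with SecureBlackbox. The subject OIDs, extension constants, Options flags and Generate() arguments are the ones shown on this page; the SBRSA.TElRSAKeyMaterial class and its Generate(bits) method, the boolean property names on KeyUsage, the integer flag type of Options and the SaveToStream() method are assumptions about the library's API and may need adjusting to your edition.

```csharp
using System;
using System.IO;
using SBPKCS10;      // TElCertificateRequest (namespace named on this page)
using SBRSA;         // TElRSAKeyMaterial: assumed namespace and class name
using SBCustomCrypto; // TElKeyMaterial base class: assumed namespace

public static class CsrExample
{
    // Identity fields from the page. The CA may rewrite them under its own
    // policy, so treat the Subject as a proposal, not as the final DN.
    static void FillSubject(TElCertificateRequest req)
    {
        req.Subject.Add(SBConstants.Unit.SB_CERT_OID_COMMON_NAME,
            SBStrUtils.Unit.StrToUTF8("John Johnson"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);
        req.Subject.Add(SBConstants.Unit.SB_CERT_OID_COUNTRY,
            SBStrUtils.Unit.StrToUTF8("CA"), SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);
        req.Subject.Add(SBConstants.Unit.SB_CERT_OID_ORGANIZATION,
            SBStrUtils.Unit.StrToUTF8("Johnson&Co"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING);
    }

    // Ask only for the key usages the certificate actually needs; a CA that
    // honours the request will not grant encipherment bits that are not listed.
    static void FillExtensions(TElCertificateRequest req)
    {
        req.Extensions.Included = SBX509Ext.Unit.ceKeyUsage;
        req.Extensions.KeyUsage.DigitalSignature = true; // property names assumed
        req.Extensions.KeyUsage.NonRepudiation = true;
        // Options is assumed to be an int bit mask; pre-generate the Subject Key Identifier.
        req.Options |= SBPKCS10.Unit.croGenerateKeyIdentifier;
    }

    // Procedure 1: Generate() creates the RSA keypair and signs the request with it.
    public static TElCertificateRequest CreateWithNewKey()
    {
        var req = new TElCertificateRequest();
        FillSubject(req);
        FillExtensions(req);
        req.Generate(
            SBConstants.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION,      // key algorithm
            2048,                                                      // bits in key
            SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION); // signature algorithm
        return req;
    }

    // Procedure 2: reuse key material generated elsewhere (memory, PKCS#11 token,
    // or the system store). SetKeyMaterial() copies it; PreserveKeyMaterial makes
    // Generate() sign with that pair instead of creating a new one.
    public static TElCertificateRequest CreateWithExistingKey(TElKeyMaterial keyMaterial)
    {
        var req = new TElCertificateRequest();
        FillSubject(req);
        FillExtensions(req);
        req.SetKeyMaterial(keyMaterial);
        req.PreserveKeyMaterial = true;
        req.Generate(
            SBConstants.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION,
            2048, // ignored for the key itself because the keypair is preserved (assumption)
            SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION);
        return req;
    }

    // Writes the DER-encoded request; SaveToStream() is assumed from the
    // library's usual Save/Load naming. Only the request leaves this process,
    // never the private key.
    public static void SaveRequest(TElCertificateRequest req, string path)
    {
        using (FileStream fs = File.Create(path))
        {
            req.SaveToStream(fs);
        }
    }

    public static void Main()
    {
        TElCertificateRequest fresh = CreateWithNewKey();
        SaveRequest(fresh, "request-new-key.csr");

        // Constructed key material for the second procedure (assumed API).
        var rsa = new TElRSAKeyMaterial();
        rsa.Generate(2048);
        TElCertificateRequest reused = CreateWithExistingKey(rsa);
        SaveRequest(reused, "request-existing-key.csr");

        Console.WriteLine("Two certificate requests written; submit the .csr files to the CA.");
    }
}
```

Keep the key material object (or its PKCS#11 handle) under the same protection you would apply to the final certificate's private key: the request only proves possession of it, and the certificate the CA returns is useless to anyone who does not hold it.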

How To articles about certificate requests
