Programmatically producing certificate in .pfx format in .NET

Guest

Hello!
First of all I want to beg your pardon if I'm posting this question into the
wrong newsgroup. And now the question itself :):
Presently, if I need to provide a user with a certificate (generated by my own CA
server) in PKCS #12 / Personal Information Exchange (.pfx) format, I need to:
1. Go to http://my_ca_server/certsrv/default.aspx
2. Prepare a certificate request providing name, e-mail, type of certificate,
mark keys as exportable, export keys to file, etc., supply a password for the
.pvk file
3. Submit the certificate request.
4. Open the CA administration console, expand "Pending certificates", right
click the corresponding certificate, "Issue" it.
5. Now again I have to go to http://my_ca_server/certsrv/default.aspx, check
the pending certificate request status
6. Download the .cer file
7. Find the .pvk file on the desktop (strange, to put it mildly) of the CA server
8. Finally, by sequentially running the command lines "cert2spc mycert.cer
mycert.spc" and "pvkimprt -pfx mycert.spc mycert.pvk", I receive the "mycert.pfx"
I longed for so much.

Is it possible to automate this process by writing a web app in .NET (VB,
C#), which could be installed on any server (not necessarily the CA), and enable
me to:
1. Open a web page
2. Enter user’s name, e-mail, address
3. Press a button
4. Get username.pfx for download

I would be very grateful for quick response, because solving this issue is
quite urgent.
Best regards,
Vladimir Davidov
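The eight manual steps above (key pair, request, issuance, PFX packaging) done entirely in managed code, as an added example that is not part of this thread and not from any of the posters. It assumes .NET 5 or later (the CertificateRequest API and custom-root chain trust did not exist in .NET 1.x when this was asked), an in-process stand-in CA called "Example Test CA" in place of the poster's Windows CA, the user name and e-mail shown, and an assumed subject layout of CN plus E:

```csharp
// Added example, not from the thread. Requires .NET 5 or later for the
// CertificateRequest API and X509ChainTrustMode.CustomRootTrust. The
// "Example Test CA" stands in for the Windows CA from the original post.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PfxIssuer
{
    // Stand-in issuing CA so the example runs offline (assumption). In
    // production the Windows CA from the post plays this role instead.
    public static X509Certificate2 CreateTestCa()
    {
        RSA caKey = RSA.Create(2048);   // kept alive for the CA cert's lifetime
        var req = new CertificateRequest("CN=Example Test CA", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(
            certificateAuthority: true, hasPathLengthConstraint: false,
            pathLengthConstraint: 0, critical: true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, critical: true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                    DateTimeOffset.UtcNow.AddYears(10));
    }

    // Steps 1-2 of the wanted web flow: the key pair is generated here, on the
    // server running this code, so no .pvk file ever lands on the CA's desktop.
    public static (RSA Key, CertificateRequest Request) CreateUserRequest(string name, string email)
    {
        RSA key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={name}, E={email}", key,   // subject layout: assumption
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.4") }, critical: false)); // id-kp-emailProtection
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return (key, req);
    }

    // Steps 3-6: issue. With the real CA you would send request.CreateSigningRequest()
    // (PKCS#10 DER) to certsrv/certreq and load the returned .cer instead of
    // calling Create(); CopyWithPrivateKey then joins it with the key kept here.
    public static X509Certificate2 Issue(CertificateRequest request, RSA subjectKey, X509Certificate2 ca)
    {
        byte[] serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] = (byte)((serial[0] & 0x7F) | 0x40);   // positive, minimally encoded INTEGER
        using X509Certificate2 publicOnly = request.Create(ca,
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1), serial);
        return publicOnly.CopyWithPrivateKey(subjectKey);
    }

    // Step 8: the PKCS#12. The CA certificate rides along without its private key.
    public static byte[] ToPfx(X509Certificate2 userCert, X509Certificate2 ca, string password)
    {
        var bag = new X509Certificate2Collection
        {
            userCert,
            new X509Certificate2(ca.Export(X509ContentType.Cert)),
        };
        return bag.Export(X509ContentType.Pkcs12, password);
    }

    // What the user would get: private key present and a chain up to the CA.
    public static bool VerifyPfx(byte[] pfx, string password, X509Certificate2 ca)
    {
        using var cert = new X509Certificate2(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return cert.HasPrivateKey && chain.Build(cert);
    }

    public static void Main()
    {
        X509Certificate2 ca = CreateTestCa();
        var (key, request) = CreateUserRequest("Vladimir Davidov", "vladimir@example.com");
        byte[] csr = request.CreateSigningRequest();          // what you would hand to the real CA
        X509Certificate2 issued = Issue(request, key, ca);

        byte[] pw = new byte[18];
        RandomNumberGenerator.Fill(pw);
        string password = Convert.ToBase64String(pw);         // one per download
        byte[] pfx = ToPfx(issued, ca, password);
        File.WriteAllBytes("username.pfx", pfx);

        Console.WriteLine($"CSR {csr.Length} bytes, PFX {pfx.Length} bytes, " +
                          $"valid={VerifyPfx(pfx, password, ca)}");
        Console.WriteLine($"Password for this download: {password}");   // deliver out of band
    }
}
```

Two things a practitioner would check before putting this behind a "download" button. First, the key pair is now generated on the web server, so the server sees every user's private key; the certsrv flow in the post generates it in the user's browser instead, and which of the two your policy allows is a real decision, not a detail. Second, when this runs as a service account (a web app), loading or exporting a PFX may fail if the account has no loaded user profile; X509KeyStorageFlags.MachineKeySet or EphemeralKeySet on the import avoids that, and the password should go to the user by a channel other than the download itself.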
 
Eugene Mayevski

Hello!
You wrote on Tue, 14 Jun 2005 01:43:03 -0700:

VD> Is it possible to automate this process by writing a WEB app. in .NET
VD> (VB, C#), which could be installed on any server (not necessarily CA) ,

Yes, you can use PKIBlackbox (freeware, http://www.eldos.com/sbb/desc-pki.php)
for this.

With best regards,
Eugene Mayevski
 
Guest

OK, maybe I have not made myself absolutely clear. I'm not searching for
some kind of third-party components/classes. What I want is to find out how I
can do it myself using the API, .NET classes, whatever could help me.
 
Lau Lei Cheong

Should you want to use the API to do so, go and check out crypt32.dll. Its exports:

ordinal hint RVA name

1016 0 00038A8F CertAddCRLContextToStore
1017 1 00038162 CertAddCRLLinkToStore
1018 2 00038A8F CertAddCTLContextToStore
1019 3 00038162 CertAddCTLLinkToStore
1020 4 00038A8F CertAddCertificateContextToStore
1021 5 00038162 CertAddCertificateLinkToStore
1022 6 0002128A CertAddEncodedCRLToStore
1023 7 00038BBE CertAddEncodedCTLToStore
1024 8 00038A1A CertAddEncodedCertificateToStore
1025 9 00039E8D CertAddEncodedCertificateToSystemStoreA
1026 A 00039ED7 CertAddEncodedCertificateToSystemStoreW
1027 B 0003A86E CertAddEnhancedKeyUsageIdentifier
1028 C 00010635 CertAddSerializedElementToStore
1029 D 0000EB37 CertAddStoreToCollection
1030 E 0003B244 CertAlgIdToOID
1031 F 0000C19E CertCloseStore
1032 10 00012E1A CertCompareCertificate
1033 11 00013661 CertCompareCertificateName
1034 12 00012D95 CertCompareIntegerBlob
1035 13 0001985F CertComparePublicKeyInfo
1036 14 00010387 CertControlStore
1037 15 00038B97 CertCreateCRLContext
1038 16 00038C0C CertCreateCTLContext
1039 17 00037843 CertCreateCTLEntryFromCertificateContextProperties
1040 18 0002077C CertCreateCertificateChainEngine
1041 19 00038A68 CertCreateCertificateContext
1042 1A 00038479 CertCreateContext
1043 1B 0003C88D CertCreateSelfSignCertificate
1044 1C 00038140 CertDeleteCRLFromStore
1045 1D 00038140 CertDeleteCTLFromStore
1046 1E 00038140 CertDeleteCertificateFromStore
1047 1F 0000C256 CertDuplicateCRLContext
1048 20 0000C256 CertDuplicateCTLContext
1049 21 00079F23 CertDuplicateCertificateChain
1050 22 0000C256 CertDuplicateCertificateContext
1051 23 0001042C CertDuplicateStore
1052 24 00036FF3 CertEnumCRLContextProperties
1053 25 00020C28 CertEnumCRLsInStore
1054 26 00036FF3 CertEnumCTLContextProperties
1055 27 0001774C CertEnumCTLsInStore
1056 28 00036FF3 CertEnumCertificateContextProperties
1057 29 0001FC1F CertEnumCertificatesInStore
1058 2A 0003EB35 CertEnumPhysicalStore
1059 2B 00036D09 CertEnumSubjectInSortedCTL
1060 2C 0003E4CD CertEnumSystemStore
1061 2D 00008336 CertEnumSystemStoreLocation
1062 2E 0001C10D CertFindAttribute
1063 2F 0001794F CertFindCRLInStore
1064 30 000381B4 CertFindCTLInStore
1065 31 00017EF0 CertFindCertificateInCRL
1066 32 00014F78 CertFindCertificateInStore
1067 33 000405C0 CertFindChainInStore
1068 34 0000E93E CertFindExtension
1069 35 0003B272 CertFindRDNAttr
1070 36 00037397 CertFindSubjectInCTL
1071 37 00036C0E CertFindSubjectInSortedCTL
1072 38 0001085A CertFreeCRLContext
1073 39 0001085A CertFreeCTLContext
1074 3A 0001931E CertFreeCertificateChain
1075 3B 0007A016 CertFreeCertificateChainEngine
1076 3C 0001085A CertFreeCertificateContext
1077 3D 00010B45 CertGetCRLContextProperty
1078 3E 00038AEB CertGetCRLFromStore
1079 3F 00010B45 CertGetCTLContextProperty
1080 40 00011243 CertGetCertificateChain
1081 41 00010B45 CertGetCertificateContextProperty
1082 42 0001B7C8 CertGetEnhancedKeyUsage
1083 43 00006BA4 CertGetIntendedKeyUsage
1084 44 00039896 CertGetIssuerCertificateFromStore
1085 45 000428D1 CertGetNameStringA
1086 46 00042609 CertGetNameStringW
1087 47 0003C735 CertGetPublicKeyLength
1088 48 0003726E CertGetStoreProperty
1089 49 0001A039 CertGetSubjectCertificateFromStore
1090 4A 0003A52B CertGetValidUsages
1091 4B 0003ACEC CertIsRDNAttrsInCertificateName
1092 4C 00017EB2 CertIsValidCRLForCertificate
1093 4D 0004198E CertNameToStrA
1094 4E 000418FD CertNameToStrW
1095 4F 00011443 CertOIDToAlgId
1096 50 0001087F CertOpenStore
1097 51 00039E0A CertOpenSystemStoreA
1098 52 00039E49 CertOpenSystemStoreW
1099 53 00042932 CertRDNValueToStrA
1100 54 00040842 CertRDNValueToStrW
1101 55 0003DEF6 CertRegisterPhysicalStore
1102 56 0003DE5F CertRegisterSystemStore
1103 57 0003A96D CertRemoveEnhancedKeyUsageIdentifier
1104 58 00020DF4 CertRemoveStoreFromCollection
1105 59 0007A042 CertResyncCertificateChainEngine
1106 5A 0003893E CertSaveStore
1107 5B 000228DF CertSerializeCRLStoreElement
1108 5C 000228DF CertSerializeCTLStoreElement
1109 5D 000228DF CertSerializeCertificateStoreElement
1110 5E 0001362B CertSetCRLContextProperty
1111 5F 0001362B CertSetCTLContextProperty
1112 60 00039C41 CertSetCertificateContextPropertiesFromCTLEntry
1113 61 0001362B CertSetCertificateContextProperty
1114 62 0003A35B CertSetEnhancedKeyUsage
1115 63 00037237 CertSetStoreProperty
1116 64 000421FD CertStrToNameA
1117 65 00041CAF CertStrToNameW
1118 66 0003E1DD CertUnregisterPhysicalStore
1119 67 0003E0C9 CertUnregisterSystemStore
1120 68 0003B1E4 CertVerifyCRLRevocation
1121 69 0003B132 CertVerifyCRLTimeValidity
1122 6A 00042C13 CertVerifyCTLUsage
1123 6B 00019A4C CertVerifyCertificateChainPolicy
1124 6C 00015EE2 CertVerifyRevocation
1125 6D 00039948 CertVerifySubjectCertificateContext
1126 6E 00016507 CertVerifyTimeValidity
1127 6F 0003B1A1 CertVerifyValidityNesting
1012 70 0007A134 ChainWlxLogoffEvent
1013 71 00031CC4 CloseCertPerformanceData
1014 72 0007ED4A CollectCertPerformanceData
1128 73 00031D4F CreateFileU
1129 74 00039A1E CryptAcquireCertificatePrivateKey
1130 75 000323FD CryptAcquireContextU
1131 76 000334E9 CryptBinaryToStringA
1132 77 00033807 CryptBinaryToStringW
1133 78 00043927 CryptCloseAsyncHandle
1134 79 0004372E CryptCreateAsyncHandle
1135 7A 0003BF1E CryptCreateKeyIdentifierFromCSP
1136 7B 00045368 CryptDecodeMessage
1137 7C 00012A8E CryptDecodeObject
1138 7D 0001027E CryptDecodeObjectEx
1139 7E 0004526F CryptDecryptAndVerifyMessageSignature
1140 7F 0004523C CryptDecryptMessage
1141 80 000453A7 CryptEncodeObject
1142 81 0001A0F1 CryptEncodeObjectEx
1143 82 000442AB CryptEncryptMessage
1144 83 000395AD CryptEnumKeyIdentifierProperties
1145 84 0000AA75 CryptEnumOIDFunction
1146 85 0004CE7E CryptEnumOIDInfo
1147 86 00032801 CryptEnumProvidersU
1148 87 0006F2F9 CryptExportPKCS8
1149 88 0003BEF7 CryptExportPublicKeyInfo
1150 89 0003BE82 CryptExportPublicKeyInfoEx
1151 8A 0003C502 CryptFindCertificateKeyProvInfo
1152 8B 0004C458 CryptFindLocalizedName
1153 8C 0000F5FF CryptFindOIDInfo
1154 8D 0004D1D7 CryptFormatObject
1155 8E 00009D71 CryptFreeOIDFunctionAddress
1156 8F 000438E2 CryptGetAsyncParam
1157 90 000179EF CryptGetDefaultOIDDllList
1158 91 00017C3D CryptGetDefaultOIDFunctionAddress
1159 92 00039277 CryptGetKeyIdentifierProperty
1160 93 000439B0 CryptGetMessageCertificates
1161 94 00043946 CryptGetMessageSignerCount
1162 95 00009BD8 CryptGetOIDFunctionAddress
1163 96 0004B8A9 CryptGetOIDFunctionValue
1164 97 0001053D CryptHashCertificate
1165 98 000439E0 CryptHashMessage
1166 99 0003B390 CryptHashPublicKeyInfo
1167 9A 00019AC2 CryptHashToBeSigned
1168 9B 0006F0B6 CryptImportPKCS8
1169 9C 00010988 CryptImportPublicKeyInfo
1170 9D 000109AC CryptImportPublicKeyInfoEx
1171 9E 00007A0D CryptInitOIDFunctionSet
1172 9F 0003BFC3 CryptInstallDefaultContext
1173 A0 00007ABF CryptInstallOIDFunctionAddress
1174 A1 0006DC6E CryptLoadSip
1175 A2 00022424 CryptMemAlloc
1176 A3 000245B1 CryptMemFree
1177 A4 00055CD2 CryptMemRealloc
1178 A5 000612CB CryptMsgCalculateEncodedLength
1179 A6 000188BA CryptMsgClose
1180 A7 0001C4BA CryptMsgControl
1181 A8 000682BC CryptMsgCountersign
1182 A9 00010FC2 CryptMsgCountersignEncoded
1183 AA 00063263 CryptMsgDuplicate
1184 AB 00068690 CryptMsgEncodeAndSignCTL
1185 AC 000685E0 CryptMsgGetAndVerifySigner
1186 AD 0001AFAA CryptMsgGetParam
1187 AE 0001DE13 CryptMsgOpenToDecode
1188 AF 000681FD CryptMsgOpenToEncode
1189 B0 0000528D CryptMsgSignCTL
1190 B1 0001D86B CryptMsgUpdate
1191 B2 000649E3 CryptMsgVerifyCountersignatureEncoded
1192 B3 0001DF37 CryptMsgVerifyCountersignatureEncodedEx
1193 B4 00023EBA CryptProtectData
1194 B5 00020FF0 CryptQueryObject
1195 B6 0004BB47 CryptRegisterDefaultOIDFunction
1196 B7 0004B944 CryptRegisterOIDFunction
1197 B8 0004BF23 CryptRegisterOIDInfo
1198 B9 0006DD9E CryptSIPAddProvider
1199 BA 0006E07E CryptSIPCreateIndirectData
1200 BB 0001A8E4 CryptSIPGetSignedDataMsg
1201 BC 0001EB0E CryptSIPLoad
1202 BD 0006DF63 CryptSIPPutSignedDataMsg
1203 BE 0006DC7E CryptSIPRemoveProvider
1204 BF 0006DFF8 CryptSIPRemoveSignedDataMsg
1205 C0 00009E70 CryptSIPRetrieveSubjectGuid
1206 C1 0006E10D CryptSIPRetrieveSubjectGuidForCatalogFile
1207 C2 0001EBB4 CryptSIPVerifyIndirectData
1208 C3 000438C3 CryptSetAsyncParam
1209 C4 00039309 CryptSetKeyIdentifierProperty
1210 C5 0004B802 CryptSetOIDFunctionValue
1211 C6 000325F1 CryptSetProviderU
1212 C7 0003B04C CryptSignAndEncodeCertificate
1213 C8 00044D60 CryptSignAndEncryptMessage
1214 C9 0003AE82 CryptSignCertificate
1215 CA 000324A1 CryptSignHashU
1216 CB 00044CD1 CryptSignMessage
1217 CC 00044390 CryptSignMessageWithKey
1218 CD 000339F3 CryptStringToBinaryA
1219 CE 00033AE5 CryptStringToBinaryW
1220 CF 0003C127 CryptUninstallDefaultContext
1221 D0 000240A1 CryptUnprotectData
1222 D1 0004BCB9 CryptUnregisterDefaultOIDFunction
1223 D2 0004B9D2 CryptUnregisterOIDFunction
1224 D3 0004BFD8 CryptUnregisterOIDInfo
1225 D4 0003C6FF CryptVerifyCertificateSignature
1226 D5 00016FB4 CryptVerifyCertificateSignatureEx
1227 D6 00044361 CryptVerifyDetachedMessageHash
1228 D7 00045206 CryptVerifyDetachedMessageSignature
1229 D8 00044334 CryptVerifyMessageHash
1230 D9 000451D2 CryptVerifyMessageSignature
1231 DA 0004454F CryptVerifyMessageSignatureWithKey
1232 DB 0003253D CryptVerifySignatureU

Search MSDN or so to find out how to use the functions you are interested in.
 
Jon Skeet [C# MVP]

Vladimir Davidov said:
OK, maybe I have not made myself absolutely clear. I'm not searching for
some kind of third party components/classes. What I want is to find out how I
can do it myself using API, .NET classes whatever could help me.

Why would you want to do it manually when there are components which
others have written to do the hard work for you? It's still an API,
just not one provided by Microsoft.
 
Guest

The thing is that I do not want to depend/rely on some piece of software I
cannot modify, especially when I do not know how it works inside. I simply
cannot afford it in the system I'm developing right now. So please let us
finish the "you should(-not) use 3rd party software" discussion and turn to "you
should do this and this to accomplish your goal" advice.
 
Guest

Thank you very much for pointing out the direction to dig in, I'll try to look
there.
 
Eugene Mayevski

Hello!
You wrote on Wed, 15 Jun 2005 00:10:55 -0700:

VD> now. So please let us finish the "you should(-not) use 3rd party software"
VD> discussion and turn to "you should do this and this to accomplish your
VD> goal" advice.

I believe with this approach you won't get much from others ...

With best regards,
Eugene Mayevski
 
Guest

I beg your pardon if I've insulted someone, I am only asking for advice on
how to implement the functionality described above all by myself without using
3rd party software; I am not interested in any "black-box"
classes/components. What is so bad about this approach?
 
Jon Skeet [C# MVP]

Vladimir Davidov said:
The thing is that I do not want to depend/rely on some piece of software I
cannot modify, especially when I do not know how it works inside.

Can you modify .NET? Can you modify Windows? If not, what makes those
pieces of software any different to this component?
I simply cannot afford it in the system I'm developing right now. So
please let us finish the "you should(-not) use 3rd party software"
discussion and turn to "you should do this and this to accomplish
your goal" advice.

Okay, then you'll have to rewrite what someone else has already done as
a 3rd party component. Except that you're unlikely to have as long to
test it (if it's only part of your application) as they will have
already spent on it.

If you really want to use the plain windows API though, I believe
someone else posted the list of API functions to look up.

If you want "you should do this and this to accomplish your goal" then
my advice is "you should use code which has already been written and
tested to accomplish your goal of generating certificates".
 
Guest

OK, so as far as I understand, the only answer in this thread which can more
or less satisfy my needs is that of Lau Lei Cheong. I really do not feel like
arguing about the differences between operating systems/frameworks and
software which uses the functions they provide. About accomplishing my goal, I
would like to remind you that my question contained phrases like "without
using 3rd party software" and "I'm not searching for some kind of third party
components/classes". I really thought that these sufficiently clearly outlined
my needs. This comes not from a desire to save money or anything similar, but
rather from the terms of the contract between our company and our clients, which
forces us not to use any 3rd party developments.

Now I would like to ask a question to Eugene. As I can see by your e-mail
address, you are working at Eldos, the company which has developed the
PKIBlackbox you offered me to use. Probably you are even one of its
developers. And who else, if not you, could give me the right advice on where
I should search for the information concerning my question. Of course, if you
do not feel that this will harm your company's interests somehow.

Best regards,
Vladimir Davidov
 
Jon Skeet [C# MVP]

Vladimir Davidov said:
OK, so as far as I understand the only answer in this thread, which can more
or less satisfy my needs is that of Lau Lei Cheong. I really do not feel like
arguing about the differences between operating systems/frameworks and
software, which uses functions they provide. About accomplishing my goal, I
would like to remind You, that my question contained phrases like: "without
using 3rd party software" and "I'm not searching for some kind of third party
components/classes"

It wasn't in your original question, which I would have thought would
contain your most important goals.
I really thought that these sufficiently clearly outlined
my needs. This comes not from desire to save money or whatever similar, but
rather from terms of contract between our company and our clients, which
forces us not to use any 3rd party developments.

If you'd mentioned that before, that would have been helpful. (I would
suggest trying to persuade them that 3rd party software is often useful
though. You're likely to end up re-inventing the wheel on any number of
issues.)

<snip>
 
Guest

OK, so as far as I understand, the only answer in this thread which can more
or less satisfy my needs is that of Lau Lei Cheong. I really do not feel like
arguing about the differences between operating systems/frameworks and
software which uses the functions they provide. About accomplishing my goal, I
would like to remind you that my question contained phrases like "without
using 3rd party software" and "I'm not searching for some kind of third party
components/classes". I really thought that these sufficiently clearly outlined
my needs. This comes not from a desire to save money or anything similar, but
rather from the terms of the contract between our company and our clients, which
forces us not to use any 3rd party developments.

Now I would like to ask a question to Eugene. As I can see by your e-mail
address, you are working at Eldos, the company which has developed the
PKIBlackbox you offered me to use. Probably you are even one of its
developers. And who else, if not you, could give me the right advice on where
I should search for the information concerning my question. Of course, if you
do not feel that this will harm your company's interests somehow.

There is never too much information.

Best regards,
Vladimir Davidov
 
Eugene Mayevski

Hello!
You wrote on Thu, 16 Jun 2005 08:43:04 -0700:

VD> right advice on where I should search for the information concerning my
VD> question. Of course If You do not feel, that this will harm Your
VD> company interests somehow.

The answer depends on the goals. If you need to complete some task, you
choose a tool. If you want to learn how to do things, you choose technologies. What
you are going for is PKI (X.509). So you can either start with reading the
books related to PKI (RSA Security's book "RSA Official Guide to
Cryptography" is the one I like), then read the standards related to X.509,
PKCS#7 and many more. The .NET stuff related to PKI is very limited, and
CryptoAPI is somewhat complex to deal with (not to mention that you will need to go
the P/Invoke way to do anything). Also, they offer much less than the
scope of tasks that you listed. This is why a third-party solution is
preferred. There are several open-source (hmm) .NET libraries which also do
some PKI stuff, but I really never looked at them.

With best regards,
Eugene Mayevski
 
Guest

OK, thank you Jon and thank you Eugene, your answers confirmed my suspicions
about the way I will have to go. I'm sorry if I've misled you by my original
post. I will definitely try to persuade our clients to agree to use
PKIBlackBox, but unfortunately I do not think that they will fall for it and
I will have to reinvent the wheel, as Jon said.

Best regards
Vladimir Davidov
 
Guest

Hi.

Did you get anywhere with this?

I have some code which does not work (C++ managed DLL). According to the
documentation I should be able to simply call:

pCertContext = CertCreateSelfSignCertificate(NULL, pIssuerName, 0, NULL,
NULL, NULL, NULL, &certExt);

and it will do everything in the code below automatically. However, if I do
that I get a Permission Denied error (0x5). If I use the code below I get no
cert context and no error!

I wondered if you ever got it working.



#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")
#pragma comment(lib, "advapi32.lib")

// pszName (key container name), pIssuerName (encoded subject/issuer name
// blob) and certExt (CERT_EXTENSIONS) are set up elsewhere in the DLL.
HCRYPTPROV hCSP = 0;
PCCERT_CONTEXT pCertContext = NULL;
BOOL bAcquired;

// Open the named key container in the Enhanced RSA CSP; if it does not
// exist yet, create it.
bAcquired = CryptAcquireContext(&hCSP, pszName, MS_ENHANCED_PROV,
    PROV_RSA_FULL, 0) == TRUE;
if (!bAcquired)
{
    bAcquired = CryptAcquireContext(&hCSP, pszName, MS_ENHANCED_PROV,
        PROV_RSA_FULL, CRYPT_NEWKEYSET) == TRUE;
}
if (bAcquired)
{
    // Reuse the container's AT_SIGNATURE key, or generate one if there is none.
    HCRYPTKEY hSignKey = 0;
    if (!CryptGetUserKey(hCSP, AT_SIGNATURE, &hSignKey))
    {
        CryptGenKey(hCSP, AT_SIGNATURE, 0, &hSignKey);
    }

    // Self-sign a certificate over that key. Read GetLastError() right
    // after the call, before any other API call can overwrite it.
    pCertContext = CertCreateSelfSignCertificate(hCSP, pIssuerName, 0, NULL,
        NULL, NULL, NULL, &certExt);
    DWORD dwError = GetLastError();

    if (hSignKey)
        CryptDestroyKey(hSignKey);
    CryptReleaseContext(hCSP, 0);
}
 
