I have a self-signed root certificate that I generated in C# using CERTENROLL.dll's CX509CertificateRequestCertificate functionality.
I would like to write a function that generates client certificates signed by my root using the same API. However, the only CertEnroll option I can find that does not generate a self-signed certificate requires an authenticated CA.
There seems to be a flag for setting a SignerCertificate, but it always fails to initialize.
using System;
using CERTENROLLLib;

// Initialize the certificate request object
var cert = new CX509CertificateRequestCertificate();
// Take care of the signer: 'issuer' is the CX500DistinguishedName of the root,
// 'SEScert' is the root as a System.Security.Cryptography.X509Certificates.X509Certificate2
cert.Issuer = issuer;
CSignerCertificate sc = new CSignerCertificate();
var raw = SEScert.GetRawCertData();
var rawStr = Convert.ToBase64String(raw);
sc.Initialize(false, X509PrivateKeyVerify.VerifyNone,
    EncodingType.XCN_CRYPT_STRING_BASE64, rawStr); // fails here
cert.SignerCertificate = sc;
Does anyone know how I can generate a client CX509CertificateRequest signed by my root?
Any help or advice would be greatly appreciated.
I was able to solve this.
The encoding of SEScert is a hex string, not base64; also, the machine context should be set to true, not false. The correct code looks as follows:
// Hex-encoded DER from GetRawCertDataString(), machine context = true
ISignerCertificate signerCertificate = new CSignerCertificate();
signerCertificate.Initialize(true, X509PrivateKeyVerify.VerifyNone,
    EncodingType.XCN_CRYPT_STRING_HEX, SEScert.GetRawCertDataString());
// The SignerCertificate property takes the CSignerCertificate coclass type
cert.SignerCertificate = (CSignerCertificate)signerCertificate;
Hope this helps others in the future.
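The full flow the answer above relies on, as an added example that is not the poster's own code: a fresh key, a client-auth request, the root attached as signer exactly as in the fix (hex encoding, machine context), then install and PFX export. It assumes the root certificate and its private key are present in the LocalMachine store, since that is where CertEnroll looks for the signer's key when MachineContext is true; the names IssueClientCertPfx, subjectDn and pfxPassword are mine.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using CERTENROLLLib;

static class ClientCertIssuer
{
    // Issues a TLS client-auth certificate signed by rootCert via CertEnroll.
    // Assumption: rootCert and its private key live in the LocalMachine store.
    public static string IssueClientCertPfx(X509Certificate2 rootCert,
                                            string subjectDn, string pfxPassword)
    {
        // 1. New 2048-bit RSA key pair for the client certificate.
        var key = new CX509PrivateKey
        {
            ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider",
            KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE,
            Length = 2048,
            MachineContext = true,
            ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG,
        };
        key.Create();

        // 2. Request bound to that key, no template.
        var cert = new CX509CertificateRequestCertificate();
        cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, key, "");
        var subject = new CX500DistinguishedName();
        subject.Encode(subjectDn, X500NameFlags.XCN_CERT_NAME_STR_NONE);
        cert.Subject = subject;
        // Issuer must equal the root's subject or chain building fails later.
        var issuer = new CX500DistinguishedName();
        issuer.Encode(rootCert.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
        cert.Issuer = issuer;
        cert.NotBefore = DateTime.UtcNow.AddMinutes(-5);
        cert.NotAfter = DateTime.UtcNow.AddYears(1);

        // 3. Signer: hex-encoded DER, machine context (the fix from the answer).
        var signer = new CSignerCertificate();
        signer.Initialize(true, X509PrivateKeyVerify.VerifyNone,
            EncodingType.XCN_CRYPT_STRING_HEX, rootCert.GetRawCertDataString());
        cert.SignerCertificate = signer;

        // 4. Limit use to client authentication (EKU 1.3.6.1.5.5.7.3.2).
        var clientAuth = new CObjectId();
        clientAuth.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        var ekus = new CObjectIds();
        ekus.Add(clientAuth);
        var eku = new CX509ExtensionEnhancedKeyUsage();
        eku.InitializeEncode(ekus);
        cert.X509Extensions.Add((CX509Extension)eku);
        cert.Encode();

        // 5. Install into the machine store, then export key + chain as PFX.
        var enroll = new CX509Enrollment();
        enroll.InitializeFromRequest(cert);
        enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
            enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64),
            EncodingType.XCN_CRYPT_STRING_BASE64, "");
        return enroll.CreatePFX(pfxPassword, PFXExportOptions.PFXExportChainWithRoot,
            EncodingType.XCN_CRYPT_STRING_BASE64);
    }
}
```

If the root's private key is not reachable from the machine store, Encode() fails with a "key not found" style COM error even though Initialize on the signer succeeded, so check that first when debugging.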
Source: https://stackoverflow.com/questions/17756940/c-sharp-generate-a-non-self-signed-client-cx509certificate-request-without-a-ca