Sunday, 15 June 2014

C# - When requesting a certificate, how do I get a PFX blob?




The following code is used to request a certificate from an ADCS instance.

How do I extract the request, and the finalized PFX blob (and password-protect it), for external storage?

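using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
// Add the CertEnroll (CERTENROLLLib) and CertCli (CERTCLIENTLib) COM interop namespaces.
using CERTENROLLLib;
using CERTCLIENTLib;

namespace CATest
{
    /// <summary>
    /// Minimal WinForms sample that drives the three steps of an ADCS enrollment:
    /// build a PKCS#10 request (createRequestButton_Click), submit it to a CA and
    /// fetch the issued certificate (sendRequestButton_Click), and install the CA
    /// response into the current user's store (acceptPkcs7Button_Click).
    /// Errors in every handler are surfaced to the user with a MessageBox (UI boundary).
    /// </summary>
    public partial class Form1 : Form
    {
        // ICertConfig.GetConfig flags.
        private const int CC_DEFAULTCONFIG = 0;
        private const int CC_UIPICKCONFIG = 0x1;

        // ICertRequest.Submit input-format flags.
        private const int CR_IN_BASE64 = 0x1;
        private const int CR_IN_FORMATANY = 0;
        private const int CR_IN_PKCS10 = 0x100;

        // ICertRequest.Submit disposition codes.
        private const int CR_DISP_ISSUED = 0x3;
        private const int CR_DISP_UNDER_SUBMISSION = 0x5;

        // ICertRequest.GetCertificate output flags.
        private const int CR_OUT_BASE64 = 0x1;
        private const int CR_OUT_CHAIN = 0x100;

        public Form1()
        {
            InitializeComponent();
        }

        /// <summary>
        /// Generates a new key pair in the user context and a base64 PKCS#10 request
        /// for it, and shows the request in requestText.
        /// </summary>
        private void createRequestButton_Click(object sender, EventArgs e)
        {
            // Create all the objects that will be required.
            CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10Class();
            CX509PrivateKey objPrivateKey = new CX509PrivateKeyClass();
            CCspInformation objCSP = new CCspInformationClass();
            CCspInformations objCSPs = new CCspInformationsClass();
            CX500DistinguishedName objDN = new CX500DistinguishedNameClass();
            CX509Enrollment objEnroll = new CX509EnrollmentClass();
            CObjectIds objObjectIds = new CObjectIdsClass();
            CObjectId objObjectId = new CObjectIdClass();
            CX509ExtensionKeyUsage objExtensionKeyUsage = new CX509ExtensionKeyUsageClass();
            CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsageClass();
            string strRequest;

            try
            {
                requestText.Text = "";

                // Initialize the CSP object using the desired Cryptographic Service Provider (CSP).
                objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");

                // Add this CSP object to the CSP collection object.
                objCSPs.Add(objCSP);

                // Provide key container name, key length and key spec to the private key object.
                //objPrivateKey.ContainerName = "alejacma";
                // 2048 bits: the original sample used 1024, which is below the minimum that
                // current CA templates typically accept and is no longer considered adequate for RSA.
                objPrivateKey.Length = 2048;
                objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
                // NOTE(review): XCN_AT_SIGNATURE asks for a signature-only legacy key, while the
                // key usage extension below also requests key/data encipherment — confirm the
                // intended key spec against the certificate template.
                objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
                objPrivateKey.MachineContext = false;

                // Provide the CSP collection object (in this case containing only 1 CSP object)
                // to the private key object.
                objPrivateKey.CspInformations = objCSPs;

                // Create the actual key pair.
                objPrivateKey.Create();

                // Initialize the PKCS#10 certificate request object based on the private key.
                // Using the context, indicate that this is a user certificate request and don't
                // provide a template name.
                objPkcs10.InitializeFromPrivateKey(
                    X509CertificateEnrollmentContext.ContextUser,
                    objPrivateKey,
                    "");

                // Key Usage extension.
                objExtensionKeyUsage.InitializeEncode(
                    X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
                    X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
                    X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
                    X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
                objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);

                // Enhanced Key Usage extension.
                objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // OID for Client Authentication usage
                objObjectIds.Add(objObjectId);
                objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
                objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);

                // Encode the name using the Distinguished Name object.
                objDN.Encode("CN=alejacma", X500NameFlags.XCN_CERT_NAME_STR_NONE);

                // Assign the subject name using the Distinguished Name object initialized above.
                objPkcs10.Subject = objDN;

                // Create the enrollment request.
                objEnroll.InitializeFromRequest(objPkcs10);
                strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);

                requestText.Text = strRequest;
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }

        /// <summary>
        /// Submits the base64 request in requestText to a CA chosen through the
        /// CertCli picker UI and, if the CA issues immediately, shows the base64
        /// certificate (with chain) in responseText. Pending or failed dispositions
        /// are reported and leave responseText untouched.
        /// </summary>
        private void sendRequestButton_Click(object sender, EventArgs e)
        {
            // Create all the objects that will be required.
            CCertConfig objCertConfig = new CCertConfigClass();
            CCertRequest objCertRequest = new CCertRequestClass();
            string strCAConfig;
            string strRequest;
            int iDisposition;
            string strDisposition;
            string strCert;

            try
            {
                strRequest = requestText.Text;

                // Get the CA config from the UI picker.
                //strCAConfig = objCertConfig.GetConfig(CC_DEFAULTCONFIG);
                strCAConfig = objCertConfig.GetConfig(CC_UIPICKCONFIG);

                // Submit the request.
                iDisposition = objCertRequest.Submit(
                    CR_IN_BASE64 | CR_IN_FORMATANY,
                    strRequest,
                    null,
                    strCAConfig);

                // Check the submission status.
                if (CR_DISP_ISSUED != iDisposition) // Not enrolled
                {
                    strDisposition = objCertRequest.GetDispositionMessage();

                    if (CR_DISP_UNDER_SUBMISSION == iDisposition) // Pending
                    {
                        MessageBox.Show("The submission is pending: " + strDisposition);
                        return;
                    }
                    else // Failed
                    {
                        MessageBox.Show("The submission failed: " + strDisposition);
                        MessageBox.Show("Last status: " + objCertRequest.GetLastStatus().ToString());
                        return;
                    }
                }

                // Get the certificate (with its chain).
                strCert = objCertRequest.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN);

                responseText.Text = strCert;
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }

        /// <summary>
        /// Installs the CA response held in responseText into the current user's
        /// certificate store, binding it to the key pair created earlier.
        /// </summary>
        private void acceptPkcs7Button_Click(object sender, EventArgs e)
        {
            // Create all the objects that will be required.
            CX509Enrollment objEnroll = new CX509EnrollmentClass();
            string strCert;

            try
            {
                strCert = responseText.Text;

                // Install the certificate.
                // AllowUntrustedRoot accepts a response whose chain does not end in a trusted
                // root; that suits a lab CA but in production AllowNone is the safer choice so
                // that a response from an unexpected CA is rejected rather than installed.
                objEnroll.Initialize(X509CertificateEnrollmentContext.ContextUser);
                objEnroll.InstallResponse(
                    InstallResponseRestrictionFlags.AllowUntrustedRoot,
                    strCert,
                    EncodingType.XCN_CRYPT_STRING_BASE64,
                    null);

                MessageBox.Show("Certificate installed!");
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }
    }
}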

The problem is that I don't want this code to store the crypto material in Windows DPAPI, and in particular I don't want to "install" the certificate, since the crypto material needs to be securely sent to and shared among multiple computers.

The particular lines of code I'm having a problem with are these:

// Install the certificate into the current user's store; this is the step that
// hands the key material to the Windows store (DPAPI-protected) rather than to
// an external blob.
objEnroll.Initialize(X509CertificateEnrollmentContext.ContextUser);
objEnroll.InstallResponse(
    InstallResponseRestrictionFlags.AllowUntrustedRoot,
    strCert,
    EncodingType.XCN_CRYPT_STRING_BASE64,
    null);

I want to save and import the certificate request into a custom store... once again, not DPAPI.

You can call the CreatePFX method on the objEnroll instance in the acceptPkcs7Button_Click method:

// Export the enrolled certificate, its chain (including the root) and the private
// key as a base64 PFX protected by the given password. The PFX contains the private
// key, so the blob and the password must be protected in transit and at rest; the
// literal here is the answer's sample value — in real code take the password from
// secure configuration rather than a hard-coded string.
objEnroll.CreatePFX(
    "s3cret!",
    PFXExportOptions.PFXExportChainWithRoot,
    EncodingType.XCN_CRYPT_STRING_BASE64);


