3

I have a self-signed root certificate that I generated in C# using CERTENROLL.dll's CX509CertificateRequestCertificate functionality.

I would like to write a function that generates client certificates signed by my root using the same API. However, the only CertEnroll option I can find that does not generate a self-signed certificate requires an authenticated CA.

There seems to be a flag for setting a SignerCertificate, but it always fails to initialize.

        // Initialize the certificate request
        var cert = new CX509CertificateRequestCertificate();
        // Take care of the signer (SEScert: the root certificate, an X509Certificate2)
        cert.Issuer = issuen;
        CSignerCertificate sc = new CSignerCertificate();
        var raw = SEScert.GetRawCertData();
        var rawStr = Convert.ToBase64String(raw);
        sc.Initialize(false, X509PrivateKeyVerify.VerifyNone,
                      EncodingType.XCN_CRYPT_STRING_BASE64, rawStr); // fails here
        cert.SignerCertificate = sc;

Does anyone know how I can generate a client CX509CertificateRequest signed by my root?

Any help or advice would be greatly appreciated.

Ari

1 Answer

5

I was able to solve this.

The encoding of SEScert is a hex string, not base64; also, the machine context should be set to true, not false. The correct code looks as follows:

    ISignerCertificate signerCertificate = new CSignerCertificate();
    // MachineContext = true; the raw certificate is passed as a hex string
    signerCertificate.Initialize(true, X509PrivateKeyVerify.VerifyNone,
                                 EncodingType.XCN_CRYPT_STRING_HEX, SEScert.GetRawCertDataString());
    cert.SignerCertificate = (CSignerCertificate)signerCertificate;

Hope this helps others in the future.

Ari
  • Wow, really glad someone figured it out before me. It took me ages to find this post. Thank you! – misha Aug 19 '16 at 20:38
  • I could kiss you man. I just needed to use `EncodingType.XCN_CRYPT_STRING_HEXRAW` to get this to work. – Dinei Dec 07 '16 at 19:07
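As an added example (not the poster's code), here is the answer's CSignerCertificate fix placed in a complete CertEnroll routine that issues a client-authentication leaf signed by the root and returns it as a base64 PFX. It assumes `root` is the self-signed root loaded from the LocalMachine\My store together with its private key, that the process may enroll in the machine context (administrative rights), and that the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using CERTENROLLLib;   // COM interop for CertEnroll.dll

static class ClientCertIssuer
{
    // root: self-signed root from LocalMachine\My with its private key; MachineContext=true below looks for it there.
    public static string IssueClientPfx(X509Certificate2 root, string subjectCn, string pfxPassword)
    {
        // New 2048-bit RSA key for the client, in the machine context to match the request
        var key = new CX509PrivateKey {
            ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider",
            KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE, Length = 2048, MachineContext = true,
            ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG };
        key.Create();
        var cert = new CX509CertificateRequestCertificate();
        cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, key, "");
        var subject = new CX500DistinguishedName();
        subject.Encode("CN=" + subjectCn, X500NameFlags.XCN_CERT_NAME_STR_NONE);
        cert.Subject = subject;
        var issuer = new CX500DistinguishedName();   // must match the root's subject exactly
        issuer.Encode(root.Subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
        cert.Issuer = issuer;
        cert.NotBefore = DateTime.UtcNow.AddMinutes(-5);
        cert.NotAfter = DateTime.UtcNow.AddYears(1);
        // Restrict the leaf to client authentication (EKU 1.3.6.1.5.5.7.3.2)
        var clientAuth = new CObjectId();
        clientAuth.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        var ekuOids = new CObjectIds();
        ekuOids.Add(clientAuth);
        var eku = new CX509ExtensionEnhancedKeyUsage();
        eku.InitializeEncode(ekuOids);
        cert.X509Extensions.Add((CX509Extension)eku);
        // The answer's fix: hex-encoded raw cert, machine context, no private-key check at init
        var signer = new CSignerCertificate();
        signer.Initialize(true, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_HEX, root.GetRawCertDataString());
        cert.SignerCertificate = signer;
        var sha256 = new CObjectId();   // sign with SHA-256 instead of the SHA-1 default
        sha256.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
            ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, AlgorithmFlags.AlgorithmFlagsNone, "SHA256");
        cert.HashAlgorithm = sha256;
        cert.Encode();
        // Enroll: install the signed leaf into LocalMachine\My and export leaf plus chain as PFX
        var enroll = new CX509Enrollment();
        enroll.InitializeFromRequest(cert);
        string signed = enroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
        enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate, signed, EncodingType.XCN_CRYPT_STRING_BASE64, "");
        return enroll.CreatePFX(pfxPassword, PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64);
    }
}
```

The hex string passed to Initialize carries only the public certificate, so CertEnroll has to find the root's private key through the machine store; if the root was imported without its key, Encode() fails even though Initialize succeeded.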