
I'm working on an application written in C# where I basically need to act as my own certificate authority. The data flow is something like this:

  • The end user generates a public/private key pair and sends me proof of their identity and a certificate request of some kind with their public key
  • The app validates their ID
  • When the validation is complete, the app generates an X.509 certificate, based on a local, self-signed root, and sends it to the user
  • The user signs a file using the certificate, and sends the file to the app
  • The app validates the file against the signature, and stores the results in SQL Server.

My questions:

  • Do you know of a tutorial or code examples that describe how to create and use an X.509 certificate as described above, without relying on an external CA and without calling command line utilities or using COM objects? I've looked at the X509Certificate2 class, but the examples in MSDN don't show what I'm after.
  • Is it possible to use SQL Server 2008+ to do some of the certificate handling? Perhaps using CREATE CERTIFICATE FROM FILE and BACKUP CERTIFICATE?
  • If it can't be done with the standard Windows libraries, can it be done with the C# Bouncy Castle library? If so, are there some good code examples?
RickNZ

2 Answers


The concise example of certgen with Bouncy Castle

http://netpl.blogspot.com/2012/12/how-to-create-x509certificate2.html

I've also blogged on signing and validating of xml documents

http://netpl.blogspot.com/2012/12/interoperable-xml-digital-signatures-c_4247.html

Wiktor Zychla

I think you will change your mind about using command-line utilities, but assuming you don't, I don't have the answer because I haven't done it, but here are a few tips.

I'm confident this can be done with the bouncycastle C# library. The library is basically undocumented though. What I would do is first download an earlier version of the bouncycastle Java library, for example version 1.45. The reason for downloading the earlier version is that it more closely resembles the current C# library. The Java API underwent some radical changes as of the 1.47 release. The reason for downloading the Java library at all is that most of the functionality and classes are the same for both, and the Java API at least contains Javadocs that can be perused with a web browser. I always have the Javadocs, the Java source code, and the C# source code for the library at hand when coding with the C# library. I know this sounds horrible, but it is not that bad. The C# source code (and the Java as well) is very readable and well written, so progress can be made.

The user's certificate request should be a PKCS10 certificate request. There is a class Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest that you should use. Use the Pkcs10CertificationRequest(byte []) constructor to create an instance of this class. The superclass of this class, Org.BouncyCastle.Asn1.Pkcs.CertificationRequest, has a method GetCertificationRequestInfo that will return a CertificationRequestInfo instance. This can be used to extract the pieces of the certificate request, and then you can use Wiktor's answer to create an X509 certificate.

President James K. Polk
  • Thanks for the info about certificate requests. One reason I don't want to use command-line utilities is that they really aren't suitable for large-scale, high-volume back-end processing. – RickNZ Jan 05 '13 at 04:45
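A worked example of the flow the two answers sketch (parse the PKCS#10 request, check its self-signature as proof of key possession, then issue a certificate signed by the local root). This is added example code, not from either answer or from the Bouncy Castle project; it assumes the current Bouncy Castle C# API (ISignatureFactory / Asn1SignatureFactory), and `caCert`/`caKey` are the locally generated root certificate and its private key, loaded however you already do that.

```csharp
using System;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Extension;

public static class LocalCa
{
    // Hypothetical helper (not a library API): takes a DER-encoded PKCS#10 request and
    // returns an end-entity certificate signed by the local self-signed root.
    public static X509Certificate IssueFromCsr(byte[] csrDer, X509Certificate caCert, AsymmetricKeyParameter caKey)
    {
        var csr = new Pkcs10CertificationRequest(csrDer);

        // Proof of possession: the request must verify under the public key it carries.
        if (!csr.Verify())
            throw new InvalidOperationException("CSR signature invalid: requester does not hold the private key");

        CertificationRequestInfo info = csr.GetCertificationRequestInfo();
        AsymmetricKeyParameter subjectKey = csr.GetPublicKey();

        var gen = new X509V3CertificateGenerator();
        gen.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), new SecureRandom()));
        gen.SetIssuerDN(caCert.SubjectDN);
        gen.SetSubjectDN(info.Subject);   // only trust this name after your own ID validation step has passed
        gen.SetNotBefore(DateTime.UtcNow.AddMinutes(-5));
        gen.SetNotAfter(DateTime.UtcNow.AddYears(1));
        gen.SetPublicKey(subjectKey);

        // Constrain the issued certificate: not a CA, signing only, and link it to the root.
        gen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        gen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.NonRepudiation));
        gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
        gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(subjectKey));

        ISignatureFactory signer = new Asn1SignatureFactory("SHA256WITHRSA", caKey, new SecureRandom());
        X509Certificate cert = gen.Generate(signer);

        cert.Verify(caCert.GetPublicKey());   // throws if the new certificate does not chain to the local root
        return cert;
    }
}
```

The result converts to the .NET type with `new X509Certificate2(cert.GetEncoded())` if the rest of the application works with System.Security.Cryptography.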