
Is it possible to create an X.509v3 certificate that contains a Diffie-Hellman public key and sign it using the DSA or ECDSA algorithm?

I hope to do this using makecert.

Thank you very much.

Bruno Rohée
Mely

1 Answer

makecert supports only DSA, not ECDSA. That's because it is based on Crypto API 1.0 that doesn't support elliptic curves. Elliptic curves are supported by CNG which is the replacement of CryptoAPI.

Here is an example of makecert command lines that will enable you to have DSA certificates signed with a DSA root.

  1. First, we create a DSA root certificate that will sign our users' DSA certificates.

makecert.exe -sp "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider" -sy 13 -ss ROOT -sv MyDSARootKey.pvk -pe -r -n "CN=DSA Root CA" -cy authority MyDSARootCert.crt

This will put the root certificate in the ROOT store and it will create the PVK and CRT files associated with it. Notice the "-r" switch indicating a self-signed certificate.

  2. Then, we generate an end user certificate signed by this root:

makecert.exe -sp "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider" -sy 13 -ss MY -sk UserKeyName -pe -n "CN=User Name" -cy end -iv MyDSARootKey.pvk -ic MyDSARootCert.crt -ip "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider" -iy 13 MyUserCert.crt

This will put the user certificate in the MY store. The user key is generated inside the CSP whereas the root key has been put on a PVK file. If you want, you can also tell makecert to create a PVK file for the user using the switch "-sv".

I hope this will help. Cheers,

Mounir IDRASSI

IDRIX http://www.idrix.fr

Mounir IDRASSI
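To check what the two makecert commands in the answer above actually produced, the following PowerShell sketch reads both .crt files, reports the subject public key algorithm and the signature algorithm by OID, and confirms that the user certificate chains to the DSA root. It is an added example, not part of the original answer; the file names are the ones used in the answer, and the helper names `Read-Crt`, `Get-CertAlgorithms` and `Test-IssuedBy` are hypothetical.

```powershell
# Added example. Assumes MyDSARootCert.crt and MyUserCert.crt (the file names
# from the answer) are in the current directory.

# Well-known public-key algorithm OIDs, used to tell a DSA key from a DH key.
$KeyOids = @{
    '1.2.840.10040.4.1'    = 'DSA'
    '1.2.840.10046.2.1'    = 'Diffie-Hellman (X9.42 dhpublicnumber)'
    '1.2.840.10045.2.1'    = 'EC'
    '1.2.840.113549.1.1.1' = 'RSA'
}

function Read-Crt {            # hypothetical helper: load a certificate file
    param([Parameter(Mandatory = $true)][string]$Path)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path -LiteralPath $Path).Path
}

function Get-CertAlgorithms {  # hypothetical helper: summarize key and signature
    param([Parameter(Mandatory = $true)]$Cert)
    $keyOid  = $Cert.PublicKey.Oid.Value
    $keyType = $KeyOids[$keyOid]
    if (-not $keyType) { $keyType = 'other' }
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        SubjectKeyOid = $keyOid
        SubjectKey    = $keyType
        SignatureOid  = $Cert.SignatureAlgorithm.Value
        Signature     = $Cert.SignatureAlgorithm.FriendlyName
    }
}

function Test-IssuedBy {       # hypothetical helper: does $Cert chain to $Root?
    param($Cert, $Root)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookup for these locally issued test certificates.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    $built = $chain.Build($Cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $built -and ($top.Thumbprint -eq $Root.Thumbprint)
}

$root = Read-Crt .\MyDSARootCert.crt
$user = Read-Crt .\MyUserCert.crt
$root, $user | ForEach-Object { Get-CertAlgorithms $_ } | Format-List
"User certificate chains to the DSA root: $(Test-IssuedBy $user $root)"
```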