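/// <summary>
/// Decodes a base64 PKCS#10 certificate signing request with the CertEnroll COM API and
/// builds the application's <see cref="CertificateRequest"/> from its subject and public key.
/// </summary>
/// <param name="csr">The PKCS#10 request, base64 encoded (PEM headers are accepted by XCN_CRYPT_STRING_BASE64_ANY).</param>
/// <returns>The decoded request after <c>ImproveDeserializedCsrFidelity</c> has applied the public key.</returns>
/// <exception cref="ArgumentException"><paramref name="csr"/> is null, empty or whitespace.</exception>
/// <exception cref="InvalidOperationException">The CertEnroll PKCS#10 COM class is not registered on this machine.</exception>
        {
            if (string.IsNullOrWhiteSpace(csr))
            {
                throw new ArgumentException("A PKCS#10 request is required.", nameof(csr));
            }

            // Type.GetTypeFromProgID returns null when the COM class is not registered, and
            // Activator.CreateInstance(null) would then fail with an unrelated ArgumentNullException;
            // report the real cause instead.
            Type pkcs10Type = Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10");
            if (pkcs10Type == null)
            {
                throw new InvalidOperationException("The CertEnroll class X509Enrollment.CX509CertificateRequestPkcs10 is not registered on this machine.");
            }

            IX509CertificateRequestPkcs10 pkcs10 = (IX509CertificateRequestPkcs10)Activator.CreateInstance(pkcs10Type);

            // Parse the request; CertEnroll validates the encoding and raises a COMException on malformed input.
            pkcs10.InitializeDecode(csr, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
            CertificateSubject subject = BuildSubject(pkcs10.Subject);

            // Start from a plain PKCS#10 request and let the helper copy the decoded public key onto it.
            CertificateRequest request = new CertificateRequest(subject, SigningRequestProtocol.Pkcs10, false);
            return ImproveDeserializedCsrFidelity(request, pkcs10.PublicKey);
        }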
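        /// <summary>
        /// Enrolls for a certificate from the named template in the current user's context,
        /// replacing the request subject with <paramref name="subjectName"/> and setting the
        /// certificate's friendly name before calling <c>Enroll()</c>. When the CA issues the
        /// certificate, CertEnroll installs it in the user's MY store.
        /// </summary>
        /// <param name="templateName">Name of the certificate template to enroll from.</param>
        /// <param name="subjectName">X.500 distinguished name string used as the request subject.</param>
        /// <param name="friendlyName">Friendly name stored with the enrolled certificate.</param>
        /// <exception cref="InvalidOperationException">The innermost request produced for the template is not a PKCS#10 request.</exception>
        public static void EnrollCert(
            string templateName,
            string subjectName,
            string friendlyName)
        {
            // CX509EnrollmentClass would work as well; the coclass wrapper is used here.
            CX509Enrollment objEnroll = new CX509Enrollment();

            objEnroll.InitializeFromTemplateName(
                X509CertificateEnrollmentContext.ContextUser,
                templateName);

            // The enrollment object's request may wrap the PKCS#10 request; the subject is set
            // on the innermost request.
            IX509CertificateRequest iRequest = objEnroll.Request;
            IX509CertificateRequest iInnerRequest =
                iRequest.GetInnerRequest(InnerRequestLevel.LevelInnermost);
            IX509CertificateRequestPkcs10 iRequestPkcs10 =
                iInnerRequest as IX509CertificateRequestPkcs10;

            // Without this check a non-PKCS#10 inner request surfaces as a NullReferenceException
            // on the Subject assignment below.
            if (iRequestPkcs10 == null)
            {
                throw new InvalidOperationException(
                    "The innermost request for template '" + templateName + "' is not a PKCS#10 request.");
            }

            // Encode the subject string as an X.500 name with default formatting rules.
            CX500DistinguishedName objName = new CX500DistinguishedName();
            objName.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
            iRequestPkcs10.Subject = objName;

            objEnroll.CertificateFriendlyName = friendlyName;

            // Enroll; on a successful issuance CertEnroll installs the certificate in the MY store.
            objEnroll.Enroll();
        }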
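        /// <summary>
        /// Entry point: generates a new non-exportable key, builds a PKCS#10 request for
        /// <c>template</c>, wraps it in a PKCS#7 request signed by the signer certificate with
        /// <c>requesterName</c> as the requester, submits it to <c>caName</c> and installs the
        /// issued certificate in the current user's store.
        /// </summary>
        /// <param name="args">Unused; requester, CA and signer thumbprint are hard-coded sample values.</param>
        static void Main(string[] args)
        {
            string requesterName = @"DOMAIN\otherUser";
            string caName        = @"CA1.DOMAIN.LOCAL\DOMAIN-CA1-CA";
            string template      = "User";

            // signerCertificate's private key must be accessible to this process
            var signerCertificate = FindCertificateByThumbprint("3f817d138f32a9a8df2aa6e43b8aed76eb93a932");
            if (signerCertificate == null)
            {
                // Without this guard the failure shows up later as a NullReferenceException
                // at GetRawCertData(), which hides the real cause.
                Console.WriteLine("signer certificate not found in the certificate store");
                Console.ReadLine();
                return;
            }

            // create a new private key for the certificate
            CX509PrivateKey privateKey = new CX509PrivateKey();

            // http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx
            privateKey.ProviderName   = "Microsoft Enhanced Cryptographic Provider v1.0";
            privateKey.MachineContext = false; // user key store, not the machine store
            privateKey.Length         = 2048;
            privateKey.KeySpec        = X509KeySpec.XCN_AT_KEYEXCHANGE;
            privateKey.ExportPolicy   = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE; // key is never exportable
            privateKey.Create();

            // PKCS 10 Request
            // we use v1 to avoid compat issues on w2k8
            IX509CertificateRequestPkcs10 req = (IX509CertificateRequestPkcs10) new CX509CertificateRequestPkcs10();
            req.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, privateKey, template);

            // PKCS 7 Wrapper: the outer request is signed with signerCertificate and names
            // requesterName as the entity the certificate is requested for.
            var signer = new CSignerCertificate();

            // VerifyAllowUI lets the private-key check show a prompt; VerifySilent is the
            // choice for unattended runs.
            signer.Initialize(false, X509PrivateKeyVerify.VerifyAllowUI, EncodingType.XCN_CRYPT_STRING_BASE64_ANY,
                              Convert.ToBase64String(signerCertificate.GetRawCertData()));

            var wrapper = new CX509CertificateRequestPkcs7();
            wrapper.InitializeFromInnerRequest(req);
            wrapper.RequesterName     = requesterName;
            wrapper.SignerCertificate = signer;

            // get CSR
            var enroll = new CX509Enrollment();
            enroll.InitializeFromRequest(wrapper);
            var csr = enroll.CreateRequest();
            //File.WriteAllText("csr.p7b", csr);

            // submit (CertCli flag values: CR_IN_BASE64 = 1, CR_IN_PKCS7 = 0x300, CR_OUT_BASE64 = 1)
            const int     CR_IN_BASE64 = 1, CR_OUT_BASE64 = 1;
            const int     CR_IN_PKCS7 = 0x300;
            ICertRequest2 liveCsr     = new CCertRequest();
            var           disposition = (RequestDisposition)liveCsr.Submit(CR_IN_BASE64 | CR_IN_PKCS7, csr, null, caName);

            switch (disposition)
            {
                case RequestDisposition.CR_DISP_ISSUED:
                {
                    string resp = liveCsr.GetCertificate(CR_OUT_BASE64);
                    //File.WriteAllText("resp.cer", resp);

                    // install the response
                    var install = new CX509Enrollment();
                    install.Initialize(X509CertificateEnrollmentContext.ContextUser);

                    // AllowUntrustedRoot installs the certificate even when its chain does not end
                    // in a trusted root. That suits a lab CA; against a production CA use
                    // InstallResponseRestrictionFlags.AllowNone so an unexpected issuer is rejected here.
                    install.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedRoot,
                                            resp, EncodingType.XCN_CRYPT_STRING_BASE64_ANY, null);
                    break;
                }

                case RequestDisposition.CR_DISP_UNDER_SUBMISSION:
                {
                    // The request is pending on the CA; the original code reported this like any
                    // other failure. The request id is what is needed to retrieve the certificate later.
                    Console.WriteLine("pending: request id " + liveCsr.GetRequestId());
                    break;
                }

                default:
                {
                    // denied, error, incomplete, ...: the CA's disposition message says why
                    Console.WriteLine("disp: " + disposition + " - " + liveCsr.GetDispositionMessage());
                    break;
                }
            }

            Console.WriteLine("done");
            Console.ReadLine();
        }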