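/// <summary>
/// Create a new Subordinate CA certificate request using the setup parameters from a CAConfig object.
/// A CAPI key is generated for the CA, the PKCS#10 request is signed with it (proof of possession)
/// and a pending CA config file is written. No certificate is issued here; the request is returned
/// for submission to the issuing CA.
/// </summary>
/// <remarks>Only System (CAPI) cryptography supported: <c>Config.FIPS140</c> must be set</remarks>
/// <param name="Config">CAConfig object describing the CA to create</param>
/// <returns>PKCS#10 certificate request, signed and verified</returns>
/// <exception cref="ArgumentNullException"><paramref name="Config"/> is null</exception>
/// <exception cref="ArgumentException"><c>Config.profile</c> is not <c>CA_Profile.SubCA</c></exception>
/// <exception cref="InvalidParameterException"><c>Config.FIPS140</c> is false</exception>
/// <exception cref="SignatureException">The proof-of-possession signature does not verify</exception>
public static Pkcs10CertificationRequest CreateSubCA(CAConfig Config)
{
    if (Config == null)
    {
        throw new ArgumentNullException("Config");
    }
    if (Config.profile != CA_Profile.SubCA)
    {
        // ArgumentException's second argument is the parameter *name*; the offending value belongs in the message
        throw new ArgumentException("Invalid profile specified: " + Config.profile, "Config");
    }
    if (!Config.FIPS140)
    {
        throw new InvalidParameterException("Only FIPS mode supported");
    }

    // Serial number: 64 bits from the system CSPRNG instead of DateTime.Now.Ticks, so the value is
    // neither predictable nor liable to collide when two CAs are created in the same clock tick.
    // Sign 1 keeps the BigInteger positive whatever the top bit is.
    byte[] serialBytes = new byte[8];
    using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(serialBytes);
    }
    BigInteger serialNumber = new BigInteger(1, serialBytes);

    // Key material: a CSP key container named after the CA
    CspParameters cspParam = SysKeyManager.Create(Config.pkSize, Config.pkAlgo, Config.name);

    // PKCS#10 request, built unsigned because the private key never leaves the CSP
    Pkcs10CertificationRequestDelaySigned p10 = new Pkcs10CertificationRequestDelaySigned(
        Config.sigAlgo,
        Config.DN,
        SysKeyManager.getPublicKey(cspParam, Config.pkAlgo),
        null);

    // Proof-of-possession signature produced through the CSP, then attached to the request
    byte[] toBeSigned = p10.GetDataToSign();
    byte[] signature = SysSigner.Sign(toBeSigned, cspParam, Config.sigAlgo);
    p10.SignRequest(signature);

    // Verify before anything is persisted: a request with a bad POP signature must not reach the issuing CA
    if (!p10.Verify())
    {
        throw new SignatureException("Cannot validate POP signature");
    }

    // Create the pending CA config file (no certificate yet, so no key material to store)
    createPendingCAConfig(Config, serialNumber, p10, "");

    return p10;
}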
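/// <summary>
/// Create a new Subordinate CA using the setup parameters from a CAConfig object.
/// The Issuing CA must be available to create and sign a certificate: the key pair is generated
/// (CAPI when <c>Config.FIPS140</c> is set, BouncyCastle otherwise), a PKCS#10 request is built and
/// verified, the certificate is requested from <paramref name="IssuingCA"/>, the final CA config
/// file is written and the CA database is created.
/// </summary>
/// <param name="Config">CAConfig object describing the CA to create</param>
/// <param name="IssuingCA">Object reference for issuing CA</param>
/// <returns>Full pathname of CA config file</returns>
/// <exception cref="ArgumentNullException"><paramref name="Config"/> or <paramref name="IssuingCA"/> is null</exception>
/// <exception cref="ArgumentException"><c>Config.profile</c> is not <c>CA_Profile.SubCA</c></exception>
/// <exception cref="SignatureException">The proof-of-possession signature does not verify</exception>
public static string CreateSubCA(CAConfig Config, ICA IssuingCA)
{
    if (Config == null)
    {
        throw new ArgumentNullException("Config");
    }
    if (IssuingCA == null)
    {
        throw new ArgumentNullException("IssuingCA");
    }
    if (Config.profile != CA_Profile.SubCA)
    {
        // ArgumentException's second argument is the parameter *name*; the offending value belongs in the message
        throw new ArgumentException("Invalid profile specified: " + Config.profile, "Config");
    }

    // Serial number: 64 bits from the system CSPRNG instead of DateTime.Now.Ticks, so the value is
    // neither predictable nor liable to collide when two CAs are created in the same clock tick.
    // Sign 1 keeps the BigInteger positive whatever the top bit is.
    byte[] serialBytes = new byte[8];
    using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(serialBytes);
    }
    BigInteger serialNumber = new BigInteger(1, serialBytes);

    // Key material and PKCS#10 request.
    // NOTE(review): privateKeyCapi and keyPair are not declared here, so they are class-level
    // (static) members; this method overwrites them as a side effect.
    Pkcs10CertificationRequest p10;
    if (Config.FIPS140)
    {
        // CAPI key: the request is built unsigned and the POP signature is produced through the CSP
        privateKeyCapi = SysKeyManager.Create(Config.pkSize, Config.pkAlgo, Config.name);
        Pkcs10CertificationRequestDelaySigned delayed = new Pkcs10CertificationRequestDelaySigned(
            Config.sigAlgo,
            Config.DN,
            SysKeyManager.getPublicKey(privateKeyCapi, Config.pkAlgo),
            null);
        byte[] toBeSigned = delayed.GetDataToSign();
        byte[] signature = SysSigner.Sign(toBeSigned, privateKeyCapi, Config.sigAlgo);
        delayed.SignRequest(signature);
        p10 = delayed;
    }
    else
    {
        // BouncyCastle key: the request is signed directly with the private key
        keyPair = BcKeyManager.Create(Config.pkSize, Config.pkAlgo);
        // Create a system CspParameters entry for use by XmlSigner
        privateKeyCapi = SysKeyManager.LoadCsp(keyPair.Private);
        p10 = new Pkcs10CertificationRequest(
            Config.sigAlgo,
            Config.DN,
            keyPair.Public,
            null,
            keyPair.Private);
    }

    // Verify the POP signature before the request leaves this process
    if (!p10.Verify())
    {
        throw new SignatureException("Cannot validate POP signature");
    }

    // Request cert from issuing CA, using the certificate profile named in the config
    X509Certificate cert = IssuingCA.IssueCertificate(p10, new Profile.Profile(Config.profileFile));

    string configFile;
    if (Config.FIPS140)
    {
        // Key stays in the CSP container, so only the certificate goes into the config file
        configFile = createFinalCAConfig(Config, serialNumber, cert, null);
        LogEvent.WriteEvent(eventLog, LogEvent.EventType.CreateCA, "Subordinate CA (FIPS) Created: " + configFile);
    }
    else
    {
        // Store key material and certificate in a password-protected PKCS#12 blob inside the config file
        string caKey;
        using (MemoryStream stream = BcKeyManager.SaveP12(keyPair.Private, cert, Config.password, Config.name))
        {
            caKey = Convert.ToBase64String(stream.ToArray());
        }
        configFile = createFinalCAConfig(Config, serialNumber, null, caKey);
        // Previously logged as "Root CA (BC)"; this method creates a subordinate CA
        LogEvent.WriteEvent(eventLog, LogEvent.EventType.CreateCA, "Subordinate CA (BC) Created: " + configFile);
    }

    // Create CA database
    Database.CreateDB(Config, cert, privateKeyCapi);

    return configFile;
}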