CODEWITHSUNDEEP
c#asp.netrsacertenroll
Rodrigo Zaratin
Rodrigo Zaratin

Reputation: 11

C# asp.net CERTENROLLLib PKCS10 creation

I'm trying to create a keypair running the above code sample. I'm running this inside a activex. I have no problem to run this local, but when I install it on my server, it's not working properly, it only works if I run my IE as administrator.

System.UnauthorizedAccessException: CertEnroll::CX509PrivateKey::Create: Access Denied. 0x80070005 (WIN32: 5) em CERTENROLLLib.IX509PrivateKey.Create()

Any tips on how to run this without adm permission? Or there's any other way to create a key pair, send to CA and write the cert to a smartcard?

I'm following this code: https://blogs.msdn.microsoft.com/alejacma/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c/

public String CreateBase64KeyPair(string CN)    
{
    string msg = string.Empty;

    try
    {
        CX509CertificateRequestPkcs10 objPkcs10 = (CX509CertificateRequestPkcs10)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10"));
        IX509PrivateKey objPrivateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509PrivateKey"));
        CCspInformation objCSP = (CCspInformation)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CCspInformation"));
        CCspInformations objCSPs = (CCspInformations)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CCspInformations"));
        CX500DistinguishedName objDN = (CX500DistinguishedName)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX500DistinguishedName"));
        CX509Enrollment objEnroll = (CX509Enrollment)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509Enrollment"));
        CObjectIds objObjectIds = (CObjectIds)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CObjectIds"));
        CObjectId objObjectId = (CObjectId)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CObjectId"));
        CX509ExtensionKeyUsage objExtensionKeyUsage = (CX509ExtensionKeyUsage)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509ExtensionKeyUsage"));
        CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = (CX509ExtensionEnhancedKeyUsage)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509ExtensionEnhancedKeyUsage"));

        //  Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
        objCSP.InitializeFromName(YPSIDCSP_NAME);

        objCSP.GetDefaultSecurityDescriptor(true);
        //  Add this CSP object to the CSP collection object
        objCSPs.Add(objCSP);

        //Provide key container name, key length and key spec to the private key object
        objPrivateKey.Length = 1024; //KEY_LEN_MY_DEFAULT
        objPrivateKey.ProviderType = X509ProviderType.XCN_PROV_RSA_FULL; //XEnroll.ProviderType=1
        objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; //XEnroll.KeySpec=AT_KEYEXCHANGE
        objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
        objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
        objPrivateKey.MachineContext = false;

        //  Provide the CSP collection object (in this case containing only 1 CSP object) to the private key object
        objPrivateKey.CspInformations = objCSPs;
        //  Create the actual key pair
        objPrivateKey.Create();

        //  Initialize the PKCS#10 certificate request object based on the private key.
        //  Using the context, indicate that this is a user certificate request and don’t provide a template name
        objPkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextUser, objPrivateKey, string.Empty);

        // Key Usage Extension
        objExtensionKeyUsage.InitializeEncode(
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE
        );

        objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);

        // Enhanced Key Usage Extension
        objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // OID for Client Authentication usage
        objObjectIds.Add(objObjectId);

        objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);

        objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);

        //  Encode the name in using the Distinguished Name object
        objDN.Encode("CN=" + CN.Trim(), X500NameFlags.XCN_CERT_NAME_STR_NONE);

        //  Assing the subject name by using the Distinguished Name object initialized above
        objPkcs10.Subject = objDN;

        // Create enrollment request
        objEnroll.InitializeFromRequest(objPkcs10);

        return objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
    }
    catch (Exception ex)
    {
        return ex.ToString();
    }
}

Upvotes: 1

Views: 1321

Answers (0)

Related Questions