Bhupesh Pant

Reputation: 4349

Setting CX509ExtensionCertificatePolicies in CX509CertificateRequestPkcs10

I want to add a specific certificate policy extension to my CSR, but I am not sure how to do it.

It looks like I have a class, CX509ExtensionCertificatePolicies, to handle those scenarios, but the CX509CertificateRequestPkcs10 interface for this attribute is read-only.

I want to add this property to my CSR. I am adding other details as follows:

CX509CertificateRequestPkcs10 certRequest = new CX509CertificateRequestPkcs10();
certRequest.InitializeFromPublicKey(X509CertificateEnrollmentContext.ContextMachine, publicKey, "");
CX500DistinguishedName subjectName = new CX500DistinguishedName();
subjectName.Encode("CN=Test.Cert.com", X500NameFlags.XCN_CERT_NAME_STR_NONE);
certRequest.Subject = subjectName;
//CX509ExtensionCertificatePolicies CertPolicy = new CX509ExtensionCertificatePolicies();
//CertPolicy.Initialize(null, EncodingType.XCN_CRYPT_STRING_BASE64, "");
//certRequest.x = CertPolicy;
certRequest.Encode();


Update based on the response below

I am using the following code, but I don't see any impact on the issued certs.

CObjectId obj = new CObjectId();   // the declaration of obj was missing from the snippet
obj.InitializeFromValue("1.3.6.1.4.1.911.108.100.1");
CX509ExtensionCertificatePolicies CertPolicy = new CX509ExtensionCertificatePolicies();
CCertificatePolicies cp = new CCertificatePolicies();
CCertificatePolicy cp1 = new CCertificatePolicy();
cp1.Initialize(obj);
cp.Add(cp1);
CertPolicy.InitializeEncode(cp);
// CertPolicy.Initialize(obj, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(test));
certRequest.X509Extensions.Add((CX509Extension)CertPolicy);
certRequest.Encode();

I still see that the certs are issued with the default OIDs.

Upvotes: 0

Views: 285

Answers (1)

Crypt32

Reputation: 13954

You need to add the certificate policies extension to the extension list:

CX509ExtensionCertificatePolicies CertPolicy = new CX509ExtensionCertificatePolicies();
CertPolicy.Initialize(null, EncodingType.XCN_CRYPT_STRING_BASE64, "");
// add at least one policy qualifier of type IPolicyQualifier
<...>
// add configured extension with policy qualifiers to CSR
certRequest.X509Extensions.Add(CertPolicy);

Keep in mind that the certificate policy extension in CSRs is often ignored by CAs, and you may not get an issued certificate with the requested policy.

Update based on OP question edits

I see that you are using a Microsoft CA to sign certificates. As I already mentioned, CAs often ignore user-requested policies, and Microsoft CA is no exception. The problem is that a certificate policy is not an arbitrary thing. Every certificate policy is identified by an OID and linked to a Certificate Practices Statement (CPS), which is somewhat of a legal document. PKI administrators define and legalize the CPS and put a list of valid policies at the CA level, and the CA is then limited to only these policies. I would suggest reading my two-part blog post series on this subject:

  1. Certificate Policies extension – all you should know (part 1)
  2. Certificate Policies extension – all you should know (part 2)

What you have to do in this case:

  1. ensure that the desired certificate policy is asserted in the CA certificate itself. If not, you have to re-configure your CA and renew the CA certificate with a new key pair.
  2. configure the desired certificate policy in the target certificate template. Go to the Certificate Templates MMC snap-in, edit the requested certificate template, go to the Extensions tab and configure the Certificate Policies extension appropriately.

Upvotes: 1
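An added example, not code from the question or the answer, that fills in the answer's "<...>" step with a CPS-URI policy qualifier and, since the answer warns that the CA may override requested policies, decodes the encoded CSR to list the policy OIDs it actually carries so they can be compared against the issued certificate. It assumes the CERTENROLLLib COM interop is referenced and that certRequest was already initialized (as in the question) and given a subject; the class and method names are my own.

```csharp
using System.Collections.Generic;
using CERTENROLLLib;

// Added helper (hypothetical name), built on the CertEnroll objects used in the thread.
public static class CsrPolicyHelper
{
    // id-ce-certificatePolicies, fixed by RFC 5280.
    public const string CertificatePoliciesOid = "2.5.29.32";

    // Attach one certificate policy, with a CPS URI qualifier, to an already-initialized request.
    // policyOid and cpsUri are supplied by the caller (use your organisation's values).
    public static void AddCertificatePolicy(CX509CertificateRequestPkcs10 certRequest,
                                            string policyOid, string cpsUri)
    {
        var oid = new CObjectId();
        oid.InitializeFromValue(policyOid);
        var policy = new CCertificatePolicy();
        policy.Initialize(oid);
        // The qualifier the answer's "<...>" stands for: a pointer to the CPS document.
        var qualifier = new CPolicyQualifier();
        qualifier.InitializeEncode(cpsUri, PolicyQualifierType.PolicyQualifierTypeUrl);
        policy.PolicyQualifiers.Add(qualifier);
        var policies = new CCertificatePolicies();
        policies.Add(policy);
        var ext = new CX509ExtensionCertificatePolicies();
        ext.InitializeEncode(policies);
        ext.Critical = false;   // keep it non-critical so the CA does not reject the request outright
        certRequest.X509Extensions.Add((CX509Extension)ext);
    }

    // Decode an encoded CSR (certRequest.RawData[EncodingType.XCN_CRYPT_STRING_BASE64]) and
    // return the policy OIDs it asserts. Compare this list with the issued certificate's
    // Certificate Policies extension: a mismatch means the CA template overrode the request,
    // which is the behaviour the answer describes.
    public static List<string> RequestedPolicyOids(string base64Csr)
    {
        var result = new List<string>();
        var request = new CX509CertificateRequestPkcs10();
        request.InitializeDecode(base64Csr, EncodingType.XCN_CRYPT_STRING_BASE64);
        foreach (IX509Extension ext in request.X509Extensions)
        {
            if (ext.ObjectId.Value != CertificatePoliciesOid) continue;
            var decoded = new CX509ExtensionCertificatePolicies();
            decoded.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64,
                                     ext.RawData[EncodingType.XCN_CRYPT_STRING_BASE64]);
            foreach (ICertificatePolicy p in decoded.Policies)
                result.Add(p.ObjectId.Value);
        }
        return result;
    }
}
```

Call AddCertificatePolicy before certRequest.Encode(), then pass the base64 RawData to RequestedPolicyOids to confirm the extension made it into the CSR before blaming the CA configuration.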
