Reputation: 73
I want to create certificates programmatically in C#.NET which are signed by a CA. I was able to create a self-signed certificate with CertCreateSelfSignCertificate as described here: http://msdn.microsoft.com/en-us/library/aa376039(VS.85).aspx and in "Self Signed Certificate in Windows without makecert?"
I was looking through the MSDN documentation and I can't seem to find a function to generate a certificate and sign it from a request. Most functions seem to be for manipulating the certificate store. Am I barking up the wrong dll here?
Upvotes: 3
Views: 4801
Reputation: 564
I tried the unmanaged approach as well without success. In contrast to that, creating certificates with BouncyCastle is a breeze:
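
    using System;
    using Org.BouncyCastle.Asn1.X509;
    using Org.BouncyCastle.Crypto;
    using Org.BouncyCastle.Crypto.Generators;
    using Org.BouncyCastle.Math;
    using Org.BouncyCastle.Security;
    using Org.BouncyCastle.X509;

    // Generate a 2048-bit RSA key pair for the CA.
    var keygen = new RsaKeyPairGenerator();
    keygen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
    var keys = keygen.GenerateKeyPair();
    var certGen = new X509V3CertificateGenerator();
    // Self-signed: issuer and subject are the same name.
    var dnName = new X509Name("CN=Test CA");
    certGen.SetSerialNumber(BigInteger.ValueOf(1));
    certGen.SetIssuerDN(dnName);
    certGen.SetNotBefore(DateTime.Today);
    certGen.SetNotAfter(DateTime.Today.AddYears(10));
    certGen.SetSubjectDN(dnName);
    certGen.SetPublicKey(keys.Public);
    // SHA-256 with RSA; SHA-1 signatures are rejected by current validators.
    certGen.SetSignatureAlgorithm("SHA256WITHRSA");
    // Sign with the CA's own private key.
    var cert = certGen.Generate(keys.Private);
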
This is a self-signed CA certificate, but creating a signed certificate is the same. Just change the issuer and the signing private key. You can also export certificates to DER (.cer) and PKCS12 (.p12).
Upvotes: 5
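The step the answer above describes (change the issuer and the signing private key), written out as an added example that is not part of the original answer. It assumes BouncyCastle for C# 1.8 or later for `Asn1SignatureFactory`; the names `IssueDemo`, `NewRsaKey`, `Issue` and the subject `CN=leaf.example.test` are hypothetical.

```csharp
// Added example, not the answerer's code. Assumes BouncyCastle C# 1.8+.
using System;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;

static class IssueDemo
{
    static readonly SecureRandom Rng = new SecureRandom();
    static AsymmetricCipherKeyPair NewRsaKey()
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(Rng, 2048));
        return gen.GenerateKeyPair();
    }

    // issuerKey signs the certificate; subjectKey is the public key being certified.
    static X509Certificate Issue(X509Name issuer, AsymmetricKeyParameter issuerKey,
        X509Name subject, AsymmetricKeyParameter subjectKey, bool isCa, int years)
    {
        var g = new X509V3CertificateGenerator();
        g.SetSerialNumber(new BigInteger(128, Rng).Add(BigInteger.One)); // random, never zero
        g.SetIssuerDN(issuer);
        g.SetSubjectDN(subject);
        g.SetNotBefore(DateTime.UtcNow.AddMinutes(-5));
        g.SetNotAfter(DateTime.UtcNow.AddYears(years));
        g.SetPublicKey(subjectKey);
        // Only the CA may sign other certificates; the leaf is marked CA=false.
        g.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(isCa));
        g.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(isCa
            ? KeyUsage.KeyCertSign | KeyUsage.CrlSign
            : KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
        return g.Generate(new Asn1SignatureFactory("SHA256WITHRSA", issuerKey, Rng));
    }

    static void Main()
    {
        var caName = new X509Name("CN=Test CA");
        var caKeys = NewRsaKey();
        var caCert = Issue(caName, caKeys.Private, caName, caKeys.Public, true, 10);
        var leafKeys = NewRsaKey(); // constructed subject name below
        var leaf = Issue(caCert.SubjectDN, caKeys.Private,
            new X509Name("CN=leaf.example.test"), leafKeys.Public, false, 1);
        leaf.Verify(caCert.GetPublicKey()); // throws if the CA key did not sign it
        Console.WriteLine($"{leaf.SubjectDN} issued by {leaf.IssuerDN}");
    }
}
```

The leaf's private key never touches the signing call; only the CA's private key does, which is why the CA key is the one to protect.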
Reputation: 73
I found the answer to this. I loaded up makecert.exe in a debugger and found it was using this call to create a signed certificate: CryptSignAndEncodeCertificate http://msdn.microsoft.com/en-us/library/aa380277(VS.85).aspx
Upvotes: 2
Reputation: 25834
My tendency would be to try this with capicom.dll, first. It's basically a wrapper for cryptoapi.
Upvotes: 1