
Extension field not appearing on an X.509 cert

jansrus asked:

Hi,
I am using C#, Xenroll.dll and certpdef.dll to generate a cert request from a Microsoft cert server. I am able to make a successful request, but the extension field that I set using "cenroll2.addExtensionToRequest(XECR_PKCS10_V2_0, "1.1.7.1", "test");" does not seem to appear on the cert.
My question is how to set up extension fields on an X.509 certificate using XEnroll.dll? Please help..

Following is the code:

    const int CR_IN_BASE64 = 0x1;
    const int CR_IN_PKCS10 = 0x100;
    const int XECR_PKCS10_V2_0 = 1;   // was "Const ..." (VB syntax), which does not compile in C#

    CEnroll2 cenroll2 = null;
    CCertRequest requestCert = null;
    string DN = string.Empty;
    string request = string.Empty;
    int returnStatus;                 // Submit() returns the request disposition
    DN = "CN=cntestdotnet,OU=outestdotnet,O=otestdotnet,L=ltestcity,S=CA,C=US";
    cenroll2 = new CEnroll2Class();

    // add a private extension (OID 1.1.7.1) to the PKCS#10 request
    cenroll2.addExtensionToRequest(XECR_PKCS10_V2_0, "1.1.7.1", "test");
    cenroll2.GenKeyFlags = 384 << 16;      // key length (384-bit RSA) is carried in the upper 16 bits
    request = cenroll2.createRequest(1, DN, "1.3.6.1.4.1.311.2.1.21");

    requestCert = new CCertRequestClass();
    returnStatus = requestCert.Submit(CR_IN_BASE64 | CR_IN_PKCS10, request, "", "Server\\CA");

Commented:
line:
cenroll2.addExtensionToRequest(XECR_PKCS10_V2_0, "1.1.7.1", "test");

this method can't succeed since it has been implemented only in CEnroll4 classes and over
CEnroll4 cenroll2 = null;
should solve your problem
the method is in the class CEnroll4

hope this helps

Author

Commented:
Thanks Mister N for your comments. Looks like I don't have the CEnroll4 class on my machine. I am running on XP Pro and I believe I installed the latest platform SDK.. Do you know where I can get the CEnroll4 class..
I do have the ICEnroll4 interface though.. I tried the following:

ICEnroll4 cenroll = new CEnrollClass();
But did not work.

Commented:
ICEnroll4 cenroll = new CEnroll();

Information about ICEnroll4:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/icenroll4.asp

Commented:
BTW,

CEnroll() is the class/object
and ICEnroll, ICEnroll2, ICEnroll3, ICEnroll4 are its interfaces.

Author

Commented:
I am using C# in VStudio 2003 and it looks like ICEnroll, ICEnroll2, ICEnroll3, ICEnroll4 and CEnroll are all interfaces and CEnroll2Class and CEnrollClass are the only class implementations. In short I cannot do
ICEnroll4 cenroll = new CEnroll()
.. but can do
ICEnroll4 cenroll = new CEnrollClass() .. but it does not work.

Commented:
try:
ICEnroll4 cenroll = new ICEnroll4();

Commented:
or this one perhaps:
XENROLLLib.ICEnroll4 certEnroll = new XENROLLLib.CEnroll();

See here for class details:
http://network.programming-in.net/articles/art14-2.asp?Interop=XENROLLLib

Author

Commented:
Mister N, thanks for all your suggestions.. I cannot do any of the above, as you cannot create an instance of an interface.

I was in touch with Microsoft tech support and here is what the support person said.

"From my preliminary research it looks like addextensiontorequest will only add extensions to CMC requests, rather than pkcs10. It seems this is by design from a doc bug I saw, but we will verify this.
I was able to repro the problem with pkcs10 requests. And I was also able to add an extension to a CMC request."

He is yet to get back to me on a complete solution.
 

Author

Commented:
Ignore the above comments please.
If you are using a default Windows policy module, the OIDs of all the extension fields need to be set at the registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<YOUr CA Server>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy
and the key is EnableRequestExtensionList.

If you are using your own custom policy module, you need to explicitly set the extensions, as in the following VB code:

Private Const PROPTYPE_BINARY As Long = &H3
Private Const EXTENSION_CRITICAL_FLAG As Long = &H1

'CertServer is the ICertServerPolicy object the policy module works with (declared elsewhere)
Dim strExt As String

CertServer.SetContext context
'set up before enumerating
CertServer.EnumerateExtensionsSetup 0
'start iterating through the extensions
strExt = CertServer.EnumerateExtensions()
Do
    If (strExt = "") Then
        Exit Do
    End If

    'read the extension as binary and set it as binary. But make sure to encode it appropriately from the client which formats the request
    CertServer.SetCertificateExtension strExt, PROPTYPE_BINARY, EXTENSION_CRITICAL_FLAG, CertServer.GetCertificateExtension(strExt, PROPTYPE_BINARY)
    strExt = CertServer.EnumerateExtensions()
Loop   'loop until all the extensions are examined
CertServer.EnumerateExtensionsClose

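The post above explains that the default policy module only copies a request-supplied extension into the issued certificate if its OID is listed in EnableRequestExtensionList. The following PowerShell function is an added example (not code from the thread or from Microsoft) that reads that registry value for a given CA and reports whether a particular OID is enabled. It assumes it runs on the CA host with read access to HKLM; the PolicyModules\Active value it consults to detect a custom policy module, and the certutil command in the comments, are the standard CA configuration mechanisms but are not mentioned in the thread.

```powershell
# Added example: check whether a CA's default policy module will honor a
# request-supplied extension OID, by reading the registry value named in the post.
# Assumes: run on the CA host (or against a loaded hive) with read access to HKLM.
function Test-RequestExtensionEnabled {
    param(
        [Parameter(Mandatory)] [string] $CAName,   # the "<YOUr CA Server>" part of the path
        [Parameter(Mandatory)] [string] $Oid       # e.g. the "1.1.7.1" used in the question
    )
    $base   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\PolicyModules"
    $module = "CertificateAuthority_MicrosoftDefault.Policy"

    # If a custom policy module is active, the default module's list is irrelevant:
    # the custom module decides which request extensions get copied (see the VB code above).
    $active = (Get-ItemProperty -Path $base -Name Active -ErrorAction SilentlyContinue).Active
    if ($active -and $active -ne $module) {
        Write-Warning "Active policy module is '$active'; EnableRequestExtensionList does not apply."
        return $false
    }

    # EnableRequestExtensionList is a REG_MULTI_SZ: one OID per entry.
    $list = (Get-ItemProperty -Path "$base\$module" -Name EnableRequestExtensionList `
             -ErrorAction SilentlyContinue).EnableRequestExtensionList
    if (-not $list) { return $false }          # value missing: nothing is enabled
    return [bool]($list -contains $Oid)
}

# Usage (CA name is a placeholder):
#   Test-RequestExtensionEnabled -CAName 'YourCAName' -Oid '1.1.7.1'
# To enable an OID with the built-in tool (the "+" appends to the multi-string), then
# restart the service so the policy module re-reads its configuration:
#   certutil -setreg policy\EnableRequestExtensionList +1.1.7.1
#   net stop certsvc; net start certsvc
```

Two things worth keeping in mind when applying either approach. Every OID on that list (or copied by the custom module loop above) is taken verbatim from the requester, so the enrollee controls the extension's contents; enable only the specific private OIDs you expect, rather than widening the list to well-known extensions. Also, the VB loop sets EXTENSION_CRITICAL_FLAG on every extension it copies: RFC 5280 requires a relying party to reject a certificate carrying a critical extension it does not recognise, so a private OID like 1.1.7.1 marked critical can make the issued certificate unusable with standard clients unless the flag is passed as 0 for such extensions.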

Commented:
Well, I'm a bit confused...

Did you solve the problem? How can I help you now with your previous post?

Author

Commented:
Yes the problem is solved. The last one that I posted is the solution.

Commented:
okay!
well done then!
Commented:
PAQed with points refunded (500)

modulo
Community Support Moderator