x.509 Generate

5/1/2017 10:56:36 AM

x.509 Generate

Hi

I would like to create almost 10000 certificates and sign PDF with those.

I would like to be able to "Self Signed" with those certificates. No office CA required here (it's just PDF signing).

Right now we are doing it with "BouncyCastle" and I would like to make it here (using the Key Pairs generate).

What is the best way to do that?

Thanks

5/2/2017 10:06:24 AM

Re: x.509 Generate

If you are using bouncycastle to generate a self-signed certificate using local keys in a PKCS#12 (or similar), the approach using the HSM is similar.

You have to call the HSM using NCryptoki (or JCryptoki if you are working in Java) to sign the HASH and add the signature in the X509 certificate that you are creating by bouncycastle.

5/2/2017 5:14:36 PM

Re: x.509 Generate

Hi

I do want to do it using NCryptoki. I was using Bouncy Castle before I found NCryptoki.

My question is, how can I create an X509 certificate (without CA) with NCryptoki?

5/2/2017 5:30:53 PM

Re: x.509 Generate

You can use NCryptoki to sign the hash that must be added in the X.509 certificate, but you cannot create an X.509 certificate by NCryptoki.

You should mix bouncycastle + NCryptoki to accomplish your task.

You should use NCryptoki to get the signed hash and, then, use bouncycastle to pack the signature in the x509 certificate.

This is a possible procedure:

Step 1: generate a PKCS#10 certificate request:

http://wiki.ncryptoki.com/How-to-generate-a-PKCS-10-certification-request-in-C.ashx

Step 2: Create an X509 Certificate by signing it with a temporary CA's key by coding something like that (I didn't test this code):

    import java.math.BigInteger;
    import java.security.KeyPairGenerator;
    import java.security.SecureRandom;
    import java.security.cert.X509Certificate;
    import java.util.Date;
    import javax.security.auth.x500.X500Principal;
    import org.bouncycastle.jce.PKCS10CertificationRequest;
    import org.bouncycastle.x509.X509V1CertificateGenerator;

    /**
     * Generate an X509 certificate with Bouncy Castle, signed with a freshly
     * generated (temporary) CA key pair. The "BC" provider must already be
     * registered with java.security.Security before calling this.
     */
    X509Certificate generateX509Certificate(PKCS10CertificationRequest pkcs10) throws Exception {

        // yesterday
        Date validityBeginDate = new Date(System.currentTimeMillis() - 24L * 60 * 60 * 1000);
        // in 2 years (long arithmetic: 2 * 365 * 24 * 60 * 60 * 1000 overflows an int)
        Date validityEndDate = new Date(System.currentTimeMillis() + 2L * 365 * 24 * 60 * 60 * 1000);

        // GENERATE THE CA's PUBLIC/PRIVATE RSA KEY PAIR
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
        keyPairGenerator.initialize(1024, new SecureRandom());

        java.security.KeyPair keyPair = keyPairGenerator.generateKeyPair();

        // GENERATE THE X509 CERTIFICATE
        X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
        X500Principal dnName = new X500Principal("CN=John Doe");

        certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
        certGen.setSubjectDN(dnName);
        certGen.setIssuerDN(dnName); // use the same
        certGen.setNotBefore(validityBeginDate);
        certGen.setNotAfter(validityEndDate);
        // the certified key is the one from the PKCS#10 request, not the CA key
        certGen.setPublicKey(pkcs10.getPublicKey());
        certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");

        // sign the TBSCertificate with the temporary CA private key
        X509Certificate cert = certGen.generate(keyPair.getPrivate(), "BC");

        return cert;

    }
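An added example, not code from this thread or from the NCryptoki or Bouncy Castle projects, showing the "signed hash from the token, certificate packed by bouncycastle" mix the reply above describes. Bouncy Castle's X509v3 builder writes the DER-encoded TBSCertificate to a `ContentSigner`; the custom signer here buffers those bytes and passes them to a pluggable `RawSigner`. In production that `RawSigner` is where the PKCS#11 call (via NCryptoki, or JCryptoki from Java) goes and the private key never leaves the HSM. Because the example has to run without a token, the token is stood in for by a local RSA key pair and a `java.security.Signature` object; both are labelled as stand-ins in the code. The public key placed in the certificate is the same key the signature is made with, so the result is genuinely self-signed, and `cert.verify` checks that at the end. Assumed names: `HsmBackedSelfSignedCert`, `RawSigner`, `externalSigner`, `selfSigned`.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;

public class HsmBackedSelfSignedCert {

    /** Hypothetical hook: whatever produces the raw signature over the TBSCertificate bytes (the PKCS#11 token in production). */
    interface RawSigner {
        byte[] sign(byte[] tbsCertificate) throws Exception;
    }

    /**
     * ContentSigner that buffers the DER-encoded TBSCertificate the builder writes to it
     * and hands those bytes to the external signer. Bouncy Castle never touches a private key.
     */
    static ContentSigner externalSigner(final RawSigner signer) {
        final AlgorithmIdentifier sigAlg =
                new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
        final ByteArrayOutputStream tbs = new ByteArrayOutputStream();
        return new ContentSigner() {
            public AlgorithmIdentifier getAlgorithmIdentifier() { return sigAlg; }
            public OutputStream getOutputStream() { return tbs; }
            public byte[] getSignature() {
                try {
                    return signer.sign(tbs.toByteArray());
                } catch (Exception e) {
                    throw new RuntimeException("external signing failed", e);
                }
            }
        };
    }

    /** Builds a self-signed certificate for publicKey; the signature comes from signer, not from a local key. */
    static X509Certificate selfSigned(String subject, PublicKey publicKey, RawSigner signer) throws Exception {
        X500Name name = new X500Name(subject);
        Date notBefore = new Date(System.currentTimeMillis() - 24L * 60 * 60 * 1000);
        Date notAfter  = new Date(System.currentTimeMillis() + 2L * 365 * 24 * 60 * 60 * 1000);
        // issuer == subject: the certificate certifies the very key that signs it
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, name, publicKey);
        X509CertificateHolder holder = builder.build(externalSigner(signer));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // STAND-IN for the key pair that lives in the HSM: a local RSA key pair.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        final PrivateKey tokenKey = kp.getPrivate();

        // STAND-IN for the PKCS#11 sign call: SHA-256 + PKCS#1 v1.5 over the TBS bytes.
        RawSigner tokenSigner = tbs -> {
            Signature s = Signature.getInstance("SHA256withRSA", "BC");
            s.initSign(tokenKey);
            s.update(tbs);
            return s.sign();
        };

        X509Certificate cert = selfSigned("CN=John Doe", kp.getPublic(), tokenSigner);
        cert.verify(cert.getPublicKey()); // self-signed: the embedded key must verify the signature
        System.out.println(cert.getSubjectX500Principal() + " signed with " + cert.getSigAlgName());
    }
}
```

The part to replace for real use is only `tokenSigner`: it must return a signature the verifier will accept for the `SHA256withRSA` AlgorithmIdentifier, so on the token either use a combined hash-and-sign mechanism (CKM_SHA256_RSA_PKCS) over the TBS bytes, or hash locally and sign the DigestInfo with CKM_RSA_PKCS. For the 10000 certificates in the question the same `externalSigner` is reused per certificate; note that the serial number taken from the clock above is only safe if no two certificates are built in the same millisecond, so a counter or random serial is the better choice at that volume.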

5/3/2017 10:49:01 AM

Re: x.509 Generate

Thanks.

Why do I need to sign the hash that must be added in the X.509 certificate?

In your example, I can see that the pair generation is made by the Bouncy. Can't I use yours instead?