Using code to request a certificate from a CA (cnblogs)


In a recent project I had to build a PKI, something I had never done before, so I was confused at the start. I slowly worked out some results and share them here; please correct anything that is wrong.

Today a PKI is a key part of an enterprise's information security and one of its pillars. My project is based on Microsoft technology: the CA is the certificate services component built into Windows Server 2003.

Without further ado, here is how to request and export certificates once the CA is set up.

I. Distinguishing between an Enterprise CA and a standalone CA
An Enterprise CA and a standalone CA serve different goals. The Enterprise CA is mainly used in a domain-based LAN and is suitable for building all kinds of enterprise-level CA platforms; the standalone CA is mainly used by dedicated, authoritative certificate-issuing agencies. Because the two types differ, their installation and usage differ too; during installation the system lets you choose an Enterprise CA or a standalone CA.
An Enterprise CA installs some certificate templates by default to ease CA management; a standalone CA has no templates. An Enterprise CA can issue many kinds of certificates, such as domain authentication, client authentication, web server authentication, smart card logon, wireless authentication and so on; a standalone CA offers relatively few.

So how do you tell whether an Enterprise CA or a standalone CA is installed (if you did not install the server yourself)?
1. Whether certificate templates exist
2. Whether you are prompted for company, department, region, province and country information when requesting a certificate through the web

A standalone CA can be converted into an Enterprise CA; Microsoft has an article on how to do this in its Windows Server 2003 PKI documentation.

II. Three ways to request a digital certificate (mainly for an Enterprise CA)
1. Request through the web
After the CA is installed, the system automatically creates a virtual directory named certsrv under the default IIS site; this virtual directory makes it easy to request a certificate.
The directory contains many ASP and .inc files. Their code shows how the system builds a certificate request through the CA component programming interface: you can see which components are used and which methods are called.
This matters because requesting certificates one at a time through the web is too inefficient; we need to request them from our own program.

2. Request through the command line
The CA ships with several very useful certificate tools, among them certreq.exe and certutil.exe. Both are powerful and have many parameters; view their help from the command line.

You can use certreq.exe to submit a digital certificate request from the command line. To do so, create an INF file and then generate a .req file from it; the INF file defines the request information.
Run certreq -new -? at the command prompt for help creating the INF file, and check the [NewRequest] section of that help.

Use the following command to generate the .req file:
certreq -new <FileName>.inf <FileName>.req

Run the following command to submit the .req request file and export the .cer certificate file:
certreq -submit <FileName>.req <FileName>.cer
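The INF file this procedure starts from, as an added example that is not from the original post: the subject values are constructed placeholders, and the key parameters mirror the constants the post's C# code uses (AT_KEYEXCHANGE, CRYPT_EXPORTABLE, the Enhanced provider, a CMC request, the Client Authentication OID and the User template). The certreq -accept line in the comments is an extra step the post does not mention; it installs the issued certificate against the key generated by -new.

```ini
; Constructed example request file (client.inf) for the certreq procedure above.
; All subject values are placeholders; adjust them for your environment.
;
;   certreq -new    client.inf  client.req   (generates the key pair and the request)
;   certreq -submit client.req  client.cer   (submits to the CA, writes the issued cert)
;   certreq -accept client.cer               (installs the cert and binds it to the key)

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=Example User, O=Example Corp, OU=IT, L=Shanghai, S=Shanghai, C=CN, E=user@example.com"
; KeySpec 1 = AT_KEYEXCHANGE, the same value as the constant in the C# code
KeySpec = 1
KeyLength = 2048
; Exportable = TRUE corresponds to CRYPT_EXPORTABLE and is only needed when the
; key will later be written to a PFX; use FALSE for keys that must stay on this host
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
; CMC request, matching XECR_CMC in the C# code
RequestType = CMC
; KeyUsage 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.2 = Client Authentication, the usage OID passed to createRequest
OID = 1.3.6.1.5.5.7.3.2

; Enterprise CA only: name the template, as addCertTypeToRequest("User") does in code.
; For a standalone CA delete this whole section, because it has no templates.
[RequestAttributes]
CertificateTemplate = User
```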

With certutil.exe we can query a great deal of information about the CA.
Use certutil -view with a request ID to query the information of one certificate.
certutil -view without parameters queries the information of all certificates.
Tip: there is too much certificate information to view in full in the command window, so it is very convenient to redirect the output to a text file, for example:
certutil -view > C:\view.txt

3. Request through a program that calls the object model
Generating a certificate by calling the object model from a program is the most useful approach, because we often have to give users a much friendlier interface for requesting certificates than the certsrv virtual directory in IIS. It also lets you generate certificates in batches and save them to smart cards. The object model mainly uses COM objects; I do not know whether the objects in the .NET Framework can generate certificates. Some reference code follows.

Add references to the COM libraries CertClientLib and XEnrollLib.

using System;

// The members below belong to one class in a project that references CertClientLib and XEnrollLib.

// Constant definitions (values from the Certificate Services / XEnroll headers)
const int AT_KEYEXCHANGE   = 1;    // key usable for key exchange (encryption and signing)
const int CRYPT_EXPORTABLE = 1;    // private key may later be exported to a PFX
const int CR_IN_ENCODEANY  = 0xff; // let the CA detect the request encoding
const int CR_IN_FORMATANY  = 0;    // let the CA detect the request format
const int XECR_CMC         = 3;    // build a CMC request

public string CreateClientCertificate(string a_sName, string a_sEmail, string a_sCompany,
    string a_sDepartment, string a_sCity, string a_sState, string a_sCountry, string a_sCA)
{
    CertClientLib.ICertRequest certRequest = new CertClientLib.CCertRequestClass();
    XEnrollLib.ICEnroll4 certEnroll = new XEnrollLib.CEnroll2Class();
    try
    {
        string requestStr;
        int disposition, id;
        // Subject distinguished name built from the applicant information
        string dnName = "CN=" + a_sName + ", O=" + a_sCompany + ", OU=" + a_sDepartment +
                        ", L=" + a_sCity + ", S=" + a_sState + ", C=" + a_sCountry + ", E=" + a_sEmail;

        certEnroll.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
        certEnroll.KeySpec = AT_KEYEXCHANGE;
        certEnroll.GenKeyFlags = CRYPT_EXPORTABLE;
        certEnroll.addCertTypeToRequest("User"); // certificate template (Enterprise CA only)
        // 1.3.6.1.5.5.7.3.2 is the Client Authentication enhanced key usage OID
        requestStr = certEnroll.createRequest(XECR_CMC, dnName, "1.3.6.1.5.5.7.3.2");
        // a_sCA is the CA config string, in the form "ServerName\CAName"
        disposition = certRequest.Submit(CR_IN_ENCODEANY | CR_IN_FORMATANY, requestStr, "", a_sCA);

        id = certRequest.GetRequestId();

        return id.ToString();
    }
    catch (Exception e)
    {
        return "";
    }
}

For a standalone CA the request code is the same except that the line certEnroll.addCertTypeToRequest("User"); is omitted.

// Additional constants used when retrieving the issued certificate
const int CR_DISP_ISSUED       = 3; // request disposition: the certificate was issued
const int FR_PROP_FULLRESPONSE = 1; // full response property
const int PROPTYPE_BINARY      = 3; // property type: binary
const int CR_OUT_BASE64        = 1; // return the response as Base64

// CA config string "ServerName\CAName" and PFX output path: placeholder values, set them for your environment
string caServer = @"CASERVER\MyCA";
string certificationFileName = @"C:\certs\user.pfx";

/// <summary>
/// Export a digital certificate
/// </summary>
/// <param name="_requestId">request ID returned by CreateClientCertificate</param>
public void ExportCertification(string _userName, string _requestId)
{
    CertClientLib.ICertRequest2 certRequest = new CertClientLib.CCertRequestClass();
    XEnrollLib.ICEnroll4 certEnroll = new XEnrollLib.CEnroll2Class();
    int disposition;

    // Ask the CA for the state of the request (issued, pending, denied, ...)
    disposition = certRequest.GetIssuedCertificate(caServer, int.Parse(_requestId), "");

    if (disposition == CR_DISP_ISSUED)
    {
        string cert;
        string sCert;

        try
        {
            // Fetch the full CMC response in Base64 and install the certificate it contains
            cert = certRequest.GetFullResponseProperty(FR_PROP_FULLRESPONSE, 0, PROPTYPE_BINARY, CR_OUT_BASE64) as string;

            sCert = certEnroll.getCertFromResponse(cert);

            certEnroll.createFilePFX("password", certificationFileName); // create a PFX file (includes the private key)
        }
        catch (Exception ex)
        {
            return;
        }
    }
}

4. Different handling of applicant information by an Enterprise CA and a standalone CA
After a certificate is requested, the Certification Authority management console does not display the registration information the user entered by default: the columns shown are mainly the requester name, the certificate's validity period and the issuer information (country, company, province and city). Every certificate requested automatically through the program has the same requester name; for example, all the certificates I requested on the CA server show the requester name as domain\administrator, so it is very hard to tell whose certificate it is (you can use certutil -view with the request ID, but that is very troublesome). After a while I found that the information entered during the request is actually in the applicant-information columns, which are hidden by default. So we can display those columns via Add/Remove Columns in the View menu and adjust the display order, putting the requested common name in front; in this way we can tell who requested each certificate.
