X509_MakeCertSelf creates a self-signed X.509 certificate.
Public Declare Function X509_MakeCertSelf Lib "diCrPKI.dll" _
    (ByVal strNewCertFile As String, ByVal strEPKFile As String, _
    ByVal nCertNum As Long, ByVal nYearsValid As Long, _
    ByVal strDistName As String, ByVal strExtensions As String, _
    ByVal KeyUsageFlags As Long, _
    ByVal strPassword As String, ByVal nOptions As Long) As Long
nRet = X509_MakeCertSelf(strNewCertFile, strEPKFile, _
    nCertNum, nYearsValid, _
    strDistName, strExtensions, KeyUsageFlags, strPassword, nOptions)
String with name of new certificate file to be created.
String with name of issuer's encrypted private key file.
Long Serial number for new certificate.
Long Number of years certificate is to be valid (certificate
is always valid from current date and hour).
String specifying the distinguished name as a set
of attribute key=value pairs separated by semi-colons (;).
See Specifying Distinguished Names for more details.
String (optional) containing either just an RFC822-style email address
to be included in a subjectAltName extension
or
[new in v3.3] one or more extension values in the form of attribute pairs type=value(;type=value)*.
See Extensions parameter.
Long Flags to set Key Usage extensions:
| PKI_X509_KEYUSAGE_DIGITALSIGNATURE | to set digitalSignature |
| PKI_X509_KEYUSAGE_NONREPUDIATION | to set nonRepudiation |
| PKI_X509_KEYUSAGE_KEYENCIPHERMENT | to set keyEncipherment |
| PKI_X509_KEYUSAGE_DATAENCIPHERMENT | to set dataEncipherment |
| PKI_X509_KEYUSAGE_KEYAGREEMENT | to set keyAgreement |
| PKI_X509_KEYUSAGE_KEYCERTSIGN | to set keyCertSign |
| PKI_X509_KEYUSAGE_CRLSIGN | to set cRLSign |
| PKI_X509_KEYUSAGE_ENCIPHERONLY | to set encipherOnly |
| PKI_X509_KEYUSAGE_DECIPHERONLY | to set decipherOnly |
String containing password for Issuer's encrypted private key file.
Long Option flags.
Choose one signature algorithm from:
sha1WithRSAEncryption (default)
md5WithRSAEncryption (not recommended)
md2WithRSAEncryption (definitely not recommended)
sha224WithRSAEncryption
sha256WithRSAEncryption
sha384WithRSAEncryption
sha512WithRSAEncryption
UTF8String (default = PrintableString)
long _stdcall X509_MakeCertSelf(const char *certfile, const char *epkfile,
int certnum, long yearsvalid, const char *distName, const char *extensions,
long keyUsageFlags, const char *password, long optionFlags);
Long: If successful, the return value is zero;
otherwise it returns a nonzero error code.
See the remarks for X509_MakeCert.
A self-signed certificate has the same Issuer and Subject distinguished name.
Add the PKI_X509_UTF8 flag to encode the distinguished names in UTF-8.
The BasicConstraints subject type will always be a CA for a version 3 self-signed certificate, unless
explicitly excluded with the PKI_X509_NO_BASIC flag.
Dim nRet As Long
Dim nKeyUsage As Long
nKeyUsage = PKI_X509_KEYUSAGE_DIGITALSIGNATURE + _
PKI_X509_KEYUSAGE_KEYCERTSIGN + PKI_X509_KEYUSAGE_CRLSIGN
nRet = X509_MakeCertSelf("C:\Test\myca.cer", "C:\Test\myca.epk", 99, 10, _
"CN=My CA;O=Test Org;OU=Certificate Services", _
"", nKeyUsage, "password", 0)
If nRet <> 0 Then
Debug.Print nRet & " " & pkiGetLastError()
Else
Debug.Print "Success"
End If
The above example will create a new self-signed X.509 certificate with filename C:\Test\myca.cer.
The serial number will be 99.
It will be valid from today for 10 years.
The issuer's encrypted private key is in the file C:\Test\myca.epk and has
the password "password". The new certificate will be signed with this private key
using the default sha1WithRSAEncryption algorithm.
The second example below shows how to specify a distinguished name using UTF-8-encoded CJK characters.
The PKI_X509_UTF8 flag must be used in this case.
Dim nRet As Long
Dim nKeyUsage As Long
Dim strDN As String
' Specify DN using Chinese characters in UTF-8
' CN=da wei (U+5927, U+536B)
' C=zhong guo (U+4E2D, U+56FD)
strDN = "CN=#xE5A4A7E58DAB;C=#xe4b8ade59bbd"
nKeyUsage = PKI_X509_KEYUSAGE_DIGITALSIGNATURE + PKI_X509_KEYUSAGE_KEYCERTSIGN + PKI_X509_KEYUSAGE_CRLSIGN
nRet = X509_MakeCertSelf("myca-chinadavid.cer", "myca.epk", _
    &H888, 4, strDN, "", nKeyUsage, "password", PKI_X509_UTF8)
If nRet <> 0 Then
    Debug.Print nRet & " " & pkiGetLastError()
Else
    Debug.Print "Success"
End If
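The #x hex form in the second example is the UTF-8 encoding of each attribute value, so a distinguished name string can be built and checked mechanically before it is passed to X509_MakeCertSelf. The Python helper below is an added example, not part of the library or its documentation; the function names build_dn, encode_value and parse_dn are hypothetical. It assumes that any value outside a plain PrintableString subset, including one that contains the ";" or "=" separators, should be sent in #x form together with the PKI_X509_UTF8 flag.

```python
import re

# PrintableString alphabet (ITU-T X.680) minus '=': this helper treats '=' and ';'
# as unsafe because the DN syntax is key=value pairs separated by ';'.
_SAFE = re.compile(r"[A-Za-z0-9 '()+,\-./:?]*\Z")
_KEY = re.compile(r"[A-Za-z][A-Za-z0-9.]*\Z")


def encode_value(value):
    """Return (text, needs_utf8) for one attribute value."""
    if not value:
        raise ValueError("empty attribute value")
    if _SAFE.match(value):
        return value, False
    # Anything else (non-ASCII, ';', '=', ...) is written as #x + hex of its
    # UTF-8 bytes, the form used in the page's second example.
    return "#x" + value.encode("utf-8").hex().upper(), True


def build_dn(pairs):
    """Build 'key=value;key=value' and report whether PKI_X509_UTF8 is needed
    (assumption: the flag is set whenever any value uses the #x form)."""
    parts, needs_utf8 = [], False
    for key, value in pairs:
        if not _KEY.match(key):
            raise ValueError(f"bad attribute key: {key!r}")
        text, utf8 = encode_value(value)
        needs_utf8 = needs_utf8 or utf8
        parts.append(f"{key}={text}")
    return ";".join(parts), needs_utf8


def parse_dn(dn):
    """Decode a DN string back to (key, value) pairs for review before signing."""
    out = []
    for part in dn.split(";"):
        key, sep, text = part.partition("=")
        if not sep or not _KEY.match(key):
            raise ValueError(f"malformed DN component: {part!r}")
        if text[:2].lower() == "#x":
            text = bytes.fromhex(text[2:]).decode("utf-8")
        out.append((key, text))
    return out
```

Because a value such as "Alice;O=Evil" is hex-encoded rather than concatenated, untrusted input cannot add extra attributes to the name of a certificate that is about to be signed.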