Obtaining Certificates using SCEP 159

    /* Create the CMP session */
    int cryptSession = crypt.CreateSession( cryptUser /* CRYPT_UNUSED */,
                                            crypt.SESSION_CMP );

    /* Add the server name/address and request type */
    crypt.SetAttributeString( cryptSession, crypt.SESSINFO_SERVER, server );
    crypt.SetAttribute( cryptSession, crypt.SESSINFO_CMP_REQUESTTYPE,
                        crypt.REQUESTTYPE_CERTIFICATE );

    /* Add the username and password or private signing key. Since this is a
       certification request, we add the private key */
    crypt.SetAttribute( cryptSession, crypt.SESSINFO_PRIVATEKEY, privateKey );

    /* Add the certificate of the CA who is to issue the certificate or
       revocation and the request itself */
    crypt.SetAttribute( cryptSession, crypt.SESSINFO_CACERTIFICATE, cryptCACert );
    crypt.SetAttribute( cryptSession, crypt.SESSINFO_REQUEST, cryptCmpRequest );

    /* Activate the session */
    crypt.SetAttribute( cryptSession, crypt.SESSINFO_ACTIVE, 1 );

Submitting a request for a certificate revocation works in an identical manner, with authentication being performed using a user name and password as it is for an initialisation request, or a private key as it is for a certification request. If the session is successfully activated the CMP object will contain the response from the CA, typically a newly-issued certificate. Revocation requests return no data except the status code resulting from the activation of the session.
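The same flow as one reusable helper, written here as an added example using the cryptlib Java binding shown above (it is not code from the manual): it selects the authentication method by request type, reads the returned certificate after activation, and always destroys the session. The constants crypt.UNUSED, crypt.SESSINFO_USERNAME and crypt.SESSINFO_PASSWORD, the class cryptlib.CryptException and the caller-supplied handles caCert, privateKey and cmpRequest are assumptions.

```java
import cryptlib.crypt;
import cryptlib.CryptException;

/* Added example, not the manual's own code. Assumes the Java binding exposes
   crypt.UNUSED, crypt.SESSINFO_USERNAME / crypt.SESSINFO_PASSWORD and a
   CryptException carrying the cryptlib status code. */
public class CmpClient {

    /* Submit cmpRequest to the CA at server. Returns the issued certificate
       handle for a certification request, or -1 for a revocation request,
       which yields no data beyond the activation status. */
    public static int submit( String server, int requestType, int cmpRequest,
                              int caCert, int privateKey,
                              String user, String password ) throws CryptException {
        int session = crypt.CreateSession( crypt.UNUSED, crypt.SESSION_CMP );
        try {
            crypt.SetAttributeString( session, crypt.SESSINFO_SERVER, server );
            crypt.SetAttribute( session, crypt.SESSINFO_CMP_REQUESTTYPE, requestType );

            /* Authenticate the way this request type requires: a certification
               request is signed with the private key, while a revocation (or
               initialisation) request uses the user name and password */
            if( requestType == crypt.REQUESTTYPE_CERTIFICATE )
                crypt.SetAttribute( session, crypt.SESSINFO_PRIVATEKEY, privateKey );
            else {
                crypt.SetAttributeString( session, crypt.SESSINFO_USERNAME, user );
                crypt.SetAttributeString( session, crypt.SESSINFO_PASSWORD, password );
            }

            /* Pin the CA that must answer, then hand over the request */
            crypt.SetAttribute( session, crypt.SESSINFO_CACERTIFICATE, caCert );
            crypt.SetAttribute( session, crypt.SESSINFO_REQUEST, cmpRequest );

            /* Activation performs the whole protocol exchange; if the CA rejects
               the request the binding throws a CryptException with the status */
            crypt.SetAttribute( session, crypt.SESSINFO_ACTIVE, 1 );

            if( requestType != crypt.REQUESTTYPE_CERTIFICATE )
                return -1;    /* Revocation: only the status code matters */
            return crypt.GetAttribute( session, crypt.SESSINFO_RESPONSE );
        } finally {
            /* Release the session whether or not activation succeeded */
            crypt.DestroySession( session );
        }
    }
}
```

A returned certificate handle should be stored alongside the private key it belongs to, as the manual's "Certificates and Keys" section describes.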
If you’re requesting a certificate you can read it from the session as a CRYPT_SESSINFO_RESPONSE attribute:

    CRYPT_CERTIFICATE cryptCertificate;
    int status;

    /* Activate the session */
    status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, TRUE );
    if( cryptStatusError( status ) )
        /* Couldn't obtain certificate from CA */;

    /* Get the returned certificate */
    cryptGetAttribute( cryptSession, CRYPT_SESSINFO_RESPONSE, &cryptCertificate );

Once you’ve obtained the certificate, you should save it with the private key it’s associated with as described in “Certificates and Keys” on page 147.

Because CMP is a complex protocol with a large number of variations and options, it can fail for a variety of reasons. The error-handling techniques described in “Secure Sessions” on page 101 may be useful in determining the exact nature of the problem.

Obtaining Certificates using SCEP

Obtaining a certificate using the Simple Certificate Enrolment Protocol (SCEP) works much like it does for CMP. An SCEP session is a two-step process: the first step is creating a certification request, and the second is submitting it to a CA for processing. The result of the processing (typically a signed certificate) is returned at the end of the session. SCEP makes use of session objects as described in “Secure Sessions” on page 101; the following description assumes that you’re familiar with the operation and use of cryptlib session objects:

    create a PKCS #10 request;
    fill in the request details;