CertCreateSelfSignCertificate

Hello.

I have to generate certificates in my C++ application. So I have studied the MSDN article which describes CertCreateSelfSignCertificate. This article does not describe how to use this function. I'd like to get some example. Is it possible?

[275 byte] By [MikhailKurskiy] at [2008-1-9]
# 1

This really isn't runtime related so it's probably not the right forum for this question.

However, here's the basic idea (at least how I've used it, signing with SHA1-RSA):

First, create the key container by calling CryptAcquireContext. You specify a key container name, a CSP name (optional), a provider type (such as PROV_RSA_FULL), and some flags (I use CRYPT_NEWKEYSET to create a new key container and CRYPT_SILENT to suppress UI). This gives you an HCRYPTPROV.

Then, create a blob representing the distinguished name of the cert. Look at the CertStrToName documentation for what to do. The distinguished name should conform to the X.500 standard, but could be as simple as "CN=<name>". Probably use X509_ASN_ENCODING as the encoding type and CERT_OID_NAME_STR as the string type.

Then, call CertCreateSelfSignCertificate, passing it the HCRYPTPROV as the first param, the blob as the second, any appropriate flags as the third (I don't use any), a CRYPT_KEY_PROV_INFO (not required if you use RSA) as the fourth, a CRYPT_ALGORITHM_IDENTIFIER (not required if you want the SHA1-RSA algorithm) as the fifth, a SYSTEMTIME struct for the sixth and seventh, representing the cert's start and end dates, and a CERT_EXTENSIONS (I don't use) as the final param.

And don't forget to call CryptReleaseContext when you're done with the CSP :-)

I hope that helps a bit, at least for my simple case.

Brian

BrianStern-MSFT at 2007-10-3
# 2

Thank you, Brian :)

The basic idea is the thing which I need. :) It was helpful. Other things will become clear while debugging. It's poor that experiment is the only way to work with CryptoAPI.

Mike.

MikhailKurskiy at 2007-10-3
# 3

Hello, Brian!

Besides creating a self-signed certificate, I have to make the length of the private key tunable. I have not found it in MSDN. Maybe you know how to do this using CertCreateSelfSignCertificate. Thank you.

Mike

MikhailKurskiy at 2007-10-3
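The steps from reply #1 combined with the key-length control asked about in reply #3, as an added example that is not code from the thread. It goes slightly beyond reply #1: the signature key is generated explicitly with CryptGenKey so its length can be chosen, and a CRYPT_KEY_PROV_INFO is passed to tie the certificate to that key. `KeyGenFlags` and `CreateSelfSigned` are hypothetical helper names.

```cpp
// Added example, not code from the thread. The certificate part is Windows-only
// (link crypt32.lib and advapi32.lib); KeyGenFlags is portable.
#include <cstdint>

// CryptGenKey takes the key length in bits in the upper 16 bits of dwFlags;
// the lower 16 bits carry ordinary flags such as CRYPT_EXPORTABLE.
uint32_t KeyGenFlags(uint32_t bits, uint32_t lowFlags) {
    return ((bits & 0xFFFFu) << 16) | (lowFlags & 0xFFFFu);
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>

// Hypothetical helper: returns a context to free with
// CertFreeCertificateContext, or NULL (see GetLastError).
PCCERT_CONTEXT CreateSelfSigned(LPCWSTR container, LPCWSTR subject, uint32_t bits) {
    HCRYPTPROV hProv = 0;
    HCRYPTKEY hKey = 0;
    PCCERT_CONTEXT cert = NULL;
    BYTE dn[512];
    CERT_NAME_BLOB name = { sizeof(dn), dn };

    // Step 1: new key container, no UI. Fails with NTE_EXISTS if it already exists.
    if (!CryptAcquireContextW(&hProv, container, NULL, PROV_RSA_FULL,
                              CRYPT_NEWKEYSET | CRYPT_SILENT))
        return NULL;

    // Name the container and key spec explicitly so the certificate is tied
    // to the key generated below.
    CRYPT_KEY_PROV_INFO kpi = {};
    kpi.pwszContainerName = const_cast<LPWSTR>(container);
    kpi.dwProvType = PROV_RSA_FULL;
    kpi.dwKeySpec = AT_SIGNATURE;

    // Generate the signature key with the requested length (not exportable),
    // then step 2: encode the subject, e.g. L"CN=example".
    if (CryptGenKey(hProv, AT_SIGNATURE, KeyGenFlags(bits, 0), &hKey) &&
        CertStrToNameW(X509_ASN_ENCODING, subject, CERT_OID_NAME_STR, NULL,
                       name.pbData, &name.cbData, NULL)) {
        // Step 3: NULL algorithm, dates and extensions select the defaults.
        cert = CertCreateSelfSignCertificate(hProv, &name, 0, &kpi,
                                             NULL, NULL, NULL, NULL);
    }
    if (hKey) CryptDestroyKey(hKey);
    CryptReleaseContext(hProv, 0);
    return cert;
}
#endif
```

Leaving CRYPT_EXPORTABLE out of the low flags keeps the private key non-exportable from the container; pass it only when the key really has to be exported.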
# 4

I don't suppose anyone would be willing to share a minimalist code snippet showing how to create a self-signed cert in .NET (C# or VB) using CertCreateSelfSignCertificate?

Thanks!

NickV. at 2007-10-3
# 5

I was just about to ask Nick's question...

I always end up with a protected memory access exception when calling CertCreateSelfSignCertificate. Might be my limited experience with pInvoke but anyway, any help is welcome.

Thanks

Sven

SvenBeneke at 2007-10-3