NPKICreateServerCertificate

Creates a server key pair as well as the corresponding X.509 certificate (formerly NWPKICreateServerCertificate).

Syntax

    #include "npki.h"
    
    NWRCODE NPKICreateServerCertificate(
       const NPKIContext              context,
       const unicode                 *keyGenServerDN, 
       const unicode                 *signServerDN, 
       const unicode                 *certificateName,
       const nuint32                  keyType,
       const nuint32                  keySize,
       const unicode                 *subjectDN,
       const nuint32                  signatureAlgorithm,
       const nuint32                  dateFlags,
       const nuint32                  validFrom,
       const nuint32                  validTo,
       const nuint32                  publicKeyFlags,
       const nuint32                  privateKeyFlags,
       const NPKI_Extension          *keyUsage,
       const NPKI_Extension          *basicConstraints,
       const NPKI_ExtAltNames        *altNames,
       const NPKI_Extension          *NovellAttr,
       const NPKI_ASN1_Extensions    *extensions,
       void                          *reserved1,
       void                          *reserved2);

Parameters

context
(IN) Specifies the NPKI context for the request.
keyGenServerDN
(IN) Points to the eDirectory FDN of the server for which to generate the X.509 certificate.
signServerDN
(IN) Specifies the eDirectory FDN of the server that hosts the CA that will be used to generate the X.509 certificate.
certificateName
(IN) Specifies the certificate name to be used to identify the key pair and corresponding certificate.
keyType
(IN) Specifies the type of key that is to be generated. For this release, the only supported key type is RSA or a value of PKI_RSA_ALGORITHM (see Key Generation Algorithms Defines).
keySize
(IN) Specifies the requested size of the key to be generated. If the key size requested could not be generated, the server returns an error and no key is generated. Calling NPKIGetServerInfo with flags set to PKI_SERVER_INFO, then NPKIGetAlgorithmInfo obtains the supported key sizes on the server. The intersection of the key sizes and algorithms supported by the keyGenServerDN and the signServerDN are the valid key sizes and algorithms.
subjectDN
(IN) Specifies the subjectDN. This is the name to be encoded in the subject name field in the X.509 certificate. The subject field identifies the entity associated with the public/private key pair. (For more information, see RFC 2459*, Section 4.1.2.6.)
signatureAlgorithm
(IN) Specifies the signature algorithm to use to sign the certificates. You can call NPKIGetServerInfo to determine which signature algorithms are supported.
dateFlags
(IN) Specifies whether dates have a two-digit or four-digit year. For this release, set this to DEFAULT_YEAR_ENCODING.
validFrom
(IN) Specifies the beginning of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or 0xFFFFFFFF to represent the current time on the server.
validTo
(IN) Specifies the end of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or 0xFFFFFFFF to represent the greatest validity period available on the server. You can call NPKIGetServerInfo to determine the greatest validity period supported by the server.
publicKeyFlags
(IN) Specifies the public key options to use when creating the key pair. Use one of the following flags, together with any optional public key flags:
  • PUBLIC_KEY_SINGLE_SERVER—Used when the signing server is the same as the key generation server. This is only possible when the key generation server also hosts a CA.
  • PUBLIC_KEY_TWO_SERVER—Used when the signing server is not the same as the key generation server.
  • PUBLIC_KEY_EXTERNAL_CA—Used when an external CA will sign the certificate.
privateKeyFlags
(IN) Specifies the private key options to use when creating the key pair. For this release use the define PRIVATE_KEY together with any optional private key flags.

NOTE:There currently is one Optional Private Key Flag (PRIVATE_KEY _EXTRACTABLE). To use this optional flag, it must be OR'ed with the value PRIVATE_KEY to enable extraction of the server's private key into PKCS #12 file (PKCS #12 is the standard format for extracting and importing keys). This flag must be used to enable backup of the server's private key.

When using the PRIVATE_KEY_EXTRACTABLE flag and including the Novell Security Attributes extension, it's necessary to bitwise-OR the extractable option (that is, NOVELL_EXTENSION_EXTRACTABLE_KEY) along with the appropriate Novell attribute to the flags field in the Novell Security Attributes extension (see Mutually Exclusive Flags).

keyUsage
(IN) Specifies the X.509 key usage extension. For more information, see the Section 4.16, X.509 Extensions and the Section 4.4, Key Usage Extension. The key usage extension is not included in the certificate if this parameter is NULL.
basicConstraints
(IN) Specifies the X.509 basic constraints extension. For more information, see the Section 4.16, X.509 Extensions and the Section 4.1, Basic Constraints Extension. The basic constraints extension is not included in the certificate if this parameter is NULL.
altNames
(IN) Specifies the X.509 subject alternative name extension. For more information, see Section 4.16, X.509 Extensions and Section 5.3, Subject Alternative Names Extension. The subject alternative names extension is not included in the certificate if this parameter is NULL.
NovellAttr
(IN) Specifies the Novell Security Attributes extension. For more information, see Section 4.16, X.509 Extensions and Section 4.5, Novell Security Attributes Extension. If this parameter is NULL, the default Novell Security Attributes extension for a server certificate is included in the certificate.
extensions
(IN) Specifies any generic ASN.1 encoded extensions to add to the certificate. See Section 4.16, X.509 Extensions.
reserved1
Reserved for future use.
reserved2
Reserved for future use.

Return Values

Returns 0 if successful, or an eDirectory, NICI, or PKI error code if not successful.

PKI NCP Calls

Remarks

When calling NPKICreateServerCertificate, three different modes can be used: single server mode, dual server mode, or external mode. Depending on the mode selected, different NCPs™ are sent and different results occur.

The single server mode is used to create a server certificate when the signing server is the same as the key generation server. In this case, signServerDN should be set to NULL, and publicKeyFlags should consist of the define PUBLIC_KEY_SINGLE_SERVER combined with any optional public key flags desired.

After calling NPKICreateServerCertificate successfully, the newly generated server certificate and its corresponding certificate chain are stored in eDirectory. The newly generated server certificate is returned and can be accessed by calling NPKICertInfo.

NOTE:Single server mode is possible only when the key generation server also hosts a CA.

The dual server mode is used to generate a server certificate when the signing server is not the same as the key generation server. In this case publicKeyFlags should consist of the define PUBLIC_KEY_TWO_SERVER combined with any optional public key flags desired. The newly generated server certificate is returned and can be accessed by calling NPKICertInfo.

After calling NPKICreateServerCertificate successfully, it is necessary to store the newly generated certificate and its corresponding certificate chain.

You can retrieve the certificate chain by calling NPKIGetCACertificates with the flags field set to PKI_OBJECT_KEY_CERT combined with PKI_SELF_SIGNED_CERT.

After the successful call to NPKIGetCACertificates, you should call NPKICertificateList to add the certificates one at a time with the flags field set to PKI_ADD. Once all the certificates in the chain have been added, make the call again with the flags field set to PKI_SORT. You must call NPKIStoreServerCertificatesFromCertificateList to actually store the certificates into the object.

The external server mode is used to generate a server certificate when an external CA signs the certificate. In this case, signServerDN is set to NULL and publicKeyFlags consists of the define PUBLIC_KEY_EXTERNAL_CA combined with any other public key flags desired. A PKCS #10 Public Key Signing Request (CSR) is generated and can be accessed by calling NPKICSRInfo.

The external server mode is used to generate a server Certificate Signing Request (CSR) to facilitate an external CA signing (or creating) the server certificate. For the external server mode, set signServerDN to NULL and publicKeyFlags to the define PUBLIC_KEY_EXTERNAL_CA combined with any optional public key flags desired. A PKCS #10 CSR is generated and accessed by calling NPKIStoreServerCertificates.

The CSR should be sent to the external CA. The external CA will send a new X.509 server certificate in response. The new X.509 server certificate signed (created) by the external CA, as well as the external CA’s certificate chain, should be added by making calls to NPKICertificateList with the flags field set to PKI_ADD. Once all the certificates in the chain have been added, make the call again with the flags field set to PKI_SORT. You must call NPKIStoreServerCertificatesFromCertificateList to actually store the certificates into the object. This method of storing certificates will handle PKCS #7 files that contain multiple certificates

To have the ability to backup the server private key, the optional private key flag (PRIVATE_KEY_EXTRACTABLE) must be used. For a sample implementation of this task, see CreateServerCertificate.. For a sample implementation of how to back up the server certificate, see BackupServerCertificate.

See Also