NPKICreateServerCertificate
Creates a server key pair as well as the corresponding X.509 certificate (formerly NWPKICreateServerCertificate).
#include "npki.h"

NWRCODE NPKICreateServerCertificate(
    const NPKIContext context,
    const unicode *keyGenServerDN,
    const unicode *signServerDN,
    const unicode *certificateName,
    const nuint32 keyType,
    const nuint32 keySize,
    const unicode *subjectDN,
    const nuint32 signatureAlgorithm,
    const nuint32 dateFlags,
    const nuint32 validFrom,
    const nuint32 validTo,
    const nuint32 publicKeyFlags,
    const nuint32 privateKeyFlags,
    const NPKI_Extension *keyUsage,
    const NPKI_Extension *basicConstraints,
    const NPKI_ExtAltNames *altNames,
    const NPKI_Extension *NovellAttr,
    const NPKI_ASN1_Extensions *extensions,
    void *reserved1,
    void *reserved2);
NOTE: There is currently one optional private key flag (PRIVATE_KEY_EXTRACTABLE). To use it, OR it with the value PRIVATE_KEY; this enables extraction of the server's private key into a PKCS #12 file (PKCS #12 is the standard format for extracting and importing keys). This flag must be set to enable backup of the server's private key.
When using the PRIVATE_KEY_EXTRACTABLE flag and including the Novell Security Attributes extension, you must also bitwise-OR the extractable option (NOVELL_EXTENSION_EXTRACTABLE_KEY) together with the appropriate Novell attribute into the flags field of the Novell Security Attributes extension (see Mutually Exclusive Flags).
Returns 0 if successful, or an eDirectory, NICI, or PKI error code if not successful.
When calling NPKICreateServerCertificate, three different modes can be used: single server mode, dual server mode, or external mode. Depending on the mode selected, different NCPs™ are sent and different results occur.
The single server mode is used to create a server certificate when the signing server is the same as the key generation server. In this case, signServerDN should be set to NULL, and publicKeyFlags should consist of the define PUBLIC_KEY_SINGLE_SERVER combined with any optional public key flags desired.
After calling NPKICreateServerCertificate successfully, the newly generated server certificate and its corresponding certificate chain are stored in eDirectory. The newly generated server certificate is returned and can be accessed by calling NPKICertInfo.
NOTE: Single server mode is possible only when the key generation server also hosts a CA.
The dual server mode is used to generate a server certificate when the signing server is not the same as the key generation server. In this case publicKeyFlags should consist of the define PUBLIC_KEY_TWO_SERVER combined with any optional public key flags desired. The newly generated server certificate is returned and can be accessed by calling NPKICertInfo.
After calling NPKICreateServerCertificate successfully, it is necessary to store the newly generated certificate and its corresponding certificate chain.
You can retrieve the certificate chain by calling NPKIGetCACertificates with the flags field set to PKI_OBJECT_KEY_CERT combined with PKI_SELF_SIGNED_CERT.
After the successful call to NPKIGetCACertificates, you should call NPKICertificateList to add the certificates one at a time with the flags field set to PKI_ADD. Once all the certificates in the chain have been added, make the call again with the flags field set to PKI_SORT. You must call NPKIStoreServerCertificatesFromCertificateList to actually store the certificates into the object.
The external server mode is used to generate a server certificate when an external CA signs the certificate. In this case, signServerDN is set to NULL and publicKeyFlags consists of the define PUBLIC_KEY_EXTERNAL_CA combined with any other public key flags desired. A PKCS #10 Public Key Signing Request (CSR) is generated and can be accessed by calling NPKICSRInfo.
The external server mode is used to generate a server Certificate Signing Request (CSR) to facilitate an external CA signing (or creating) the server certificate. For the external server mode, set signServerDN to NULL and publicKeyFlags to the define PUBLIC_KEY_EXTERNAL_CA combined with any optional public key flags desired. A PKCS #10 CSR is generated and accessed by calling NPKIStoreServerCertificates.
The CSR should be sent to the external CA, which responds with a new X.509 server certificate. The new X.509 server certificate signed (created) by the external CA, as well as the external CA's certificate chain, should be added by making calls to NPKICertificateList with the flags field set to PKI_ADD. Once all the certificates in the chain have been added, make the call again with the flags field set to PKI_SORT. You must call NPKIStoreServerCertificatesFromCertificateList to actually store the certificates into the object. This method of storing certificates also handles PKCS #7 files that contain multiple certificates.
To be able to back up the server private key, the optional private key flag (PRIVATE_KEY_EXTRACTABLE) must be used. For a sample implementation of this task, see CreateServerCertificate. For a sample implementation of how to back up the server certificate, see BackupServerCertificate.
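A caller-side preflight check for the mode and flag rules described above (single, dual and external server mode, PRIVATE_KEY_EXTRACTABLE, and the Novell Security Attributes extension), written here as an added example that is not part of the NDK or of npki.h. It assumes placeholder bit values and a placeholder unicode typedef, since the real ones come from npki.h, and it treats a non-NULL signServerDN as required only in dual server mode.

```c
#include <stddef.h>
#include <stdint.h>
/* Placeholders standing in for npki.h (hypothetical bit values and typedef;
 * the real ones come from npki.h). */
typedef uint16_t unicode;
#define PUBLIC_KEY_SINGLE_SERVER         0x01u
#define PUBLIC_KEY_TWO_SERVER            0x02u
#define PUBLIC_KEY_EXTERNAL_CA           0x04u
#define PRIVATE_KEY                      0x01u
#define PRIVATE_KEY_EXTRACTABLE          0x02u
#define NOVELL_EXTENSION_EXTRACTABLE_KEY 0x10u
typedef enum {
    CHECK_OK = 0,
    CHECK_NO_MODE,                         /* no PUBLIC_KEY_* mode bit set */
    CHECK_MULTIPLE_MODES,                  /* more than one mode bit set */
    CHECK_SIGN_SERVER_MUST_BE_NULL,        /* single/external mode with a signer DN */
    CHECK_SIGN_SERVER_REQUIRED,            /* dual server mode without a signer DN */
    CHECK_EXTRACTABLE_WITHOUT_PRIVATE_KEY, /* EXTRACTABLE not OR'ed with PRIVATE_KEY */
    CHECK_NOVELL_ATTR_MISSING_EXTRACTABLE  /* Novell attr lacks EXTRACTABLE_KEY */
} check_result;

/* Hypothetical caller-side preflight check, not part of the NPKI API: rejects
 * mode/flag combinations the reference forbids before any NCP is sent.
 * hasNovellAttr is nonzero when a Novell Security Attributes extension is
 * passed; novellAttrFlags is that extension's flags field. */
check_result preflight_server_cert_args(const unicode *signServerDN,
        uint32_t publicKeyFlags, uint32_t privateKeyFlags,
        int hasNovellAttr, uint32_t novellAttrFlags)
{
    uint32_t mode = publicKeyFlags & (PUBLIC_KEY_SINGLE_SERVER |
                    PUBLIC_KEY_TWO_SERVER | PUBLIC_KEY_EXTERNAL_CA);
    if (mode == 0) return CHECK_NO_MODE;
    if (mode & (mode - 1)) return CHECK_MULTIPLE_MODES; /* exactly one bit */
    /* Only dual server mode names a separate signing server. */
    if (mode == PUBLIC_KEY_TWO_SERVER) {
        if (signServerDN == NULL) return CHECK_SIGN_SERVER_REQUIRED;
    } else if (signServerDN != NULL) {
        return CHECK_SIGN_SERVER_MUST_BE_NULL;
    }
    /* An extractable key can leave the server as PKCS #12, so accept it only
     * as PRIVATE_KEY | PRIVATE_KEY_EXTRACTABLE with a matching Novell attr. */
    if (privateKeyFlags & PRIVATE_KEY_EXTRACTABLE) {
        if (!(privateKeyFlags & PRIVATE_KEY))
            return CHECK_EXTRACTABLE_WITHOUT_PRIVATE_KEY;
        if (hasNovellAttr && !(novellAttrFlags & NOVELL_EXTENSION_EXTRACTABLE_KEY))
            return CHECK_NOVELL_ATTR_MISSING_EXTRACTABLE;
    }
    return CHECK_OK;
}
```

Run the check on the arguments you intend to pass, and only call NPKICreateServerCertificate when it returns CHECK_OK.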