NPKICreateUserCertificate
Generates a key pair with its corresponding X.509 certificate (formerly NWPKICreateUserCertificate).
#include "npki.h"

NWRCODE NPKICreateUserCertificate(
    const NPKIContext context,
    const unicode *keyGenServerDN,
    const unicode *signServerDN,
    const unicode *userDN,
    const unicode *nickName,
    const nuint32 keyType,
    const nuint32 keySize,
    const unicode *subjectDN,
    const nuint32 signatureAlgorithm,
    const nuint32 dateFlags,
    const nuint32 validFrom,
    const nuint32 validTo,
    const nuint32 publicKeyFlags,
    const nuint32 privateKeyFlags,
    const NPKI_Extension *keyUsage,
    const NPKI_Extension *basicConstraints,
    const NPKI_ExtAltNames *altNames,
    const NPKI_Extension *NovellAttr,
    const NPKI_ASN1_Extensions *extensions,
    void *reserved1,
    void *reserved2);
subjectDN: This parameter should be NULL if the subject name in the user certificate is to be the user's typed FDN. If a name other than the eDirectory user name is desired, this parameter must contain the typed FDN, and publicKeyFlags must include the flag PKI_CUSTOM_SUBJECT_NAME.
validFrom, validTo: You can call NPKIGetServerInfo to determine the greatest validity period available on the server.
NOTE: There is currently one optional private key flag, PRIVATE_KEY_EXTRACTABLE. To use it, bitwise-OR it with the value PRIVATE_KEY; this enables extraction of the user's private key into a PKCS #12 file (PKCS #12 is the standard format for importing keys into a browser).
When using the PRIVATE_KEY_EXTRACTABLE flag together with the Section 4.5, Novell Security Attributes Extension, you must also bitwise-OR the extractable option (NOVELL_EXTENSION_EXTRACTABLE_KEY) with the appropriate Novell attribute (see NOVELL_EXTENSION_USER_DEFAULT in Mutually Exclusive Flags).
Returns 0 if successful, or an eDirectory, NICI, or PKI error code if not successful.
The key pair is stored securely in eDirectory as an attribute in the user’s object. The private key is cryptographically wrapped using Novell International Cryptographic Infrastructure (NICI) to protect the key.
When calling NPKICreateUserCertificate, three different modes can be used: single server mode, dual server mode, or external mode (external mode is not supported in this release). Depending on the mode selected, different NCPs are sent and different results occur.
Single server mode is used to generate a user certificate when the signing server is the same as the key generation server. In this case, signServerDN is set to NULL, and publicKeyFlags consists of the define PUBLIC_KEY_SINGLE_SERVER combined with any optional public key flags desired. The newly generated user certificate is returned and can be accessed by calling NPKIUserCertInfo.
NOTE: Single server mode is possible only when the key generation server also hosts a CA.
Dual server mode is used to generate a user certificate when the signing server is not the same as the key generation server. In this case publicKeyFlags consists of the define PUBLIC_KEY_TWO_SERVER combined with any optional public key flags desired. The newly generated user certificate is returned and can be accessed by calling NPKIUserCertInfo.
If the error PKI_E_ADD_CERTIFICATE is returned in dual server mode, the certificate was created but could not be stored in eDirectory because of replication delays. In that case you must store it yourself with a successful call to NPKIStoreUserCertificate (the userDN, nickName, and signServerDN parameters should be the same as in NPKICreateUserCertificate, the flags parameter should be set to PKI_INTERNAL_KEY_PAIR, and all other parameters should be NULL or 0).
NOTE: External server mode is not supported in this release.
The server named by signServerDN must host a CA in the current tree. You can call NPKIFindKeyGenServersForUser and NPKIGetServerInfo to determine which servers meet the requirements to act as a CA for a specified user.
After a successful call to NPKICreateUserCertificate, the certificate and its length can be obtained by calling NPKIUserCertInfo using 0 in the index parameter.
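The mode selection, flag rules and PKI_E_ADD_CERTIFICATE handling described above, encoded as a caller-side pre-flight check and post-call decision. This is an added example, not Novell NDK code; the flag and error-code values are placeholders that stand in for the real definitions in npki.h, the nuint32/NWRCODE typedefs are assumed, and the layout of the flag word inside the Novell Security Attributes extension is assumed.

```c
/* Added example, not Novell NDK code: pre-flight check of the argument combinations this page
 * documents for NPKICreateUserCertificate and the step after the call. Placeholders apply only when npki.h is absent. */
#include <stdint.h>
#ifndef PUBLIC_KEY_SINGLE_SERVER
typedef uint32_t nuint32; typedef int NWRCODE;     /* assumed NDK typedefs */
#define PUBLIC_KEY_SINGLE_SERVER         0x0001u   /* placeholder bit values; the */
#define PUBLIC_KEY_TWO_SERVER            0x0002u   /* real ones come from npki.h  */
#define PKI_CUSTOM_SUBJECT_NAME          0x0010u
#define PRIVATE_KEY                      0x0001u
#define PRIVATE_KEY_EXTRACTABLE          0x0002u
#define NOVELL_EXTENSION_EXTRACTABLE_KEY 0x0001u
#define PKI_E_ADD_CERTIFICATE            (-1)      /* placeholder error code */
#endif
enum npki_arg_error { NPKI_ARGS_OK = 0, NPKI_ARGS_MODE_MISMATCH,
    NPKI_ARGS_SUBJECT_NEEDS_FLAG, NPKI_ARGS_EXTRACTABLE_NEEDS_PRIVATE_KEY,
    NPKI_ARGS_NOVELL_ATTR_NOT_EXTRACTABLE };

/* have*: nonzero when the corresponding pointer argument is non-NULL. novellAttrFlags:
 * flag word destined for the Novell Security Attributes extension (assumed layout). */
enum npki_arg_error npki_check_user_cert_args(int haveSignServer, int haveSubjectDN,
        nuint32 publicKeyFlags, nuint32 privateKeyFlags,
        int haveNovellAttr, nuint32 novellAttrFlags)
{
    int single = (publicKeyFlags & PUBLIC_KEY_SINGLE_SERVER) != 0;
    int dual   = (publicKeyFlags & PUBLIC_KEY_TWO_SERVER) != 0;
    /* Single server: signServerDN NULL + SINGLE_SERVER; dual: DN set + TWO_SERVER. */
    if (single == dual || (single && haveSignServer) || (dual && !haveSignServer))
        return NPKI_ARGS_MODE_MISMATCH;
    if (haveSubjectDN && !(publicKeyFlags & PKI_CUSTOM_SUBJECT_NAME))
        return NPKI_ARGS_SUBJECT_NEEDS_FLAG;
    int extractable = (privateKeyFlags & PRIVATE_KEY_EXTRACTABLE) != 0;
    /* PRIVATE_KEY_EXTRACTABLE is only valid OR'ed with PRIVATE_KEY, and a Novell
     * attribute extension, if supplied, must also mark the key extractable. */
    if (extractable && !(privateKeyFlags & PRIVATE_KEY))
        return NPKI_ARGS_EXTRACTABLE_NEEDS_PRIVATE_KEY;
    if (extractable && haveNovellAttr && !(novellAttrFlags & NOVELL_EXTENSION_EXTRACTABLE_KEY))
        return NPKI_ARGS_NOVELL_ATTR_NOT_EXTRACTABLE;
    return NPKI_ARGS_OK;
}
enum npki_next { NPKI_NEXT_FAIL, NPKI_NEXT_READ_CERT, NPKI_NEXT_STORE_CERT };
/* 0: read the certificate via NPKIUserCertInfo (index 0). PKI_E_ADD_CERTIFICATE in dual
 * server mode: the certificate exists but was not stored; call NPKIStoreUserCertificate
 * (flags PKI_INTERNAL_KEY_PAIR) instead of generating a second key pair. */
enum npki_next npki_after_create(NWRCODE rc, nuint32 publicKeyFlags)
{
    if (rc == 0) return NPKI_NEXT_READ_CERT;
    if (rc == PKI_E_ADD_CERTIFICATE && (publicKeyFlags & PUBLIC_KEY_TWO_SERVER))
        return NPKI_NEXT_STORE_CERT;
    return NPKI_NEXT_FAIL;
}
```

Run the check before issuing the NCP so that a malformed flag combination fails in the client rather than producing a key pair whose extractability or subject name differs from what was intended.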