NPKICreateUserCertificate
Generates a key pair with its corresponding X.509 certificate
(formerly NWPKICreateUserCertificate).
Syntax
#include "npki.h"
NWRCODE NPKICreateUserCertificate(
const NPKIContext context,
const unicode *keyGenServerDN,
const unicode *signServerDN,
const unicode *userDN,
const unicode *nickName,
const nuint32 keyType,
const nuint32 keySize,
const unicode *subjectDN,
const nuint32 signatureAlgorithm,
const nuint32 dateFlags,
const nuint32 validFrom,
const nuint32 validTo,
const nuint32 publicKeyFlags,
const nuint32 privateKeyFlags,
const NPKI_Extension *keyUsage,
const NPKI_Extension *basicConstraints,
const NPKI_ExtAltNames *altNames,
const NPKI_Extension *NovellAttr,
const NPKI_ASN1_Extensions *extensions,
void *reserved1,
void *reserved2);
Parameters
- context
- (IN) Specifies the NPKI context for the request.
- keyGenServerDN
- (IN) Specifies the eDirectory FDN of the server
used to generate the user’s key pair.
- signServerDN
- (IN) Specifies the eDirectory FDN of the server
that hosts the certificate authority that generates the X.509 certificate.
- userDN
- (IN) Specifies the FDN of the user object for which
a certificate will be generated. This must be a valid eDirectory
user object in the current tree.
- nickName
- (IN) Specifies the certificate nickname. This name
must be unique for the specified user.
- keyType
- (IN) Specifies the type of key that you want to
be generated. Call NPKIGetServerInfo to
get the supported key generation algorithms. For this release, the
only supported key type is PKI_RSA_ALGORITHM (see Key Generation Algorithms Defines).
- keySize
- (IN) Specifies the requested size of the key to
be generated. If the key size requested cannot be generated, an
error is returned by the server and no key is generated. Calling NPKIGetServerInfo, then NPKIGetAlgorithmInfo obtains the supported key
sizes supported on the server. The intersection of the key sizes
and algorithms supported by the keyGenServerDN and
the signServerDN are the valid key sizes
and algorithms.
- subjectDN
- (IN) Specifies the subjectDN. This
is the name to be encoded in the subject field in the X.509 certificate.
The subject field identifies the entity associated with the public/private
key pair. (For more information, see RFC
2459*, Section 4.1.2.6.)
This parameter should be NULL if the subject name (in the
user certificate) is to be the user’s typed FDN. If a name
other than the eDirectory username is desired, this parameter must contain
the typed FDN (and publicKeyFlags must include
the flag PKI_CUSTOM_SUBJECT_NAME).
- signatureAlgorithm
- (IN) Specifies the signature algorithm to use to
sign the certificate. To get the supported algorithms, call NPKIGetServerInfo. For this release, signatureAlgorithm must
be set to one of the following:
- PKI_SIGN_WITH_RSA_AND_MD2
- PKI_SIGN_WITH_RSA_AND_MD5
- PKI_SIGN_WITH_RSA_AND_SHA1
- dateFlags
- (IN) Specifies whether dates have either a two-digit
or four-digit year. For this release, set this to DEFAULT_YEAR_ENCODING.
- validFrom
- (IN) Specifies the beginning of the period of validity,
represented as the number of seconds since 00:00:00 UTC Jan 1, 1970,
or 0xFFFFFFFF to represent the current time on the server.
- validTo
- (IN) Specifies the end of the period of validity,
represented as the number of seconds since 00:00:00 UTC Jan 1, 1970,
or 0xFFFFFFFF to represent the greatest validity period available on
the server.
You can call NPKIGetServerInfo to
determine the greatest validity period available on the server.
- publicKeyFlags
- (IN) Specifies the public key options to use when
creating the key pair. Use one of the following flags, together
with any optional public key flags:
- PUBLIC_KEY_SINGLE_SERVER—Used
when the signing server is the same as the key generation server.
This is possible only when the key generation server also hosts
a CA.
- PUBLIC_KEY_TWO_SERVER—Used
when the signing server is not the same as the key generation server.
- privateKeyFlags
- (IN) Specifies the private key options to use when
creating the key pair. For this release use the define PRIVATE_KEY
together with any optional private key flags.
NOTE:There currently is one Optional Private Key Flag (PRIVATE_KEY _EXTRACTABLE).
To use this optional flag, it must be bitwise-OR'ed with the value PRIVATE_KEY
to enable extraction of a user's private key into a PKCS #12
file (PKCS #12 is the standard format to import keys into
a browser).
When using the PRIVATE_KEY_EXTRACTABLE flag
and including the Section 4.5, Novell Security Attributes
Extension, it's necessary to bitwise-OR
the extractable option (that is, NOVELL_EXTENSION_EXTRACTABLE_KEY)
along with the appropriate Novell attribute (see NOVELL_EXTENSION_USER_DEFAULT
in Mutually Exclusive Flags).
- keyUsage
- (IN) Specifies the X.509 key usage extension. For
more information, see Section 4.16, X.509 Extensions and Section 4.4, Key Usage Extension. The key usage extension is
not included in the certificate if NULL is passed in this parameter.
- basicConstraints
- (IN) Specifies the X.509 basic constraints extension.
For more information, see Section 4.16, X.509 Extensions and Section 4.1, Basic Constraints
Extension. The basic constraints extension
is not included in the certificate if this parameter is NULL.
- altNames
- (IN) Specifies the X.509 subject alternative name
extension. For more information, see Section 4.16, X.509 Extensions and Section 5.3, Subject Alternative
Names Extension. The subject alternative names
extension is not included in the certificate if this parameter is
NULL.
- NovellAttr
- (IN) Specifies the Novell Security Attributes extension.
For more information, see Section 4.16, X.509 Extensions and the Section 4.5, Novell Security Attributes
Extension. If this parameter is NULL,
the default Novell Security Attributes for a user certificate is
included in the certificate.
- extensions
- (IN) Specifies any generic ASN.1 encoded extensions
to add to the certificate. For more information, see the Section 4.16, X.509 Extensions.
- reserved1
- Reserved for future use.
- reserved2
- Reserved for future use.
Return Values
Returns 0 if successful, or an eDirectory, NICI, or PKI error
code if not successful.
PKI NCP Calls
- 0x2222 93 03 Create Key Pair
- 0x2222 93 04 Sign Certificate
Remarks
The key pair is stored securely in eDirectory as an attribute
in the user’s object. The private key is cryptographically
wrapped using Novell International Cryptographic Infrastructure
(NICI) to protect the key.
When calling NPKICreateUserCertificate,
three different modes can be used: single server mode, dual
server mode, or external mode (external
mode is not supported in this release). Depending on the mode selected,
different NCPs are sent and different results occur.
Single server mode is used to generate
a user certificate when the signing server is the same as the key
generation server. In this case, signServerDN is
set to NULL, and publicKeyFlags consists of the
define PUBLIC_KEY_SINGLE_SERVER combined
with any optional public key flags desired. The newly generated
user certificate is returned and can be accessed calling NPKIUserCertInfo.
NOTE:Single server mode is possible only when
the key generation server also hosts a CA.
The dual server mode is used to generate
a user certificate when the signing server is not the same as the
key generation server. In this case publicKeyFlags consists
of the define PUBLIC_KEY_TWO_SERVER combined
with any optional public key flags desired. The newly generated
user certificate is returned and can be accessed calling NPKIUserCertInfo.
If the error PKI_E_ADD_CERTIFICATE
is returned when using dual server mode; although
the certificate was created, it could not be stored in eDirectory
because of replication delays. If this error occurs, you should
call NPKIStoreUserCertificate successfully.
(The userDN, nickName, and signServerDN parameters
should be the same as in NPKICreateUserCertificate, the flags parameter
should be set to PKI_INTERNAL_KEY_PAIR, and
all other parameters should be either NULL or 0.)
NOTE:The external server mode is not supported
in this release.
The signServerDN must host a CA in the current
tree. You can call NPKIFindKeyGenServersForUser and NPKIGetServerInfo to determine which servers
meet the requirements to act as a CA for a specified user.
After a successful call to NPKICreateUserCertificate, the
certificate and its length can be obtained by calling NPKIUserCertInfo
using 0 in the index parameter.