What Is the Certificate Enrollment Process

What is the certificate enrollment process?

The general procedure to issue certificates in a Public Key Infrastructure is more or less the following:

  1. The client generates a key pair (private and public key).

  2. The client generates a CSR (Certificate Signing Request) including attributes such as the Common Name and the public key, signs it with the private key and sends it to the server.

  3. The server builds the X.509 certificate from the CSR data, signs it with the CA private key and returns the X.509 certificate to the client.

  4. The client stores the private key and the certificate in a KeyStore.

What does the CA generate?

The X.509 certificate.

What is a P12 file?

A file in PKCS#12 format (.pfx or .p12) containing a key store.

What does a .cer file contain?

The public part of the certificate (not the private key), in DER or PEM format.
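The four steps above, together with the CA side of step 3 and the resulting .p12 and .cer files, as an added example that is not part of the original answer. It is desktop Java against the Bouncy Castle bcprov/bcpkix jars (the same API as the Spongy Castle code later on this page, under the org.bouncycastle package prefix instead of org.spongycastle). It assumes a self-signed demo CA created in the same process; the subject names, the file names client.p12 and client.cer and the key-store password are placeholders.

```java
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// Added example (not from the page): client steps 1, 2 and 4 plus the CA side of step 3 in one program.
public class EnrollmentDemo {
    static final String SIG_ALG = "SHA256withRSA";
    static final long ONE_DAY_MS = 24L * 3600 * 1000;
    static final char[] P12_PASSWORD = "changeit".toCharArray(); // placeholder for the demo

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Assumed for the demo: a self-signed issuing CA created in-process (in practice it lives on the CA server)
        KeyPair caKeys = rsaKeyPair(3072);
        X509Certificate caCert = selfSignedCa(caKeys, new X500Name("CN=Demo Issuing CA, O=Example"));

        // Step 1: the client generates its key pair; the private key never leaves the client
        KeyPair clientKeys = rsaKeyPair(2048);
        // Step 2: the client builds a PKCS#10 CSR carrying its subject and public key, signed with its private key
        X500Name subject = new X500Name("CN=device-0001, O=Example, OU=Devices");
        ContentSigner csrSigner = new JcaContentSignerBuilder(SIG_ALG).build(clientKeys.getPrivate());
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(subject, clientKeys.getPublic()).build(csrSigner);
        byte[] csrDer = csr.getEncoded(); // only these bytes travel to the CA
        // Step 3: the CA checks the CSR and issues the X.509 certificate
        X509Certificate clientCert = issue(csrDer, caKeys.getPrivate(), caCert);

        // Step 4: the client keeps private key + certificate chain in a PKCS#12 key store (the .p12/.pfx file)
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("client", clientKeys.getPrivate(), P12_PASSWORD, new Certificate[] { clientCert, caCert });
        try (FileOutputStream out = new FileOutputStream("client.p12")) {
            ks.store(out, P12_PASSWORD);
        }
        // The .cer file is just the certificate's DER bytes: public material, no key, safe to hand out
        try (FileOutputStream out = new FileOutputStream("client.cer")) {
            out.write(clientCert.getEncoded());
        }
        System.out.println("Issued " + clientCert.getSubjectX500Principal() + ", serial " + clientCert.getSerialNumber());
    }

    static KeyPair rsaKeyPair(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits, new SecureRandom());
        return kpg.generateKeyPair();
    }

    static X509Certificate selfSignedCa(KeyPair caKeys, X500Name caName) throws Exception {
        Date now = new Date();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(caName, BigInteger.ONE,
                now, new Date(now.getTime() + 3650 * ONE_DAY_MS), caName, caKeys.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        ContentSigner s = new JcaContentSignerBuilder(SIG_ALG).build(caKeys.getPrivate());
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(b.build(s));
    }

    // CA side: its only inputs are the CSR bytes and the CA's own key and certificate.
    static X509Certificate issue(byte[] csrDer, PrivateKey caKey, X509Certificate caCert) throws Exception {
        JcaPKCS10CertificationRequest csr = new JcaPKCS10CertificationRequest(csrDer).setProvider("BC");
        // Proof of possession: the CSR signature must verify under the public key the CSR itself carries,
        // otherwise a requester could get a certificate issued for a key it does not hold.
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(csr.getPublicKey()))) {
            throw new SecurityException("CSR signature does not verify under its own public key; rejecting");
        }
        // Policy belongs to the CA: serial, validity and extensions are set here, not copied from the CSR's
        // extensionRequest (a client asking for cA=true must not get it). The subject is taken from the
        // CSR for brevity; a real CA checks it against the authenticated requester.
        Date now = new Date();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(caCert,
                new BigInteger(64, new SecureRandom()).setBit(0), // positive, unpredictable serial (RFC 5280)
                now, new Date(now.getTime() + 365 * ONE_DAY_MS), csr.getSubject(), csr.getPublicKey());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
        ContentSigner s = new JcaContentSignerBuilder(SIG_ALG).build(caKey);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(b.build(s));
    }
}
```

Compile and run with bcprov and bcpkix on the classpath; client.p12 then holds what step 4 describes (private key plus chain, password-protected), while client.cer holds only the DER certificate and can be inspected with any X.509 viewer. The two checks worth keeping in any real CA are the ones in issue(): the proof-of-possession signature check, and the refusal to copy extensions from the CSR.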

EDITED - CSR generation on Android

Gradle dependencies

compile 'com.madgag.spongycastle:core:1.51.0.0'
compile 'com.madgag.spongycastle:pkix:1.51.0.0'

Generate KeyPair and CSR

//Generate KeyPair (2048-bit RSA is the minimum worth requesting a certificate for)
final int KEY_SIZE = 2048;
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(KEY_SIZE, new SecureRandom());
KeyPair keyPair = keyGen.generateKeyPair();

//Generate CSR in PKCS#10 format encoded in DER
String commonName = "device-0001"; // the CN the client asks for; the CA decides whether to honour it
PKCS10CertificationRequest csr = CsrHelper.generateCSR(keyPair, commonName);
byte[] csrDer = csr.getEncoded();   // these bytes are what is sent to the CA

Utilities

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.HashMap;
import java.util.Map;

import org.spongycastle.asn1.ASN1ObjectIdentifier;
import org.spongycastle.asn1.DERNull;
import org.spongycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x509.AlgorithmIdentifier;
import org.spongycastle.asn1.x509.BasicConstraints;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.asn1.x509.ExtensionsGenerator;
import org.spongycastle.operator.ContentSigner;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.spongycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrHelper {

    private final static String DEFAULT_SIGNATURE_ALGORITHM = "SHA256withRSA";
    private final static String CN_PATTERN = "CN=%s, O=Aralink, OU=OrgUnit";

    // ContentSigner backed by the platform JCA Signature, so the private key can live in the
    // Android KeyStore and is never exported. (Spongy Castle's JcaContentSignerBuilder does the
    // same job when the key material is directly available.)
    private static class JCESigner implements ContentSigner {

        private static final Map<String, AlgorithmIdentifier> ALGOS = new HashMap<String, AlgorithmIdentifier>();

        static {
            // RFC 4055: the parameters of an RSA PKCS#1 v1.5 signature AlgorithmIdentifier MUST be NULL;
            // omitting them produces a CSR some CAs and verifiers reject.
            ALGOS.put("SHA256withRSA".toLowerCase(), new AlgorithmIdentifier(
                    new ASN1ObjectIdentifier("1.2.840.113549.1.1.11"), DERNull.INSTANCE)); // sha256WithRSAEncryption
            ALGOS.put("SHA1withRSA".toLowerCase(), new AlgorithmIdentifier(
                    new ASN1ObjectIdentifier("1.2.840.113549.1.1.5"), DERNull.INSTANCE));  // sha1WithRSAEncryption, legacy only
        }

        private String mAlgo;
        private Signature signature;
        private ByteArrayOutputStream outputStream;

        public JCESigner(PrivateKey privateKey, String sigAlgo) {
            //Utils.throwIfNull(privateKey, sigAlgo);
            mAlgo = sigAlgo.toLowerCase();
            try {
                this.outputStream = new ByteArrayOutputStream();
                this.signature = Signature.getInstance(sigAlgo);
                this.signature.initSign(privateKey);
            } catch (GeneralSecurityException gse) {
                throw new IllegalArgumentException(gse.getMessage(), gse);
            }
        }

        @Override
        public AlgorithmIdentifier getAlgorithmIdentifier() {
            AlgorithmIdentifier id = ALGOS.get(mAlgo);
            if (id == null) {
                throw new IllegalArgumentException("Does not support algo: " + mAlgo);
            }
            return id;
        }

        @Override
        public OutputStream getOutputStream() {
            // The CSR builder writes the DER-encoded CertificationRequestInfo here; it is signed in getSignature()
            return outputStream;
        }

        @Override
        public byte[] getSignature() {
            try {
                signature.update(outputStream.toByteArray());
                return signature.sign();
            } catch (GeneralSecurityException gse) {
                // Do not return null here: the builder would embed it and produce an unusable CSR
                throw new IllegalStateException("Signing the CSR failed", gse);
            }
        }
    }

    //Create the certificate signing request (CSR) from private and public keys
    public static PKCS10CertificationRequest generateCSR(KeyPair keyPair, String cn) throws IOException,
            OperatorCreationException {
        String principal = String.format(CN_PATTERN, cn);

        ContentSigner signer = new JCESigner(keyPair.getPrivate(), DEFAULT_SIGNATURE_ALGORITHM);

        PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(
                new X500Name(principal), keyPair.getPublic());
        // Requested extensions travel in the pkcs-9 extensionRequest attribute. A client certificate is an
        // end entity, so request cA=false; a well-run CA applies its own policy and ignores this anyway.
        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        extensionsGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
                extensionsGenerator.generate());
        PKCS10CertificationRequest csr = csrBuilder.build(signer);

        return csr;
    }
}

What is the difference between enrolling and registering a certificate in Hyperledger Fabric CA?

So, from what I understand, when you "enrol" an identity you get the certificates and private keys for it. When you "register" the identity, you are simply creating the user name and password for that identity with the CA server.

The certificates that the cryptogen tool generates are not any different from the ones generated by the Fabric CA; the cryptogen tool is there for convenience in development. It should not be used in a live / production environment. Under the hood the cryptogen tool actually spins up a Fabric CA server locally.

Here is a link to the latest documentation for Fabric CA:

https://hyperledger-fabric-ca.readthedocs.io/en/latest/

Process to get a developer certificate

This can take anywhere from a few days to several months, depending on how difficult it is for them to verify your company details. Normally it is finished within a week.

Challenge password in SCEP

If a certificate is compromised (the private key is stolen, etc.) the certificate needs to be revoked, as it will remain valid until the end of its term.

Any administrator with access to a cert can revoke the cert. If a challenge password was specified during the certificate signing request, that password will be required before the cert can be revoked.

So, it seems the sole purpose of the challenge password is to prevent revocation by someone without the password.

Unable to complete the Windows Phone certificate enrollment web service process

Finally, after one month, I succeeded with enrolment.

We have to use the Windows Phone developer power tool for debugging.

For my questions I am answering as below.

1) We have to use a root certificate (CA) that is a valid CA certificate. We need to sign the client certificate (coming from the device) with the server certificate and key certificate. Be careful about the fingerprint.
2) No extra certificates are needed for enrolment. The above two are mandatory.

I hope the above helps others.


