How to use CNG KSP to generate DSA keys using the Legacy CertEnroll API

Hi,

I'm creating an Internet Explorer solution which is capable of generating X509 PKCS10 enrollment requests. My solution makes use of the WebEnabled VBScript functions of the CertEnroll API.

I've managed to get the newer Cryptography API: Next Generation (CNG) Microsoft Key Storage Provider (KSP) to generate enrollment requests containing RSA and ECDSA Keys of various sizes. I've tried to modify the same method to use DSA keys in the enrollment requests, but I have been unsuccessful in getting this to function as expected.

According to the MSDN CNG documentation, the KSP should be able to generate DSA keys of sizes 512 to 1024 in 64-bit increments: https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).asp

I have managed to generate DSA keys, but I have been unable to use/access them in the Legacy CertEnroll API. I know that my implementation does indeed create DSA keys for two reasons. Firstly, the key-generation pop-up window appears asking the end-user if they wish to use a password to protect the key-pair being generated. Secondly, the Windows Event Viewer contains entries in the 'Windows Logs > Security' section which confirm DSA keys were generated. The log entries in the event viewer are the same for RSA, ECDSA, and DSA. However, attempting to generate a certificate enrollment request with DSA keys results in an empty enrollment request. In fact, any attempt I make to access DSA keys results in null/blank/empty results.

My code is based on the sample CertEnroll API code which accomplishes a similar task using Legacy CSPs. I've included a sample excerpt of my code below:

Dim Enroll
Dim algObjectId
Dim X509PrivateKey
Dim X509CertificateRequestPkcs10
Dim X500DistinguishedName
Dim X509Enrollment

' CertEnroll enumeration values referenced below (documented values).
Const XCN_CERT_NAME_STR_NONE = 0
Const ContextUser = 1          ' X509CertificateEnrollmentContext: ContextUser
Const CRYPT_STRING_BASE64 = 1  ' EncodingType: XCN_CRYPT_STRING_BASE64

' Web class factory for the WebEnabled CertEnroll objects (assumed here; the
' post creates its Enroll object elsewhere).
Set Enroll = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")

' Initialize variables to be blank objects for now.
Set X509PrivateKey = Enroll.CreateObject("X509Enrollment.CX509PrivateKey")
Set algObjectId = Enroll.CreateObject("X509Enrollment.CObjectId")
Set X509CertificateRequestPkcs10 = Enroll.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
Set X500DistinguishedName = Enroll.CreateObject("X509Enrollment.CX500DistinguishedName")
Set X509Enrollment = Enroll.CreateObject("X509Enrollment.CX509Enrollment")

' Initialize the algObjectId variable based on the algorithm name.
Call algObjectId.InitializeFromAlgorithmName(0, 0, 0, "DSA")

' Initialize the provider name, algorithm, and key length.
X509PrivateKey.ProviderName = "Microsoft Software Key Storage Provider"
X509PrivateKey.Algorithm = algObjectId
X509PrivateKey.Length = 512

' Encode the cn (defined elsewhere in the code) as an X500DistinguishedName object.
Call X500DistinguishedName.Encode(cn, XCN_CERT_NAME_STR_NONE)

' Initialize the certificate request from the private key and set the subject DN.
Call X509CertificateRequestPkcs10.InitializeFromPrivateKey(ContextUser, X509PrivateKey, "")
X509CertificateRequestPkcs10.Subject = X500DistinguishedName

' Initialize an X509 enrollment request from the X509CertificateRequestPkcs10.
Call X509Enrollment.InitializeFromRequest(X509CertificateRequestPkcs10)

' Create the request: this is where the keys get generated.
' The pkcs10req variable is empty only when DSA keys are used for the algorithm.
pkcs10req = X509Enrollment.CreateRequest(CRYPT_STRING_BASE64)

I'm looking for any help/advice I can get to resolve my issue. I've been stuck on this issue for way too long.
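The following is an added diagnostic, not code from the post above: it drives the same CertEnroll COM objects (the ProgIDs the post uses) from PowerShell, but runs key generation, PKCS#10 initialization and encoding as separate steps so that a refused algorithm/length combination surfaces as a COM error at the step that fails rather than as an empty request string. The enumeration values are the documented CertEnroll constants; the subject name and the algorithm/length pairs in the loop are constructed sample values.

```powershell
# Added diagnostic (not from the original post). Isolates each CertEnroll step
# so a failure reports where it happens instead of yielding an empty request.
$XCN_CERT_NAME_STR_NONE = 0   # X500NameFlags
$ContextUser            = 1   # X509CertificateEnrollmentContext
$CRYPT_STRING_BASE64    = 1   # EncodingType

function New-CertEnrollRequest {
    param(
        [string]$AlgorithmName = 'DSA',
        [int]$KeyLength = 1024,
        [string]$SubjectName = 'CN=diagnostic-test'   # constructed sample subject
    )

    $oid = New-Object -ComObject X509Enrollment.CObjectId
    $oid.InitializeFromAlgorithmName(0, 0, 0, $AlgorithmName)

    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $key.ProviderName = 'Microsoft Software Key Storage Provider'
    $key.Algorithm    = $oid
    $key.Length       = $KeyLength

    # Step 1: generate the key explicitly instead of letting CreateRequest do it.
    # If the KSP rejects the algorithm/length pair, the HRESULT shows up here.
    try { $key.Create() }
    catch { throw "Key generation failed for $AlgorithmName/$KeyLength : $($_.Exception.Message)" }

    $dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $dn.Encode($SubjectName, $XCN_CERT_NAME_STR_NONE)

    # Step 2: build the PKCS#10 request from the already-created key.
    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    try { $req.InitializeFromPrivateKey($ContextUser, $key, '') }
    catch { throw "PKCS#10 initialization failed for $AlgorithmName : $($_.Exception.Message)" }
    $req.Subject = $dn

    # Step 3: wrap and encode the request.
    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($req)
    $pkcs10 = $enroll.CreateRequest($CRYPT_STRING_BASE64)

    if ([string]::IsNullOrEmpty($pkcs10)) {
        throw "CreateRequest returned an empty string for $AlgorithmName/$KeyLength"
    }
    return $pkcs10
}

# Run the three algorithm families the post compares; the one that throws (or
# returns empty) identifies the step the KSP/CertEnroll combination refuses.
$cases = @(
    @{ Name = 'RSA';        Length = 2048 },
    @{ Name = 'ECDSA_P256'; Length = 256  },
    @{ Name = 'DSA';        Length = 1024 }
)
foreach ($c in $cases) {
    try {
        $b64 = New-CertEnrollRequest -AlgorithmName $c.Name -KeyLength $c.Length
        Write-Host ("{0}/{1}: request OK, {2} base64 chars" -f $c.Name, $c.Length, $b64.Length)
    }
    catch {
        Write-Host ("{0}/{1}: {2}" -f $c.Name, $c.Length, $_.Exception.Message)
    }
}
```

Because the keys are created through the KSP from an interactive session, each run also writes the same 'Windows Logs > Security' key-generation audit entries the post mentions, so a thrown error combined with an audit entry tells you the key exists in the provider and the failure lies in the CertEnroll request path rather than in key generation.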
