Certificate management

cryptlib implements full X.509 certificate support, including all X.509 version 3 extensions as well as extensions defined in the IETF PKIX certificate profile. cryptlib also supports additional certificate types and extensions including SET certificates, Microsoft AuthentiCode and Netscape and Microsoft server-gated crypto certificates, S/MIME and SSL client and server certificates, and various vendor-specific extensions such as Netscape certificate types and the Thawte secure extranet.
In addition to certificate handling, cryptlib allows the generation of PKCS #10 certification requests with CMMF extensions suitable for submission to certification authorities (CA's) in order to obtain a certificate. Since cryptlib is itself capable of processing certification requests into certificates, it is also possible to use cryptlib to provide full CA services.
cryptlib also supports the creating and handling of the certificate chains required for S/MIME, SSL, and other applications, and the creation of certificate revocation lists (CRL's) with the capability to check certificates against existing or new CRL's either automatically or under programmer control. cryptlib can import and export certification requests, certificates, and CRL's in straight binary format, as PKCS #7 certificate chains, and as Netscape certificate sequences, with or without base64 armouring. This covers the majority of certificate and certificate transport formats used by a wide variety of software such as web browsers and servers.
In addition cryptlib supports all X.509v3, IETF, S/MIME, and SET certificate extensions and a many vendor-specific extensions including ones covering public and private key usage, certificate policies, path and name constraints, policy constraints and mappings, and alternative names and other identifiers. This comprehensive coverage makes cryptlib a single solution for almost all certificate processing requirements.
The certificate types which are supported include:

  • Basic X.509 version 1 certificates
  • Extended X.509 version 3 certificates
  • Certificates conformant to the IETF PKIX profile
  • SSL server and client certificates
  • S/MIME email certificates
  • SET certificiates
  • AuthentiCode code signing certificates
  • IPSEC server, client, end-user, and tunneling certificates
  • Server-gated crypto certificates
  • Timestamping certificates
To handle certificate trust and revocation issues, cryptlib includes a certificate trust manager which can be used to automatically manage CA trust settings, for example a CA can be designated as a trusted issuer which will allow cryptlib to automatically evaluate trust along certificate chains. Similarly, cryptlib can automatically check certificates against CRL's published by CA's, removing from the user the need to perform complex manual checking.

Key database interface

cryptlib utilizes commercial-strength RDBMS's to store keys in the internationally standardised X.509 format. The key database integrates seamlessly into existing databases and can be managed using existing tools. For example a key database stored on an MS SQL Server might be managed using Visual Basic or MS Access; a key database stored on an Oracle server might be managed through SQL*Plus. cryptlib currently supports database such as dBase, mSQL, MySQL, Microsoft Access, Microsoft SQL Server, Oracle, Paradox, Postgres, Raima Velocis, and Solid, and many more.
cryptlib can also store and retrieve certificates from LDAP directories, with optional SSL protection of the connection to the directory, as well as providing HTTP access to keys stored on the web.

Sample code which illustrates retrieving the public key for "John Doe" from a key database and the corresponding private key from a smart card is:

  /* Get the public key certificate for a given user from a key database */
  cryptKeysetOpen( &cryptKeyset, CRYPT_KEYSET_ODBC, "Public Keys", CRYPT_KEYSET_READONLY );
  cryptGetPublicKey( cryptKeyset, &cryptCertificate, CRYPT_KEYID_NAME, "John Doe" );
  cryptKeysetClose( cryptKeyset );

  /* Get the private key for a given user from a smart card */
  cryptKeysetOpen( &cryptKeyset, CRYPT_KEYSET_SMARTCARD, "Gemplus", CRYPT_KEYSET_READONLY );
  cryptGetPrivateKey( cryptKeyset, &cryptPrivateKey, "John Doe", "Password" );
  cryptKeysetClose( cryptKeyset );

The key loaded into cryptCertificate and cryptPrivateKey can then be pushed into an envelope for use with the cryptlib programming interface, or used with cryptlibs certificate management functions.


cryptlib Information / Peter Gutmann / pgut001@cs.auckland.ac.nz
Information last updated 2 February 1999