Decrypt my World : CertEnroll

CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x8009000b

alejacma — Thu, 28 May 2009 13:36:00 GMT

Hi all,

One of the issues we may find when trying the code in my post How to create a certificate request that uses key archival with CertEnroll (JavaScript) is the following error when creating the request:

CertEnroll::CX509Enrollment::p_CreateRequest: Key not valid for use in specified state. 0x8009000b (-2146893813)

If the issue happens on Vista RTM but not on Vista SP1/Server 2008 or later, then this may be the issue:

When CertEnroll creates the request, it needs to export the private key of the certificate we are requesting to encode it so we can send it to the CA for key archival. This operation will fail if the key doesn't have at least one of these flags: CRYPT_EXPORTABLE or CRYPT_ARCHIVABLE. These are flags that CertEnroll should pass to CryptGenKey API when generating the key under the hood.

Those flags are calculated from ExportPolicy field of the X509Enrollment.CX509PrivateKey object. If we specify XCN_NCRYPT_ALLOW_EXPORT_FLAG or XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG, we get the key created with CRYPT_EXPORTABLE flag, and if we specify XCN_NCRYPT_ALLOW_ARCHIVING_FLAG or XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG, we get the key created with CRYPT_ARCHIVABLE flag.

On Vista SP1/2008 Server and later, XCN_NCRYPT_ALLOW_ARCHIVING_FLAG is being set by default. This won't happen on Vista RTM, so setting ExportPolicy to XCN_NCRYPT_ALLOW_ARCHIVING_FLAG (0x4) should make things work there. Or even better, update to Vista SP2, and you forget about this and many other issues ;-)

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x80092012

alejacma — Thu, 28 May 2009 13:10:00 GMT

Hi all,

CertEnroll::CX509Enrollment::p_CreateRequest: The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)

This error will happen if the CRL of the certificate passed to the KeyArchivalCertificate property of the CMC request can't be accessed. One reason for instance may be that the certificate is just missing a CRL distribution point.

We can check if we can properly download the CRL of a certificate with the following command:

certutil -url certificate.cer

A URL Retrieval Tool will appear for that certificate. We can select "CRLs (from CDP)" in the "Retrieve" section and press the "Retrieve" button. This tool will check if we can access the CRL or not.

Note: check this post if you need to clear the CRL cache: CRL gets cached after we do an Online verification with X509Chain.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x800b0112

alejacma — Thu, 28 May 2009 12:44:00 GMT

Hi all,

CertEnroll::CX509Enrollment::p_CreateRequest: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)

This issue can occur if the CA certificate is not in client's Enterprise NTAuth store. The local NTAuth store can be manually populated using the utility certutil.exe:

Certutil -enterprise -addstore NTAuth CaCertificate.cer

More info here:

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x80070057

alejacma — Thu, 28 May 2009 12:22:00 GMT

Hi all,

CertEnroll::CX509Enrollment::p_CreateRequest: The parameter is incorrect. 0x80070057 (WIN32: 87)

In my case I was getting this error because I was not using the right certificate as KeyArchivalCertificate property of the CMC request. When I first tried the code I set that property to the Key Recovery Agent Certificate that I had configured in my CA, and I got the error. No, that is not the certificate we have to use. We have to set that property to the Exchange Certificate of the CA itself.

Additionally, the Subject Name of the certificate has to match Issuer Name + "-Xchg". For example, if cert issuer is "MyCAServer", the expected subject name is "MyCAServer-Xchg". The subject name of our Key Recovery Agent Certificate won't match that, but the Exchange cert of our CA will.

We can export the Exchange Certificate of a MS CA with the following command:

certutil -cainfo xchg > xchg.cer

And then we can use the Base64 text of that .cer file in our code.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

CertEnroll::CX509Enrollment::p_InstallResponse returns error 0x80095002

alejacma — Thu, 28 May 2009 11:46:00 GMT

Hi all,

One of the issues we may find when trying the code in my post How to create a certificate request that uses key archival with CertEnroll (JavaScript) is the following:

Imagine we could finally create a request successfully. We sent it to the CA and then we tried to install its response (the .cer or the .p7b files that we got from the CA) with i.e. the code in How to create a certificate request with CertEnroll (ASP). But we got the following error:

CertEnroll::CX509Enrollment::p_InstallResponse: The key archival hash attribute was not found in the response. 0x80095002 (-2146873342)

We assume that the code we used to create the request works fine, because the CA accepts the request, it enrolls the certificate and give us the response, and we can see the key is archived in the CA. So the issue may have to do with the response of the CA that we try to install. What's going on then?

Well, the issue in my case was that I was getting the response with the Certificate Services web pages of my Microsoft CA, and those pages can only return as a response the issued raw certificate (.cer file) or a pkcs7 package including it (.p7b file). But neither of them contains the Full Response of the CA. This is required for key archival because the full response is a pkcs7 signed by the CA with CMC content. The CMC content contains an attribute that the client uses to verify the CA received the correct encrypted private key in the request (prevents man-in-the-middle key stealing attacks).

Summing up, .cer or .p7b files won't suffice for key archival enrollment.

So I used certreq.exe tool to send the request to my CA and get the full response from it:

certreq -submit -attrib "CertificateTemplate:ArchiveUser" keyarchival.req keyarchival.cer keyarchival.p7b keyarchival.rsp

Note: ArchiveUser is the certificate template where I enabled key archival on my CA.

Then I took keyarchival.rsp and passed it to my sample and it worked just fine. I could install the response successfully.

More info on certreq.exe here: Appendix A: Certificate Request Structure and here: Appendix 3: Certreq.exe Syntax.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to create a certificate request that uses key archival with CertEnroll (JavaScript)

alejacma — Wed, 27 May 2009 18:42:00 GMT

Hi all,

If you want to request certificates to a CA and make use of Key Archival feature, first you need to prepare the environment to enable this feature on your CA: Certificate Services example implementation: Key archival and recovery or Implementing Key Archival Walkthrough will be of assistance here.

After that you could use a code like the following sample to make the request with CertEnroll (based on How to create a certificate request with CertEnroll (JavaScript) sample):

<html>
<head>
    <title>Certificate Request test</title>
</head>
<body> 
  <object id="objCertEnrollClassFactory" classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></object>    
  <script language="javascript">

    function CreateRequest() 
    {
      document.write("<br>Create Request...");                      

      try {
        // Variables
        var objCSP = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformation");
        var objCSPs = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformations");
        var objPrivateKey = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
        var objRequest = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
        var objCmcRequest = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestCmc");
        var objObjectIds = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectIds");
        var objObjectId = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
        var objX509ExtensionEnhancedKeyUsage = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
        var objExtensionTemplate = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionTemplateName");
        var objDn = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName");
        var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment");

        //  Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
        objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");

        //  Add this CSP object to the CSP collection object
        objCSPs.Add(objCSP);

        //  Provide key container name, key length and key spec to the private key object
        //objPrivateKey.ContainerName = "AlejaCMa";
        objPrivateKey.Length = 1024;
        objPrivateKey.KeySpec = 1; // AT_KEYEXCHANGE = 1
        //objPrivateKey.ExportPolicy = 0; // XCN_NCRYPT_ALLOW_EXPORT_NONE = 0

        //  Provide the CSP collection object (in this case containing only 1 CSP object)
        //  to the private key object
        objPrivateKey.CspInformations = objCSPs;

        // Initialize P10 based on private key
        objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1

        // 1.3.6.1.5.5.7.3.2 Oid - Extension
        objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        objObjectIds.Add(objObjectId);
        objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
        objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);

        // 1.3.6.1.5.5.7.3.3 Oid - Extension
        //objExtensionTemplate.InitializeEncode("1.3.6.1.5.5.7.3.3");
        //objRequest.X509Extensions.Add(objExtensionTemplate);

        // DN related stuff
        objDn.Encode("CN=alejacma", 0); // XCN_CERT_NAME_STR_NONE = 0
        objRequest.Subject = objDn;

        // Enroll
        objCmcRequest.InitializeFromInnerRequest(objRequest);
        objCmcRequest.KeyArchivalCertificate = 
      "MIIFxDCCBKygAwIBAgIKG2cmPwAAAAAADDANBgkqhkiG9w0BAQUFADBJMRMwEQYK" +
...
      "9Hwz0oPmQfi3VEXw16eBHf6EpmyOC8nBFeYPv9FKfuVHB9W3JNh+ZA=="
      
        objEnroll.InitializeFromRequest(objCmcRequest);
        var pkcs10 = objEnroll.CreateRequest(3); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3

        document.write("<br>" + pkcs10);
        document.write("<br>The end!");
      }
      catch (ex) {
        document.write("<br>" + ex.description);
        return false;
      }

      return true;
    }       

    CreateRequest();

  </script>
    
</body>
</html>

Note that if we don't set the right certificate to the KeyArchivalCertificate property, we will get the following issue: CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x80070057.

Other issues we may get when creating the request:

- CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x800b0112

- CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x80092012

- CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x8009000b

If we want to install the response from the CA, we may use the same code that we used here: How to create a certificate request with CertEnroll (ASP) or here: How to create a certificate request with CertEnroll (JavaScript). But instead of using the .cer or the .p7b file containing the response, we have to use an .rsp file. What is an .rsp file? What happens if I don't use it? Please, check this post for details: CertEnroll::CX509Enrollment::p_InstallResponse returns error 0x80095002.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to create a certificate request with CertEnroll (ASP)

alejacma — Fri, 20 Feb 2009 15:05:00 GMT

Hi all,

The other day I posted a Javascript sample which shows how to use CertEnroll COM component to create a certificate request and install the response from the CA (Certificate Authority): How to create a certificate request with CertEnroll (JavaScript).

The installation part of that sample assumed that we got a Base64 text with the response from the CA. But what if we i.e. send the request to a server, the server gets a .p7b or .cer binary file with the response from the CA, and we want to install the response on the client who requested the cert on the first place?

The following ASP sample shows how to install on the client the .p7b/.cer binary file that the server got with the response from the CA:

<%
  ' Convert binary to Base64
  '
  Function BinaryToBase64(binary)
      ' Create temporary node with Base64 data type  
      Set oXmlDom = CreateObject("microsoft.xmldom")
      Set oElement = oXmlDom.createElement("tmp")
      oElement.dataType = "bin.base64"
      ' Set bytes, get encoded String 
      oElement.nodeTypedValue = binary
      BinaryToBase64 = oElement.text
  End Function 

  ' Read file into buffer
  '
  Function ReadBinaryFile(FileName)
      Const adTypeBinary = 1
      'Create Stream object
      Dim BinaryStream
      Set BinaryStream = CreateObject("ADODB.Stream")
      'Specify stream type - we want To get binary data.
      BinaryStream.Type = adTypeBinary
      'Open the stream
      BinaryStream.Open
      'Load the file data from disk To stream object
      BinaryStream.LoadFromFile FileName
      'Open the stream And get binary data from the object
      ReadBinaryFile = BinaryStream.Read
  End Function 

  ' Read binary file as Base64
  '
  FileName = "C:\temp\certnew.p7b"
  'FileName = "C:\temp\certnew.cer"
  sPKCS7 = BinaryToBase64(ReadBinaryFile(FileName))
  
  ' Be careful with line feeds in Base64 string
  '
  strings = split(sPKCS7, chr(10))
  sPKCS7 = """"
  for i = 0 to ubound(strings) - 1
    sPKCS7 = sPKCS7 + strings(i) + """ + """
  next
  sPKCS7 = sPKCS7 + strings(i) + """"

%>

<html>
<head>
    <title>Certificate Request test</title>
</head>
<body> 
    <object id="objCertEnrollClassFactory" classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></object>    
    <script language="javascript">
        
      function InstallCert() 
      {        
        document.write("<br>Installing certificate...");                      

        try {
          // Variables
          var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment")

          objEnroll.Initialize(1); // ContextUser
          objEnroll.InstallResponse(4, <%=sPKCS7%>, 1, ""); // AllowUntrustedRoot = 4, XCN_CRYPT_STRING_BASE64 = 1
        }
        catch (ex) {
          document.write("<br>" + ex.description);
          return false;
        }

        document.write("<br>Done!");                      

        return true;
      }

      InstallCert();
    
    </script>
    
    
</body>
</html>

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to create a certificate request with CertEnroll (JavaScript)

alejacma — Wed, 28 Jan 2009 14:08:00 GMT

Hi all,

The following Javascript sample shows how to use CertEnroll COM component to create a certificate request:

<html>
<head>
    <title>Certificate Request test</title>
</head>
<body> 
  <object id="objCertEnrollClassFactory" classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></object>    
  <script language="javascript">

    function CreateRequest() 
    {
      document.write("<br>Create Request...");                      

      try {
        // Variables
        var objCSP = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformation");
        var objCSPs = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformations");
        var objPrivateKey = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
        var objRequest = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
        var objObjectIds = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectIds");
        var objObjectId = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
        var objX509ExtensionEnhancedKeyUsage = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
        var objExtensionTemplate = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionTemplateName")
        var objDn = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName")
        var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment")

        //  Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
        objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");

        //  Add this CSP object to the CSP collection object
        objCSPs.Add(objCSP);

        //  Provide key container name, key length and key spec to the private key object
        //objPrivateKey.ContainerName = "AlejaCMa";
        objPrivateKey.Length = 1024;
        objPrivateKey.KeySpec = 1; // AT_KEYEXCHANGE = 1

        //  Provide the CSP collection object (in this case containing only 1 CSP object)
        //  to the private key object
        objPrivateKey.CspInformations = objCSPs;

        // Initialize P10 based on private key
        objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1

        // 1.3.6.1.5.5.7.3.2 Oid - Extension
        objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        objObjectIds.Add(objObjectId);
        objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
        objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);

        // 1.3.6.1.5.5.7.3.3 Oid - Extension
        //objExtensionTemplate.InitializeEncode("1.3.6.1.5.5.7.3.3");
        //objRequest.X509Extensions.Add(objExtensionTemplate);

        // DN related stuff
        objDn.Encode("CN=alejacma", 0); // XCN_CERT_NAME_STR_NONE = 0
        objRequest.Subject = objDn;

        // Enroll
        objEnroll.InitializeFromRequest(objRequest);
        var pkcs10 = objEnroll.CreateRequest(3); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3

        document.write("<br>" + pkcs10);
        document.write("<br>The end!");
      }
      catch (ex) {
        document.write("<br>" + ex.description);
        return false;
      }

      return true;
    }       

    CreateRequest();

  </script>
    
</body>
</html>

And the following Javascript sample shows how to install the response from the CA (Certificate Authority):

<html>
<head>
    <title>Certificate Request test</title>
</head>
<body> 
  <object id="objCertEnrollClassFactory" classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></object>    
  <script language="javascript">

  function InstallCert() 
  {        
    document.write("<br>Installing certificate...");                      

    try {
    // Variables
    var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
    var sPKCS7 = "-----BEGIN CERTIFICATE-----" +
    "MIIKFQYJKoZIhvcNAQcCoIIKBjCCCgICAQExADALBgkqhkiG9w0BBwGgggnqMIIF" +
    "QjCCBCqgAwIBAgIKYbzdPwAAAAAAVzANBgkqhkiG9w0BAQUFADBJMRMwEQYKCZIm" +
...
    "h25CSWewZhpgbZkKPATLzidc0EjrWLl74RU32HEqkl2+R7yAdBQjMQA=" +
    "-----END CERTIFICATE-----"

    objEnroll.Initialize(1); // ContextUser
    objEnroll.InstallResponse(0, sPKCS7, 6, ""); // AllowNone = 0, XCN_CRYPT_STRING_BASE64_ANY = 6
    }
    catch (ex) {
      document.write("<br>" + ex.description);
      return false;
    }

    return true;
  }

  InstallCert(); 
     
  </script>

</body>
</html>

Note: this code must be run in the same machine where we made the request.

Note: these samples just create the request and install the response from the CA. If we need to send the request to the CA and get its response programmatically, the following C# sample may help with the objects and methods we can use to achieve this: How to create a certificate request with CertEnroll and .NET (C#).

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to create a certificate request with CertEnroll and .NET (C#)

alejacma — Fri, 05 Sep 2008 15:18:00 GMT

Hi all,

The following C# sample shows how to use CertEnroll COM component to create a certificate request, send the request to the CA, get the response from the CA, and install the new certificate in the machine:

(Note that this sample is a WinForms app with 3 buttons -createRequestButton, sendRequestButton, acceptPKCS7Button- and 2 textboxes -requestText & responseText-)

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;

//  Add the CertEnroll namespace
using CERTENROLLLib;
using CERTCLIENTLib;

namespace CATest
{
    public partial class Form1 : Form
    {
        private const int CC_DEFAULTCONFIG = 0;
        private const int CC_UIPICKCONFIG = 0x1;
        private const int CR_IN_BASE64 = 0x1;
        private const int CR_IN_FORMATANY = 0;
        private const int CR_IN_PKCS10 = 0x100;
        private const int CR_DISP_ISSUED = 0x3;
        private const int CR_DISP_UNDER_SUBMISSION = 0x5;
        private const int CR_OUT_BASE64 = 0x1;
        private const int CR_OUT_CHAIN = 0x100;

        public Form1()
        {
            InitializeComponent();
        }

        // Create request
        private void createRequestButton_Click(object sender, EventArgs e)
        {
            //  Create all the objects that will be required
            CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10Class();
            CX509PrivateKey objPrivateKey = new CX509PrivateKeyClass();
            CCspInformation objCSP = new CCspInformationClass();
            CCspInformations objCSPs = new CCspInformationsClass();
            CX500DistinguishedName objDN = new CX500DistinguishedNameClass();
            CX509Enrollment objEnroll = new CX509EnrollmentClass();
            CObjectIds objObjectIds = new CObjectIdsClass();
            CObjectId objObjectId = new CObjectIdClass();
            CX509ExtensionKeyUsage objExtensionKeyUsage = new CX509ExtensionKeyUsageClass(); 
            CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsageClass();
            string strRequest;

            try
            {
                requestText.Text = "";

                //  Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
                objCSP.InitializeFromName(
                    "Microsoft Enhanced Cryptographic Provider v1.0"
                );

                //  Add this CSP object to the CSP collection object
                objCSPs.Add(
                    objCSP
                );

                //  Provide key container name, key length and key spec to the private key object
                //objPrivateKey.ContainerName = "AlejaCMa";
                objPrivateKey.Length = 1024;
                objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
                objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; 
                objPrivateKey.MachineContext = false;

                //  Provide the CSP collection object (in this case containing only 1 CSP object)
                //  to the private key object
                objPrivateKey.CspInformations = objCSPs;

                //  Create the actual key pair
                objPrivateKey.Create();

                //  Initialize the PKCS#10 certificate request object based on the private key.
                //  Using the context, indicate that this is a user certificate request and don't
                //  provide a template name
                objPkcs10.InitializeFromPrivateKey(
                    X509CertificateEnrollmentContext.ContextUser, 
                    objPrivateKey, 
                    ""
                );

                // Key Usage Extension 
                objExtensionKeyUsage.InitializeEncode(
                    X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE | 
                    X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE | 
                    X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE | 
                    X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE
                );
                objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);

                // Enhanced Key Usage Extension
                objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2"); // OID for Client Authentication usage
                objObjectIds.Add(objObjectId);
                objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
                objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);

                //  Encode the name in using the Distinguished Name object
                objDN.Encode(
                    "CN=AlejaCMa",
                    X500NameFlags.XCN_CERT_NAME_STR_NONE
                );

                //  Assing the subject name by using the Distinguished Name object initialized above
                objPkcs10.Subject = objDN;

                // Create enrollment request
                objEnroll.InitializeFromRequest(objPkcs10);
                strRequest = objEnroll.CreateRequest(
                    EncodingType.XCN_CRYPT_STRING_BASE64
                );

                requestText.Text = strRequest;

            } catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }

        // Submit request to CA and get response 
        private void sendRequestButton_Click(object sender, EventArgs e)
        {
            //  Create all the objects that will be required
            CCertConfig objCertConfig = new CCertConfigClass();
            CCertRequest objCertRequest = new CCertRequestClass();
            string strCAConfig;
            string strRequest;
            int iDisposition;
            string strDisposition;
            string strCert;

            try
            {
                strRequest = requestText.Text;

                // Get CA config from UI
                //strCAConfig = objCertConfig.GetConfig(CC_DEFAULTCONFIG);
                strCAConfig = objCertConfig.GetConfig(CC_UIPICKCONFIG);                

                // Submit the request
                iDisposition = objCertRequest.Submit(
                    CR_IN_BASE64 | CR_IN_FORMATANY,
                    strRequest,
                    null,
                    strCAConfig
                );

                // Check the submission status
                if (CR_DISP_ISSUED != iDisposition) // Not enrolled
                {
                    strDisposition = objCertRequest.GetDispositionMessage();

                    if (CR_DISP_UNDER_SUBMISSION == iDisposition) // Pending
                    {
                        MessageBox.Show("The submission is pending: " + strDisposition);
                        return;
                    }
                    else // Failed
                    {
                        MessageBox.Show("The submission failed: " + strDisposition);
                        MessageBox.Show("Last status: " + objCertRequest.GetLastStatus().ToString());
                        return;
                    }
                }

                // Get the certificate
                strCert = objCertRequest.GetCertificate(
                    CR_OUT_BASE64 | CR_OUT_CHAIN
                );

                responseText.Text = strCert;
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }

        // Install response from CA
        private void acceptPKCS7Button_Click(object sender, EventArgs e)
        {
            //  Create all the objects that will be required
            CX509Enrollment objEnroll = new CX509EnrollmentClass();
            string strCert;
            
            try
            {
                strCert = responseText.Text;

                // Install the certificate
                objEnroll.Initialize(X509CertificateEnrollmentContext.ContextUser);
                objEnroll.InstallResponse(
                    InstallResponseRestrictionFlags.AllowUntrustedRoot,
                    strCert,
                    EncodingType.XCN_CRYPT_STRING_BASE64,
                    null
                );

                MessageBox.Show("Certificate installed!");
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }      
    }
}

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)