Decrypt my World

Cryptography, Security, Debugging and more!

How to add Issuer Alternative Name to your certificate request (C#)

How to add Issuer Alternative Name to your certificate request (C#)

  • Comments 2

Hi all,

 

A customer of mine wanted to set Issuer Alternative Name (XCN_OID_ISSUER_ALT_NAME2 - "2.5.29.18") extension to his certificate requests in C# in the same way we did this, and he didn't know how:

How to add Subject Alternative Name to your certificate requests (C#)

How to add Alternative Directory Name to your certificate request (C#)

 

All I knew was that we should use this generic interface as we don't have a custom object in CertEnroll like we do for Subject Alternative Name or Alternative Directory Name:

IX509Extension interface
"
To create the version 3 extensions for which Microsoft does not provide a custom object, you can use the IX509Extension interface.
...
you can use the IX509Extension interface to define private extensions that contain information that is unique to a specific community.
 
Extensions are added to the Attributes structure of a PKCS #10 request and to the TaggedAttributes structure of a CMC request. To add extensions to either request format, you must first add them to an IX509Extensions collection and use the collection to initialize an IX509AttributeExtensions object. For more information, see the PKCS #10 Extensions and the CMC Extensions topics.
"

This sounded a bit complicated, specially as I couldn't find any samples on how to use this the way my customer needed.

Fortunatelly I was able to set Issuer Alternative Name in an easy way. Basically the idea is based on the fact that Issuer Alternative Name is encoded the same way than Subject Alternative Name, so we used the same classes and methods we used for the Subject Alternative Name (see the post above), but then changed the OID that identifies the extension to convert it to an Issuer Alternative Name extension. This is the code that worked for us:

 CObjectId objOID = new CObjectIdClass(); 
CAlternativeName objAlternativeName = new CAlternativeName();
CAlternativeNames objAlternativeNames = new CAlternativeNames();
CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();
CX509Extension objExtension = new CX509Extension();
string rawData = null;

// Create the Issuer Alternative Name as if it were a Subject Alternative Name
objAlternativeName.InitializeFromString(AlternativeNameType.XCN_CERT_ALT_NAME_DNS_NAME, "My DNS Name");
objAlternativeNames.Add(objAlternativeName);
objExtensionAlternativeNames.InitializeEncode(objAlternativeNames);

// Change the OID of the Subject Alternative Name extension to convert it to an Issuer Alternative Name extension
rawData = objExtensionAlternativeNames.get_RawData(EncodingType.XCN_CRYPT_STRING_BINARY);
objOID.InitializeFromValue("2.5.29.18"); // XCN_OID_ISSUER_ALT_NAME2
objExtension.Initialize(objOID, EncodingType.XCN_CRYPT_STRING_BINARY, rawData);

// Add the extension to the request
objPkcs10.X509Extensions.Add(objExtension);

 

I hope this helps.

Regards,

 

Alex (Alejandro Campos Magencio)

  • How to add custom properties to certificate request?

  • Hello Alex

    I am trying to repeat this for use-case where the enrollment is done via IE 8.

    Please could you post a method that enables adding SAN so that I have something like:

    Other Name:

        Principal Name=tom@ad.domain.com

    Many thanks

Page 1 of 1 (2 items)
Leave a Comment
  • Please add 3 and 7 and type the answer here:
  • Post
Translate This Page