C# Generate a non self signed client CX509Certificate Request without a CA using the certenroll.dll

Question

I have a self signed root certificate that I generated in C# using CERTENROLL.dll's CX509CertificateRequest Certificate functionality.

I would like to write a function that generates client certificates signed by my root using the same API. However the only CertEnroll option I can find that does not generate a self signed certificate requires a authenticated CA.

There seems to be a flag for setting a SignerCertificate but it always fails to initialize.

        //Initialize cert
        var cert = new CX509CertificateRequestCertificate();
        //take care of signer
        cert.Issuer = issuen;
        CSignerCertificate sc = new CSignerCertificate();
        var raw = SEScert.GetRawCertData();
        var rawStr=Convert.ToBase64String(raw);
        sc.Initialize(false, X509PrivateKeyVerify.VerifyNone,    
                      EncodingType.XCN_CRYPT_STRING_BASE64, rawStr); //fails here
        cert.SignerCertificate = sc;

Does anyone know how I can generate a client CX509CertificateRequest signed by my root?

Any help or advice would be greatly appreciated.

Answer 1

I was able to solve this.

The encoding of SEScert is a hex string not base64 also the machine context should be set to true not false the correct code looks as follows:

ISignerCertificate signerCertificate = new CSignerCertificate();
signerCertificate.Initialize(true, X509PrivateKeyVerify.VerifyNone,EncodingType.XCN_CRYPT_STRING_HEX, SEScert.GetRawCertDataString());
cert.SignerCertificate = (CSignerCertificate)signerCertificate; 

Hope this helps others in the future.