Generate XAdES-BES with .pem, .cer, or .pfx?
Question:
The examples refer to a certificate of type “.pfx”. My certificate is a “.pem” or “.cer” file.
Can I generate an XAdES-BES enveloped digital signature to insert in my xml file?
Which method should I use to load the certificate into memory and apply the password?
Answer:
A private key is needed to create a digital signature. The .pfx file format is a secure container for holding a certificate, the certs in the chain of authentication, and the private key that corresponds to the public key embedded within the cert. The PFX format contains the encrypted private keys, and a password is needed to access them. The certificate and certs in the chain, if any, are not protected (there is no need to protect an X.509 cert). A .p12 file is just another name for .pfx. (PFX is the PKCS12 format.)
A .cer file is traditionally just a single certificate (no private key) that is stored in binary (DER) representation. Having only a .cer is not sufficient to create a digital signature because you don’t have the private key. You only have the public key, which is embedded within the cert.
A .pem file is a general purpose format for containing cryptographic assets such as certificates, private keys, public keys, certificate signing requests, etc. A .pem is a text file that can be opened in a text editor and examined. The various objects (certs, private keys, etc.) are in base64 encoding. It is the base64 encoded binary DER that is contained in a .pem.
If you look at a PEM in text editor, you’ll see what is contained, such as this:
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: le-2b09a3d2-9037-4a05-95cc-4d44518e8607
    Microsoft Local Key set:
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIk8o0hYqp3JECAggA
...
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    1.3.6.1.4.1.311.17.3.92: 00 08 00 00
    1.3.6.1.4.1.311.17.3.20: 90 AF 6A 3A 94 5A 0B D8 90 EA 12 56 73 DF 43 B4 3A 28 DA E7
    1.3.6.1.4.1.311.17.3.75: 35 00 30 00 38 00 30 00 44 00 43 00 37 00 41 00 36 00 35 00 44 00 42 00 36 00 41 00 35 00 39 00 36 00 30 00 45 00 43 00 44 00 38 00 37 00 34 00 30 00 38 00 38 00 46 00 33 00 33 00 32 00 38 00 5F 00 00 00
subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
...
-----END CERTIFICATE-----
...
A .pem can contain any combination of anything. For example, it might contain just a certificate. Or it might contain only a private key. Or it can contain many objects.
The private key may or may not be encrypted within the .pem. If you see “BEGIN ENCRYPTED PRIVATE KEY”, then you need a password. If you see “BEGIN PRIVATE KEY”, then it’s not encrypted and you don’t need a password.
To finally answer your question…
The .cer file is certainly not enough. If you have a .pem, check to see what it contains. You’ll need a .pem that contains both the private key and the cert (and potentially any certs in the chain of authentication). It may be that you have one .pem with the private key, another .pem with the cert.
Assuming you have a .pem containing both private key and cert(s), you could call Chilkat.Pfx.LoadPem(string pemStr, string pemPassword).
You would first load the contents of the .pem file into a string variable, and then pass it to LoadPem. If the .pem is not password-protected, just pass an empty string for pemPassword.
(There are also other ways of doing it with Chilkat, depending on what you have. For example, if you have the cert in one file, and the associated private key in another.)
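The answer's advice is to look at what the .pem actually contains (private key or not, encrypted or not, certificate present or not) before deciding how to load it and whether a password is needed. The following is an added, stand-alone example of that check, written here for this page; it is not Chilkat code and uses only the Python standard library. The function names inspect_pem and signing_readiness, and the sample PEM text (whose base64 bodies are a dummy DER SEQUENCE, not a real key or certificate), are constructed for this example.

```python
import base64
import binascii
import re

# Added example (not Chilkat code): inspect what a .pem file contains before
# deciding how to load it. Only the Python standard library is used.

# One match per "-----BEGIN X----- ... -----END X-----" block. Text outside the
# markers (e.g. OpenSSL "Bag Attributes" lines) is ignored, as a loader would.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def inspect_pem(pem_text):
    """Return one dict per PEM object: label, kind, encrypted, valid_der."""
    objects = []
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        headers, b64_lines = {}, []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            # Legacy OpenSSL keys ("BEGIN RSA PRIVATE KEY") signal encryption
            # with "Proc-Type: 4,ENCRYPTED" headers ahead of the base64 data.
            if ":" in line and not b64_lines:
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            else:
                b64_lines.append(line)
        try:
            der = base64.b64decode("".join(b64_lines), validate=True)
        except binascii.Error:
            der = b""
        if label == "CERTIFICATE":
            kind, encrypted = "certificate", False
        elif label == "ENCRYPTED PRIVATE KEY":        # PKCS#8, password needed
            kind, encrypted = "private key", True
        elif label == "PRIVATE KEY":                  # PKCS#8, no password
            kind, encrypted = "private key", False
        elif label.endswith("PRIVATE KEY"):           # RSA/EC/DSA legacy format
            kind = "private key"
            encrypted = "ENCRYPTED" in headers.get("Proc-Type", "")
        elif label == "PUBLIC KEY":
            kind, encrypted = "public key", False
        elif label == "CERTIFICATE REQUEST":
            kind, encrypted = "certificate signing request", False
        else:
            kind, encrypted = "other", False
        objects.append({
            "label": label,
            "kind": kind,
            "encrypted": encrypted,
            # All of the above are DER objects whose outer ASN.1 tag is a
            # SEQUENCE (0x30); anything else means the base64 body is damaged.
            "valid_der": der[:1] == b"\x30",
        })
    return objects


def signing_readiness(pem_text):
    """Does this PEM hold what a signature needs, and is a password required?"""
    objects = inspect_pem(pem_text)
    keys = [o for o in objects if o["kind"] == "private key"]
    certs = [o for o in objects if o["kind"] == "certificate"]
    if not keys:
        reason = "no private key (a certificate alone cannot sign)"
        return {"can_sign": False, "password_required": False, "reason": reason}
    if not certs:
        reason = "private key present but no certificate"
        return {"can_sign": False, "password_required": False, "reason": reason}
    return {
        "can_sign": True,
        "password_required": any(k["encrypted"] for k in keys),
        "reason": "%d private key(s) and %d certificate(s)" % (len(keys), len(certs)),
    }


# Constructed sample in the shape of the dump above. The base64 body is a dummy
# DER SEQUENCE (30 03 02 01 00), not a real key or certificate.
DUMMY_DER_B64 = "MAMCAQA="
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN ENCRYPTED PRIVATE KEY-----
%s
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: example
subject=/CN=example
-----BEGIN CERTIFICATE-----
%s
-----END CERTIFICATE-----
""" % (DUMMY_DER_B64, DUMMY_DER_B64)

CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % DUMMY_DER_B64

if __name__ == "__main__":
    for obj in inspect_pem(SAMPLE_PEM):
        print(obj)
    print(signing_readiness(SAMPLE_PEM))    # can_sign True, password_required True
    print(signing_readiness(CERT_ONLY_PEM))  # can_sign False: no private key
```

Run it against your own .pem text in place of SAMPLE_PEM: if the result says a password is required, pass it as pemPassword when loading; if the private key is missing, the file is in the same position as a .cer and a separate key file (or the original .pfx) is needed.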