Generate XAdES-BES with .pem, .cer, or .pfx?


The examples refer to a certificate of type “.pfx”.  My certificate is a “.pem” or “.cer” file.
Can I generate an XAdES-BES enveloped digital signature to insert in my XML file?
Which method should I use to load the certificate into memory and apply the password?


A private key is needed to create a digital signature.  The .pfx file format is a secure container for holding a certificate, the certs in the chain of authentication, and the private key that corresponds to the public key embedded within the cert.  The PFX format contains the encrypted private keys, and a password is needed to access them.  The certificate and certs in the chain, if any, are not protected (there is no need to protect an X.509 cert).  A .p12 file is just another name for .pfx.  (PFX is the PKCS12 format.)

A .cer file is traditionally just a single certificate (no private key) that is stored in binary (DER) representation.  Having only a .cer is not sufficient to create a digital signature because you don’t have the private key.  You only have the public key, which is embedded within the cert.

A .pem file is a general purpose format for containing cryptographic assets such as certificates, private keys, public keys, certificate signing requests, etc.  A .pem is a text file that can be opened in a text editor and examined.  The various objects (certs, private keys, etc.) are in base64 encoding.  It is the base64 encoded binary DER that is contained in a .pem.

If you look at a PEM in a text editor, you’ll see what is contained, such as this:

Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: le-2b09a3d2-9037-4a05-95cc-4d44518e8607
    Microsoft Local Key set: 
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10
Bag Attributes 00 08 00 00 90 AF 6A 3A 94 5A 0B D8 90 EA 12 56 73 DF 43 B4 3A 28 DA E7 35 00 30 00 38 00 30 00 44 00 43 00 37 00 41 00 36 00 35 00 44 00 42 00 36 00 41 00 35 00 39 00 36 00 30 00 45 00 43 00 44 00 38 00 37 00 34 00 30 00 38 00 38 00 46 00 33 00 33 00 32 00 38 00 5F 00 00 00
subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority


A .pem can contain any combination of anything.  For example, it might contain just a certificate.  Or it might contain only a private key.  Or it can contain many objects.

The private key may or may not be encrypted within the .pem.   If you see “BEGIN ENCRYPTED PRIVATE KEY”, then you need a password.  If you see “BEGIN PRIVATE KEY”, then it’s not encrypted and you don’t need a password.

To finally answer your question…

The .cer file is certainly not enough.   If you have a .pem, check to see what it contains.  You’ll need a .pem that contains both the private key and the cert (and potentially any certs in the chain of authentication).   It may be that you have one .pem with the private key, another .pem with the cert.

Assuming you have a .pem containing both private key and cert(s), you could call Chilkat.Pfx.LoadPem(string pemStr, string pemPassword)

You would first load the contents of the .pem file into a string variable, and then pass it to LoadPem.  If the .pem is not password-protected, just pass an empty string for pemPassword.

(There are also other ways of doing it with Chilkat, depending on what you have.  For example, if you have the cert in one file, and the associated private key in another.)
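A way to "check what it contains" before calling LoadPem, as an added example that is not Chilkat's code and not part of the original answer: it lists the PEM objects, says whether both a private key and a certificate are present (so the file can be used to sign), and whether a password will be needed. The PEM samples are constructed with placeholder base64 bodies; only the labels and headers matter to this check.

```python
import re

# One PEM object: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
# Labels under which a private key is stored (PKCS#8, encrypted PKCS#8, legacy OpenSSL)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
                      "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def inspect_pem(pem_text: str) -> dict:
    """Report which objects a PEM holds, whether a password is needed,
    and whether it has both the private key and the cert needed to sign."""
    labels, encrypted = [], False
    for m in _PEM_BLOCK.finditer(pem_text):      # "Bag Attributes" lines are skipped
        label = m.group("label")
        labels.append(label)
        if label == "ENCRYPTED PRIVATE KEY":
            encrypted = True                       # PKCS#8 encrypted key: password needed
        elif label in PRIVATE_KEY_LABELS and "Proc-Type: 4,ENCRYPTED" in m.group("body"):
            encrypted = True                       # legacy header-encrypted key: password needed
    has_key = any(l in PRIVATE_KEY_LABELS for l in labels)
    has_cert = "CERTIFICATE" in labels
    return {"objects": labels, "has_private_key": has_key, "has_certificate": has_cert,
            "password_required": encrypted, "can_sign": has_key and has_cert}

# Constructed samples: the base64 bodies are placeholders, only the labels/headers matter.
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
KEY_AND_CERT = ("Bag Attributes\n    localKeyID: 01 00 00 00\n"
                "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n" + CERT_ONLY)
ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n-----END ENCRYPTED PRIVATE KEY-----\n"
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,0123456789ABCDEF\n\nMIIE...\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in [("cert only", CERT_ONLY), ("key + cert", KEY_AND_CERT),
                      ("encrypted key", ENCRYPTED_KEY), ("legacy encrypted", LEGACY_ENCRYPTED)]:
        print(name, inspect_pem(pem))
```

If the check reports a private key but no certificate, the cert is probably in a second .pem (or the .cer), and the two contents can be concatenated into one PEM string before loading.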