000027295 - Unable to sign certificate request using the RCM 6.7 API

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number000027295
Applies ToRSA Certificate Manager API 6.7
RSA Certificate Manager (RCM)
IssueAPI connection information for RCM 6.7
Getting XrcLDAPUNABLE when calling XudaCASignCertificate and connecting to the Secure Directory over port 389
Getting XrcXUDAUNABLE when calling XudaParsePKCS10Request and connecting to the Secure Directory over port 636
XudaParsePKCS10Request is called before the SSL certificate and key have been set in the session
Unable to sign certificate request using the RCM 6.7 API
ResolutionFirst, most of the API calls need to happen over the secure port of the Secure Directory, which by default is 636.
The API must be given the client SSL certificate (and its key) in order to connect to the Secure Directory.

XudaParsePKCS10Request needs to connect to the Secure Directory in order to retrieve the schema of the xuda_cert_req LDAP object. This is why, over port 389, the parse operation appears to succeed but the subsequent XudaCASignCertificate call fails.
Notes

Code snippet:

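   /*
    * Connect to the remote RCM CA over SSL, parse a PKCS#10 request and sign it.
    *
    * Every failure sets rc and jumps to the enclosing function's `cleanup` label
    * (outside this snippet), which is expected to release session, decryptInfo,
    * certRequest, issuedCert and certText.  All variables used here (session, rc,
    * ldapport, ldaphost, certFile, keyFile, keyPassPhrase, pkcs10, juriID, camd5,
    * key, sslCert, sslKey, ...) are declared by the enclosing function.
    *
    * Ordering matters: the SSL client certificate and key must be in the session
    * BEFORE XudaParsePKCS10Request, because that call contacts the Secure
    * Directory to fetch the xuda_cert_req schema.  Without them the parse may
    * appear to work over port 389 but XudaCASignCertificate fails later.
    */
   if ((rc = XudaInit(&session, NULL)) != XrcOK)
   {
      printf("Can't init!, result is %d\n", rc);
      goto cleanup;
   }

   printf("Setting CA port & address...\n");
   rc = XudaSetResourceValue(session, XresCAPORT, ldapport, XresCAMACHINE, ldaphost, NULL);
   if (rc != XrcOK)
   {
      printf("Unable to point to remote CA: (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   /* Talk to the CA over SSL.  ldapport should therefore be the Secure
    * Directory's SSL port (636 by default), not the plain LDAP port 389. */
   rc = XudaSetResourceValue(session, XresSSLLDAP, 1, NULL);
   if (rc != XrcOK)
   {
      printf("Unable to set comms with CA over SSL (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   /* Client SSL certificate.  RSAKEON_BuildX509CertFromFile returns a pointer,
    * not an Xrc code, so rc is still XrcOK on failure here: set the error code
    * BEFORE printing instead of reporting the stale (successful) value. */
   sslCert = RSAKEON_BuildX509CertFromFile(certFile);
   if (sslCert == NULL)
   {
      rc = XrcOTHERERROR;
      printf("Unable to load SSL certificate from file (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   rc = XudaSetResourceValue(session, XresSSLCERTIFICATE, sslCert, NULL);
   /* NOTE(review): freeing right after the set assumes the session keeps its own
    * copy of the certificate -- confirm against the XudaSetResourceValue docs. */
   XudaFree(sslCert);
   if (rc != XrcOK)
   {
      printf("Unable to set SSL certificate in session (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   /* Crypto info used to decrypt the private key file.  The key passphrase is
    * handed over as the "password" attribute; it is never printed. */
   rc = XudaCreateCryptoInfo( session, NULL, 0, 0, 0, "XCSP Default Provider", &decryptInfo );
   if ( rc != XrcOK )
   {
      printf("Unable to create crypto info for key decryption (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   rc = XudaModifyCryptoInfo( session, decryptInfo, "password", XudaXPTUTF8Temp(keyPassPhrase), NULL );
   if ( rc != XrcOK )
   {
      printf("Unable to set key passphrase on crypto info (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   rc = XudaSetResourceValue( session, XresCRYPTODECRYPT, decryptInfo, XresNULL );
   if ( rc != XrcOK )
   {
      printf("Unable to set callback for decrypt (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   /* Client SSL private key; decrypted via the XresCRYPTODECRYPT info above. */
   rc = XudaKeyReadFromFile( session, keyFile, &key );
   if (rc != XrcOK)
   {
      printf("Unable to read SSL key from file (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   sslKey = (void *)key;

   rc = XudaSetResourceValue(session, XresSSLKEY, sslKey, NULL);
   /* Same ownership assumption as for sslCert above. */
   XudaFree(sslKey);
   if (rc != XrcOK)
   {
      printf("Unable to set SSL Key in session (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   /* Needs the SSL credentials set above: this call reads the xuda_cert_req
    * schema from the Secure Directory.  Check the return code as well as the
    * output pointer so an error is never reported as success. */
   printf("Performing XudaParsePKCS10Request...\n");
   rc = XudaParsePKCS10Request(session, XudaXPTUTF8Temp((char *)pkcs10), &certRequest);
   if (rc != XrcOK || certRequest == NULL)
   {
      if (rc == XrcOK)
         rc = XrcOTHERERROR;   /* no request object but no error code either */
      printf("Unable to parse CSR, result is (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   /* Optional jurisdiction selection. */
   if (juriID != NULL)
   {
      rc = XudaSetResourceValue(session, XresJURISDICTION, XudaXPTUTF8Temp(juriID), NULL);
      if (rc != XrcOK)
      {
         printf("Unable to set jurisdiction in session (%d) %s\n", rc, XC_XrcSymbol( rc ));
         goto cleanup;
      }
   }

   /* 31556926 -- presumably seconds (about one 365.24-day year); confirm the
    * unit against the XresVALIDITYPERIOD documentation before changing it. */
   printf("Setting validity period...\n");
   rc = XudaSetResourceValue(session, XresVALIDITYPERIOD, 31556926, NULL);
   if (rc != XrcOK)
   {
      printf("Unable to set XresVALIDITYPERIOD, (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   printf("Setting Certificate Request in session...\n" );
   rc = XudaSetResourceValue(session, XresCERTREQUEST, certRequest, NULL);
   if (rc != XrcOK)
   {
      printf("Unable to set XresCERTREQUEST, (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   /* camd5 presumably identifies the issuing CA (MD5 fingerprint) -- confirm. */
   printf("Performing XudaCASignCertificate...\n" );
   rc = XudaCASignCertificate(session, XudaXPTUTF8Temp(camd5), certRequest, &issuedCert, NULL);
   if (rc != XrcOK)
   {
      printf("error signing request, (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   printf("Performing XudaCertificateToPEM...\n" );
   rc = XudaCertificateToPEM (session, issuedCert, &certText);
   if (rc != XrcOK)
   {
      printf("error converting cert to PEM, (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }

   /* Convert the PEM text object into a plain UTF-8 string for the caller. */
   printf("Performing XudaXPTUTF8Get...\n" );
   rc = XudaXPTUTF8Get(certText, &signedCertText);
   if (rc != XrcOK)
   {
      printf("error XudaXPTUTF8Get, (%d) %s\n", rc, XC_XrcSymbol( rc ));
      goto cleanup;
   }
   printf("Performing cleanup...\n" );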

Legacy Article IDa42332
