Name

xenc_x509_generate — Generates an X.509v3 certificate from a client's public key

Synopsis

xenc_x509_generate ( in ca_key_name varchar ,
in public_key_name varchar ,
in serial integer ,
in validity integer ,
in subject vector ,
in extensions vector ,
in hours integer );

Description

This function creates an X.509v3 certificate from a public key and signs the certificate with the CA's private key.

Parameters

ca_key_name

The name of the CA key; the key must have a corresponding certificate.

public_key_name

The name of the public key used to create the certificate; it is given by the certificate owner to the CA. Note that the public key must already be imported into the CA's key space.

serial

The serial number of the certificate.

validity

The certificate's validity in days.

subject

An array of name/value pairs representing the subject, also known as the name entries.

extensions

An array of name/value pairs to add as X.509v3 extensions to the certificate.

hours

If specified, the value is added to the days, which allows more fine-grained control over the expiration date.

Examples

Example 24.479. Issuing a certificate

The example below decodes a public key sent by the client, then issues a certificate and signs it with the CA's key 'id_rsa'. The client's key is created as a temporary key.

-- 'params' is the request parameter list of the enclosing VSP page.
-- 'name' (default value for the subject fields) and 'webid' (the owner's URI)
-- are assumed to be set by the enclosing code before this point.
declare kname, name, webid varchar;

-- Decode the client's SPKI-encoded public key (line breaks stripped);
-- the decoded key is created as a temporary key and its name returned.
kname := xenc_SPKI_read (null, replace (get_keyword ('key', params), '\r\n', ''));

-- Issue a certificate valid for 365 days, signed with the CA key 'id_rsa'.
-- The serial is taken from a sequence so that each issued certificate is unique.
xenc_x509_generate ('id_rsa', kname, sequence_next ('ca_id_rsa'), 365,
    vector (
        'CN',           get_keyword ('name', params, name),
        'C',            get_keyword ('c', params, name),
        'O',            get_keyword ('o', params, name),
        'OU',           get_keyword ('ou', params, name),
        'emailAddress', get_keyword ('email', params)
        ),
    vector (
        'subjectAltName',         'URI:' || webid,
        'nsComment',              'Virtuoso Generated Certificate',
        'authorityKeyIdentifier', 'keyid,issuer:always'));
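The example above passes the client's request parameters straight into the subject. The procedure below is an added example, not part of the Virtuoso documentation or the Virtuoso code base, showing how a CA can validate the request before calling xenc_x509_generate: it checks that the CA key is present, accepts only a clean base64 SPKI, requires the subjectAltName URI to be http(s), builds the subject solely from values the CA has decided on, supplies both days and hours, and removes the temporary key if anything fails. The procedure name CERT_ISSUE_FROM_SPKI is hypothetical; xenc_key_exists, xenc_key_remove, vector_concat and regexp_match are assumed to be the existing Virtuoso built-ins of those names; the CA key 'id_rsa' and sequence 'ca_id_rsa' follow the page's own example.

```sql
-- Added example (not from the Virtuoso docs). Assumptions: the procedure name is
-- hypothetical; xenc_key_exists / xenc_key_remove / vector_concat / regexp_match
-- are assumed to be the existing Virtuoso built-ins; 'id_rsa' and 'ca_id_rsa'
-- are the CA key and serial sequence used in the page's example.
create procedure CERT_ISSUE_FROM_SPKI (
    in spki varchar,    -- client's public key, SPKI base64 as submitted
    in cn varchar,      -- common name assigned by the CA for this subject
    in email varchar,   -- subject's e-mail; skipped when empty
    in webid varchar,   -- URI placed into subjectAltName
    in days integer,    -- validity in days
    in hours integer)   -- extra hours added to the days
{
  declare kname varchar;
  declare subj, exts any;

  -- Fail early when the CA key (and its certificate) is not in this key space
  if (not xenc_key_exists ('id_rsa'))
    signal ('42000', 'CA key id_rsa is not available');

  -- Accept only the key material the CA expects: base64 alphabet, no CR/LF
  spki := replace (replace (spki, '\r', ''), '\n', '');
  if (regexp_match ('^[A-Za-z0-9+/=]+$', spki) is null)
    signal ('22023', 'SPKI is not valid base64');

  -- Reject a WebID that is not an http(s) URI before it becomes a SAN entry
  if (regexp_match ('^https?://', webid) is null)
    signal ('22023', 'subjectAltName URI must be an http(s) URI');

  -- Decode the client's key; xenc_SPKI_read creates it as a temporary key
  kname := xenc_SPKI_read (null, spki);

  -- From here on, release the temporary key whatever goes wrong
  declare exit handler for sqlstate '*'
  {
    xenc_key_remove (kname);
    resignal;
  };

  -- Subject is built only from CA-controlled values, never from raw request fields
  subj := vector ('CN', cn);
  if (length (email) > 0)
    subj := vector_concat (subj, vector ('emailAddress', email));

  exts := vector (
      'subjectAltName',         'URI:' || webid,
      'nsComment',              'Virtuoso Generated Certificate',
      'authorityKeyIdentifier', 'keyid,issuer:always');

  -- Unique serial from the CA's sequence; expiry is days plus hours
  xenc_x509_generate ('id_rsa', kname, sequence_next ('ca_id_rsa'), days, subj, exts, hours);

  -- The caller exports the certificate from kname and then removes the temporary key
  return kname;
}
;
```

The returned key name is what the caller uses to export the issued certificate; once exported, the temporary key should be removed, since the exit handler only does that on failure.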