
CertCreateSelfSignCertificate function

Applies to: desktop apps only

The CertCreateSelfSignCertificate function builds a self-signed certificate and returns a pointer to a CERT_CONTEXT structure that represents the certificate.

Syntax

PCCERT_CONTEXT WINAPI CertCreateSelfSignCertificate(
  __in_opt  HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey,
  __in      PCERT_NAME_BLOB pSubjectIssuerBlob,
  __in      DWORD dwFlags,
  __in_opt  PCRYPT_KEY_PROV_INFO pKeyProvInfo,
  __in_opt  PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
  __in_opt  PSYSTEMTIME pStartTime,
  __in_opt  PSYSTEMTIME pEndTime,
  __opt     PCERT_EXTENSIONS pExtensions
);

Parameters

hCryptProvOrNCryptKey [in, optional]

A handle of a cryptographic provider or key used to sign the certificate being created. If NULL, the information in the pKeyProvInfo parameter is used to acquire the needed handle. If pKeyProvInfo is also NULL, the defaults are used: the PROV_RSA_FULL provider type, the AT_SIGNATURE key specification, and a newly created key container with a unique container name.

This handle must be an HCRYPTPROV handle that has been created by using the CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has been created by using the NCryptOpenKey function. New applications should always pass in the NCRYPT_KEY_HANDLE handle of a CNG cryptographic service provider (CSP).

pSubjectIssuerBlob [in]

A pointer to a BLOB that contains the distinguished name (DN) for the certificate subject. This parameter cannot be NULL. Minimally, a pointer to an empty DN must be provided. This BLOB is normally created by using the CertStrToName function. It can also be created by using the CryptEncodeObject function and specifying either the X509_NAME or X509_UNICODE_NAME StructType.

dwFlags [in]

A set of flags that override the default behavior of this function. This can be zero or a combination of one or more of the following values.

Value and meaning

CERT_CREATE_SELFSIGN_NO_KEY_INFO (2)

By default, the returned PCCERT_CONTEXT references the private key by setting its CERT_KEY_PROV_INFO_PROP_ID property. Specify CERT_CREATE_SELFSIGN_NO_KEY_INFO if you do not want the returned PCCERT_CONTEXT to reference the private key in this way.

CERT_CREATE_SELFSIGN_NO_SIGN (1)

By default, the certificate being created is signed. If the certificate being created is only a dummy placeholder, it might not need to be signed; signing is skipped if CERT_CREATE_SELFSIGN_NO_SIGN is specified. A certificate built with this flag carries no valid signature and fails CryptVerifyCertificateSignatureEx, so it must never be installed in a store that anything trusts.

pKeyProvInfo [in, optional]

A pointer to a CRYPT_KEY_PROV_INFO structure. Before the certificate is created, the CSP is queried for the key provider name, the provider type, and the key container name. If the CSP being queried does not support these queries, the function fails. If the default provider does not support them, a pKeyProvInfo value must be specified. The Microsoft Base Cryptographic Provider (RSA BASE) does support these queries.

If the pKeyProvInfo parameter is not NULL, the corresponding values are set in the CERT_KEY_PROV_INFO_PROP_ID value of the generated certificate. You must ensure that all parameters of the supplied structure are correctly specified.

pSignatureAlgorithm [in, optional]

A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure. If NULL, the default algorithm, SHA1RSA (szOID_RSA_SHA1RSA), is used. Current browsers and TLS libraries reject SHA-1 signatures, so pass a structure whose pszObjId is szOID_RSA_SHA256RSA for an RSA key (or szOID_ECDSA_SHA256 for an ECDSA key) rather than relying on the default.

pStartTime [in, optional]

A pointer to a SYSTEMTIME structure. If NULL, the system current time is used by default.

pEndTime [in, optional]

A pointer to a SYSTEMTIME structure. If NULL, the pStartTime value plus one year will be used by default.

pExtensions [optional]

A pointer to a CERT_EXTENSIONS structure that describes an array of CERT_EXTENSION structures. By default, the array is empty. A subject alternative name extension (szOID_SUBJECT_ALT_NAME2) can be supplied here; modern TLS clients match the host name against this extension rather than against the subject CN, so a self-signed server certificate without one will not validate for its host.

Return value

If the function succeeds, a PCCERT_CONTEXT variable that points to the created certificate is returned. If the function fails, it returns NULL. For extended error information, call GetLastError. Release the returned context with CertFreeCertificateContext when it is no longer needed.

Requirements

Minimum supported client

Windows 2000 Professional

Minimum supported server

Windows 2000 Server

Header

Wincrypt.h

Library

Crypt32.lib

DLL

Crypt32.dll

See also

CERT_EXTENSION
CERT_EXTENSIONS
CertStrToName
CRYPT_ALGORITHM_IDENTIFIER
CryptEncodeObject
GetLastError
PCCERT_CONTEXT
SYSTEMTIME

Build date: 3/6/2012

Community Content

DSA NCRYPT_KEY_HANDLE not supported
CertCreateSelfSignCertificate with a DSA NCRYPT_KEY_HANDLE passed as the first argument is not supported. GetLastError() returns ERROR_NOT_SUPPORTED. It works with RSA and ECDSA CNG keys.