Export User Certificate with API or CLI

We are using user objects as computer certificates. The certificate is imported manually on the computer with the command line "certutil.exe -p pwd -importpfx "My" path_to_pfx_cert_file". The certificate is used for authentication for a WLAN connection.

Mass creation of certificates is possible with iManager, but an export with the private key is not possible.

So is there a way to use an API (like the NDK) or a CLI to export a user certificate with its private key?

I have opened an SR (101294181011), but currently there is no SDK available.

We are running the CA Certificate Server on NetWare 6.5 SP8 with eDirectory version 8.7.3.10.
We also have an OES 2018 SP1 with eDirectory 9.1.4.

Best regards

Andre

3 Replies
Respected Contributor.

Is there no one out there who can help me?

So can someone explain the "nDSPKIUserCertificateInfo" LDAP attribute?

OID: 2.16.840.1.113719.1.48.4.1.12

It contains the DN of the Certserver followed by binary data.

Knowledge Partner

AFAIK, private keys of user certificates can be exported exclusively by the tied user. I'd guess this "restriction" is by design, as anything else would pretty much contradict the very reason for user certs (e.g. for an end-to-end protocol such as S/MIME).

From the admin's perspective some sort of "administrative overrule" would come in handy, but I don't know of anything like that.

 

If you like it: like it.
Respected Contributor.

Hi Mathias!

This is correct.
We know the credentials of the "user" objects - this is a computer object 🙂

Now I'm ready to export the certificate with the NPKI API. I searched for a long time to find the right files.

With the "novell-ncslib-devel-2007.10.03-1cross_platform" ZIP file and the DLLs from the eDirectory server ISO 8.8 (path \nt\I386\NDSonNT\ni\bin), the compiled binary works fine in our environment.

With the credentials of the "user" object I can export the certificate with private key as a PFX file.

    ccode = NPKIExportUserKey(
        myPKI,
        myNick,
        pword,
        PKI_OBJECT_KEY_CERTIFICATE | PKI_CHAIN_CERTIFICATE,
        &pfxSize,
        &pfx
    );
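
The import step from the original question, as an added example that is not part of any post in this thread: it checks that the exported PFX carries a leaf certificate and chain, then imports it into the computer store with a non-exportable key and without putting the password on the command line. It assumes Windows PowerShell with the built-in PKI module and an elevated session; `$PfxPath` is a hypothetical parameter pointing at the exported file.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). $PfxPath is a hypothetical location
# for the PFX file written by the export tool.
param(
    [Parameter(Mandatory)] [string] $PfxPath
)
$ErrorActionPreference = 'Stop'

# Prompt for the PFX password so it never appears in a process command line.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Inspect the PFX contents without touching any certificate store.
$pfxData = Get-PfxData -FilePath $PfxPath -Password $pfxPassword
$leaf = $pfxData.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }
if ($pfxData.OtherCertificates.Count -eq 0) {
    Write-Warning 'PFX contains no chain certificates'
}
$now = Get-Date
if ($now -lt $leaf.NotBefore -or $now -gt $leaf.NotAfter) {
    throw "Certificate $($leaf.Thumbprint) is outside its validity period"
}

# Import into the computer's Personal ("My") store. -Exportable is
# deliberately omitted, so the private key is marked non-exportable here.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

$cert = $imported | Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw 'Imported certificate is missing or has no private key'
}

# Delete the transport file once the key is in the store.
Remove-Item -LiteralPath $PfxPath -Force
'{0} imported, expires {1:u}' -f $cert.Subject, $cert.NotAfter
```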
