Create both asymmetric and symmetric cryptographic keys.
To manage server-scoped certificates, select Setup Certificates and the Local Certificates tab. Account-based certificates are managed from the Private Certificates pane of the Certificates pane of the User Account page. You can use either page to get detailed information for a particular key, generate a key, delete a key, or export public and private keys.
Generate a CSR and import the certificate and key
You can use a Certificate Signing Request (CSR) from a Certificate Authority (CA) to obtain certificates used by API Gateway. Policy Studio can generate both X.509 certificates and associated private keys. However, it cannot generate a CSR.
Generate an SSH key
From the Secure Client Main Window, click Manage Security. Click the User button and select the SSH Keys topic. Click the Generate button located in the toolbar. The Generate Key dialog box appears. Enter a value in the Key Name field.
Overview
Very often, you retrieve a key from an identity, a certificate, or the keychain, or with some other method described in Getting an Existing Key. Sometimes, however, you need to create your own keys.
Creating an Asymmetric Key Pair
An asymmetric cryptographic key pair is composed of a public and a private key that are generated together. You distribute the public key freely, but you keep the private key secret. One or both may be stored in a keychain for safekeeping.
You create an asymmetric key pair by first creating an attributes dictionary:
At a minimum, you specify the type and size of keys to create using the kSecAttrKeyType and kSecAttrKeySizeInBits parameters, respectively. The above example indicates 2048-bit RSA keys, though other options are available.
You then optionally add a kSecPrivateKeyAttrs parameter with a subdictionary that characterizes the private key. By assigning a value of true to the private key’s kSecAttrIsPermanent attribute, you store it in the default keychain while creating it. You also specify the kSecAttrApplicationTag attribute with a unique NSData value so that you can find and retrieve it from the keychain later. The tag data is constructed from a string, using reverse DNS notation, though any unique tag will do.
You could add a kSecPublicKeyAttrs attribute to the attributes dictionary, specifying a distinct tag and keychain storage for the public key. However, it’s typically easier to store only the private key and then generate the public key from it when needed. That way you don’t need to keep track of another tag or clutter your keychain.
For a complete list of available key attributes, see Key Generation Attributes.
Note
Be sure that you don’t generate multiple, identically tagged keys. These are difficult to tell apart during retrieval, unless they differ in some other, searchable characteristic. Instead, use a unique tag for each key generation operation, or delete old keys with a given tag using SecItemDelete(_:) before creating a new one with that tag.
You then call the SecKeyCreateRandomKey(_:_:) function with the attributes dictionary:
If the function fails to create a key, as indicated by a NULL return value, it fills in the error parameter to indicate the reason for failure. Otherwise, the key reference points to a new private key that’s ready for use. The key is also stored in the default keychain, from where you can read it later, as described in Storing Keys in the Keychain. If you need the corresponding public key (now or later), call the SecKeyCopyPublicKey(_:) function with the private key reference:
In Objective-C, when you’re done with these key references, however you obtained them, you are responsible for releasing the associated memory:
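The tagged-key workflow above, as an added example that is not Apple's code: the openssl CLI stands in for the Security framework, a directory (the assumed `KEYSTORE` path) stands in for the default keychain, the reverse-DNS tag becomes the file name, and the public key is derived from the stored private key only when needed. The second generation under the same tag deletes the first, which is the SecItemDelete(_:) advice from the note.

```shell
#!/bin/sh
# Added example (not Apple's code): tagged RSA key generation with the openssl
# CLI. A directory stands in for the keychain and the reverse-DNS tag is the
# file name; the public key is derived from the private key on demand.
set -e

KEYSTORE="${KEYSTORE:-$(mktemp -d)}"   # assumption: stand-in for the default keychain

# Generate a 2048-bit RSA private key under <tag>. Any existing key with the
# same tag is deleted first, so one tag never refers to two keys.
# Prints the path of the new key.
gen_tagged_key() {   # gen_tagged_key <reverse-dns-tag>
    tag="$1"
    rm -f "$KEYSTORE/$tag.key"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEYSTORE/$tag.key" 2>/dev/null
    chmod 600 "$KEYSTORE/$tag.key"          # private key readable by owner only
    echo "$KEYSTORE/$tag.key"
}

# Derive the public key from a stored private key (what SecKeyCopyPublicKey does).
public_key_for() {   # public_key_for <tag>
    openssl pkey -in "$KEYSTORE/$1.key" -pubout 2>/dev/null
}

# Report the size in bits of a stored private key (the kSecAttrKeySizeInBits analogue).
key_bits() {   # key_bits <tag>
    openssl pkey -in "$KEYSTORE/$1.key" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Count keys stored under a tag; the deletion in gen_tagged_key keeps this at 1.
keys_with_tag() {   # keys_with_tag <tag>
    ls "$KEYSTORE" | grep -c "^$1\.key$" || true
}

# Demo: generate a key twice under one tag, then derive its public key.
gen_tagged_key com.example.demo >/dev/null
gen_tagged_key com.example.demo >/dev/null
echo "keys under tag: $(keys_with_tag com.example.demo), size: $(key_bits com.example.demo) bits"
public_key_for com.example.demo
```

Only the private key is written to disk, as the text recommends; `public_key_for` recomputes the public half whenever it is needed, so there is no second tag to track.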
Creating a Symmetric Key
Asymmetric key cryptography is useful because it enables secure communication between two parties who don’t share a secret ahead of time. However, it’s not ideal for bulk data transfer, because it’s computationally expensive and because it operates on small, fixed-size chunks of data. Symmetric key cryptography, on the other hand, is computationally efficient. It allows you to handle data streams of arbitrary length but requires that both sender and receiver, and no one else, know the secret key.
To get the best of both worlds, you often use asymmetric cryptography to communicate a symmetric cryptographic key that you then use for bulk data transfer. When you do this with the certificate, key, and trust services API, you don’t explicitly create the symmetric key yourself. Instead, you call SecKeyCreateEncryptedData(_:_:_:_:) to create a symmetric key for you. This function creates the symmetric key, uses it to encrypt your data, and then encrypts the key itself with the public key that you provide. It then packages all of this data together and returns it to you. You then transmit it to a receiver, who uses the corresponding private key in a call to SecKeyCreateDecryptedData(_:_:_:_:) to reverse the operation. For more details, see Using Keys for Encryption.
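The hybrid scheme that SecKeyCreateEncryptedData(_:_:_:_:) performs in a single call, spelled out step by step as an added example that is not Apple's code: the openssl CLI generates a fresh symmetric key, encrypts the bulk data with it, wraps that key with the receiver's public key, and the receiver reverses both steps with the private key. The receiver's key pair, the `WORK` directory and the message are constructed for the example.

```shell
#!/bin/sh
# Added example (not Apple's code): the hybrid encryption that
# SecKeyCreateEncryptedData performs internally, shown with the openssl CLI.
set -e
WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for this example

# Receiver's RSA key pair, constructed for this example; in practice the
# private key never leaves the receiver.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/receiver.key" 2>/dev/null
openssl pkey -in "$WORK/receiver.key" -pubout -out "$WORK/receiver.pub" 2>/dev/null

# Sender: encrypt <plaintext-file> for the holder of <pubkey.pem>.
# Writes <prefix>.enc (bulk data, AES-256-CBC), <prefix>.iv and
# <prefix>.key (the fresh AES key wrapped with RSA-OAEP/SHA-256).
hybrid_encrypt() {   # hybrid_encrypt <pubkey.pem> <plaintext-file> <prefix>
    pub="$1"; plain="$2"; out="$3"
    aeskey=$(openssl rand -hex 32)          # fresh 256-bit key, one per message
    iv=$(openssl rand -hex 16)
    openssl enc -aes-256-cbc -K "$aeskey" -iv "$iv" -in "$plain" -out "$out.enc"
    echo "$iv" > "$out.iv"
    printf '%s' "$aeskey" | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out "$out.key"
}

# Receiver: unwrap the AES key with the private key, then decrypt the bulk data.
hybrid_decrypt() {   # hybrid_decrypt <privkey.pem> <prefix> <plaintext-out>
    priv="$1"; in="$2"; plain="$3"
    aeskey=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$in.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256)
    openssl enc -d -aes-256-cbc -K "$aeskey" -iv "$(cat "$in.iv")" \
        -in "$in.enc" -out "$plain"
}

# Prints "same" when a full round trip reproduces the input, "different" otherwise.
round_trip() {   # round_trip <plaintext-file>
    hybrid_encrypt "$WORK/receiver.pub" "$1" "$WORK/rt"
    hybrid_decrypt "$WORK/receiver.key" "$WORK/rt" "$WORK/rt.out"
    if cmp -s "$1" "$WORK/rt.out"; then echo same; else echo different; fi
}

# Demo with a constructed message.
printf 'bulk payload for the receiver\n' > "$WORK/msg.txt"
echo "round trip: $(round_trip "$WORK/msg.txt")"
```

One difference from the framework call is worth noting: the SecKeyAlgorithm values whose names end in AESGCM use an authenticated cipher, whereas `openssl enc` offers no AEAD mode, so this example protects confidentiality of the bulk data but not its integrity. The three output files together are the equivalent of the single blob that SecKeyCreateEncryptedData(_:_:_:_:) returns.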
See Also
Storing Keys in the Secure Enclave
Create an extra layer of security for your private keys.
func SecKeyCreateRandomKey(CFDictionary, UnsafeMutablePointer<Unmanaged<CFError>?>?) -> SecKey?
func SecKeyCopyPublicKey(SecKey) -> SecKey?
Gets the public key associated with the given private key.
Key Generation Attributes
Use attribute dictionary keys during cryptographic key generation.
When developing a secure service or client using Windows Communication Foundation (WCF), it is often necessary to supply an X.509 certificate to be used as a credential. The certificate is typically part of a chain of certificates with a root authority found in the Trusted Root Certification Authorities store of the computer. Having a certificate chain enables you to scope a set of certificates where typically the root authority is from your organization or business unit. To emulate this at development time, you can create two certificates to satisfy the security requirements. The first is a self-signed certificate that is placed in the Trusted Root Certification Authorities store, and the second certificate is created from the first and is placed in either the Personal store of the Local Machine location, or the Personal store of the Current User location. This topic walks through the steps to create these two certificates using the PowerShell New-SelfSignedCertificate cmdlet.
Important
The certificates that the New-SelfSignedCertificate cmdlet generates are provided for testing purposes only. When deploying a service or client, be sure to use an appropriate certificate provided by a certification authority. This could either be from a Windows Server certificate server in your organization or a third party.
By default, the New-SelfSignedCertificate cmdlet creates self-signed certificates, and such certificates are insecure on their own. Placing the self-signed certificates in the Trusted Root Certification Authorities store enables you to create a development environment that more closely simulates your deployment environment.
For more information about creating and using certificates, see Working with Certificates. For more information about using a certificate as a credential, see Securing Services and Clients. For a tutorial about using Microsoft Authenticode technology, see Authenticode Overviews and Tutorials.

To create a self-signed root authority certificate and export the private key
The following command creates a self-signed certificate with a subject name of 'RootCA' in the Current User Personal store.
We need to export the certificate to a PFX file so that it can be imported to where it's needed in a later step. When exporting a certificate with the private key, a password is needed to protect it. We save the password in a SecureString and use the Export-PfxCertificate cmdlet to export the certificate with the associated private key to a PFX file. We also save just the public certificate into a CRT file using the Export-Certificate cmdlet.
To create a new certificate signed by a root authority certificate
The following command creates a certificate signed by the RootCA with a subject name of 'SignedByRootCA' using the private key of the issuer.
Similarly, we save the signed certificate with private key into a PFX file and just the public key into a CRT file.
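The two-certificate setup from the steps above (self-signed RootCA, a SignedByRootCA certificate issued from its private key, and the PFX and CRT exports), built with the openssl CLI as an added example that is not Microsoft's code. It assumes a scratch `CERTDIR`, a constructed `PFX_PASSWORD` in place of the SecureString, and a small self-contained request config so it does not depend on the system openssl.cnf; the final chain check is the trust that importing RootCA into the Trusted Root store grants.

```shell
#!/bin/sh
# Added example (not Microsoft's code): the same two-certificate development
# setup built with openssl, including the PFX/CRT exports and a chain check.
set -e
CERTDIR="${CERTDIR:-$(mktemp -d)}"          # assumption: scratch directory
PFX_PASSWORD="${PFX_PASSWORD:-changeit}"   # constructed; stands in for the SecureString

# Minimal request config so the example does not depend on the system openssl.cnf.
cat > "$CERTDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = RootCA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root authority certificate 'RootCA' (CA:TRUE, so it may issue certificates).
make_root_ca() {
    openssl req -x509 -config "$CERTDIR/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -keyout "$CERTDIR/RootCA.key" -out "$CERTDIR/RootCA.crt" 2>/dev/null
}

# Certificate for <name>, signed with RootCA's private key.
make_signed_cert() {   # make_signed_cert <subject-name>
    cn="$1"
    openssl req -new -config "$CERTDIR/req.cnf" -subj "/CN=$cn" -newkey rsa:2048 -nodes \
        -keyout "$CERTDIR/$cn.key" -out "$CERTDIR/$cn.csr" 2>/dev/null
    openssl x509 -req -in "$CERTDIR/$cn.csr" -CA "$CERTDIR/RootCA.crt" \
        -CAkey "$CERTDIR/RootCA.key" -CAcreateserial -days 30 -sha256 \
        -out "$CERTDIR/$cn.crt" 2>/dev/null
}

# Export-PfxCertificate analogue: certificate plus private key, password protected.
export_pfx() {   # export_pfx <name>
    openssl pkcs12 -export -in "$CERTDIR/$1.crt" -inkey "$CERTDIR/$1.key" \
        -passout "pass:$PFX_PASSWORD" -out "$CERTDIR/$1.pfx"
}

# Export-Certificate analogue: the public certificate only, DER-encoded.
export_cer() {   # export_cer <name>
    openssl x509 -in "$CERTDIR/$1.crt" -outform DER -out "$CERTDIR/$1.cer"
}

# Prints "OK" when <name> chains to RootCA. This is the trust that importing
# RootCA into the Trusted Root store grants, and what is lost when it is deleted.
verify_chain() {   # verify_chain <name>
    openssl verify -CAfile "$CERTDIR/RootCA.crt" "$CERTDIR/$1.crt" 2>/dev/null \
        | sed -n 's/.*: //p'
}

build_dev_pki() {
    make_root_ca
    make_signed_cert SignedByRootCA
    export_pfx RootCA; export_pfx SignedByRootCA; export_cer SignedByRootCA
    echo "SignedByRootCA chain check: $(verify_chain SignedByRootCA)"
}
build_dev_pki
```

The validity period is deliberately short (30 days), which limits how long a forgotten development root remains usable; `RootCA.key` is the sensitive artifact, since anyone holding it can issue certificates that every machine trusting RootCA will accept.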
Installing a Certificate in the Trusted Root Certification Authorities Store
Once a self-signed certificate is created, you can install it in the Trusted Root Certification Authorities store. Any certificates that are signed with the certificate at this point are trusted by the computer. For this reason, delete the certificate from the store as soon as you no longer need it. When you delete this root authority certificate, all other certificates that were signed with it are no longer trusted. Root authority certificates are simply a mechanism whereby a group of certificates can be scoped as necessary. For example, in peer-to-peer applications, there is typically no need for a root authority because you simply trust the identity of an individual by its supplied certificate.
To install a self-signed certificate in the Trusted Root Certification Authorities
Open the certificate snap-in. For more information, see How to: View Certificates with the MMC Snap-in.
Open the folder to store the certificate, either the Local Computer or the Current User.
Open the Trusted Root Certification Authorities folder.
Right-click the Certificates folder and click All Tasks, then click Import.
Follow the on-screen wizard instructions to import the RootCA.pfx into the store.

Using Certificates with WCF
Once you have set up the temporary certificates, you can use them to develop WCF solutions that specify certificates as a client credential type. For example, the following XML configuration specifies message security and a certificate as the client credential type.
To specify a certificate as the client credential type
In the configuration file for a service, use the following XML to set the security mode to message, and the client credential type to certificate.
In the configuration file for a client, use the following XML to specify that the certificate is found in the user’s store, and can be found by searching the SubjectName field for the value 'CohoWinery.'
For more information about using certificates in WCF, see Working with Certificates.
.NET Framework security
Be sure to delete any temporary root authority certificates from the Trusted Root Certification Authorities and Personal folders by right-clicking the certificate, then clicking Delete.