X509 - Toolkit/API - C/C++ Certificate Management

Question

Hello

I am looking to identify a third party API which will perform certificate management using c/c++;

Ideally, the API should perform the following,

1. Generate CSR's
2. Perform Certificate conversions(pem<>DER)
3. Retrieves certificates from CA's
4. Parsing X509 certificates to extract various fields like public key, subject name, issuer details etc
5. CRL retrival and validation or to handle OCSP

My people are not in favour of open sources so i cannot use OpenSSL.I am aware of the MS interfaces.

1. Can you please share your experience and share what kind of products are available in this domain?
2. What criterias do i need to look at to select such an API?

Thank you
Raj

Answer 1

From the Libskba webpage:

Libksba is a library to make the tasks of working with X.509 certificates, CMS data and related objects more easy. It provides a highlevel interface to the implemented protocols and presents the data in a consistent way.

Answer 2

Disclaimer: I work for Cryptomathic.

PrimeInk from Cryptomathic does this and more. It is a C-based API, so if you are working in C++ you might find it a bit cumbersome, but it is very powerful.

I believe BSafe from RSA Labs would work too (but I have never used it). Most CA-server vendors will have an API for their servers.

Besides the price and the ease-of-use of the API, you should investigate the details of the support. The X.509 standard for certificates is a very generic and extensible standard, so most infrastructures will restrict itself to a certain profile: RFC3280 specifies certificate for use on the Internet and the American military has standards for their applications.

Things that will certainly vary between toolkits are string-support (Do the toolkit support Unicode? Do the toolkit support Teletex-strings?) and "Extension"s (this is a special field for supplying extra information. All toolkits can "handle" all extensions, but I doubt any toolkit can "understand" all extensions).