Hello

I am looking to identify a third-party API which will perform certificate management using C/C++.

Ideally, the API should perform the following:

  1. Generate CSRs
  2. Perform certificate conversions (PEM<>DER)
  3. Retrieve certificates from CAs
  4. Parse X509 certificates to extract various fields like public key, subject name, issuer details, etc.
  5. CRL retrieval and validation, or handle OCSP

My people are not in favour of open source, so I cannot use OpenSSL. I am aware of the MS interfaces.

  1. Can you please share your experience and share what kind of products are available in this domain?
  2. What criteria do I need to look at to select such an API?

Thank you
Raj

A: 

From the Libksba webpage:

Libksba is a library to make the tasks of working with X.509 certificates, CMS data and related objects more easy. It provides a highlevel interface to the implemented protocols and presents the data in a consistent way.

Brandon E Taylor
Hello Brandon, this library is an open source one, so I have policy restrictions on using it. Thanks for your answer.
Raj
A: 

Disclaimer: I work for Cryptomathic.

PrimeInk from Cryptomathic does this and more. It is a C-based API, so if you are working in C++ you might find it a bit cumbersome, but it is very powerful.

I believe BSafe from RSA Labs would work too (but I have never used it). Most CA-server vendors will have an API for their servers.

Besides the price and the ease-of-use of the API, you should investigate the details of the support. The X.509 standard for certificates is a very generic and extensible standard, so most infrastructures will restrict themselves to a certain profile: RFC3280 specifies certificates for use on the Internet, and the American military has standards for their applications.

Things that will certainly vary between toolkits are string-support (Does the toolkit support Unicode? Does the toolkit support Teletex-strings?) and "Extension"s (this is a special field for supplying extra information. All toolkits can "handle" all extensions, but I doubt any toolkit can "understand" all extensions).

Rasmus Faber
Hello Rasmus, thank you for this information. My application is for the banking sector, for secure data transfer and non-repudiation. I will investigate further on this.
Raj
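
The string-support criterion in the answer above can be checked concretely: X.509 names are ASN.1 DirectoryString values that may arrive as PrintableString, TeletexString, BMPString, UniversalString or UTF8String, and a toolkit has to normalise all of them. The decoder below is an added example, not code from this thread or from any vendor's API; `dirstring_to_utf8` and `put_utf8` are hypothetical names, and it assumes TeletexString bytes are ISO 8859-1 (a common simplification, not full T.61) and does not check UTF8String well-formedness.

```c
#include <stddef.h>
#include <stdint.h>

/* Universal tags a DirectoryString may carry. */
enum { T_UTF8 = 0x0C, T_PRINTABLE = 0x13, T_TELETEX = 0x14,
       T_UNIVERSAL = 0x1C, T_BMP = 0x1E };

/* Encode one code point as UTF-8; returns bytes written, 0 on error.
   NUL, surrogates and out-of-range values are rejected. */
static size_t put_utf8(uint32_t cp, char *o, size_t room) {
    static const uint8_t lead[] = {0, 0, 0xC0, 0xE0, 0xF0};
    if (cp == 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    size_t n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (room < n) return 0;
    for (size_t i = n - 1; i > 0; i--, cp >>= 6) o[i] = (char)(0x80 | (cp & 0x3F));
    o[0] = (char)(lead[n] | cp);
    return n;
}

/* Decode one DER DirectoryString TLV into NUL-terminated UTF-8.
   Returns the UTF-8 length, or -1 on malformed or unsupported input. */
int dirstring_to_utf8(const uint8_t *tlv, size_t tlv_len, char *out, size_t cap) {
    if (tlv_len < 2 || cap == 0) return -1;
    size_t len = tlv[1], hdr = 2;
    if (len == 0x81 && tlv_len >= 3 && tlv[2] >= 0x80) { len = tlv[2]; hdr = 3; }
    else if (len >= 0x80) return -1;        /* non-minimal or longer forms */
    if (len != tlv_len - hdr) return -1;    /* truncated or trailing bytes */
    uint8_t tag = tlv[0];
    size_t width = tag == T_BMP ? 2 : tag == T_UNIVERSAL ? 4 :
        (tag == T_UTF8 || tag == T_PRINTABLE || tag == T_TELETEX) ? 1 : 0;
    if (width == 0 || len % width != 0) return -1;
    size_t n = 0;
    for (size_t i = 0; i < len; i += width) {
        uint32_t cp = 0;                    /* big-endian code unit */
        for (size_t k = 0; k < width; k++) cp = (cp << 8) | tlv[hdr + i + k];
        if (tag == T_PRINTABLE && cp >= 0x80) return -1;  /* ASCII subset only */
        if (tag == T_UTF8) {                /* already UTF-8: copy, reject NUL */
            if (cp == 0 || n + 1 >= cap) return -1;
            out[n++] = (char)cp;
            continue;
        }
        size_t w = put_utf8(cp, out + n, cap - 1 - n);
        if (w == 0) return -1;              /* embedded NUL, bad value, no room */
        n += w;
    }
    out[n] = '\0';
    return (int)n;
}
```

Rejecting an embedded NUL matters when the decoded name is later compared as a C string, since a name that is silently cut short at the NUL would compare equal to a different subject.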