PFX - Common Interoperability Problems and Solutions
Author: Henrick Wibell Hellström, 2017-06-02 10:37:19 (Registered user)
1. The password is usually encoded using UTF-16-BE or BMPString. The iSecretKey interface wraps raw bytes only, which means you have to apply the correct character encoding prior to calling e.g. ImportFromPFX. One way of doing that is by using the tSecretKey.CreateBMPStr constructor. Confer the examples.
2. When encoding the password, take notice of the trailing #0 character. Beware in particular that in some versions of Delphi, you can't rely on the trailing #0 always being present in every string value, so you can't mix code that relies on null termination with code that requires explicit lengths. This is in particular true of shortstring, fixed-length Char arrays and of string literals in some Delphi versions.
3. When generating a PFX file with one PKCS#12 implementation and using it with a completely different implementation, use only passwords with printable characters from the 7-bit US ASCII character set.
4. Use only two-prime RSA. Also, ensure that the two primes are of exactly equal bit length and that the RSA modulus has a commonly supported bit length, such as 2048, 3072 or 4096.
5. Do not use OpenSSL for generating self-signed server certificates. The OpenSSL implementation uses an illegal certificate extension for non-CA self-signed server certificates. This extension (a non-critical BasicConstraint with cA set to True) is presumably meant to prevent clients from installing the certificate into persistent root CA certificate stores. Some implementations (such as ST 4.0) perform a more thorough certificate chaining and will not accept those extensions in any certificate at all.
6. Intermediate CA certificates are not necessarily loaded correctly if only loaded as part of the PFX import. In particular, in ST 2.x the root CA certificate should be loaded separately, prior to loading the PFX.
7. Certificates expire. Beware that when loading an old PFX, it might contain a certificate that has already expired, causing it to be silently ignored.
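To make points 1 to 3 concrete, here is an added Python example (not the author's or StreamSec Tools' code; it assumes only the standard library's hashlib, implements the RFC 7292 Appendix B.2 key derivation, and uses a constructed sample salt and iteration count): it encodes the password as a BMPString with the trailing #0, checks for printable 7-bit ASCII, and shows that dropping the terminator or passing 8-bit bytes derives a different key, which is the silent mismatch behind a failed import.

```python
import hashlib

def pkcs12_password_bytes(password: str) -> bytes:
    """Encode a password the way PKCS#12 (RFC 7292) expects it:
    BMPString (UTF-16-BE) followed by a two-byte #0 terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"

def is_interoperable_password(password: str) -> bool:
    """True if every character is printable 7-bit US ASCII (0x20..0x7E),
    the subset that survives a round trip between different PKCS#12 stacks."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in password)

def _pad_to_block_multiple(data: bytes, v: int) -> bytes:
    # Repeat data until its length is a multiple of v (RFC 7292 B.2, steps 2-3).
    if not data:
        return b""
    target = v * ((len(data) + v - 1) // v)
    reps = (target + len(data) - 1) // len(data)
    return (data * reps)[:target]

def pkcs12_kdf(password: bytes, salt: bytes, id_byte: int, iterations: int,
               n: int, hash_name: str = "sha1") -> bytes:
    """RFC 7292 Appendix B.2 key derivation. id_byte: 1 = encryption key,
    2 = IV, 3 = MAC key. Returns n bytes of derived material."""
    h0 = hashlib.new(hash_name)
    v, u = h0.block_size, h0.digest_size
    D = bytes([id_byte]) * v                        # step 1: diversifier
    I = bytearray(_pad_to_block_multiple(salt, v) + _pad_to_block_multiple(password, v))
    out = b""
    for _ in range((n + u - 1) // u):               # step 4: c = ceil(n/u)
        A = hashlib.new(hash_name, D + bytes(I)).digest()
        for _ in range(iterations - 1):
            A = hashlib.new(hash_name, A).digest()  # A = H^r(D || I)
        out += A
        B = (A * ((v + u - 1) // u))[:v]            # A repeated to v bytes
        Bplus1 = int.from_bytes(B, "big") + 1
        for j in range(0, len(I), v):               # I_j = (I_j + B + 1) mod 2^(8v)
            Ij = (int.from_bytes(I[j:j + v], "big") + Bplus1) % (1 << (8 * v))
            I[j:j + v] = Ij.to_bytes(v, "big")
    return out[:n]

def demo() -> dict:
    # Constructed sample salt and iteration count; a real PFX carries its own.
    salt, iters = bytes(range(8)), 2048
    correct = pkcs12_kdf(pkcs12_password_bytes("secret"), salt, 1, iters, 24)
    no_terminator = pkcs12_kdf("secret".encode("utf-16-be"), salt, 1, iters, 24)
    narrow = pkcs12_kdf(b"secret\x00", salt, 1, iters, 24)  # 8-bit bytes, as a raw-byte API sees them
    return {"correct": correct, "no_terminator": no_terminator, "narrow": narrow}
```

All three derivations in demo() succeed without error; only a decrypt or MAC check of the real PFX would reveal that two of them used the wrong bytes.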