I am currently trying to generate a CSR using the bouncycastle lib (Java or C#) and a smartcard (epass2003) that has both the private and public keys stored on it.
I found this example, ".Net Programmatically Sign PKCS#10 Request with Bouncy Castle", which works quite well; however, it requires direct access to the key pair, which is not possible since smartcards do not allow access to their private keys.
Can anyone give some help with generating a CSR using the key pair from a smartcard?
Best Regards
BouncyCastle currently has no built-in support for smartcards of any kind, but it provides the Org.BouncyCastle.Pkcs.Pkcs10CertificationRequestDelaySigned class, which generates a CSR that can be signed by any external signing implementation (i.e. with the private key stored on your smartcard).
This is the description of the Pkcs10CertificationRequestDelaySigned class, taken from the BouncyCastle documentation:
A class for creating and verifying Pkcs10 Certification requests (this is an extension on Pkcs10CertificationRequest). The requests are made using delay signing. This is useful for situations where the private key is in another environment and not directly accessible (e.g. HSM). So the first step creates the request, then the signing is done outside this object and the signature is then used to complete the request.
You can take a look at my Net.Pkcs11Interop.PkiUtils.CertificateRequest class for a full code sample which signs a CSR with the private key stored on a smartcard. The code uses the Pkcs11Interop library, which I am the author of, to access the smartcard and the private key stored on it.
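The delay-signing flow described in the answer above, as an added example that is not the answerer's code nor part of Pkcs11Interop: build the request, hand the bytes returned by GetDataToSign() to an external signer, attach the signature with SignRequest(), then verify the finished CSR against the public key. To keep it runnable offline, the smartcard is replaced by a stand-in: a software RSA key pair wrapped in a Func delegate. In real use that delegate would call the token (for example a PKCS#11 C_Sign with an RSA-with-SHA-256 mechanism) and the public key would be rebuilt from the token's public key attributes. The subject name and the choice of SHA256withRSA are assumptions for the example.

```csharp
using System;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;

public static class DelaySignedCsrExample
{
    // Signature algorithm named in the CSR. The external signer MUST produce a
    // signature with exactly this algorithm (hash + padding), otherwise Verify() fails.
    private const string SignatureAlgorithm = "SHA256withRSA";

    // Builds a CSR for the given public key, obtains the signature from an
    // external signer (in practice: the smartcard), and returns the DER-encoded request.
    public static byte[] BuildCsr(AsymmetricKeyParameter publicKey, Func<byte[], byte[]> externalSigner)
    {
        // Assumed subject for the example
        var subject = new X509Name("CN=example.test, O=Example Org");

        // No attributes (e.g. no extension request) in this example
        var csr = new Pkcs10CertificationRequestDelaySigned(SignatureAlgorithm, subject, publicKey, new DerSet());

        // DER-encoded CertificationRequestInfo: this is the only thing the
        // smartcard has to see. The private key never leaves the token.
        byte[] toBeSigned = csr.GetDataToSign();

        // Signing happens outside BouncyCastle; the returned bytes are the raw signature value
        byte[] signature = externalSigner(toBeSigned);
        csr.SignRequest(signature);

        // Always check the result: a wrong mechanism on the token side (e.g. raw RSA
        // instead of SHA256withRSA) yields a request the CA will reject.
        if (!csr.Verify())
            throw new InvalidOperationException("CSR signature does not verify against the supplied public key");

        return csr.GetDerEncoded();
    }

    public static void Main()
    {
        // Stand-in for the smartcard: a software RSA key pair generated in-process.
        var generator = new RsaKeyPairGenerator();
        generator.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
        AsymmetricCipherKeyPair keyPair = generator.GenerateKeyPair();

        // Stand-in signer; replace the body with the token call in real code.
        Func<byte[], byte[]> signer = data =>
        {
            ISigner s = SignerUtilities.GetSigner(SignatureAlgorithm);
            s.Init(true, keyPair.Private);
            s.BlockUpdate(data, 0, data.Length);
            return s.GenerateSignature();
        };

        byte[] der = BuildCsr(keyPair.Public, signer);

        // PEM-style output ready to submit to a CA
        Console.WriteLine("-----BEGIN CERTIFICATE REQUEST-----");
        Console.WriteLine(Convert.ToBase64String(der, Base64FormattingOptions.InsertLineBreaks));
        Console.WriteLine("-----END CERTIFICATE REQUEST-----");
    }
}
```

The point to get right when swapping in the token is the mechanism: GetDataToSign() returns unhashed DER, so the token must hash and pad it itself with the algorithm the CSR names (a PKCS#1 v1.5 SHA-256 RSA mechanism for "SHA256withRSA"). If the token only offers raw RSA, hash the data and wrap it in the DigestInfo structure before signing. The Verify() call catches a mismatch before the request is sent anywhere.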