
Examples for CryptoSys PKI Pro
==============================

---

This page contains some examples showing how to use the functions in 
CryptoSys PKI Pro.
For hints on programming see the manual and
[Programming with CryptoSys PKI](pkiproglang.html)

Contents
--------

["Hello World" programs](#helloworld) |
[Example code and test modules in the distribution](#distribcode) |
[Recent examples](#recentexamples) |
[Examples of new features](#examplesv12) |
[Techniques and help about RSA keys](#rsakeys) |
[Using in Excel](#excelexample) |
[Creating S/MIME signedData and envelopedData objects](#smimeobjects) |
[Sending secure CMS messages using `VB.NET`](#cmsusingvbnet) |
[How to validate an X.509 certificate](#validatecert) |
[Doing RSA Encryption and Signing with C#](#rsacsharp) |
[Encrypting and decrypting using RSA-OAEP in XML](#xmlencryptrsaoaep) |
[Handling PFX/P12 data in memory](#xmlencryptrsaoaep) | 
[SAT Mexico Examples](#satmexicoexample) |
[Examples using Python](#python) |
[Contact us](#contact)

<a id="helloworld"></a>Simple "Hello World" programs
----------------------------------------------------

The equivalent of the "Hello world" program for CryptoSys PKI is to call the 
[`PKI_Version`](manpki/pki_PKI_Version.html) function. 
A correct response demonstrates that the Toolkit is properly installed. See
[Hello World programs](manpki/pki_helloworld.html) for some sample code.

<a id="distribcode"></a>Example code and test modules in the distribution
-------------------------------------------------------------------------

There is a comprehensive set of tests provided in the distribution download, which give examples of how to use almost all the functions in the library. 
You will find the latest versions of these files in the installation directory, usually `C:\Program Files (x86)\CryptoSysPKI`.

* C#: [TestPKIcsharp.cs](TestPKIcsharp.cs.html).
* `VB.NET`: [TestPKIvbnet.vb](TestPKIvbnet.vb.html).
* VBA/VB6: [TestPKI.bas](TestPKI.bas.html), [Vtests.bas](Vtests.bas.html) and [basSMIMEex.bas](basSMIMEex.bas.html)
* ANSI C: [TestPKI.c](TestPKI.c.html), [pki_check.c](pki_check.c.html)
and [PKICheck.c](PKICheck.c.html).
* C++ (STL): [TestPKI.cpp](TestPKI.cpp.html)
* Python: [test_pki.py](test_pki.py.html)

<a id="recentexamples"></a>Recent examples using CryptoSys PKI
--------------------------------------------------------------

* [Using CryptoSys PKI to encrypt and decrypt using XMLENC](xmlenc-encrypt-decrypt.html).
* [Encrypt data like PHP encrypt](php_encrypt_aes256.html)
* [How to create and validate a JSON Web Signature (JWS)](json-web-signature.html)
* [Reproducing a raw Bitcoin transaction](ecc-bitcoin-raw-transaction.html)
* [Creating output for secure XML documents](output-for-xml-docs.html)
* [How to generate a UUID compliant with RFC 4122](uuid-rfc4122.html)

<a id="examplesv12"></a>Examples of new features added to CryptoSys PKI
-----------------------------------------------------------------------

* [Compute ECDH shared secret using P-256 and X25519](ecdh-shared-secret.html)
* [Create self-signed and self-issued X.509 certificates using Ed25519 and X25519](x509-cert-ed25519-x25519.html)
* Add a video of your cat to an X.509 certificate: [MpegOfCat.cs](MpegOfCat.cs.html) — [[test files](MpegOfCat.zip)].
[x509cat.mp4](x509cat.mp4)


* [GermanHealthExamples2018.bas](GermanHealthExamples2018.bas.html): VBA/VB6 code to create and read signed-and-enveloped PKCS7 (CMS) objects suitable for
the Security interface for data exchange in the German health service, 2018 — [[test files](GermanHealth2018Files.zip)].

    + Same again in C#: [GermanHealthExamples2018.cs](GermanHealthExamples2018.cs.html).
* [SetupAliceBobCarl.cs](SetupAliceBobCarl.cs.html): 
Create X.509 certificates for Alice, Bob and Carl similar to those given in [RFC4134 "Examples of S/MIME Messages"](https://tools.ietf.org/html/rfc4134 "External link") using RSA-PSS and ECDSA signature algorithms
— [[test files](SetupAliceBobCarl-keys.zip)].

    + [MakeAliceRsaPss.c](MakeAliceRsaPss.c.html): Shorter example of above just for Alice using C — [[test files](MakeAliceRsaPss.zip)].
        + Resulting [certificate files](rsapss-ecdsa-ref-certs.zip) (zipped, 8.3 kB).
* [Vtests.bas](Vtests.bas.html): all the VB6/VBA examples from the manual — [[test files](Vtestsfiles.zip)].
Plus you'll need the `ShowTextFile()` function in [VtestUtils.bas](VtestUtils.bas.html).

<a id="rsakeys"></a>Techniques and help about RSA keys
------------------------------------------------------

See [RSA Techniques](rsatechniques.html) for some examples of using the "raw" RSA functions to carry out simple 
encryption and signing operations.
(*Hint:* you are strongly recommended to use the S/MIME CMS functions if you need to pass secure messages. 
The S/MIME protocols have been well designed and tested - be careful designing your own.)
If you need more information about RSA keys and how they can be stored and the functions available
in the Toolkit to handle them, see [RSA Key Formats](rsakeyformats.html).

**2018-06-10**:
You can pass a string directly instead of a filename for the 'keyFile' and 'certFile' arguments. See some C# code to do this in
[KeyCertsAsStrings.cs](KeyCertsAsStrings.cs.html).

**2019-01-19**:
The page [How to process a PFX file](process-pfx-file.html) shows how to extract your X.509 certificate and private key from a PFX (PKCS12/p12) file.
It includes C# and Python code.

<a id="excelexample"></a>Making an RSA signature in an Excel spreadsheet
------------------------------------------------------------------------

This [Excel spreadsheet](RSA-Sign.xls.zip) (65 kB) contains VBA macros that show how to use 
CryptoSys PKI to make
and verify RSA signatures in a spreadsheet (it's Excel 2003 but should still work in the latest version). 
Here is the [VBA code in Module1.bas](RSA-Sign-Module1.bas.html).
A sample certificate and encrypted private key are included 
(the password for the sample key is, of course,
*password*). The key and certificate files must be in the same directory as the spreadsheet itself, and macros must be enabled.
The spreadsheet will show you how to 
[make a signature](images/rsa-sign-make-signature.gif) and 
[verify](images/rsa-sign-verify.gif) one.

<a id="smimeobjects"></a>Creating S/MIME signedData and envelopedData objects
-----------------------------------------------------------------------------

See [Sign and Encrypt](basSignEncrypt.txt.html) for a VB6/VBA example showing how to sign and then encrypt
some data to produce an S/MIME-conformant CMS object you could send as part of an email. 
The output in the debug immediate window should [look like this](basSignEncrypt_out.txt).
[Download all files](basSignEncrypt.zip) including the test certificate and private key files here. 
The password for both private keys is "password".

<a id="cmsusingvbnet"></a>Sending secure CMS messages using `VB.NET`
--------------------------------------------------------------------

How to create and read secure CMS messages between parties, starting from scratch by generating your own keys and 
your own private set of X.509 certificates: 
[`VB.NET` source code](PKI_CMS_Examples.vb.html) ([zipped](PKI_CMS_Examples.vb.zip), 5kB).
You need to create your own certificates because the CMS format requires public keys in X.509 form, but there's no need
to pay for them - just be your own CA. You can check that your end users have the correct certificates by comparing the
certificate file thumbprints (aka SHA-1 message digest values) over the phone. 

<a id="validatecert"></a>How to validate an X.509 certificate
-------------------------------------------------------------

The VB6 code in [How to Validate a Certificate Chain](x509_validatechain.html) shows
how you can validate that an end user's certificate is still current and really was issued by 
the correct authority.
  

**2010-05-02:** Check out the [`X509_ValidatePath`](manpki/pki_X509_ValidatePath.html) function.

<a id="rsacsharp"></a>Doing RSA Encryption and Signing with C#
--------------------------------------------------------------

See [Doing RSA Encryption and Signing with C#](pkicsharp.html#doingrsa).

<a id="xmlencryptrsaoaep"></a>Encrypting and decrypting using RSA-OAEP in XML, handling PFX/P12 data in memory
--------------------------------------------------------------------------------------------------------------

*Question:*
I am programming in C. I want to encrypt and decrypt a session key using the following parameters:

```

<xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
<xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"/>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
</xenc:EncryptionMethod>

```

Also, I already have the P12 (PFX) data in memory. Is there a way to access this without writing to a file?
And can I create an X.509 certificate (.cer) file from the PFX data?

*Answer:* yes, yes and yes. See the solution in [XmlEnc.c](XmlEnc.c.html).
The PFX file used is [bob.pfx](docs/bob.pfx.zip) with password "password". 
(Remember if you were encrypting a message to Bob, you wouldn't have his PFX or private key data. This is just a demonstration of techniques.)
The EncryptedKey subset of your XML might look like this: [XmlEncKey.xml](XmlEncKey.xml.html).

To use a PFX file in memory instead of a file, pass a string containing the PFX file in PEM format:

```

char *pfxstr="-----BEGIN PKCS12-----"
"MIIGhAIBAzCCBkoGCSqGSIb3DQEHAaCCBjsEggY3MI..."
"-----END PKCS12-----";

```

For more details about handling file data as a string, see [PEM string alternative](https://cryptosys.net/pki/manpki/pki_pemstring.html "External link").

<a id="satmexicoexample"></a>SAT Mexico Examples
------------------------------------------------

See [SAT Mexico and CryptoSys PKI](satmexico.html) 
(now mostly superseded by [FirmaSAT](../firmasat/index.html)). But see also:

* [How to create a SAT Cancelacion document using CryptoSys PKI](satcancelcfd.html)
* [How to generate a UUID compliant with RFC 4122](uuid-rfc4122.html)

<a id="exampletechniques"></a>Techniques shown in the example C/C++ code
------------------------------------------------------------------------

Carol is the CA who signs her own certificate. Ann, Ben and Damien are end users whose certificates are issued by Carol.
Damien's certificate is then revoked by Carol.

**Important Note:** Some examples of RSA encryption and signing given here use a 512-bit key.
This is for convenience and speed in demonstration and testing. Using a 512-bit key is not recommended for
production work. Use at least a 1024-bit key in practice.

* [Carol generates a 1024-bit RSA key pair](PKI_Examples.c-links.html#carol_creates_keys)
* [Carol creates her own self-signed X.509 certificate](PKI_Examples.c-links.html#carol_creates_ca_cert)
* [Ann and Ben generate their RSA keys](PKI_Examples.c-links.html#ann_and_ben_create_keys)
* [Carol issues certificates for Ann and Ben](PKI_Examples.c-links.html#carol_makes_certs_for_ann_and_ben)
* [Ben tests his keys 'in the raw'](PKI_Examples.c-links.html#ben_tests_his_keys_in_the_raw)
* [Ann sends an encrypted message to Ben](PKI_Examples.c-links.html#ann_sends_enc_msg_to_ben)
* [Ben decrypts the message from Ann](PKI_Examples.c-links.html#ben_decrypts_msg_from_ann)
* [Ann sends an encrypted message and Ben reads it](PKI_Examples.c-links.html#ann_sends_encmsg_ben_reads)
* [Ann sends an encrypted message in base64 format](PKI_Examples.c-links.html#ann_sends_encr_base64_ben_reads)
* [Ann signs a message](PKI_Examples.c-links.html#ann_signs_msg)
* [Ben verifies the signed message received from Ann](PKI_Examples.c-links.html#ben_verifies_msg_from_ann)
* [Ben reads the signed-data from Ann, saving as a file](PKI_Examples.c-links.html#ben_reads_signed_data)
* [Ann creates a signed-data object in base64 format; Ben verifies it](PKI_Examples.c-links.html#ann_signs_base64_ben_verifies)
* [Ben signs a detached message](PKI_Examples.c-links.html#ben_signs_det_msg)
* [Ann verifies the detached signature received from Ben](PKI_Examples.c-links.html#ann_verifies_det_msg_from_ben)
* [Ben prepares a certificate signing request in both PEM and binary formats](PKI_Examples.c-links.html#ben_makes_crs)
* [Ann verifies her certificate](PKI_Examples.c-links.html#ann_verifies_her_cert)
* [Ben reads and saves his RSA public key in different formats](PKI_Examples.c-links.html#ben_resaves_his_public_key)
* [Ben reads, checks and saves his RSA private keys in different formats (CAUTION)](PKI_Examples.c-links.html#ben_examines_his_private_key)
* [Carol extracts her public key from her X.509 certificate](PKI_Examples.c-links.html#carol_reads_public_key_from_cert)
* [Ann makes a PKCS7 certificate chain](PKI_Examples.c-links.html#ann_makes_cert_chain)
* [Ben makes a PKCS12 PFX file](PKI_Examples.c-links.html#ben_makes_pfx)
* [Ben uses 'raw' RSA to encrypt a secret for Ann](PKI_Examples.c-links.html#ben_encrypts_raw_key)
* [Ann decrypts the 'raw' data from Ben](PKI_Examples.c-links.html#ann_decrypts_raw_key)
* [Ann uses 'raw' RSA to sign a message](PKI_Examples.c-links.html#ann_signs_raw_msg)
* [Ben verifies the 'raw' RSA signature received from Ann](PKI_Examples.c-links.html#ben_verifies_raw_msg)
* [Ben creates a self-signed certificate with his name in Chinese](PKI_Examples.c-links.html#ben_creates_cjk_ca_cert)
* [Damien creates a certificate signing request (CSR) after making himself a pair of RSA keys](PKI_Examples.c-links.html#damien_creates_csr)
* [Carol makes an X.509 certificate for Damien using his Certificate Signing Request](PKI_Examples.c-links.html#carol_makes_cert_from_damiens_csr)
* [Damien validates the P7 cert chain file from Carol and extracts all the certificates](PKI_Examples.c-links.html#damien_reads_new_p7_chain_file)
* [Carol revokes Damien's certificate](PKI_Examples.c-links.html#carol_revokes_damiens_cert)
* [We check whether or not Damien's cert has been revoked](PKI_Examples.c-links.html#we_check_damiens_cert_in_crl)

<a id="python"></a>Python
-------------------------

See the page [A Python interface to CryptoSys PKI Pro](python.html).

<a id="contact"></a>Contact
---------------------------

To comment on this page or get more information, please 
[send us a message](https://di-mgt.com.au/contactmsg.php?topic=CryptoSys+PKI+Pro "External link").

*This page last updated 10 September 2025*


Copyright © 2004-25 D.I. Management Services Pty Limited 
 t/a CryptoSys ABN 78 083 210 584
Australia. All rights reserved.  

[<https://di-mgt.com.au>](https://di-mgt.com.au "External link")
 
[<https://cryptosys.net>](https://cryptosys.net "External link")

