Download CAPICOM, which is a wrapper around the Crypto API for Visual Basic:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/intcapicom.asp

If you don't have a copy of Visual Basic, download the Control Creation Edition:
http://msdn.microsoft.com/vbasic/downloads/tools/cce/default.aspx

Finally, you need Authenticode from:
http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp

Here's the plan:

Get all your users to import your CA public key into IE if they have not already done so. This is more or less a prerequisite unless you trust your users to blindly click yes on security warnings (most will anyway).

Create an ActiveX control in VB using CAPICOM which inserts the appropriate certificates in the appropriate stores. Some good examples are included in the package. This part is left as an exercise to the reader ;-)

Sign the CAB file of your ActiveX with signcode.exe included in the Authenticode package. To do this you need to issue a code signing cert to yourself with all purposes. Don't bother with the esoteric signcode command line options, just run the exe to get a nice GUI. The timestamp URL is http://timestamp.verisign.com/scripts/timstamp.dll (yes, that is timstamp and not a typo).

You need to sign the ActiveX, otherwise IE will bluntly refuse to run it. Signed controls will give a security warning on which your users will have to click yes. If they have your CA cert in their root cert store, they will see a nice and familiar security dialog with your CN and optional URL. If not, they will see a slightly uglier version that says that it doesn't know your cert from Adam. Most of them will click yes without appreciating the finer subtleties. This is how pr0n diallers make their money.

Have fun

Bart...

P.S. your server side code sounds intriguing. Any chance of posting it here?
-----Original Message-----
From: openssl [mailto:[EMAIL PROTECTED]
Sent: 29 August 2003 21:09
To: openssl-users
Subject: MSIE certificate installation

I know this is slightly off topic, but I seem to find better answers searching the openssl archives on stuff like this than I do the windows cryptoapi mailing list.

Is there a way to install a certificate and the private key on MSIE without having to go through the import wizard? Something similar to enroll.acceptpkcs7?

Specifically why I don't want to use the wizard is that I want to simplify the import process and not have the user prompted for things like whether to make the key exportable or whether to use strong protection. I would like to just have them prompted for the password and set the other parameters myself.

I realize this wouldn't be an issue if MSIE generated the private key and csr, but our PKI structure precludes us from being able to do it that way and we generate the private key and csr on the server side. For those curious why we do that, we need to be able to renew certificates using the same private key which can be a major PITA on windows, plus it's a lot easier to make the whole process work every single time across different browser types if we handle it all on the server side.

Chris

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]