Does Internet Explorer Support Smart Card?

2003-04-03 Thread Mark Liu
I am working on a CA project, in which I have Internet
Explorer generate the RSA
public/private key pair and send it to the CA for a
client certificate.

This way, the private key stays somewhere with the
local computer.  And thus I assume that the
certificate is confined to this computer.  Well, I
know that we can export it (including the
private key) to a file called *.pfx, transfer it to
another computer and import it.  But I
don't like this.

Thus I am wondering if we can use smart card to do
this.  Can you guys tell me if Internet
Explorer supports smart card?

Suppose we visit a site which requires client
authentication, IE will bring up a pop-up window
and present us a list of valid certs for us to choose
from.

Now if I store my personal private key and certificate
in a smart card, will IE be able to
read such information for me to choose from?

Thanks.

__
Do you Yahoo!?
Yahoo! Tax Center - File online, calculators, forms, and more
http://tax.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Windows does not have enough information to verify this certificate

2003-03-14 Thread Mark Liu
When we view a certificate issued by some CA, windows
may tell us this:

Windows does not have enough information to verify
this certificate.

What does this mean?  Does it mean that I have not
installed the CA cert as a trusted root CA?



Problem running Tomcat SSL with my CA-generated certificate

2003-03-13 Thread Mark Liu
I am sorry if I should not have posted this message in
this list.

But I've been trying in both tomcat-user and
tomcat-dev, nobody has a clue.  Therefore, I wanna try
my luck here.

I use Tomcat 4.1.12 under Windows 2000.

I know how to run Tomcat in SSL mode by generating a
self-signed cert using the keytool utility that comes
with the Java J2SDK.

But my project needs to run Tomcat SSL with the
certificate generated by my little Java program.  It
has not been successful.

Check the cert attached in this message (cert4ca.cer).
 It is generated by my little Java program.

The keytool-generated self-signed cert works perfect. 
I can access both https://localhost and
http://localhost.

To try the cert generated by my little Java program, I
deleted the tomcat cert in the keystore and imported
the above cert into the keystore as tomcat.

Then I can only access http://localhost, not
https://localhost.  And if I reverse to the
keytool-generated certificate, both http and https
work perfect again.  Obviously, it looks like it is
the problem of the cert generated by little Java
program.

But the thing is, the cert generated by my little Java
program is a valid one as you can see from the
attached cert.

Can you guys give me a hint?  I need to resolve this
badly.




cert4ca.cer
Description: cert4ca.cer


Re: Importing PKCS7 Certificate Into Internet Explorer

2003-02-27 Thread Mark Liu
OK, this is something important to know.

So, are you simply assigning the PEM-encoded cert to
pkcs7 in the following statement?  In other words,
nothing is really done to pkcs7ChainBase64 before it
is assigned to pkcs7, right?

pkcs7 = result.header.pkcs7ChainBase64 

And, the following line:

pkcsa7 =< wherever or however you get your cert >

also seems to mean that the PEM-encoded cert does not
have to be put in the HTTP response header, right?

Mark.

--- [EMAIL PROTECTED] wrote:
> Right 
> pkcs7 = result.header.pkcs7ChainBase64 
> is all native to our installation and how we get the
> cert back from the CA
>  
> so you should have
> 
> pkcsa7 =< wherever or however you get your cert  >
> 
> 
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/27/03 09:25 AM
> Please respond to openssl-users
> 
>  
> To: [EMAIL PROTECTED]
> cc: 
> Subject:Re: Importing PKCS7
> Certificate Into Internet Explorer
> 
> 
> Thanks a lot, Mark,
> 
> I actually read that MSDN description of acceptPKCS7
> function, which does not say what "result" is.
> 
> Do you mean that "result" is actually a reserved key
> word in VBScript that refers to an HTTP response?
> 
> In other words, "result" is not the name of a hidden
> HTML form?
> 
> Thanks.
> 
> Mark
> 
> --- [EMAIL PROTECTED] wrote:
> > - Forwarded by Mark Shoneman/DLX Guest on
> > 02/27/03 06:36 AM -
> > 
> > 
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/26/03 06:07 PM
> > Please respond to openssl-users
> > 
> > 
> > To: [EMAIL PROTECTED]
> > cc: 
> > Subject:Importing PKCS7
> Certificate
> > Into Internet Explorer
> > 
> > 
> > Mr. Mark Shoneman gave a fragment of VBScript code
> > to
> > import a PKCS7 certificate into Internet Explorer.
> > 
> > The code is pasted below.
> > 
> > I am very dumb at VBScript, and have difficulty
> > understanding line 5, i.e., 
> > 
> > pkcs7 = result.header.pkcs7ChainBase64 
> > 
> > Question 1:  What object is the "result"? 
> > 
> > See below
> > 
> > Question 2:  Does this line suggest that the PEM
> > certificate is returned to the client in the HTTP
> > response header?
> > 
> > You bet
> > 
> > Question 3:  What is pkcs7ChainBase64?
> > 
> > What I call the PEM certificate returned from the
> CA
> > 
> > The acceptPKCS7 method accepts and processes a
> PKCS
> > #7 message containing a certificate. 
> > The PKCS #7 is input as a parameter. This method
> was
> > first defined in the ICEnroll interface.
> > HRESULT acceptPKCS7(
> >   BSTR PKCS7
> > );
> > Parameters
> > PKCS7 
> > [in] Represents the base64-encoded PKCS #7
> > containing the certificate and 
> > the chain of certificates identifying the issuer. 
> > Return Values
> > The return value is an HRESULT. A value of S_OK
> > indicates success. Upon successful completion of
> > this 
> > function, the PKCS7 will be accepted. 
> > Remarks
> > The PKCS #7 input as a parameter for acceptPKCS7
> > contains the request certificate and the chain of
> > certificates 
> > identifying the issuer of the certificate.
> > Typically, but not always, the 
> > chain of certificates does not include the root.
> The
> > PKCS #7 can be in 
> > base64-encoded, binary, or X.509 certificate
> format
> > (with or without the begin cert / end cert tags).
> > The certificate and the associated keys generated
> > for it are put in the 
> > MY store. A root certificate is placed in the ROOT
> > store and the rest of the chain of certificates
> are 
> > placed in the certification authority (CA) store.
> If
> > any ROOT certificates found in the PKCS #7 are
> > accepted, 
> > Crypt32 will notify the user that a ROOT
> certificate
> > is being added to his 
> > store. The user has the option of declining the
> ROOT
> > certificate. This 
> > option is provided so that the user can decline to
> > place an untrusted root 
> > in the ROOT store. Declining to place the ROOT in
> > the ROOT store will not 
> > cause Certificate Enrollment Control to fail
> > acceptance.
> > By default, the system stores MY, CA, ROOT, and
> > REQUEST are used to store 
> > the certificates. However, you can specify other
> > stores by assigning the 
> > following prope

Re: Importing PKCS7 Certificate Into Internet Explorer

2003-02-27 Thread Mark Liu
Thanks a lot, Mark,

I actually read that MSDN description of acceptPKCS7
function, which does not say what "result" is.

Do you mean that "result" is actually a reserved key
word in VBScript that refers to an HTTP response?

In other words, "result" is not the name of a hidden
HTML form?

Thanks.

Mark

--- [EMAIL PROTECTED] wrote:
> - Forwarded by Mark Shoneman/DLX Guest on
> 02/27/03 06:36 AM -
> 
> 
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/26/03 06:07 PM
> Please respond to openssl-users
> 
>  
> To: [EMAIL PROTECTED]
> cc: 
> Subject:Importing PKCS7 Certificate
> Into Internet Explorer
> 
> 
> Mr. Mark Shoneman gave a fragment of VBScript code
> to
> import a PKCS7 certificate into Internet Explorer.
> 
> The code is pasted below.
> 
> I am very dumb at VBScript, and have difficulty
> understanding line 5, i.e., 
> 
> pkcs7 = result.header.pkcs7ChainBase64 
> 
> Question 1:  What object is the "result"? 
> 
> See below
> 
> Question 2:  Does this line suggest that the PEM
> certificate is returned to the client in the HTTP
> response header?
> 
> You bet
> 
> Question 3:  What is pkcs7ChainBase64?
> 
> What I call the PEM certificate returned from the CA
> 
> The acceptPKCS7 method accepts and processes a PKCS
> #7 message containing a certificate. 
> The PKCS #7 is input as a parameter. This method was
> first defined in the ICEnroll interface.
> HRESULT acceptPKCS7(
>   BSTR PKCS7
> );
> Parameters
> PKCS7 
> [in] Represents the base64-encoded PKCS #7
> containing the certificate and 
> the chain of certificates identifying the issuer. 
> Return Values
> The return value is an HRESULT. A value of S_OK
> indicates success. Upon successful completion of
> this 
> function, the PKCS7 will be accepted. 
> Remarks
> The PKCS #7 input as a parameter for acceptPKCS7
> contains the request certificate and the chain of
> certificates 
> identifying the issuer of the certificate.
> Typically, but not always, the 
> chain of certificates does not include the root. The
> PKCS #7 can be in 
> base64-encoded, binary, or X.509 certificate format
> (with or without the begin cert / end cert tags).
> The certificate and the associated keys generated
> for it are put in the 
> MY store. A root certificate is placed in the ROOT
> store and the rest of the chain of certificates are 
> placed in the certification authority (CA) store. If
> any ROOT certificates found in the PKCS #7 are
> accepted, 
> Crypt32 will notify the user that a ROOT certificate
> is being added to his 
> store. The user has the option of declining the ROOT
> certificate. This 
> option is provided so that the user can decline to
> place an untrusted root 
> in the ROOT store. Declining to place the ROOT in
> the ROOT store will not 
> cause Certificate Enrollment Control to fail
> acceptance.
> By default, the system stores MY, CA, ROOT, and
> REQUEST are used to store 
> the certificates. However, you can specify other
> stores by assigning the 
> following properties before calling this method:
> 
> 
> Please kindly educate me.  Thanks a lot.
> 
> 
> 
> 1.  Sub ImportCertificate
>
> 2.     Dim pkcs7
>
> 3.     On Error Resume Next
>
> 4.     'Convert the PEM cert to PKCS7 format
> 5.     pkcs7 = result.header.pkcs7ChainBase64
> 6.     If (IsEmpty(pkcs7) OR theError <> 0) Then
> 7.        ret = MsgBox("Could not convert certificate to PKCS7 format", 0, "Import Cert")
> 8.        Exit Sub
> 9.     End If
>
> 10.    'Import the PKCS7 object
> 11.    Enroll.DeleteRequestCert = FALSE
> 12.    Enroll.WriteCertToCSP = true
> 13.    Enroll.acceptPKCS7(pkcs7)
> 14.    if err.number <> 0 then
> 15.       Enroll.WriteCertToCSP = false
> 16.    end if
> 17.    err.clear
> 18.    Enroll.acceptPKCS7(pkcs7)
> 19.    if err.number = 0 then
> 20.       MsgBox "Certificate has been successfully imported.",0,"Certificate Success"
> 21.    else
> 22.       sz = "Error in acceptPKCS7. Error Number " & Hex(err.number) & "occurred."
> 23.       MsgBox sz
> 24.    end if
>
> 25.    Exit Sub
>
> 26. End Sub
>
> 27. ImportCertificate()
> 
> 
> 
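
The reply quoted above calls pkcs7ChainBase64 "the PEM certificate returned from the CA", while the quoted acceptPKCS7 documentation expects a base64 PKCS #7 holding the certificate and its issuer chain. As an added example (not code from this thread or from either poster's CA), this shell script uses the openssl command line to build such a string from a throwaway CA and client certificate constructed on the spot; all file names, subject names and function names are assumptions.

```shell
#!/bin/sh
# Added example: produce the base64 "certs-only" PKCS #7 a CA could return for
# acceptPKCS7, then inspect what it contains. All keys/certs are constructed here.

# make_chain_p7b DIR: create a constructed root CA and client cert in DIR and
# write DIR/chain.p7b, a PEM-armoured PKCS #7 holding both certificates.
make_chain_p7b() {
    dir=$1
    # Constructed self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Constructed client key and PKCS #10 request (the part Xenroll does in IE).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=foo" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    # The CA signs the request.
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -set_serial 1 -days 1 \
        -out "$dir/client.pem" 2>/dev/null || return 1
    # Wrap the issued cert plus its issuer into a PKCS #7 with no CRL and no
    # signed content: just a certificate bag.
    openssl crl2pkcs7 -nocrl -certfile "$dir/client.pem" \
        -certfile "$dir/ca.pem" -out "$dir/chain.p7b" || return 1
}

# p7b_to_bare_base64 FILE: drop the BEGIN/END lines and line breaks, leaving
# one base64 string of the kind a page script assigns to its pkcs7 variable.
p7b_to_bare_base64() {
    grep -v '^-----' "$1" | tr -d '\r\n'
}

# rearmour B64: put the PEM header/footer and 64-column wrapping back so the
# openssl tool can parse the bare string again.
rearmour() {
    echo '-----BEGIN PKCS7-----'
    printf '%s\n' "$1" | fold -w 64
    echo '-----END PKCS7-----'
}

# count_certs B64: number of certificates carried in the PKCS #7.
count_certs() {
    rearmour "$1" | openssl pkcs7 -print_certs | grep -c '^subject='
}

# count_self_signed B64: certificates whose subject equals their issuer,
# i.e. the roots that would be offered to the ROOT store on import.
count_self_signed() {
    rearmour "$1" | openssl pkcs7 -print_certs | awk '
        /^subject=/ { s = substr($0, 9) }
        /^issuer=/  { if (substr($0, 8) == s) n++ }
        END         { print n + 0 }'
}

# Demonstration run on constructed data.
tmp=$(mktemp -d)
if make_chain_p7b "$tmp"; then
    b64=$(p7b_to_bare_base64 "$tmp/chain.p7b")
    echo "base64 length:        ${#b64}"
    echo "certificates inside:  $(count_certs "$b64")"
    echo "self-signed (roots):  $(count_self_signed "$b64")"
fi
rm -rf "$tmp"
```

Leaving out the second `-certfile` gives a bundle without the root, which matches the quoted remark that the chain typically does not include the root and avoids the ROOT-store prompt on the client.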

Importing PKCS7 Certificate Into Internet Explorer

2003-02-26 Thread Mark Liu
Mr. Mark Shoneman gave a fragment of VBScript code to
import a PKCS7 certificate into Internet Explorer.

The code is pasted below.

I am very dumb at VBScript, and have difficulty
understanding line 5, i.e., 

pkcs7 = result.header.pkcs7ChainBase64 

Question 1:  What object is the "result"?

Question 2:  Does this line suggest that the PEM
certificate is returned to the client in the HTTP
response header?

Question 3:  What is pkcs7ChainBase64?

Please kindly educate me.  Thanks a lot.



1.  Sub ImportCertificate

2.     Dim pkcs7

3.     On Error Resume Next

4.     'Convert the PEM cert to PKCS7 format
5.     pkcs7 = result.header.pkcs7ChainBase64
6.     If (IsEmpty(pkcs7) OR theError <> 0) Then
7.        ret = MsgBox("Could not convert certificate to PKCS7 format", 0, "Import Cert")
8.        Exit Sub
9.     End If

10.    'Import the PKCS7 object
11.    Enroll.DeleteRequestCert = FALSE
12.    Enroll.WriteCertToCSP = true
13.    Enroll.acceptPKCS7(pkcs7)
14.    if err.number <> 0 then
15.       Enroll.WriteCertToCSP = false
16.    end if
17.    err.clear
18.    Enroll.acceptPKCS7(pkcs7)
19.    if err.number = 0 then
20.       MsgBox "Certificate has been successfully imported.",0,"Certificate Success"
21.    else
22.       sz = "Error in acceptPKCS7. Error Number " & Hex(err.number) & "occurred."
23.       MsgBox sz
24.    end if

25.    Exit Sub

26. End Sub

27. ImportCertificate()





Mark, the new classid works now. Your version has an error.

2003-02-03 Thread Mark Liu
The following works for the new clsid after I
installed the patch.  See my comment in the code.


>
   

Thank you very much and have a nice day!

The other Mark


--- [EMAIL PROTECTED] wrote:
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;323172
> for all 
> versions
> 
> 
> 
> 
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 03:54 PM
> Please respond to openssl-users
> 
>  
> To: [EMAIL PROTECTED]
> cc: 
> Subject:Re: Does this mean that I
> don't have any Cryptographic Service Provider in 
> my system?
> 
> 
> No, that one is for Windows NT 4.0, mine is Windows
> 2000 Professional.  It refuses to install.
> 
> 
> --- [EMAIL PROTECTED] wrote:
> > Okay There is a patch that will do all this for
> you.
> > Microsoft KB Q323172. 
> > When you apply this it does the xenroll.dll
> install
> > and registry changes 
> > for you.
> > The registry has to match the actual DLL on your
> > box. Also our CA is on 
> > Unix and for the CA registration part that DLL has
> > to match what's on the 
> > enrolling
> > clients box. Check on your enrollment box and
> you'll
> > see the xenroll.dll, 
> > This has to be the same as the client DLL
> > 
> >
> Mark
> > S
> > 
> > 
> > 
> > 
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/03/03 02:09 PM
> > Please respond to openssl-users
> > 
> > 
> > To: [EMAIL PROTECTED]
> > cc: 
> > Subject:Re: Does this mean that I
> > don't have any Cryptographic Service Provider in 
> > my system?
> > 
> > 
> > Mark, thanks.
> > 
> > Yes, I checked HKEY_CLASSES_ROOT, under which I
> had
> > only CEnroll.CEnroll\CurVer and
> > CEnroll.CEnroll.1\CLSID.
> > 
> > The value of CEnroll.CEnroll.1\CLSID is
> > {43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old
> one.
> > 
> > The value of CEnroll.CEnroll\CurVer is
> > CEnroll.CEnroll.1.
> > 
> > Then I manually added a new key at
> > CEnroll.CEnroll\CEnroll.CEnroll.2, under which I
> > added
> > CLSID and assigned the new value
> > {127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.
> > 
> > Now I changed the value of CurVer to
> > CEnroll.CEnroll.2.  Then I restarted my Win2K,
> > launched my tomcat, tried the new clsid with my
> HTML
> > page.
> > 
> > It did not work.  Probably this is not the right
> way
> > to have my system work for the new clsid?
> > 
> > What do you think, Mark?
> > 
> > The other Mark
> 
> 



Sorry, I meant both the new and old clsid stopped working.

2003-02-03 Thread Mark Liu
sorry for the confusion.


--- [EMAIL PROTECTED] wrote:
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;323172
> for all 
> versions
> 
> 
> 
> 
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 03:54 PM
> Please respond to openssl-users
> 
>  
> To: [EMAIL PROTECTED]
> cc: 
> Subject:Re: Does this mean that I
> don't have any Cryptographic Service Provider in 
> my system?
> 
> 
> No, that one is for Windows NT 4.0, mine is Windows
> 2000 Professional.  It refuses to install.
> 
> 
> --- [EMAIL PROTECTED] wrote:
> > Okay There is a patch that will do all this for
> you.
> > Microsoft KB Q323172. 
> > When you apply this it does the xenroll.dll
> install
> > and registry changes 
> > for you.
> > The registry has to match the actual DLL on your
> > box. Also our CA is on 
> > Unix and for the CA registration part that DLL has
> > to match what's on the 
> > enrolling
> > clients box. Check on your enrollment box and
> you'll
> > see the xenroll.dll, 
> > This has to be the same as the client DLL
> > 
> >
> Mark
> > S
> > 
> > 
> > 
> > 
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/03/03 02:09 PM
> > Please respond to openssl-users
> > 
> > 
> > To: [EMAIL PROTECTED]
> > cc: 
> > Subject:Re: Does this mean that I
> > don't have any Cryptographic Service Provider in 
> > my system?
> > 
> > 
> > Mark, thanks.
> > 
> > Yes, I checked HKEY_CLASSES_ROOT, under which I
> had
> > only CEnroll.CEnroll\CurVer and
> > CEnroll.CEnroll.1\CLSID.
> > 
> > The value of CEnroll.CEnroll.1\CLSID is
> > {43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old
> one.
> > 
> > The value of CEnroll.CEnroll\CurVer is
> > CEnroll.CEnroll.1.
> > 
> > Then I manually added a new key at
> > CEnroll.CEnroll\CEnroll.CEnroll.2, under which I
> > added
> > CLSID and assigned the new value
> > {127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.
> > 
> > Now I changed the value of CurVer to
> > CEnroll.CEnroll.2.  Then I restarted my Win2K,
> > launched my tomcat, tried the new clsid with my
> HTML
> > page.
> > 
> > It did not work.  Probably this is not the right
> way
> > to have my system work for the new clsid?
> > 
> > What do you think, Mark?
> > 
> > The other Mark
> 
> 



Re: Does this mean that I don't have any Cryptographic Service Provider in my system?

2003-02-03 Thread Mark Liu
Mark,

Thanks a lot.

I downloaded q323172_W2K_SP4_X86_EN.exe from 
http://www.microsoft.com/windows2000/downloads/critical/q323172/default.asp

and installed it, restarted my Win2K, then neither the
new clsid or the old one stopped working.

I removed the patch.  Then the old one starts working
as usual.  The new one still does not work.

Kinda funny, huh?

Mark

--- [EMAIL PROTECTED] wrote:
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;323172
> for all 
> versions
> 
> 
> 
> 
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 03:54 PM
> Please respond to openssl-users
> 
>  
> To: [EMAIL PROTECTED]
> cc: 
> Subject:Re: Does this mean that I
> don't have any Cryptographic Service Provider in 
> my system?
> 
> 
> No, that one is for Windows NT 4.0, mine is Windows
> 2000 Professional.  It refuses to install.
> 
> 
> --- [EMAIL PROTECTED] wrote:
> > Okay There is a patch that will do all this for
> you.
> > Microsoft KB Q323172. 
> > When you apply this it does the xenroll.dll
> install
> > and registry changes 
> > for you.
> > The registry has to match the actual DLL on your
> > box. Also our CA is on 
> > Unix and for the CA registration part that DLL has
> > to match what's on the 
> > enrolling
> > clients box. Check on your enrollment box and
> you'll
> > see the xenroll.dll, 
> > This has to be the same as the client DLL
> > 
> >
> Mark
> > S
> > 
> > 
> > 
> > 
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/03/03 02:09 PM
> > Please respond to openssl-users
> > 
> > 
> > To: [EMAIL PROTECTED]
> > cc: 
> > Subject:Re: Does this mean that I
> > don't have any Cryptographic Service Provider in 
> > my system?
> > 
> > 
> > Mark, thanks.
> > 
> > Yes, I checked HKEY_CLASSES_ROOT, under which I
> had
> > only CEnroll.CEnroll\CurVer and
> > CEnroll.CEnroll.1\CLSID.
> > 
> > The value of CEnroll.CEnroll.1\CLSID is
> > {43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old
> one.
> > 
> > The value of CEnroll.CEnroll\CurVer is
> > CEnroll.CEnroll.1.
> > 
> > Then I manually added a new key at
> > CEnroll.CEnroll\CEnroll.CEnroll.2, under which I
> > added
> > CLSID and assigned the new value
> > {127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.
> > 
> > Now I changed the value of CurVer to
> > CEnroll.CEnroll.2.  Then I restarted my Win2K,
> > launched my tomcat, tried the new clsid with my
> HTML
> > page.
> > 
> > It did not work.  Probably this is not the right
> way
> > to have my system work for the new clsid?
> > 
> > What do you think, Mark?
> > 
> > The other Mark
> 
> 



Re: Does this mean that I don't have any Cryptographic Service Provider in my system?

2003-02-03 Thread Mark Liu
No, that one is for Windows NT 4.0, mine is Windows
2000 Professional.  It refuses to install.


--- [EMAIL PROTECTED] wrote:
> Okay There is a patch that will do all this for you.
> Microsoft KB Q323172. 
> When you apply this it does the xenroll.dll install
> and registry changes 
> for you.
> The registry has to match the actual DLL on your
> box. Also our CA is on 
> Unix and for the CA registration part that DLL has
> to match what's on the 
> enrolling
> clients box. Check on your enrollment box and you'll
> see the xenroll.dll, 
> This has to be the same as the client DLL
> 
>     Mark
> S
> 
> 
> 
> 
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 02:09 PM
> Please respond to openssl-users
> 
>  
> To: [EMAIL PROTECTED]
> cc: 
> Subject:Re: Does this mean that I
> don't have any Cryptographic Service Provider in 
> my system?
> 
> 
> Mark, thanks.
> 
> Yes, I checked HKEY_CLASSES_ROOT, under which I had
> only CEnroll.CEnroll\CurVer and
> CEnroll.CEnroll.1\CLSID.
> 
> The value of CEnroll.CEnroll.1\CLSID is
> {43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old one.
> 
> The value of CEnroll.CEnroll\CurVer is
> CEnroll.CEnroll.1.
> 
> Then I manually added a new key at
> CEnroll.CEnroll\CEnroll.CEnroll.2, under which I
> added
> CLSID and assigned the new value
> {127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.
> 
> Now I changed the value of CurVer to
> CEnroll.CEnroll.2.  Then I restarted my Win2K,
> launched my tomcat, tried the new clsid with my HTML
> page.
> 
> It did not work.  Probably this is not the right way
> to have my system work for the new clsid?
> 
> What do you think, Mark?
> 
> The other Mark





Re: Does this mean that I don't have any Cryptographic Service Provider in my system?

2003-02-03 Thread Mark Liu
Mark, thanks.

Yes, I checked HKEY_CLASSES_ROOT, under which I had
only CEnroll.CEnroll\CurVer and
CEnroll.CEnroll.1\CLSID.

The value of CEnroll.CEnroll.1\CLSID is
{43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old one.

The value of CEnroll.CEnroll\CurVer is
CEnroll.CEnroll.1.

Then I manually added a new key at
CEnroll.CEnroll\CEnroll.CEnroll.2, under which I added
CLSID and assigned the new value
{127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.

Now I changed the value of CurVer to
CEnroll.CEnroll.2.  Then I restarted my Win2K,
launched my tomcat, tried the new clsid with my HTML
page.

It did not work.  Probably this is not the right way
to have my system work for the new clsid?

What do you think, Mark?

The other Mark

--- [EMAIL PROTECTED] wrote:
> In the registry under HKEY_CLASSES_ROOT there are
> three keys 
> CEnroll.CEnroll, CEnroll.CEnroll.1 CEnroll.CEnroll.2
> that tell the story 
> 
> 
> 
> 
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 01:02 PM
> Please respond to openssl-users
> 
>  
> To: [EMAIL PROTECTED]
> cc: 
> Subject:Re: Does this mean that I
> don't have any Cryptographic Service Provider in 
> my system?
> 
> 
> Mark,
> 
> Thanks a lot for your reply.  And it seems that this
> is the problem.
> 
> But interestingly, the new one does not work for my
> Win2K box in my lab.  That is, if I use the new one
> you offered, it won't give me a whole list of
> Cryptographic Service Providers, just like what
> happened to my Win2K box at home.  The old one works
> in my lab, but does not work at my home.  I'll see
> if
> the new one works for my home Win2K box when I get
> home.
> 
> I use IE 6.0 for the Win2K boxes both at my home and
> at my lab in school.
> 
> I am curious, what stuff in the Win2K operating
> system
> determines the version of the classid I need to use
> for my application?
> 
> Thanks.
> 
> The other Mark
> 
> --- [EMAIL PROTECTED] wrote:
> > Yes but it also may mean you have the wrong
> > xenroll.dll. In your script 
> > you probably have something like
> > 
> > 
> >  > 
> >
> classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
> > CODEBASE="/xenroll.dll"
> > id=Enroll>
> > 
> > 
> > which is the old dll you may need to change to 
> > 
> > 
> >  > 
> >
> classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
> > 
> > CODEBASE="/xenroll.dll" 
> > id=Enroll> 
> >  
> > which is the new one
> > 
> > 
> > 
> > 
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/02/03 02:49 PM
> > Please respond to openssl-users
> > 
> > 
> > To: [EMAIL PROTECTED]
> > cc: 
> > Subject:Does this mean that I
> don't
> > have any Cryptographic Service Provider in my 
> > system?
> > 
> > 
> > I am working on an X509 public key certificate
> > authentication project.
> > 
> > I have an HTML file called apply_ie.html in my web
> > application.
> > 
> > When I tested this page on a Win2k box with
> > tomcat4.1
> > in my lab at school, it works great.  The
> drop-down
> > menu gives me a list of dozens of Cryptographic
> > Service Providers.
> > 
> > But when I try the same file on my Win2k box with
> > tomcat4.1 at home, The drop-down menu shows no
> list
> > of
> > Cryptographic Service Providers.  And when I click
> > "OK" to submit, I get a pop-up window which says:
> > 
> > Line 80: object does not support this attribute or
> > method: 'encoder.HashAlgorithm'
> > 
> > I checked line 80 of the file apply_ie.html which
> > contains vbscript, and saw it is this line:
> >   encoder.HashAlgorithm = "MD5"
> > 
> > Does this mean that I don't have any Cryptographic
> > Service Providers installed on my Win2K box at
> home?
> > 
> > But wait, before I tried this page with Tomcat, I
> > did
> > install Encpack_Win2000Admin_EN.exe, a
> cryptographic
> > packet I downloaded from Microsoft, and restart my
> > system.
> > 
> > So, what's the problem?  Any hint please?
> > 
> > Here is source of apply_ie.html, which is a slight
> > modification of Tomas' EJBCA apply_exp.jsp
> > 
> > *** beginning of apply_ie.html ***
> > 
> > 
> > 
> > IE Certificate Request
> > 
> &

Re: Does this mean that I don't have any Cryptographic Service Provider in my system?

2003-02-03 Thread Mark Liu
Mark,

Thanks a lot for your reply.  And it seems that this
is the problem.

But interestingly, the new one does not work for my
Win2K box in my lab.  That is, if I use the new one
you offered, it won't give me a whole list of
Cryptographic Service Providers, just like what
happened to my Win2K box at home.  The old one works
in my lab, but does not work at my home.  I'll see if
the new one works for my home Win2K box when I get
home.

I use IE 6.0 for the Win2K boxes both at my home and
at my lab in school.

I am curious, what stuff in the Win2K operating system
determines the version of the classid I need to use
for my application?

Thanks.

The other Mark

--- [EMAIL PROTECTED] wrote:
> Yes but it also may mean you have the wrong
> xenroll.dll. In your script 
> you probably have something like
> 
> 
> 
> classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
> CODEBASE="/xenroll.dll"
> id=Enroll>
> 
> 
> which is the old dll you may need to change to 
> 
> 
> 
> classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
> 
> CODEBASE="/xenroll.dll" 
> id=Enroll> 
>  
> which is the new one
> 
> 
> 
> 
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/02/03 02:49 PM
> Please respond to openssl-users
> 
>  
> To: [EMAIL PROTECTED]
> cc: 
> Subject:Does this mean that I don't
> have any Cryptographic Service Provider in my 
> system?
> 
> 
> I am working on an X509 public key certificate
> authentication project.
> 
> I have an HTML file called apply_ie.html in my web
> application.
> 
> When I tested this page on a Win2k box with
> tomcat4.1
> in my lab at school, it works great.  The drop-down
> menu gives me a list of dozens of Cryptographic
> Service Providers.
> 
> But when I try the same file on my Win2k box with
> tomcat4.1 at home, The drop-down menu shows no list
> of
> Cryptographic Service Providers.  And when I click
> "OK" to submit, I get a pop-up window which says:
> 
> Line 80: object does not support this attribute or
> method: 'encoder.HashAlgorithm'
> 
> I checked line 80 of the file apply_ie.html which
> contains vbscript, and saw it is this line:
>   encoder.HashAlgorithm = "MD5"
> 
> Does this mean that I don't have any Cryptographic
> Service Providers installed on my Win2K box at home?
> 
> But wait, before I tried this page with Tomcat, I
> did
> install Encpack_Win2000Admin_EN.exe, a cryptographic
> packet I downloaded from Microsoft, and restart my
> system.
> 
> So, what's the problem?  Any hint please?
> 
> Here is source of apply_ie.html, which is a slight
> modification of Tomas' EJBCA apply_exp.jsp
> 
> *** beginning of apply_ie.html ***
> 
> 
> 
> IE Certificate Request
> 
>
> classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
>id="encoder">
>  
> 
> <!--
>    Function GetProviderList()
> 
>       Dim CspList, cspIndex, ProviderName
>       On Error Resume Next
> 
>       count = 0
>       base = 0
>       enhanced = 0
>       CspList = ""
>       ProviderName = ""
> 
>       ' Walk every provider type and list the CSPs registered for it
>       For ProvType = 0 to 13
>          cspIndex = 0
>          encoder.ProviderType = ProvType
>          ProviderName = encoder.enumProviders(cspIndex,0)
> 
>          while ProviderName <> ""
>             ' Add the provider to the CspProvider drop-down
>             Set oOption = document.createElement("OPTION")
>             oOption.text = ProviderName
>             oOption.value = ProvType
>             Document.CertReqForm.CspProvider.add(oOption)
>             if ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then
>                base = count
>             end if
>             if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
>                enhanced = count
>             end if
>             cspIndex = cspIndex + 1
>             ProviderName = ""
>             ProviderName = encoder.enumProviders(cspIndex,0)
>             count = count + 1
>          wend
>       Next
>       ' Preselect the base provider, or the enhanced one when it was found
>       Document.CertReqForm.CspProvider.selectedIndex = base
>       if enhanced then
>          Document.CertReqForm.CspProvider.selectedIndex = enhanced
>       end if
>    End Function
> -->
> 
> 
>  link="black" vlink="black" alink="black">
> 
> IE Certificate
> Request
> 
> 
> 
> Welcome to certificate enrollment. 
> 
> 
>  ACTION="/x509/servlet/CertReq"
> ENCTYPE=x-www-form-encoded METHOD=POST>
>  Please give your name and email, then click OK to
> submit your request.
> 
> Name:  name=clientname
> value="foo">
> Email:  name=clientemail value="[EMAIL PROTECTED]">
> 
> Please choose the CSP you wish to use from the
> list below (the default is probably good):
> 

RE: Does the Web server have to run SSL in order to do certificates?

2003-01-27 Thread Mark Liu
Thanks a lot, but what about my 2nd question, which I repeat here:
I know there is a big problem with this sample code, because this code does not specify to which servlet the PKCS#10 request should be submitted. I want to specify it, but I have no clue where and how to do this.
Please continue to educate.  Thanks.
Mark
"Shalkebaev,AntonMSCAG" <[EMAIL PROTECTED]> wrote:

You don't need to run SSL for your For your IE you should adjust settings to permit run ActiveX.

Anton

-----Original Message-----
From: Mark Liu [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 08:56
To: [EMAIL PROTECTED]
Subject: Does the Web server have to run SSL in order to do certificates?

I am working on an X509 public key certificate authentication project using Java technology.

The client applies for a certificate from the Web interface of the CA. Currently, I only want to consider Internet Explorer.

Question 1:

I run Tomcat 4.1.18 under my win2k box as the CA Web server. Do I have to run it in SSL mode in order to handle clients' certificate request?

I got a sample vbscript code for certificate enrollment from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/request_sample_in_vbscript.asp, which I paste in the following:

*** beginning of the sample code *

classid=""codebase="" id=Enroll >
classid=""codebase="" id=Request >
Certificate Enrollment Control Request Sample

*** end of the sample code

I saved this code as certreq.html under my web application folder.

When I visit this page with IE, I get a VBscript pop-up dialog box, which reads:

Creating PKCS #10 CN=UserName, OU=UserUnit, O=UserOrg,L=UserCity, S=WA,C=US

I click OK, then I get another VBscript pop-up dialog box, which reads:

Submitting request
IICdTCCAh8CAQAwldfasldk8425lkasdfasdfADSFASDa/sdfoiujaASDFkj9/asldfkadfr98SADkjla0ASDF09rASdfjasdlfkjASDFadfoiujlerASDFadfloiwerLKJalkjafoiWERo0lkj934lkasfDlkj
[snip]

It is just a mess of codes.

If I click OK, I get a warning pop-up window, which reads:

! An ActiveX Control on this page is not safe.
Your current security settings prohibit running unsafe controls on this page.
As a result, this page may not display as intended.

And if I click OK, I see another popup window, which reads:

Error in Request Submit 438

These are all I get with this certreq.html page.

I know there is a big problem with this sample code, because this code does not specify to which servlet the PKCS#10 request should be submitted. I want to specify it, but I have no clue where and how to do this.

Can you guys please help? Thanks a lot!

Does the Web server have to run SSL in order to do certificates?

2003-01-26 Thread Mark Liu
I am working on an X509 public key certificate
authentication project using Java technology.

The client applies for a certificate from the Web
interface of the CA.  Currently, I only want to
consider Internet Explorer.

Question 1:

I run Tomcat 4.1.18 under my win2k box as the CA Web
server.  Do I have to run it in SSL mode in order to
handle clients' certificate request?

I got a sample vbscript code for certificate
enrollment from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/request_sample_in_vbscript.asp
, which I paste in the following:

*** beginning of the sample code *

VBScript Certificate Enrollment Control Sample

Certificate Enrollment Control Request Sample

*** end of the sample code 

I saved this code as certreq.html under my web
application folder.

When I visit this page with IE, I get a VBscript
pop-up dialog box, which reads:

Creating PKCS #10 CN=UserName, OU=UserUnit,
O=UserOrg,L=UserCity, S=WA,C=US

I click OK, then I get another VBscript pop-up dialog
box, which reads:

Submitting request
IICdTCCAh8CAQAwldfasldk8425lkasdfasdfADSFASDa/sdfoiuj
aASDFkj9/asldfkadfr98SADkjla0ASDF09rASdfjasdlfkjASDFa
dfoiujlerASDFadfloiwerLKJalkjafoiWERo0lkj934lkasfDlkj
[snip]

It is just a mess of codes.

If I click OK, I get a warning pop-up window, which
reads:

! An ActiveX Control on this page is not safe.
Your current security settings prohibit running unsafe
controls on this page.
As a result, this page may not display as intended.

And if I click OK, I see another popup window, which
reads:

Error in Request Submit 438

These are all I get with this certreq.html page.

I know there is a big problem with this sample code,
because this code does not specify to which servlet
the PKCS#10 request should be submitted.  I want to
specify it, but I have no clue where and how to do
this.

Can you guys please help?  Thanks a lot!


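Added example, not part of the original posts: the block the second pop-up shows is a base64 PKCS#10 request, which carries the subject and the public key and is signed with the matching private key. The openssl commands below sketch the checks a CA could run on such a request before signing it; the key, file names and function names are constructed for the example, and the subject is the one from the first pop-up.

```shell
#!/bin/sh
# Added example: checks a CA could run on a submitted PKCS#10 request.
# The subject is the one from the pop-up quoted in the post; the key, file
# names and function names are constructed for this example.

# Stand-in for the browser: make a key pair and a PKCS#10 request in dir $1.
make_request() {
    openssl genrsa -out "$1/client.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/client.key" -out "$1/client.csr" \
        -subj "/C=US/ST=WA/L=UserCity/O=UserOrg/OU=UserUnit/CN=UserName" 2>/dev/null
}

# Proof of possession: the request must be signed by the private key matching
# the public key it carries. $2 is PEM (default) or DER. The message is matched
# rather than the exit status, which not every openssl release sets on failure.
csr_signature_ok() {
    openssl req -in "$1" -inform "${2:-PEM}" -noout -verify 2>&1 |
        grep -q "verify OK"
}

# Common name requested, for comparison with the form's name field.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Size of the public key in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Accept only a correctly signed request whose key has at least $2 bits.
csr_acceptable() {
    csr_signature_ok "$1" && [ "$(csr_key_bits "$1")" -ge "$2" ] 2>/dev/null
}

# Constructed negative case: write $1 as DER to $2 with its last signature
# byte changed, which is what a request altered in transit looks like.
tamper_request() {
    openssl req -in "$1" -outform DER -out "$2" || return 1
    size=$(wc -c < "$2")
    last=$(tail -c 1 "$2" | od -An -tu1 | tr -d ' \n')
    printf "\\$(printf '%03o' $(( (last + 1) % 256 )))" |
        dd of="$2" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
}
```

The private key never appears in client.csr, so the request itself discloses nothing secret; the signature check is what tells the CA the request was not altered and that the sender holds the key.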