Does Internet Explorer Support Smart Card?
I am working on a CA project, in which I have Internet Explorer generate the RSA public/private key pair and send it to the CA for a client certificate. This way, the private key stays somewhere with the local computer. And thus I assume that the certificate is confined to this computer.

Well, I know that we can export it (including the private key) to a file called *.pfx, transfer it to another computer and import it. But I don't like this. Thus I am wondering if we can use smart card to do this.

Can you guys tell me if Internet Explorer supports smart card? Suppose we visit a site which requires client authentication, IE will bring up a pop-up window and present us a list of valid certs for us to choose from. Now if I store my personal private key and certificate in a smart card, will IE be able to read such information for me to choose from?

Thanks.
Windows does not have enough information to verify this certificate
When we view a certificate issued by some CA, Windows may tell us this:

Windows does not have enough information to verify this certificate.

What does this mean? Does it mean that I have not installed the CA cert as a trusted root CA?
Problem running Tomcat SSL with my CA-generated certificate
I am sorry if I should not have posted this message in this list. But I've been trying in both tomcat-user and tomcat-dev, nobody has a clue. Therefore, I wanna try my luck here.

I use Tomcat 4.1.12 under Windows 2000. I know how to run Tomcat in SSL mode by generating a self-signed cert using the keytool utility that comes with the Java J2SDK. But my project needs to run Tomcat SSL with the certificate generated by my little Java program. It has not been successful.

Check the cert attached in this message (cert4ca.cer). It is generated by my little Java program.

The keytool-generated self-signed cert works perfect. I can access both https://localhost and http://localhost.

To try the cert generated by my little Java program, I deleted the tomcat cert in the keystore and imported the above cert into the keystore as tomcat. Then I can only access http://localhost, not https://localhost. And if I reverse to the keytool-generated certificate, both http and https work perfect again.

Obviously, it looks like it is the problem of the cert generated by little Java program. But the thing is, the cert generated by my little Java program is a valid one as you can see from the attached cert.

Can you guys give me a hint? I need to resolve this badly.

Attachment: cert4ca.cer
Re: Importing PKCS7 Certificate Into Internet Explorer
OK, this is something important to know. So, are you simply assigning the PEM-encoded cert to pkcs7 in the following statement? In other words, nothing is really done to pkcs7ChainBase64 before it is assigned to pkcs7, right?

pkcs7 = result.header.pkcs7ChainBase64

And, the following line:

pkcsa7 =< wherever or however you get your cert >

also seems to mean that the PEM-encoded cert does not have to be put in the HTTP response header, right?

Mark.

--- [EMAIL PROTECTED] wrote:
> Right
> pkcs7 = result.header.pkcs7ChainBase64
> is all native to our installation and how we get the cert back from the CA
>
> so you should have
>
> pkcsa7 =< wherever or however you get your cert >
>
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/27/03 09:25 AM
> Please respond to openssl-users
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Importing PKCS7 Certificate Into Internet Explorer
>
> Thanks a lot, Mark,
>
> I actually read that MSDN description of acceptPKCS7 function, which does not say what "result" is.
>
> Do you mean that "result" is actually a reserved key word in VBScript that refers to an HTTP response?
>
> In other words, "result" is not the name of a hidden HTML form?
>
> Thanks.
>
> Mark
>
> --- [EMAIL PROTECTED] wrote:
> > - Forwarded by Mark Shoneman/DLX Guest on 02/27/03 06:36 AM -
> >
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/26/03 06:07 PM
> > Please respond to openssl-users
> >
> > To: [EMAIL PROTECTED]
> > cc:
> > Subject: Importing PKCS7 Certificate Into Internet Explorer
> >
> > Mr. Mark Shoneman gave a fragment of VBScript code to import a PKCS7 certificate into Internet Explorer.
> >
> > The code is pasted below.
> >
> > I am very dumb at VBScript, and have difficulty understanding line 5, i.e.,
> >
> > pkcs7 = result.header.pkcs7ChainBase64
> >
> > Question 1: What object is the "result"?
> >
> > See below
> >
> > Question 2: Does this line suggest that the PEM certificate is returned to the client in the HTTP response header?
> >
> > You bet
> >
> > Question 3: What is pkcs7ChainBase64?
> >
> > What I call the PEM certificate returned from the CA
> >
> > The acceptPKCS7 method accepts and processes a PKCS #7 message containing a certificate. The PKCS #7 is input as a parameter. This method was first defined in the ICEnroll interface.
> >
> > HRESULT acceptPKCS7(
> >   BSTR PKCS7
> > );
> >
> > Parameters
> > PKCS7
> > [in] Represents the base64-encoded PKCS #7 containing the certificate and the chain of certificates identifying the issuer.
> >
> > Return Values
> > The return value is an HRESULT. A value of S_OK indicates success. Upon successful completion of this function, the PKCS7 will be accepted.
> >
> > Remarks
> > The PKCS #7 input as a parameter for acceptPKCS7 contains the request certificate and the chain of certificates identifying the issuer of the certificate. Typically, but not always, the chain of certificates does not include the root. The PKCS #7 can be in base64-encoded, binary, or X.509 certificate format (with or without the begin cert / end cert tags).
> >
> > The certificate and the associated keys generated for it are put in the MY store. A root certificate is placed in the ROOT store and the rest of the chain of certificates are placed in the certification authority (CA) store. If any ROOT certificates found in the PKCS #7 are accepted, Crypt32 will notify the user that a ROOT certificate is being added to his store. The user has the option of declining the ROOT certificate. This option is provided so that the user can decline to place an untrusted root in the ROOT store. Declining to place the ROOT in the ROOT store will not cause Certificate Enrollment Control to fail acceptance.
> >
> > By default, the system stores MY, CA, ROOT, and REQUEST are used to store the certificates. However, you can specify other stores by assigning the following prope
Re: Importing PKCS7 Certificate Into Internet Explorer
Thanks a lot, Mark,

I actually read that MSDN description of acceptPKCS7 function, which does not say what "result" is.

Do you mean that "result" is actually a reserved key word in VBScript that refers to an HTTP response?

In other words, "result" is not the name of a hidden HTML form?

Thanks.

Mark

--- [EMAIL PROTECTED] wrote:
> - Forwarded by Mark Shoneman/DLX Guest on 02/27/03 06:36 AM -
>
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/26/03 06:07 PM
> Please respond to openssl-users
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Importing PKCS7 Certificate Into Internet Explorer
>
> Mr. Mark Shoneman gave a fragment of VBScript code to import a PKCS7 certificate into Internet Explorer.
>
> The code is pasted below.
>
> I am very dumb at VBScript, and have difficulty understanding line 5, i.e.,
>
> pkcs7 = result.header.pkcs7ChainBase64
>
> Question 1: What object is the "result"?
>
> See below
>
> Question 2: Does this line suggest that the PEM certificate is returned to the client in the HTTP response header?
>
> You bet
>
> Question 3: What is pkcs7ChainBase64?
>
> What I call the PEM certificate returned from the CA
>
> The acceptPKCS7 method accepts and processes a PKCS #7 message containing a certificate. The PKCS #7 is input as a parameter. This method was first defined in the ICEnroll interface.
>
> HRESULT acceptPKCS7(
>   BSTR PKCS7
> );
>
> Parameters
> PKCS7
> [in] Represents the base64-encoded PKCS #7 containing the certificate and the chain of certificates identifying the issuer.
>
> Return Values
> The return value is an HRESULT. A value of S_OK indicates success. Upon successful completion of this function, the PKCS7 will be accepted.
>
> Remarks
> The PKCS #7 input as a parameter for acceptPKCS7 contains the request certificate and the chain of certificates identifying the issuer of the certificate. Typically, but not always, the chain of certificates does not include the root. The PKCS #7 can be in base64-encoded, binary, or X.509 certificate format (with or without the begin cert / end cert tags).
>
> The certificate and the associated keys generated for it are put in the MY store. A root certificate is placed in the ROOT store and the rest of the chain of certificates are placed in the certification authority (CA) store. If any ROOT certificates found in the PKCS #7 are accepted, Crypt32 will notify the user that a ROOT certificate is being added to his store. The user has the option of declining the ROOT certificate. This option is provided so that the user can decline to place an untrusted root in the ROOT store. Declining to place the ROOT in the ROOT store will not cause Certificate Enrollment Control to fail acceptance.
>
> By default, the system stores MY, CA, ROOT, and REQUEST are used to store the certificates. However, you can specify other stores by assigning the following properties before calling this method:
>
> Please kindly educate me. Thanks a lot.
>
> 1. Sub ImportCertificate
> 2. Dim pkcs7
> 3. On Error Resume Next
> 4.'Convert the PEM cert to PKCS7 format
> 5. pkcs7 = result.header.pkcs7ChainBase64
> 6. If (IsEmpty(pkcs7) OR theError <> 0) Then
> 7.ret = MsgBox("Could not convert certificate to PKCS7 format", 0, "Import Cert")
> 8.Exit Sub
> 9. End If
>
> 10. 'Import the PKCS7 object
> 11.Enroll.DeleteRequestCert = FALSE
> 12.Enroll.WriteCertToCSP = true
> 13.Enroll.acceptPKCS7(pkcs7)
> 14.if err.number <> 0 then
> 15. Enroll.WriteCertToCSP = false
> 16.end if
> 17.err.clear
> 18.Enroll.acceptPKCS7(pkcs7)
> 19.if err.number = 0 then
> 20. MsgBox "Certificate has been successfully imported.",0,"Certificate Success"
> 21.else
> 22. sz = "Error in acceptPKCS7. Error Number " & Hex(err.number) & "occurred."
> 23. MsgBox sz
> 24. end if
>
> 25. Exit Sub
>
> 26. End Sub
>
> 27. ImportCertificate()
Importing PKCS7 Certificate Into Internet Explorer
Mr. Mark Shoneman gave a fragment of VBScript code to import a PKCS7 certificate into Internet Explorer.

The code is pasted below.

I am very dumb at VBScript, and have difficulty understanding line 5, i.e.,

pkcs7 = result.header.pkcs7ChainBase64

Question 1: What object is the "result"?

Question 2: Does this line suggest that the PEM certificate is returned to the client in the HTTP response header?

Question 3: What is pkcs7ChainBase64?

Please kindly educate me. Thanks a lot.

1. Sub ImportCertificate
2. Dim pkcs7
3. On Error Resume Next
4.'Convert the PEM cert to PKCS7 format
5. pkcs7 = result.header.pkcs7ChainBase64
6. If (IsEmpty(pkcs7) OR theError <> 0) Then
7.ret = MsgBox("Could not convert certificate to PKCS7 format", 0, "Import Cert")
8.Exit Sub
9. End If

10. 'Import the PKCS7 object
11.Enroll.DeleteRequestCert = FALSE
12.Enroll.WriteCertToCSP = true
13.Enroll.acceptPKCS7(pkcs7)
14.if err.number <> 0 then
15. Enroll.WriteCertToCSP = false
16.end if
17.err.clear
18.Enroll.acceptPKCS7(pkcs7)
19.if err.number = 0 then
20. MsgBox "Certificate has been successfully imported.",0,"Certificate Success"
21.else
22. sz = "Error in acceptPKCS7. Error Number " & Hex(err.number) & "occurred."
23. MsgBox sz
24. end if

25. Exit Sub

26. End Sub

27. ImportCertificate()
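
The acceptPKCS7 remarks quoted in this thread say the requested certificate goes to the MY store, a root to ROOT (after a prompt the user can decline) and the rest of the chain to CA. The following is an added example, not code from the thread or from Microsoft: a standard-library Python script that lists the certificates inside a base64 PKCS #7 blob such as pkcs7ChainBase64, with or without BEGIN/END tags, and predicts that placement so a bundled root is noticed before import. The function names, the subject/issuer comparison used as a heuristic, and the constructed sample chain are assumptions of this example.

```python
import base64
import re

OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_CN = bytes.fromhex("0603550403")                       # 2.5.4.3 commonName

def read_tlv(buf, pos):
    """Decode one DER element at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length not supported")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's body into (tag, value, raw) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, nxt = read_tlv(value, pos)
        out.append((tag, val, value[pos:nxt]))
        pos = nxt
    return out

def common_name(name_body):
    """Return the first CN of a Name, or the hex of the Name if it has none."""
    for _, rdn, _ in children(name_body):
        for _, atv, _ in children(rdn):
            if atv.startswith(OID_CN):
                return children(atv)[1][1].decode("utf-8", "replace")
    return name_body.hex()

def certs_in_pkcs7(text):
    """List (subject_raw, issuer_raw, subject_cn) for each certificate in the bundle."""
    body = re.sub(r"-----[^-]+-----", "", text)  # BEGIN/END tags are optional
    der = base64.b64decode("".join(body.split()), validate=True)
    tag, content_info, _ = read_tlv(der, 0)
    parts = children(content_info)
    if tag != 0x30 or len(parts) < 2 or parts[0][2] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS #7 SignedData")
    signed_data = children(parts[1][1])[0][1]  # [0] EXPLICIT wraps the SEQUENCE
    found = []
    for tag, val, _ in children(signed_data):
        if tag == 0xA0:  # certificates are the [0] IMPLICIT field
            for _, cert, _ in children(val):
                tbs = children(children(cert)[0][1])
                if tbs[0][0] == 0xA0:  # skip the optional version field
                    tbs = tbs[1:]
                issuer, subject = tbs[2], tbs[4]  # serial, sigAlg, issuer, validity, subject
                found.append((subject[2], issuer[2], common_name(subject[1])))
    return found

def store_plan(text):
    """Map each subject CN to the store named in the quoted acceptPKCS7 remarks."""
    certs = certs_in_pkcs7(text)
    issuers = {iss for sub, iss, _ in certs if sub != iss}
    plan = {}
    for sub, iss, cn in certs:
        if sub == iss:
            plan[cn] = "ROOT"  # self-issued (heuristic): review before accepting the prompt
        elif sub in issuers:
            plan[cn] = "CA"    # issued another certificate in this bundle
        else:
            plan[cn] = "MY"    # end-entity certificate
    return plan

# Constructed sample: unsigned, certificate-shaped skeletons, not real certificates.
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def _cert(subject, issuer):
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, OID_CN + _tlv(0x0C, cn.encode()))))
    empty = _tlv(0x30, b"")  # placeholder for algorithm, validity and key fields
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + empty
               + name(issuer) + empty + name(subject) + empty)
    return _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))

def constructed_sample():
    certs = (_cert("Constructed User", "Constructed Issuing CA")
             + _cert("Constructed Issuing CA", "Constructed Root CA")
             + _cert("Constructed Root CA", "Constructed Root CA"))
    data_oid = bytes.fromhex("06092a864886f70d010701")  # 1.2.840.113549.1.7.1 data
    signed = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, data_oid)
                  + _tlv(0xA0, certs) + _tlv(0x31, b""))
    return base64.b64encode(_tlv(0x30, OID_SIGNED_DATA + _tlv(0xA0, signed))).decode()

if __name__ == "__main__":
    print(store_plan(constructed_sample()))
```

The reader handles definite-length DER only; a BER-encoded PKCS #7 with indefinite lengths raises ValueError instead of being guessed at.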
Mark, the new classid works now. Your version has an error.
The following works for the new clsid after I installed the patch. See my comment in the code.

>

Thank you very much and have a nice day!

The other Mark

--- [EMAIL PROTECTED] wrote:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323172
> for all versions
>
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 03:54 PM
> Please respond to openssl-users
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
>
> No, that one is for Windows NT 4.0, mine is Windows 2000 Professional. It refuses to install.
>
> --- [EMAIL PROTECTED] wrote:
> > Okay There is a patch that will do all this for you. Microsoft KB Q323172.
> > When you apply this it does the xenroll.dll install and registry changes for you.
> > The registry has to match the actual DLL on your box. Also our CA is on Unix and for the CA registration part that DLL has to match what's on the enrolling clients box. Check on your enrollment box and you'll see the xenroll.dll, This has to be the same as the client DLL
> >
> > Mark S
> >
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/03/03 02:09 PM
> > Please respond to openssl-users
> >
> > To: [EMAIL PROTECTED]
> > cc:
> > Subject: Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
> >
> > Mark, thanks.
> >
> > Yes, I checked HKEY_CLASSES_ROOT, under which I had only CEnroll.CEnroll\CurVer and CEnroll.CEnroll.1\CLSID.
> >
> > The value of CEnroll.CEnroll.1\CLSID is {43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old one.
> >
> > The value of CEnroll.CEnroll\CurVer is CEnroll.CEnroll.1.
> >
> > Then I manually added a new key at CEnroll.CEnroll\CEnroll.CEnroll.2, under which I added CLSID and assigned the new value {127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.
> >
> > Now I changed the value of CurVer to CEnroll.CEnroll.2. Then I restarted my Win2K, launched my tomcat, tried the new clsid with my HTML page.
> >
> > It did not work. Probably this is not the right way to have my system work for the new clsid?
> >
> > What do you think, Mark?
> >
> > The other Mark
Sorry, I meant both the new and old clsid stopped working.
sorry for the confusion.

--- [EMAIL PROTECTED] wrote:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323172
> for all versions
>
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 03:54 PM
> Please respond to openssl-users
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
>
> No, that one is for Windows NT 4.0, mine is Windows 2000 Professional. It refuses to install.
>
> --- [EMAIL PROTECTED] wrote:
> > Okay There is a patch that will do all this for you. Microsoft KB Q323172.
> > When you apply this it does the xenroll.dll install and registry changes for you.
> > The registry has to match the actual DLL on your box. Also our CA is on Unix and for the CA registration part that DLL has to match what's on the enrolling clients box. Check on your enrollment box and you'll see the xenroll.dll, This has to be the same as the client DLL
> >
> > Mark S
> >
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/03/03 02:09 PM
> > Please respond to openssl-users
> >
> > To: [EMAIL PROTECTED]
> > cc:
> > Subject: Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
> >
> > Mark, thanks.
> >
> > Yes, I checked HKEY_CLASSES_ROOT, under which I had only CEnroll.CEnroll\CurVer and CEnroll.CEnroll.1\CLSID.
> >
> > The value of CEnroll.CEnroll.1\CLSID is {43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old one.
> >
> > The value of CEnroll.CEnroll\CurVer is CEnroll.CEnroll.1.
> >
> > Then I manually added a new key at CEnroll.CEnroll\CEnroll.CEnroll.2, under which I added CLSID and assigned the new value {127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.
> >
> > Now I changed the value of CurVer to CEnroll.CEnroll.2. Then I restarted my Win2K, launched my tomcat, tried the new clsid with my HTML page.
> >
> > It did not work. Probably this is not the right way to have my system work for the new clsid?
> >
> > What do you think, Mark?
> >
> > The other Mark
Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
Mark,

Thanks a lot. I downloaded q323172_W2K_SP4_X86_EN.exe from http://www.microsoft.com/windows2000/downloads/critical/q323172/default.asp and installed it, restarted my Win2K, then neither the new clsid or the old one stopped working.

I removed the patch. Then the old one starts working as usual. The new one still does not work.

Kinda funny, huh?

Mark

--- [EMAIL PROTECTED] wrote:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323172
> for all versions
>
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 03:54 PM
> Please respond to openssl-users
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
>
> No, that one is for Windows NT 4.0, mine is Windows 2000 Professional. It refuses to install.
>
> --- [EMAIL PROTECTED] wrote:
> > Okay There is a patch that will do all this for you. Microsoft KB Q323172.
> > When you apply this it does the xenroll.dll install and registry changes for you.
> > The registry has to match the actual DLL on your box. Also our CA is on Unix and for the CA registration part that DLL has to match what's on the enrolling clients box. Check on your enrollment box and you'll see the xenroll.dll, This has to be the same as the client DLL
> >
> > Mark S
> >
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/03/03 02:09 PM
> > Please respond to openssl-users
> >
> > To: [EMAIL PROTECTED]
> > cc:
> > Subject: Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
> >
> > Mark, thanks.
> >
> > Yes, I checked HKEY_CLASSES_ROOT, under which I had only CEnroll.CEnroll\CurVer and CEnroll.CEnroll.1\CLSID.
> >
> > The value of CEnroll.CEnroll.1\CLSID is {43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old one.
> >
> > The value of CEnroll.CEnroll\CurVer is CEnroll.CEnroll.1.
> >
> > Then I manually added a new key at CEnroll.CEnroll\CEnroll.CEnroll.2, under which I added CLSID and assigned the new value {127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.
> >
> > Now I changed the value of CurVer to CEnroll.CEnroll.2. Then I restarted my Win2K, launched my tomcat, tried the new clsid with my HTML page.
> >
> > It did not work. Probably this is not the right way to have my system work for the new clsid?
> >
> > What do you think, Mark?
> >
> > The other Mark
Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
No, that one is for Windows NT 4.0, mine is Windows 2000 Professional. It refuses to install.

--- [EMAIL PROTECTED] wrote:
> Okay There is a patch that will do all this for you. Microsoft KB Q323172.
> When you apply this it does the xenroll.dll install and registry changes for you.
> The registry has to match the actual DLL on your box. Also our CA is on Unix and for the CA registration part that DLL has to match what's on the enrolling clients box. Check on your enrollment box and you'll see the xenroll.dll, This has to be the same as the client DLL
>
> Mark S
>
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 02:09 PM
> Please respond to openssl-users
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
>
> Mark, thanks.
>
> Yes, I checked HKEY_CLASSES_ROOT, under which I had only CEnroll.CEnroll\CurVer and CEnroll.CEnroll.1\CLSID.
>
> The value of CEnroll.CEnroll.1\CLSID is {43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old one.
>
> The value of CEnroll.CEnroll\CurVer is CEnroll.CEnroll.1.
>
> Then I manually added a new key at CEnroll.CEnroll\CEnroll.CEnroll.2, under which I added CLSID and assigned the new value {127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.
>
> Now I changed the value of CurVer to CEnroll.CEnroll.2. Then I restarted my Win2K, launched my tomcat, tried the new clsid with my HTML page.
>
> It did not work. Probably this is not the right way to have my system work for the new clsid?
>
> What do you think, Mark?
>
> The other Mark
Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
Mark, thanks.

Yes, I checked HKEY_CLASSES_ROOT, under which I had only CEnroll.CEnroll\CurVer and CEnroll.CEnroll.1\CLSID.

The value of CEnroll.CEnroll.1\CLSID is {43F8F289-7A20-11D0-8F06-00C04FC295E1}, the old one.

The value of CEnroll.CEnroll\CurVer is CEnroll.CEnroll.1.

Then I manually added a new key at CEnroll.CEnroll\CEnroll.CEnroll.2, under which I added CLSID and assigned the new value {127698e4-e730-4e5c-a2b1-21490a70c8a1} to it.

Now I changed the value of CurVer to CEnroll.CEnroll.2. Then I restarted my Win2K, launched my tomcat, tried the new clsid with my HTML page.

It did not work. Probably this is not the right way to have my system work for the new clsid?

What do you think, Mark?

The other Mark

--- [EMAIL PROTECTED] wrote:
> In the registry under HKEY_CLASSES_ROOT there are three keys
> CEnroll.CEnroll, CEnroll.CEnroll.1 CEnroll.CEnroll.2
> that tell the story
>
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/03/03 01:02 PM
> Please respond to openssl-users
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
>
> Mark,
>
> Thanks a lot for your reply. And it seems that this is the problem.
>
> But interestingly, the new one does not work for my Win2K box in my lab. That is, if I use the new one you offered, it won't give me a whole list of Cryptographic Service Providers, just like what happened to my Win2K box at home. The old one works in my lab, but does not work at my home. I'll see if the new one works for my home Win2K box when I get home.
>
> I use IE 6.0 for the Win2K boxes both at my home and at my lab in school.
>
> I am curious, what stuff in the Win2K operating system determines the version of the classid I need to use for my application?
>
> Thanks.
>
> The other Mark
>
> --- [EMAIL PROTECTED] wrote:
> > Yes but it also may mean you have the wrong xenroll.dll. In your script you probably have something like
> >
> > classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
> > CODEBASE="/xenroll.dll"
> > id=Enroll>
> >
> > which is the old dll you may need to change to
> >
> > classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
> > CODEBASE="/xenroll.dll"
> > id=Enroll>
> >
> > which is the new one
> >
> > Mark Liu <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/02/03 02:49 PM
> > Please respond to openssl-users
> >
> > To: [EMAIL PROTECTED]
> > cc:
> > Subject: Does this mean that I don't have any Cryptographic Service Provider in my system?
> >
> > I am working on an X509 public key certificate authentication project.
> >
> > I have an HTML file called apply_ie.html in my web application.
> >
> > When I tested this page on a Win2k box with tomcat4.1 in my lab at school, it works great. The drop-down menu gives me a list of dozens of Cryptographic Service Providers.
> >
> > But when I try the same file on my Win2k box with tomcat4.1 at home, The drop-down menu shows no list of Cryptographic Service Providers. And when I click "OK" to submit, I get a pop-up window which says:
> >
> > Line 80: object does not support this attribute or method: 'encoder.HashAlgorithm'
> >
> > I checked line 80 of the file apply_ie.html which contains vbscript, and saw it is this line:
> > encoder.HashAlgorithm = "MD5"
> >
> > Does this mean that I don't have any Cryptographic Service Providers installed on my Win2K box at home?
> >
> > But wait, before I tried this page with Tomcat, I did install Encpack_Win2000Admin_EN.exe, a cryptographic packet I downloaded from Microsoft, and restart my system.
> >
> > So, what's the problem? Any hint please?
> >
> > Here is source of apply_ie.html, which is a slight modification of Tomas' EJBCA apply_exp.jsp
> >
> > *** beginning of apply_ie.html ***
> >
> > IE Certificate Request
> >
> > &
Re: Does this mean that I don't have any Cryptographic Service Provider in my system?
Mark,

Thanks a lot for your reply. And it seems that this is the problem.

But interestingly, the new one does not work for my Win2K box in my lab. That is, if I use the new one you offered, it won't give me a whole list of Cryptographic Service Providers, just like what happened to my Win2K box at home. The old one works in my lab, but does not work at my home. I'll see if the new one works for my home Win2K box when I get home.

I use IE 6.0 for the Win2K boxes both at my home and at my lab in school.

I am curious, what stuff in the Win2K operating system determines the version of the classid I need to use for my application?

Thanks.

The other Mark

--- [EMAIL PROTECTED] wrote:
> Yes but it also may mean you have the wrong xenroll.dll. In your script you probably have something like
>
> classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
> CODEBASE="/xenroll.dll"
> id=Enroll>
>
> which is the old dll you may need to change to
>
> classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
> CODEBASE="/xenroll.dll"
> id=Enroll>
>
> which is the new one
>
> Mark Liu <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/02/03 02:49 PM
> Please respond to openssl-users
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Does this mean that I don't have any Cryptographic Service Provider in my system?
>
> I am working on an X509 public key certificate authentication project.
>
> I have an HTML file called apply_ie.html in my web application.
>
> When I tested this page on a Win2k box with tomcat4.1 in my lab at school, it works great. The drop-down menu gives me a list of dozens of Cryptographic Service Providers.
>
> But when I try the same file on my Win2k box with tomcat4.1 at home, The drop-down menu shows no list of Cryptographic Service Providers. And when I click "OK" to submit, I get a pop-up window which says:
>
> Line 80: object does not support this attribute or method: 'encoder.HashAlgorithm'
>
> I checked line 80 of the file apply_ie.html which contains vbscript, and saw it is this line:
> encoder.HashAlgorithm = "MD5"
>
> Does this mean that I don't have any Cryptographic Service Providers installed on my Win2K box at home?
>
> But wait, before I tried this page with Tomcat, I did install Encpack_Win2000Admin_EN.exe, a cryptographic packet I downloaded from Microsoft, and restart my system.
>
> So, what's the problem? Any hint please?
>
> Here is source of apply_ie.html, which is a slight modification of Tomas' EJBCA apply_exp.jsp
>
> *** beginning of apply_ie.html ***
>
> IE Certificate Request
>
> classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
> id="encoder">
>
> <!--
> Function GetProviderList()
>
>    Dim CspList, cspIndex, ProviderName
>    On Error Resume Next
>
>    count = 0
>    base = 0
>    enhanced = 0
>    CspList = ""
>    ProviderName = ""
>
>    For ProvType = 0 to 13
>       cspIndex = 0
>       encoder.ProviderType = ProvType
>       ProviderName = encoder.enumProviders(cspIndex,0)
>
>       while ProviderName <> ""
>          Set oOption = document.createElement("OPTION")
>          oOption.text = ProviderName
>          oOption.value = ProvType
>          Document.CertReqForm.CspProvider.add(oOption)
>          if ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then
>             base = count
>          end if
>          if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
>             enhanced = count
>          end if
>          cspIndex = cspIndex +1
>          ProviderName = ""
>          ProviderName = encoder.enumProviders(cspIndex,0)
>          count = count + 1
>       wend
>    Next
>    Document.CertReqForm.CspProvider.selectedIndex = base
>    if enhanced then
>       Document.CertReqForm.CspProvider.selectedIndex = enhanced
>    end if
> End Function
> -->
>
> link="black" vlink="black" alink="black">
>
> IE Certificate Request
>
> Welcome to certificate enrollment.
>
> ACTION="/x509/servlet/CertReq"
> ENCTYPE=x-www-form-encoded METHOD=POST>
> Please give your name and email, then click OK to submit your request.
>
> Name: name=clientname value="foo">
> Email: name=clientemail value="[EMAIL PROTECTED]">
>
> Please choose the CSP you wish to use from the list below (the default is probably good):
>
RE: Does the Web server have to run SSL in order to do certificates?
Thanks a lot, but what about my 2nd question, which I repeat here:

I know there is a big problem with this sample code, because this code does not specify to which servlet the PKCS#10 request should be submitted. I want to specify it, but I have no clue where and how to do this.

Please continue to educate. Thanks.

Mark

"Shalkebaev,AntonMSCAG" <[EMAIL PROTECTED]> wrote:

> You don't need to run SSL for your
> For your IE you should adjust settings to permit run ActiveX.
>
> Anton
>
> -----Original Message-----
> From: Mark Liu [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 27, 2003 08:56
> To: [EMAIL PROTECTED]
> Subject: Does the Web server have to run SSL in order to do certificates?
>
> I am working on an X509 public key certificate authentication project using Java technology.
>
> The client applies for a certificate from the Web interface of the CA. Currently, I only want to consider Internet Explorer.
>
> Question 1:
>
> I run Tomcat 4.1.18 under my win2k box as the CA Web server. Do I have to run it in SSL mode in order to handle clients' certificate request?
>
> I got a sample vbscript code for certificate enrollment from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/request_sample_in_vbscript.asp, which I paste in the following:
>
> *** beginning of the sample code *
> classid="" codebase="" id=Enroll >
> classid="" codebase="" id=Request >
> Certificate Enrollment Control Request Sample
> *** end of the sample code
>
> I saved this code as certreq.html under my web application folder.
>
> When I visit this page with IE, I get a VBscript pop-up dialog box, which reads:
>
> Creating PKCS #10 CN=UserName, OU=UserUnit,O=UserOrg,L=UserCity, S=WA,C=US
>
> I click OK, then I get another VBscript pop-up dialog box, which reads:
>
> Submitting request
> IICdTCCAh8CAQAwldfasldk8425lkasdfasdfADSFASDa/sdfoiuj
> aASDFkj9/asldfkadfr98SADkjla0ASDF09rASdfjasdlfkjASDFa
> dfoiujlerASDFadfloiwerLKJalkjafoiWERo0lkj934lkasfDlkj
> [snip]
>
> It is just a mess of codes.
>
> If I click OK, I get a warning pop-up window, which reads:
>
> ! An ActiveX Control on this page is not safe.
> Your current security settings prohibit running unsafe controls on this page.
> As a result, this page may not display as intended.
>
> And if I click OK, I see another pop-up window, which reads:
>
> Error in Request Submit 438
>
> These are all I get with this certreq.html page.
>
> I know there is a big problem with this sample code, because this code does not specify to which servlet the PKCS#10 request should be submitted. I want to specify it, but I have no clue where and how to do this.
>
> Can you guys please help? Thanks a lot!
Does the Web server have to run SSL in order to do certificates?
I am working on an X509 public key certificate authentication project using Java technology.

The client applies for a certificate from the Web interface of the CA. Currently, I only want to consider Internet Explorer.

Question 1:

I run Tomcat 4.1.18 under my win2k box as the CA Web server. Do I have to run it in SSL mode in order to handle clients' certificate request?

I got a sample vbscript code for certificate enrollment from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/request_sample_in_vbscript.asp , which I paste in the following:

*** beginning of the sample code *
VBScript Certificate Enrollment Control Sample
Certificate Enrollment Control Request Sample
*** end of the sample code

I saved this code as certreq.html under my web application folder.

When I visit this page with IE, I get a VBscript pop-up dialog box, which reads:

Creating PKCS #10 CN=UserName, OU=UserUnit, O=UserOrg,L=UserCity, S=WA,C=US

I click OK, then I get another VBscript pop-up dialog box, which reads:

Submitting request
IICdTCCAh8CAQAwldfasldk8425lkasdfasdfADSFASDa/sdfoiuj
aASDFkj9/asldfkadfr98SADkjla0ASDF09rASdfjasdlfkjASDFa
dfoiujlerASDFadfloiwerLKJalkjafoiWERo0lkj934lkasfDlkj
[snip]

It is just a mess of codes.

If I click OK, I get a warning pop-up window, which reads:

! An ActiveX Control on this page is not safe.
Your current security settings prohibit running unsafe controls on this page.
As a result, this page may not display as intended.

And if I click OK, I see another pop-up window, which reads:

Error in Request Submit 438

These are all I get with this certreq.html page.

I know there is a big problem with this sample code, because this code does not specify to which servlet the PKCS#10 request should be submitted. I want to specify it, but I have no clue where and how to do this.

Can you guys please help? Thanks a lot!
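On the server side, the servlet that the enrollment form posts to is where the base64 PKCS#10 arrives. The following is an added example, not code from this thread or from EJBCA: a servlet that decodes the posted request and verifies its self-signature (proof that the requester holds the private key) before anything is handed to the CA. It assumes a current JDK, the javax.servlet API and Bouncy Castle's bcpkix library; the class name and the form field name "pkcs10" are hypothetical.

```java
import java.io.IOException;
import java.util.Base64;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

// Added example; the class name and the "pkcs10" field name are hypothetical.
public class CertReqIntake extends HttpServlet {

    private static final int MAX_FIELD_CHARS = 16 * 1024; // assumed upper bound for one request

    /** Decode the posted field and verify the request's self-signature. */
    static PKCS10CertificationRequest parseAndVerify(String field) throws Exception {
        if (field == null || field.length() > MAX_FIELD_CHARS) {
            throw new IllegalArgumentException("missing or oversized request");
        }
        String b64 = field.trim()
            .replaceAll("-----[A-Z ]+-----", "")   // optional PEM header and footer
            .replaceAll("[\\r\\n\\t]", "")          // line wrapping
            .replace(' ', '+');                     // '+' decoded to ' ' when posted unescaped
        byte[] der = Base64.getDecoder().decode(b64);   // IllegalArgumentException on bad base64
        PKCS10CertificationRequest csr =
            new PKCS10CertificationRequest(der);        // IOException if not a PKCS#10 structure
        ContentVerifierProvider verifier =
            new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo());
        if (!csr.isSignatureValid(verifier)) {
            throw new SecurityException("PKCS#10 signature does not match its public key");
        }
        return csr;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            PKCS10CertificationRequest csr = parseAndVerify(req.getParameter("pkcs10"));
            // The subject in csr is requester-supplied: pass it to the CA's approval
            // step and let CA policy decide what is actually certified.
            resp.setContentType("text/plain");
            resp.getWriter().println("Request received for review");
        } catch (Exception e) {
            // Reject without echoing the input or the parser's error text.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid certificate request");
        }
    }
}
```

A valid signature only shows that the sender controls the key in the request; who the sender is still has to be established by the CA before it issues a certificate.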