I'm astonished the solution to this problem isn't all over the web, what with IE being the browser of around 80% of web users and client certificates being a fairly major part of what SSL is about, but from searching Google and this list, I can't find a solution...

I can't get certificates returned through a web page to be installed in the 'Personal' section. This question has been visited before on this list, but the solution was seemingly never found, so I'm trying again.

I have two fairly simple web pages. Both of them have an xenroll object called certHelper. One of them has a script looking something like this, which is run when a form is submitted and sends a PKCS10 request to the server PHP script:

    <SCRIPT>
    szName = "CN=gdb; [EMAIL PROTECTED]; C=GB; S=Cambridgeshire; L=Cambridge; O=Human.IT; OU=Staff";
    certHelper.providerType = 1;
    certHelper.providerName = "Microsoft Base Cryptographic Provider v1.0";
    certHelper.hashAlgorithm = "MD5";
    certHelper.keySpec = 1;
    certHelper.genKeyFlags = 0x4000003;
    sz10 = certHelper.createPKCS10(szName, "1.3.6.1.5.5.7.3.2");
    document.myForm.reqEntry.value = sz10;
    </SCRIPT>

The server PHP script extracts the certificate request and runs:

    openssl ca -batch -in <REQUEST> -out <RESULT> -days 360

to produce a client certificate. This is packaged up in PKCS#7 with:

    openssl crl2pkcs7 -certfile <RESULT> -in <CRL> -out <PKCS7>

The data between the BEGIN and END tags in <PKCS7> is then sent back to the client in the following script (again the certHelper object is present):

    <SCRIPT>
    cert = "blahblahblahblah (From PKCS7 file)";
    certHelper.deleteRequestCert = 0;
    certHelper.writeCertToCSP = 1;
    certHelper.installPKCS7(cert);
    </SCRIPT>

The certificate gets installed in the 'Other People' section rather than the 'Personal' section. From reading previous posts on this forum, I discover that this is because it doesn't have a private key attached to it. By dragging the certificate onto the desktop and re-importing it, I can get it into the Personal section, but that doesn't really help.

What am I doing wrong? I had a look at Verisign's free client certificate stuff (and some of the seemingly pointless lines in the above were added because they were in their scripts and might have made a difference) but couldn't see anything significantly different (except that the request didn't contain the real DN but the returned certificate did).

How do I get MSIE to connect the returned PKCS7 certificate with the internally-held private key from the request?
-- 
Gareth Boden
Head of Software Development
Human Information Technology Ltd
http://human.IT/
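
A server-side check for the flow described in the post, as an added example that is not part of the original message: it confirms that the PKCS#7 bundle about to be returned contains a certificate for the same public key as the submitted PKCS#10 request, which is the key whose private half stays in the browser. The function names are hypothetical, and the demo data is constructed locally, with 'openssl x509 -req' standing in for 'openssl ca' so no CA directory layout is needed.

```shell
#!/bin/sh
# Added diagnostic, not from the original post.

# Exit 0 if any certificate in PKCS#7 file $2 carries the public key of
# PKCS#10 request $1, 1 if none does, 2 if the request cannot be read.
p7_matches_csr() {
    want=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one PEM file per certificate.
    openssl pkcs7 -in "$2" -print_certs 2>/dev/null |
        awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/c" n ".pem")}'
    rc=1
    for c in "$tmp"/c*.pem; do
        [ -f "$c" ] || continue
        got=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)
        [ "$got" = "$want" ] && rc=0
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed demo data: u.csr stands in for the request that Xenroll's
# createPKCS10 produces, o.csr is an unrelated request with the same DN,
# and u.p7 bundles the certificate issued for u.csr plus the CA certificate.
make_demo() {
    d=$(mktemp -d) || return 2
    k="-newkey rsa:2048 -nodes"
    {
        openssl req -x509 $k -subj "/CN=Demo CA" -days 1 \
            -keyout "$d/ca.key" -out "$d/ca.pem"
        openssl req -new $k -subj "/CN=gdb" -keyout "$d/u.key" -out "$d/u.csr"
        openssl req -new $k -subj "/CN=gdb" -keyout "$d/o.key" -out "$d/o.csr"
        openssl x509 -req -in "$d/u.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -set_serial 1 -days 1 -out "$d/u.pem"
        openssl crl2pkcs7 -nocrl -certfile "$d/u.pem" -certfile "$d/ca.pem" \
            -out "$d/u.p7"
    } >/dev/null 2>&1 || return 2
    echo "$d"
}

DEMO=$(make_demo) && p7_matches_csr "$DEMO/u.csr" "$DEMO/u.p7" &&
    echo "bundle contains a certificate for this request's key"
```

A match only shows that the issued certificate and the request share a key; it says nothing about how the browser's certificate store files the result.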