I'm astonished the solution to this problem isn't all over the web, what
with IE being the browser of around 80% of web users and client
certificates being a fairly major part of what SSL is about, but from
searching Google and this list, I can't find a solution...

I can't get certificates returned through a web page to be installed in
the 'Personal' section. This question has been visited before on this
list, but the solution was seemingly never found so I'm trying again.

I have two fairly simple web pages. Both of them have an xenroll object
called certHelper. One of them has a script looking something like this,
which is run when a form is submitted and sends a PKCS10 request to the
server PHP script:

<SCRIPT>
        // Subject DN for the request (the e-mail component is redacted in the archive)
        var szName = "CN=gdb; [EMAIL PROTECTED]; C=GB; S=Cambridgeshire; L=Cambridge; O=Human.IT; OU=Staff";
        certHelper.providerType = 1;
        certHelper.providerName = "Microsoft Base Cryptographic Provider v1.0";
        certHelper.hashAlgorithm = "MD5";
        certHelper.keySpec = 1;            // AT_KEYEXCHANGE
        certHelper.genKeyFlags = 0x4000003; // key length in the high word, exportable/archivable flags in the low word
        // Generate the key pair in the CSP and build a PKCS#10 request with the clientAuth EKU
        var sz10 = certHelper.createPKCS10(szName, "1.3.6.1.5.5.7.3.2");
        document.myForm.reqEntry.value = sz10;
</SCRIPT>
        
The server PHP script extracts the certificate request and runs:
        openssl ca -batch -in <REQUEST> -out <RESULT> -days 360
to produce a client certificate. This is packaged up in PKCS#7 with:
        openssl crl2pkcs7 -certfile <RESULT> -in <CRL> -out <PKCS7>

The data between the BEGIN and END tags in <PKCS7> is then sent back to
the client in the following script (again the certHelper object is
present):

<SCRIPT>
        // Base64 body of the PKCS#7 returned by the server (placeholder)
        var cert = "blahblahblahblah (From PKCS7 file)";
        certHelper.deleteRequestCert = 0; // keep the pending request entry
        certHelper.writeCertToCSP = 1;    // write the cert next to the key in the CSP
        certHelper.installPKCS7(cert);
</SCRIPT>

The certificate gets installed in the 'Other People' section rather than
the 'Personal' section. From reading previous posts on this forum, I
discover that this is because it doesn't have a private key attached to
it. By dragging the certificate onto the desktop and re-importing it, I
can get it into the Personal section, but that doesn't really help.

What am I doing wrong? I had a look at Verisign's free client certificate
stuff (and some of the seemingly pointless lines in the above were added
because they were in their scripts and might have made a difference) but
couldn't see anything significantly different (except that the request
didn't contain the real DN but the returned certificate did).

How do I get MSIE to connect the returned PKCS7 certificate with the
internally-held private key from the request?

BEGIN:VCARD
TEL;WORK;VOICE;PREF;MSG:+44 (1223) 713640
TEL;WORK;FAX:+44 (1223) 713641
ADR;WORK;INTL;POSTAL;PARCEL;ENCODING=QUOTED-PRINTABLE:;;Murdoch House=0D=0AStation Road;Cambridge;Cambridgeshire;CB1 2JH;GB
LABEL;WORK;INTL;POSTAL;PARCEL;ENCODING=QUOTED-PRINTABLE:human.IT=0D=0AMurdoch House=0D=0AStation Road=0D=0ACambridge=0D=0ACambridgeshire=0D=0ACB1 2JH=0D=0AUNITED KINGDOM
N:Boden;Gareth;David;Mr.
FN:Gareth Boden
EMAIL;INTERNET:[EMAIL PROTECTED]
TZ:+0000
GEO:52.13,0.08
TITLE:Head of Software Development
ROLE:Programmer
ORG:Human Information Technology Ltd
REV:20000719T113007Z
URL:http://human.IT/
UID:mailto:[EMAIL PROTECTED]
VERSION:2.1
END:VCARD

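The server side of the flow described in the post (sign a PKCS#10 request with `openssl ca`, wrap the result with `openssl crl2pkcs7`) can be reproduced offline and checked. The script below is an added example, not the poster's PHP or the list's answer: it builds a throwaway CA with a minimal config, signs a constructed request that stands in for what XEnroll produces in the browser, and then verifies two things a practitioner would want to know before blaming the browser: that the PKCS#7 bundle actually contains the end-entity certificate, and that the public key in the issued certificate is byte-for-byte the public key from the request. A certificate whose public key does not match the key pair held in the CSP can never be paired with a private key, which is exactly the symptom of it landing in 'Other People'. The CA name, subject, file names and the use of `-nocrl` (the post's command also bundles a CRL) are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): sign a PKCS#10 request with
# `openssl ca`, package it with `openssl crl2pkcs7`, and verify that the
# certificate in the bundle matches the request's public key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl.cnf for `openssl ca` (constructed; not the poster's config).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
policy = any_pol
x509_extensions = client_ext
[ any_pol ]
commonName = supplied
countryName = optional
organizationName = optional
organizationalUnitName = optional
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
mkdir newcerts
: > index.txt
echo 01 > serial

# Throwaway CA (constructed for the example).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Test CA" -days 2 -config ca.cnf >/dev/null 2>&1

# Client key pair + PKCS#10 request, standing in for what XEnroll generates.
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=gdb/C=GB/O=Human.IT/OU=Staff" -config ca.cnf >/dev/null 2>&1

# Sign as in the post, then wrap in PKCS#7 (no CRL here, hence -nocrl).
openssl ca -batch -config ca.cnf -in client.csr -out client.crt -days 360 -notext >/dev/null 2>&1
openssl crl2pkcs7 -nocrl -certfile client.crt -out client.p7b

# Check 1: the PKCS#7 bundle carries the end-entity certificate.
p7_has_cert() {
  openssl pkcs7 -in "$1" -print_certs -noout | grep -q "subject=.*CN *= *gdb"
}

# Check 2: the issued certificate's public key equals the request's public key.
# If these differ, no private key in the browser's CSP can ever be bound to it.
pubkey_matches() {
  req_pub=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$req_pub" = "$crt_pub" ]
}

if p7_has_cert client.p7b && pubkey_matches client.csr client.crt; then
  echo "PKCS#7 bundle is consistent with the request"
else
  echo "mismatch: certificate does not correspond to the request" >&2
  exit 1
fi
```

Run it with a system `openssl` on the path; the same two checks can be pointed at a real request and the PKCS#7 body the PHP script returns, before the data ever reaches `installPKCS7`.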