Hi all!
This probably is a stupid question... but I am a bit tired trying to find out
how things work on NT machines, and maybe some of you knwo an easy answer...
I need to distribute client certificates to Netscape and Explorer browsers,
I can assume version 4 or above. It works perfectly for Netscape.
About MSIE though (I have 4.01), using xenroll.dll, I managed to create
a PKCS10 request, sign it using SSLeay 0.9.0 (thanks to some hint here,
by setting hash to MD5 in the request), send back the PKCS7 message
and, using "acceptPKCS7" of xenroll.dll, it seems I got the certificate
installed. At least, Enroll.acceptPKCS7() did not complain, plus the
"certmgr.exe -s My" produces the output (shortened a bit)
==============Certificate # 1 ==========
Subject::
[0,0] 2.5.4.6 (C) CH
[1,0] 2.5.4.8 (S) BE (Bern)
[2,0] 2.5.4.10 (O) BFI
[3,0] 2.5.4.11 (OU) SI
[4,0] 2.5.4.3 (CN) Explorer, Explorer :SEQ=1:
[5,0] 1.2.840.113549.1.9.1 (E) [EMAIL PROTECTED]
Issuer::
....
SHA1 Thumbprint::
A4A0CA86 85A4D591 36474CA2 240D9F95 BF2C7271
MD5 Thumbprint::
DDE058BC 6460FE50 9D70AD74 033DCE5A
Provider Type:: 1 Provider Name:: Microsoft Base Cryptographic Provider
v1.0 Container: 813fa804-ebc7-11d1-9e18-00805fa13dfd KeySpec: 2
NotBefore::
Fri May 15 09:45:25 1998
NotAfter::
Mon May 15 09:45:25 2000
==============No CTLs ==========
==============No CRLs ==========
==============================================
CertMgr Succeeded
Still, the certificate does NOT appear in Explorers certificate list
(View, Internet Options, Content, Personal) and is not shown as otpion
when trying to link to an SSL server. By checking the Registry, I found
out that:
- certenr3.dll, which I used before, stored its certificates in
HKEY_CURRENT_USER/Software/Microsoft/Cryptography/MapSessionPurpose and
HKEY_CURRENT_USER/Software/Microsoft/Cryptography/PersonalCertificates/
ClientAuth/CertificateAusiliaryInfo and
HKEY_CURRENT_USER/Software/Microsoft/Cryptography/UserKeys/...
- xenroll.dll seems to keep its certificates in
HKEY_CURRENT_USER/Software/Microsoft/SystemCertificates/My/...
where I think I can see my personal certificate (as certmgr.exe does)
I re-installed Explorer in the hope it would look at the right place, but
the problem remained. I suspect somehow that Explorer first checks for
the ...Cryptography entries and skips teh other ones. I do not dare to
remove these entries manually though. Does anybody know what to do, what's
going on? Is it documented somewhere? Notice that, as said, I had certenr3
insatlled before and some certificates (that Explorer actually showed),
and I could remove them using certmgr so certmgr now only shows teh xenroll
certificate. I could go back to certenr3 I assume, but it seems xenroll
would be more flexible and the better choice. Or any other suggestions?
Thanks for your help!
Andy
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+
