Re: Windows 2003 + Certificate Store + AcquireCredentialsHandle + SEC_E_UNKNOWN_CREDENTIALS

From: Alun Jones [MS MVP] (alun_at_texis.com)
Date: 10/03/03

    Date: Fri, 03 Oct 2003 15:39:47 GMT
    
    

    In article <OdUDkmRiDHA.1172@TK2MSFTNGP09.phx.gbl>, "Sergio Dutra [MS]"
    <sergiod@online.microsoft.com> wrote:
    >The client sends a PKCS#10 request to the CA.
    >
    >The PKCS#10 request contains the desired information to be added to the
    >certificate, such as the subject name, any extensions, and the public key.

    So far, I'm with you.

    >The PKCS#10 request is then signed using the private key corresponding to
    >that public key, so that the CA then knows that the one that issued the
    >PKCS#10 request is indeed the owner of the private key corresponding to the
    >public key in the request.

    In case someone misreads this, the signing of the PKCS#10 request is done by
    the client, before the client sends the request to the CA.

    >When the CA receives the PKCS#10 request, it verifies the signature and uses
    >the information in it to create an X.509 certificate, containing the
    >specified subject name, several extensions, the public key, the issuer name,
    >serial number and validity period. That certificate is then signed by the
    >CA.

    So a certificate can only have one signer, correct? I guess that explains
    why the clientHello extensions (RFC 3546) contain details of who the client
    will trust, so that the server can give up the right certificate in
    response.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]

    -- 
    Texas Imperial Software   | Find us at http://www.wftpd.com or email
    1602 Harvest Moon Place   | alun@texis.com.
    Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
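
The flow discussed in this thread, as an added example that is not part of the original posts: the client signs the PKCS#10 request with its own private key, the CA verifies that signature before issuing, and the resulting certificate is signed by the CA alone. It assumes the `openssl` command-line tool is installed; the names `client.example`, `attack.example` and `Example CA` and all file names are constructed, and the altered-request check goes one step beyond what the posts state.

```shell
#!/bin/sh
# Added example. Subjects, file names and the CA are constructed for illustration.
WORK=$(mktemp -d)

# Client: new key pair, then a PKCS#10 request signed with the new private key.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=client.example" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# CA: verify the request's signature with the public key carried in the request.
# The output text is matched instead of relying on the exit status.
request_signature_ok() {
    openssl req -verify -noout -in "$1" 2>&1 | grep -q "verify OK"
}

# Simulate a request altered after signing: same-length subject swap in the DER.
tamper_request() {
    openssl req -in "$WORK/client.csr" -outform DER -out "$WORK/client.der" &&
    LC_ALL=C sed 's/client\.example/attack.example/' "$WORK/client.der" \
        > "$WORK/tampered.der" &&
    openssl req -inform DER -in "$WORK/tampered.der" -out "$WORK/tampered.csr"
}

# CA: a throwaway self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CA: refuse requests that fail verification, otherwise sign a certificate.
issue_certificate() {
    request_signature_ok "$1" || return 1
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$2" 2>/dev/null
}

# The issued certificate carries a single signature, made by the CA.
certificate_signed_by_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_request && make_ca && tamper_request
request_signature_ok "$WORK/client.csr" && echo "genuine request: signature verifies"
request_signature_ok "$WORK/tampered.csr" || echo "altered request: rejected"
issue_certificate "$WORK/client.csr" "$WORK/client.crt" &&
    certificate_signed_by_ca "$WORK/client.crt" && echo "certificate verifies against the CA"
```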
    
