Re: CEnroll and EAP/TLS

From: John Banes [MS] (jbanes_at_online.microsoft.com)
Date: 01/21/04


Date: Tue, 20 Jan 2004 23:34:57 -0800

I can only suggest that you examine the "key prov info" property on the
certificate in the certificate store, before and after the re-import, and
see if there are differences...

Regards,

John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.

"John Starks" <js-newsREMOVE@lrce.net> wrote in message
news:OVXDvdv3DHA.1184@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> I'm attempting to use the CEnroll API in VBScript through IE to install user
> certificates for 802.1x (EAP/TLS). I have no problem generating a request,
> sending it to a third-party CA, and adding the resulting signed certificate
> to the user's store, but Windows XP refuses to use the certificate for
> 802.1x. I have checked the Certificates snap-in, and the certificate is set
> up for Client Authentication and seems to be acceptable as far as
> certificate path goes.
>
> What makes this situation particularly vexing is that if I use the
> Certificates MMC snap-in to export the certificate and key in PKCS#12
> format, delete the key, and finally reimport it into exactly the same
> certificate store, Windows XP accepts the certificate for use in 802.1x.
> Without this step, I get "Windows was unable to find a certificate to log
> you on to the network <SSID>."
>
> I cannot perceive any difference between the certificate's properties before
> or after the re-import. Some relevant code:
>
> Dim certHelper
> Set certHelper = CreateObject("CEnroll.CEnroll")
> ...
> certHelper.AcceptPKCS7(PKCS7Cert)
>
> Any ideas about what might be causing this? Are there any properties I
> should be setting before accepting the certificate in order to tell Windows
> that it's OK to use it for EAP/TLS? Thanks.
>
> Cheers,
> John Starks
>
>
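
Added example (not part of the original thread, and not Microsoft's code): one way to make the before/after comparison suggested in the reply. It assumes Windows PowerShell 5.1 on .NET Framework, where CspKeyContainerInfo exposes the container, provider, provider type and key spec of a CryptoAPI key; the function names and the before.xml file are hypothetical.

```powershell
# Added example. Snapshot the key provider details of each certificate in
# CurrentUser\My so the state before and after a re-import can be diffed.
function Get-KeyProvSnapshot {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $row = [ordered]@{
            Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
            HasKey = $cert.HasPrivateKey; Container = $null; Provider = $null
            ProviderType = $null; KeySpec = $null; MachineKey = $null
        }
        try {
            # Populated only for CryptoAPI (CSP) keys; other keys may throw here.
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($info) {
                $row.Container    = $info.KeyContainerName
                $row.Provider     = $info.ProviderName
                $row.ProviderType = $info.ProviderType
                $row.KeySpec      = "$($info.KeyNumber)"   # Exchange or Signature
                $row.MachineKey   = $info.MachineKeyStore
            }
        } catch {
            $row.Provider = "unreadable: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Report every field that differs for certificates present in both snapshots.
function Compare-KeyProvSnapshot($Before, $After) {
    $fields = 'HasKey','Container','Provider','ProviderType','KeySpec','MachineKey'
    $old = @{}
    foreach ($b in $Before) { $old[$b.Thumbprint] = $b }
    foreach ($a in $After) {
        $b = $old[$a.Thumbprint]
        if (-not $b) { continue }   # certificate not in the earlier snapshot
        foreach ($f in $fields) {
            if ("$($b.$f)" -ne "$($a.$f)") {
                [pscustomobject]@{ Thumbprint = $a.Thumbprint; Field = $f
                                   Before = $b.$f; After = $a.$f }
            }
        }
    }
}

# Usage: take a snapshot, do the PKCS#12 export / delete / re-import, compare.
#   Get-KeyProvSnapshot | Export-Clixml before.xml
#   Compare-KeyProvSnapshot (Import-Clixml before.xml) (Get-KeyProvSnapshot)
```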


