Re: Using Microsoft Certificate Server Programatically
From: Carlos Lopez (clopezonline_at_microsoft.com)
Date: 03/25/04
- Next message: Pieter Philippaerts: "Re: signing data with publc key that is not in the keystore"
- Previous message: Ryan Menezes [MSFT]: "Re: use of SYMMETRICWRAPKEYBLOB"
- In reply to: Cindy: "Re: Using Microsoft Certificate Server Programatically"
- Next in thread: Yan-Hong Huang[MSFT]: "Re: Using Microsoft Certificate Server Programatically"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Mar 2004 18:53:28 GMT
Hi Cindy,
1. Client contacts server (web service) with encrypted registration
info.
2. Upon validation of registration info, the web service creates a
cert request on behalf of the client and sends it to the Certificate
Server.
3. The server issues the certificate (not sure how the web service
gets a hold of the cert).
[clopez] The samples provided by David Cross should answer that question.
You use the ICertRequest interface to retrieve the certificate.
4. The web service returns the certificate to the client (not sure how
to do this the most secure way).
[clopez] If you are calling ICEnroll->createRequest/createPKCS10 on the web
service you are generating the private/public key on that machine. It is
possible for you to use CAPICOM's Certificates.Save method to save the
certificate in pfx format. You can generate a random password to protect
the pfx file. Of course you would have to send the pfx and password to the
client so it is still a matter of how to send the password securely.
The Store.Load can be called on the client to install the certificate.
5. The client installs the certificate and adds it to the trust.
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: cindy.fisher@emersonProcess.com (Cindy)
| Newsgroups: microsoft.public.platformsdk.security
| Subject: Re: Using Microsoft Certificate Server Programatically
| Date: 22 Mar 2004 08:29:42 -0800
| Organization: http://groups.google.com
| Lines: 38
| Message-ID: <ae05deef.0403220829.41f647e0@posting.google.com>
| References: <ae05deef.0403161018.4d09f74a@posting.google.com>
<N8Y2JFEDEHA.3568@cpmsftngxa06.phx.gbl>
| NNTP-Posting-Host: 208.251.33.202
| Content-Type: text/plain; charset=ISO-8859-1
| Content-Transfer-Encoding: 8bit
| X-Trace: posting.google.com 1079972982 15166 127.0.0.1 (22 Mar 2004
16:29:42 GMT)
| X-Complaints-To: groups-abuse@google.com
| NNTP-Posting-Date: Mon, 22 Mar 2004 16:29:42 +0000 (UTC)
| Path:
cpmsftngxa06.phx.gbl!TK2MSFTNGXS01.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP0
8.phx.gbl!newsfeed00.sul.t-online.de!t-online.de!newsfeed.freenet.de!newsfee
d.news2me.com!newsfeed3.easynews.com!newsfeed1.easynews.com!easynews.com!eas
ynews!crtntx1-snh1.gtei.net!news.gtei.net!newsfeed2.dallas1.level3.net!news.
level3.com!postnews1.google.com!postnews2.google.com!not-for-mail
| Xref: cpmsftngxa06.phx.gbl microsoft.public.platformsdk.security:6217
| X-Tomcat-NG: microsoft.public.platformsdk.security
|
| Actually, I'm trying to do this for the client, not the server. Here's
| the scenario:
|
| 1. Client contacts server (web service) with encrypted registration
| info.
| 2. Upon validation of registration info, the web service creates a
| cert request on behalf of the client and sends it to the Certificate
| Server.
| 3. The server issues the certificate (not sure how the web service
| gets a hold of the cert).
| 4. The web service returns the certificate to the client (not sure how
| to do this the most secure way).
| 5. The client installs the certificate and adds it to the trust.
|
| Since we are writing the client and server (web service) code, I
| figured this wouldn't be a problem. Any recommendations on how to
| return the certificate safely?
|
| Thanks,
| cindy
|
|
| v-raygon@online.microsoft.com (Rhett Gong [MSFT]) wrote in message
news:<N8Y2JFEDEHA.3568@cpmsftngxa06.phx.gbl>...
| > Hi Cindy,
| > From your description, you would like to programmatically generate a
| > certificate request from a Certificate Server, issue the certificate
| > request and install the issued certificate to the certificate store.
| >
| > Seems that you want to do something like Certificate Wizard which comes
| > with Internet Information Services. Generally, we use ICEnroll::create* to
| > generate a certificate request. (for more information at:
| > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/icenroll.asp)
| > Then check the KB article -- "HOW TO: Programmatically Install SSL
| > Certificates for Internet Information Server (IIS)" at:
| > http://support.microsoft.com/default.aspx?scid=kb;en-us;313624#3 and
| > let me know if it could help to resolve your problem.
| >
| > thanks,
| > Rhett Gong [MSFT]
| > Microsoft Online Partner Support
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| > Please reply to newsgroups only. Thanks.
|
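The five-step flow Cindy describes and Carlos's answer to steps 3 and 4 (retrieve the issued certificate through ICertRequest, ship it as a PFX under a random password, load it on the client), written out as an added example. This is not code from the thread or from Microsoft; it is PowerShell against the CertEnroll COM objects that replaced xenroll's ICEnroll, the CertificateAuthority.Request ProgID that exposes ICertRequest, and .NET's X509Certificate2/X509Store in place of CAPICOM (both xenroll and CAPICOM are deprecated). The client name, the CA config string, and the idea of running both halves in one script are placeholders for illustration.

```powershell
# Added example: server half runs on the web service host, client half on the
# client. $clientName and $caConfig are assumed placeholder values.
param(
    [string]$clientName = "client42",                             # assumed
    [string]$caConfig   = "ca01.corp.example\Example Issuing CA"  # assumed "host\CA name"
)

# --- Step 2: build the PKCS#10 request on behalf of the client ----------------
# CertEnroll replaces ICEnroll::createPKCS10. The private key is generated on
# THIS machine, which is exactly the situation the reply warns about.
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName   = "Microsoft Enhanced RSA and AES Cryptographic Provider"
$key.KeySpec        = 1        # XCN_AT_KEYEXCHANGE
$key.Length         = 2048
$key.MachineContext = $true
$key.ExportPolicy   = 1        # XCN_NCRYPT_ALLOW_EXPORT_FLAG: required for the PFX step
$key.Create()

$subject = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$subject.Encode("CN=$clientName", 0)            # XCN_CERT_NAME_STR_NONE

$pkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$pkcs10.InitializeFromPrivateKey(2, $key, "")   # 2 = ContextMachine, no template
$pkcs10.Subject = $subject

$enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
$enroll.InitializeFromRequest($pkcs10)
$csr = $enroll.CreateRequest(1)                 # XCN_CRYPT_STRING_BASE64 (no header)

# --- Step 3: submit to the CA and fetch the issued cert with ICertRequest -----
$CR_IN_BASE64 = 0x1; $CR_IN_PKCS10 = 0x100; $CR_OUT_BASE64 = 0x1; $CR_DISP_ISSUED = 3
$certReq = New-Object -ComObject CertificateAuthority.Request
$disposition = $certReq.Submit($CR_IN_BASE64 -bor $CR_IN_PKCS10, $csr, "", $caConfig)
if ($disposition -ne $CR_DISP_ISSUED) {
    # 2 = denied, 5 = pending CA-manager approval; do not hand anything to the client
    throw "CA did not issue: disposition $disposition ($($certReq.GetDispositionMessage()))"
}
$issuedCert = $certReq.GetCertificate($CR_OUT_BASE64)

# Bind the issued certificate to the key generated above so a PFX can be built.
$enroll.InstallResponse(0, $issuedCert, 1, "")  # AllowNone, XCN_CRYPT_STRING_BASE64

# --- Step 4: package as PFX under a random one-time password -------------------
$rnd = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
$pfxPassword = [Convert]::ToBase64String($rnd)  # 192 bits of entropy; never log it
$pfxBase64   = $enroll.CreatePFX($pfxPassword, 0, 1)   # PFXExportEEOnly, Base64

# The web service must not keep the client's private key: delete the installed
# certificate together with its key container from the machine store.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
              [Convert]::FromBase64String($issuedCert))
Remove-Item -Path "Cert:\LocalMachine\My\$($issued.Thumbprint)" -DeleteKey

# $pfxBase64 is returned in the TLS-protected web service response;
# $pfxPassword must travel over a separate channel (the authenticated
# registration session, or a message to the registered contact), never
# alongside the PFX.

# --- Step 5: on the client, install the PFX (CAPICOM Store.Load equivalent) ---
# No Exportable flag: the key lands in the machine store non-exportable.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                  [Convert]::FromBase64String($pfxBase64), $pfxPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($clientCert)
$store.Close()
```

Two points a practitioner would check before shipping this. First, the PFX and its password are only as safe as the two channels they travel over; if both go back in the same HTTPS response, the password adds nothing beyond what TLS already gives, so the design only earns its keep when the password really is delivered separately. Second, generating the key on the web service means the client's private key exists, however briefly, on a machine the client does not control. The cleaner design that avoids the whole "how do I send the password" question is to generate the key on the client, send only the PKCS#10 to the web service, and return the bare issued certificate, which needs no secrecy at all; the block above follows the server-side-key design only because that is what the thread describes.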