Re: Change process owner to submit certificate requests
From: Fabien (fab_at_yahoo.com)
Date: 03/29/04
- Next message: Thomas F. Divine [DDK MVP]: "Re: Ndis packet wrapper"
- Previous message: Pieter Philippaerts: "Re: C++ and C# cryptography compatibility"
- In reply to: David Cross [MS]: "Re: Change process owner to submit certificate requests"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Mar 2004 17:02:51 +0200
Hi David,
Thanks for your help... I did not think about the problem this way...
Unfortunately, the certificate requests I am submitting are generated in web
pages, using VBScript. The signing certificate remains in the client's Key
Store.
The way I see it now, is that I have to use impersonation to submit the
request as if I am the user to whom it belongs... and that appears to be
kind of tricky... For the moment, I have problems retrieving my "Admin"
accessToken to enable TCB privilege...
If someone faced this before... and feels like sharing experience...
Thanks Fabien
"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:%23HBDdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> Here is how you can do it in Windows Server 2003 using the CMC format. In
> both Win2k and 2003, the request must be signed by an enrollment agent cert
> in order to allow the requestor to be different than the certificate
> subject. You can see an example of this code in the win2k web enrollment
> pages for the smartcard enrollment station.
>
> Here is a 2003 example using CMC:
>
> Creating an Enrollment Agent Signed CMC Request (Single Signer)
>
> The Certificate Enrollment Control allows a request to be signed using a
> single certificate. The certificate used to sign the request will normally
> be an Enrollment Agent certificate which allows a user to enroll for a
> certificate on behalf of another user. In order to enroll on behalf of
> another user, the request must also contain an extra attribute, called
> RequesterName together with the user SAM name (acmecorp\JSmith). Typically,
> enroll on behalf scenarios are used for corporate security officers to
> enroll smartcards through an in-person proofing process where the
> certificate requestor is not the user themselves.
>
> The following C++ code opens a certificate store using the CertOpenStore
> function and finds an enrollment certificate in the store using the
> CertFindCertificateInStore function. The certificate is then checked for
> validity using functions CertGetCertificateChain and
> CertVerifyCertificateChainPolicy. If the certificate is valid it is then
> passed when calling method SetSignerCertificate to set the certificate used
> to sign the request. The AddNameValuePairToSignatureWStr method is used to
> set the RequesterName attribute to the user SAM name (acmecorp\JSmith). (No
> example for VB Script is shown as it is not possible to sign a request using
> the ICEnroll interface)
>
> // Assumed declared earlier: an IEnroll4 *CertEnroll obtained from the
> // Certificate Enrollment Control (CoCreateInstance with CLSID_CEnroll and
> // IID_IEnroll4).
> HRESULT hr;
> PCCERT_CONTEXT pEnrollmentCert = NULL;
> LPSTR pszOIDs[1] = { szOID_ENROLLMENT_AGENT };
> CERT_ENHKEY_USAGE stCertUsage = { 1, pszOIDs };
> CERT_CHAIN_PARA ChainPara;
> PCCERT_CHAIN_CONTEXT ChainContext = NULL;
> CERT_CHAIN_POLICY_PARA ChainPolicy;
> CERT_CHAIN_POLICY_STATUS PolicyStatus;
> HCERTSTORE hCertStore = NULL;
>
> // Open the current user's personal ("MY") store, where the Enrollment Agent
> // certificate and its private key live.
> hCertStore = CertOpenStore(
>     CERT_STORE_PROV_SYSTEM,
>     0,
>     NULL,
>     CERT_SYSTEM_STORE_CURRENT_USER,
>     L"MY" );
> if ( hCertStore == NULL )
> {
>     goto error;
> }
>
> // Find a certificate whose enhanced key usage includes Enrollment Agent.
> if (( pEnrollmentCert = CertFindCertificateInStore(
>     hCertStore,
>     X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
>     0,
>     CERT_FIND_ENHKEY_USAGE,
>     &stCertUsage,
>     NULL)) == NULL )
> {
>     goto error;
> }
>
> // Build the chain, requiring the Enrollment Agent usage and checking
> // revocation for every element except the root.
> ZeroMemory( &ChainPara, sizeof(ChainPara));
> ChainPara.cbSize = sizeof(ChainPara);
> ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
> ChainPara.RequestedUsage.Usage = stCertUsage;
>
> if ( !CertGetCertificateChain(
>     NULL,                 // default chain engine
>     pEnrollmentCert,
>     NULL,                 // validate against the current time
>     NULL,                 // no additional store
>     &ChainPara,
>     CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
>     NULL,
>     &ChainContext ))
> {
>     goto error;
> }
>
> if ( ChainContext->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR )
> {
>     goto error;
> }
>
> // Apply the base chain policy (trusted root, usage, validity period).
> ZeroMemory(&ChainPolicy, sizeof(ChainPolicy));
> ChainPolicy.cbSize = sizeof(ChainPolicy);
> ChainPolicy.dwFlags = CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG;
> ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
> PolicyStatus.cbSize = sizeof(PolicyStatus);
> PolicyStatus.lChainIndex = -1;
> PolicyStatus.lElementIndex = -1;
>
> // The function returns TRUE when the check could be performed; the actual
> // verdict is in PolicyStatus.dwError, so both must be tested.
> if ( !CertVerifyCertificateChainPolicy(
>     CERT_CHAIN_POLICY_BASE,
>     ChainContext,
>     &ChainPolicy,
>     &PolicyStatus) || PolicyStatus.dwError != 0 )
> {
>     goto error;
> }
>
> // Sign the request with the Enrollment Agent certificate and name the user
> // on whose behalf the request is made.
> hr = CertEnroll->SetSignerCertificate( pEnrollmentCert );
> if ( FAILED(hr) )
> {
>     goto error;
> }
>
> hr = CertEnroll->AddNameValuePairToSignatureWStr(
>     (LPWSTR) L"RequesterName",
>     (LPWSTR) L"acmecorp\\JSmith" );
> if ( FAILED(hr) )
> {
>     goto error;
> }
>
> error:
> // Release the chain and store; pEnrollmentCert is released once the request
> // has been created and submitted.
> if ( ChainContext ) CertFreeCertificateChain( ChainContext );
> if ( hCertStore ) CertCloseStore( hCertStore, 0 );
>
> --
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Fabien" <fabienpuig@yahoo.com> wrote in message
> news:%23X8kECWFEHA.2868@TK2MSFTNGP12.phx.gbl...
> > Hi,
> >
> > I have a piece of C++ submitting a certificate request to a Win2K Server set
> > as an Enterprise CA (for the moment, the little prog runs on the server).
> > Whatever the DN set in the certificate request, the resulting certificate is
> > issued to the Admin (I'm logged as Admin when running the prog).
> >
> > How can I dynamically change the context so that the request is processed as
> > one belonging to another user?
> >
> > Thanks for your help - Fabien
> >
> > PS : special thanks to Nilesh & Valery for their valuable help on other
> > topics.
>
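An added example, not code from this thread or from Microsoft: a small DER encoder and decoder for the RequesterName name/value pair that AddNameValuePairToSignatureWStr attaches to the request signature, written so that whoever audits enroll-on-behalf requests on the CA can pull the named requester back out of a stored request attribute. It assumes the pair is encoded as SEQUENCE { name BMPString, value BMPString } (the layout I understand Windows uses for enrollment name/value pairs) and handles only short-form lengths and Latin-1 characters.

```c
#include <stddef.h>
#include <string.h>
/* ASCII string -> DER BMPString (tag 0x1E, UTF-16BE); returns bytes written. */
static size_t der_bmpstring(const char *s, unsigned char *out) {
    size_t n = strlen(s), i;
    out[0] = 0x1E; out[1] = (unsigned char)(2 * n);         /* short-form length */
    for (i = 0; i < n; i++) { out[2 + 2 * i] = 0; out[3 + 2 * i] = (unsigned char)s[i]; }
    return 2 + 2 * n;
}

/* SEQUENCE { name BMPString, value BMPString } (assumed layout); returns DER length, 0 if it does not fit. */
size_t encode_name_value_pair(const char *name, const char *value, unsigned char *out, size_t cap) {
    size_t body = 4 + 2 * (strlen(name) + strlen(value)), off = 2;
    if (strlen(name) > 63 || strlen(value) > 63 || body > 127 || cap < body + 2) return 0;
    out[0] = 0x30; out[1] = (unsigned char)body;            /* SEQUENCE, short-form length */
    off += der_bmpstring(name, out + off);
    off += der_bmpstring(value, out + off);
    return off;
}

/* One BMPString -> ASCII buffer; returns bytes consumed, 0 on malformed or truncated input. */
static size_t der_read_bmpstring(const unsigned char *p, size_t len, char *buf, size_t cap) {
    size_t chars, i;
    if (len < 2 || p[0] != 0x1E || p[1] > 127 || (p[1] & 1) || (size_t)p[1] + 2 > len) return 0;
    chars = p[1] / 2;
    if (chars + 1 > cap) return 0;
    /* high byte must be zero: code points above U+00FF are rejected here */
    for (i = 0; i < chars; i++) { if (p[2 + 2 * i] != 0) return 0; buf[i] = (char)p[3 + 2 * i]; }
    buf[chars] = '\0';
    return 2 + (size_t)p[1];
}

/* Parse the pair out of a request attribute value; 1 on success, 0 on any malformation. */
int decode_name_value_pair(const unsigned char *der, size_t len, char *name, size_t ncap, char *value, size_t vcap) {
    size_t off = 2, used;
    if (len < 2 || der[0] != 0x30 || der[1] > 127 || (size_t)der[1] + 2 != len) return 0;
    if (!(used = der_read_bmpstring(der + off, len - off, name, ncap))) return 0;
    off += used;
    if (!(used = der_read_bmpstring(der + off, len - off, value, vcap))) return 0;
    return off + used == len;                               /* no trailing bytes allowed */
}

/* Round-trip the constructed pair from the thread; returns 1 when the decoded pair matches. */
int name_value_pair_selftest(void) {
    unsigned char der[128]; char n[64], v[64];
    size_t len = encode_name_value_pair("RequesterName", "acmecorp\\JSmith", der, sizeof der);
    if (len != 62 || der[0] != 0x30 || der[1] != 60 || der[2] != 0x1E || der[3] != 26) return 0;
    if (!decode_name_value_pair(der, len, n, sizeof n, v, sizeof v)) return 0;
    return strcmp(n, "RequesterName") == 0 && strcmp(v, "acmecorp\\JSmith") == 0;
}
```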