Re: Auto certificate and key generation to pfx

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 04/21/05


Date: Thu, 21 Apr 2005 05:32:34 -0700

If you want to submit from a Windows 2000 client, you will have to use
ICertRequest. Both XP and 2003 support ICertRequest2.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Top Whitepapers:
Auto-enrollment whitepaper: 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Best Practices for implementing Windows Server 2003 PKI: 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Troubleshooting Certificate Status and Revocation whitepaper: 
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Windows Server 2003 web enrollment and troubleshooting guide: 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
"Gary" <gman@discussions.microsoft.com> wrote in message 
news:025101c543f2$4d415100$a501280a@phx.gbl...
> Hi again,
>
> So IEnroll allows creating requests and ICertRequest2
> allows submitting it to a Certificate Services server. But
> in MSDN help it says that ICertRequest2 is only available
> on Windows Server 2003. Does this mean that a client
> running say Win 2000 can call this function, but it
> actually executes on the server?
>
> Does any code need to be written by me on the server side?
>
> Thanks,
> Gary.
>
>
>>-----Original Message-----
>>Thanks, it looks like that whitepaper might have all the
>>answers.
>>
>>Gary.
>>
>>
>>>-----Original Message-----
>>>Technically speaking, CryptoAPI is not used for generating requests or
>>>enrollment, but the classes merely use CryptoAPI for certain functionality.
>>>Enrollment samples:
>>>
>>>http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dncapi/html/certenrollment.asp
>>>
>>>
>>>-- 
>>>David B. Cross [MS]
>>>--
>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>>
>>>"Gary" <gman@discussions.microsoft.com> wrote in message
>>>news:04ea01c54157$aec4a410$a501280a@phx.gbl...
>>>> Thanks for the reply. I suppose my question should have
>>>> been: is it possible to use the CryptoAPI to perform all
>>>> the tasks involved in requesting a certificate and
>>>> keypair, receiving the generated certificate and keypair,
>>>> exporting them to a pfx file and then deleting the cert
>>>> and private key off the machine?
>>>>
>>>> Regarding the certificate request:
>>>> I have found the example using the CryptoAPI to create a
>>>> certificate request (I assume you can request a new
>>>> keypair to be generated). How is this request sent to the
>>>> certificate server, and how is it returned?
>>>>
>>>> Regarding the certificate and keypair export:
>>>> As far as I know, I can use the PFXExportCertStoreEx
>>>> function to export the certificate and private key to a
>>>> pfx file. Does this function export all certificates in
>>>> the chain? How do you delete the private key?
>>>>
>>>> Thanks,
>>>> Gary.
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>No, certificate server does not return a PFX file, you would have to export
>>>>>the key pair and certificate after it had been generated and issued.
>>>>>
>>>>>-- 
>>>>>David B. Cross [MS]
>>>>>--
>>>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>>>>
>>>>>"Gary" <gman@discussions.microsoft.com> wrote in message
>>>>>news:100601c54015$25ffa910$a501280a@phx.gbl...
>>>>>> Hi,
>>>>>>
>>>>>> Is it possible to use the Crypto API and a certificate
>>>>>> server to automate the generation of a certificate and its
>>>>>> keypair, and export to a pfx file?
>>>>>>
>>>>>> For example, is it possible to pass all the information
>>>>>> such as the subject name, the type of certificate, the
>>>>>> hashing algorithm, validity period, etc in a string (or
>>>>>> equivalent) along with a private key password which would
>>>>>> then be processed by the certificate server. The cert
>>>>>> server would then return the generated cert and keypair in
>>>>>> a pfx file or just the cert in a cer file (or both formats
>>>>>> if requested)...
>>>>>>
>>>>>> Thanks,
>>>>>> Gary.
>>>>>>
>> 
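
The flow discussed in this thread (create the request on the client, submit it through ICertRequest, install the issued certificate, export key and chain to a PFX, then delete the key), as an added example that is not part of the original posts. It assumes a current Windows client: certreq.exe stands in for IEnroll and Export-PfxCertificate for PFXExportCertStoreEx, and the CA config string, subject, template attribute and paths are placeholders.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the thread.
$CaConfig   = 'ca01.example.test\Example Issuing CA'  # "host\CA name" of the CA
$Subject    = 'CN=pfx-demo.example.test'
$Attributes = 'CertificateTemplate:User'              # use '' for a standalone CA
$Work       = Join-Path $env:TEMP 'pfx-demo'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Generate the key pair and PKCS#10 request locally. The private key never
#    leaves the client; Exportable must be TRUE or the PFX export in step 4 fails.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII
certreq.exe -new "$Work\request.inf" "$Work\request.req" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 2. Submit through the ICertRequest COM interface (ProgID CertificateAuthority.Request).
$CR_IN_BASE64HEADER = 0x0; $CR_IN_PKCS10 = 0x100
$CR_OUT_BASE64HEADER = 0x0; $CR_DISP_ISSUED = 3
$req  = New-Object -ComObject CertificateAuthority.Request
$p10  = Get-Content "$Work\request.req" -Raw
$disp = $req.Submit($CR_IN_BASE64HEADER -bor $CR_IN_PKCS10, $p10, $Attributes, $CaConfig)
if ($disp -ne $CR_DISP_ISSUED) {
    throw "Request $($req.GetRequestId()) not issued (disposition $disp): $($req.GetDispositionMessage())"
}

# 3. Retrieve the issued certificate and bind it to the pending private key.
$req.GetCertificate($CR_OUT_BASE64HEADER) | Set-Content "$Work\issued.cer" -Encoding ASCII
certreq.exe -accept "$Work\issued.cer" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }
$thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
          -ArgumentList "$Work\issued.cer").Thumbprint

# 4. Export certificate, private key and the chain to a password-protected PFX.
$pw = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$thumb" -FilePath "$Work\demo.pfx" `
    -Password $pw -ChainOption BuildChain | Out-Null

# 5. Remove the certificate and its private key from the local store.
Remove-Item -Path "Cert:\CurrentUser\My\$thumb" -DeleteKey
Remove-Item "$Work\request.inf", "$Work\request.req", "$Work\issued.cer"
```

After step 5 the only remaining copy of the private key is the PFX, so its password and file permissions become the sole protection for that key.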

