Re: How do we get the private key to do digital signature?



<antonyliu2002@xxxxxxxxx> wrote in message
news:1176169462.328707.197090@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Apr 9, 8:26 pm, "Mitch Gallant" <jensig...@xxxxxxxxxxxxxxxx> wrote:

Yes, but read the default settings on SetClientCertificate in the docs
there.
If IE finds more than one valid cert (for SSL authentication purposes) it
pops a dialog.
You will need to pop a dialog on your client, or else code searching his
MY certs store for one with the necessary client-authentication attributes
and, if more than one, pop a vb dialog on them.
You have some more coding to do to achieve what IE does.
- Mitch-

The popup dialog shown at the following URL

http://farm1.static.flickr.com/167/442962234_ab4a756b8c_o.png

is exactly on the client side with IE. So, I think you are suggesting
that I do

(1) initiate the https request from vbs like in the example you showed
as follows:

' Open an HTTP connection.
HttpReq.Open "GET", "https://somesecureurl/", False

This will presumably prevent IE from popping up the dialog box.

(2) then in my vbs code, I search the key store, and find the
corresponding client certificate and submit it. Well, since the user
will enter his email on my login page, and the certificate contains
user email address, I should be able to locate client cert given this
info.

In other words, your suggestion is that we select the client cert
*for* the end user from the given subject info (such as the email
address), and the end user is not given the option to select his
cert. This way, we don't have to worry about polling the IE popup
dialog box, which you say is impossible.

Am I getting your idea?

Yes that is roughly what I was thinking.
If IE directly makes the SSL request (which you don't want because you can't
intercept the certificate dialog) then it pops up its own cert-selection
dialog.
If your vbs makes the SSL GET request, then you have full control of popping
a custom user cert selection or, as discussed above, you can find the cert
for the client (since it should be simple in most cases). Then, within vbs
you can access the associated private key and sign anything you wish like
so:
http://www.jensign.com/JavaScience/www/wsh/capicom/clientsign
(note that this page uses a Java applet for MS JVM to access local file
system so that part might not work but signing any field or the entire web
html page will work).

- Mitch
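The procedure the two posts converge on (vbs opens the HTTPS request itself, picks the client cert out of the user's MY store by e-mail address and client-authentication EKU, falls back to a dialog only when several match, then signs with the matching private key) written out as one script. This is an added example, not code from either poster or from the jensign.com page. It assumes CAPICOM and WinHTTP 5.1 are registered on the client; the URL, the e-mail address and the text being signed are placeholders, and the CAPICOM constant values are spelled out because plain .vbs files cannot reference a type library.

```vbscript
' Added example: select a client certificate by e-mail + Client Authentication
' EKU, use it for the TLS request, and sign a string with its private key.
Option Explicit

' CAPICOM enumeration values (from the capicom.dll type library)
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_CERTIFICATE_FIND_APPLICATION_POLICY = 7
Const CAPICOM_CERTIFICATE_FIND_TIME_VALID = 9
Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME = 0
Const CAPICOM_CERT_INFO_SUBJECT_EMAIL_NAME = 2
Const CAPICOM_ENCODE_BASE64 = 0
Const OID_CLIENT_AUTHENTICATION = "1.3.6.1.5.5.7.3.2"

' Returns the user's client-auth certificate for emailAddress, or Nothing.
' Only time-valid certs with the Client Authentication EKU and an accessible
' private key are considered; if several still match, the user is asked.
Function FindClientCert(emailAddress)
    Dim store, candidates, cert, matchCount, chosen
    Set FindClientCert = Nothing
    matchCount = 0

    Set store = CreateObject("CAPICOM.Store")
    store.Open CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY

    ' Each Find returns a new, narrower Certificates collection.
    Set candidates = store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_TIME_VALID)
    Set candidates = candidates.Find(CAPICOM_CERTIFICATE_FIND_APPLICATION_POLICY, _
                                     OID_CLIENT_AUTHENTICATION)

    For Each cert In candidates
        If cert.HasPrivateKey() Then
            If LCase(cert.GetInfo(CAPICOM_CERT_INFO_SUBJECT_EMAIL_NAME)) = LCase(emailAddress) Then
                matchCount = matchCount + 1
                Set FindClientCert = cert
            End If
        End If
    Next

    ' More than one usable cert: let the user pick, the way IE would.
    If matchCount > 1 Then
        Set chosen = candidates.Select("Choose your certificate", _
                                       "Several certificates match " & emailAddress, False)
        If chosen.Count = 1 Then
            Set FindClientCert = chosen.Item(1)
        Else
            Set FindClientCert = Nothing
        End If
    End If
End Function

' Issues the HTTPS GET from script (so IE never shows its own dialog) and
' tells WinHTTP which client cert to present. The location string is
' <store location>\<store name>\<subject display name>; WinHTTP matches the
' last part against the certificate's simple subject name.
Function FetchWithClientCert(url, cert)
    Dim req
    Set req = CreateObject("WinHttp.WinHttpRequest.5.1")
    req.Open "GET", url, False
    req.SetClientCertificate "CURRENT_USER\MY\" & _
        cert.GetInfo(CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME)
    req.Send
    FetchWithClientCert = req.Status
End Function

' Produces a detached, base64-encoded PKCS#7 signature over text using the
' private key bound to cert; the server verifies it against the same cert.
Function SignText(text, cert)
    Dim signer, signedData
    Set signer = CreateObject("CAPICOM.Signer")
    signer.Certificate = cert
    Set signedData = CreateObject("CAPICOM.SignedData")
    signedData.Content = text
    SignText = signedData.Sign(signer, True, CAPICOM_ENCODE_BASE64)
End Function

' --- usage (placeholder values) ---
Dim userCert
Set userCert = FindClientCert("user@example.invalid")
If userCert Is Nothing Then
    WScript.Echo "No usable client-authentication certificate found."
    WScript.Quit 1
End If
WScript.Echo "HTTP status: " & FetchWithClientCert("https://somesecureurl/", userCert)
WScript.Echo SignText("field value to sign", userCert)
```

Two checks in FindClientCert matter for the defender: filtering on the Client Authentication EKU and validity period before the e-mail comparison, so an expired or encryption-only cert that happens to carry the same address is never offered, and testing HasPrivateKey, since the MY store can hold certificates whose key lives on a smart card that is not inserted or was never imported.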
