Programmatic smartcard logon certificate renewal on behalf of...
- From: ps <ps@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 28 Apr 2008 07:59:03 -0700
Hello everyone,
Apologies for the double post, and the premature decision to put this
question on microsoft.public.security.crypto first (I've since found articles
on MSDN mentioning this as the go-to newsgroup for these questions)...
I am having the following problem:
Consider an application for domain administrators, that allows them to
manage smartcards, assign them to domain users and request smartcard logon
certificates on behalf of those users. Most of this functionality uses the
IEnroll API automatically wrapped by visual studio in an interop assembly.
All works fine, until the time comes to renew those certificates. Based on
the MSDN Article "Creating Certificate Requests Using the Certificate
Enrollment Control and CryptoAPI", "Creating a renewal request" topic
(http://msdn2.microsoft.com/en-us/library/ms867026.aspx#certenroll_topic8),
I've created a certificate renewal request, let's say for a user called
DEV\e. The currently logged on user is DEV\administrator. Once I submit the
renewal request to the CA, it gets accepted and issued. The certificate that
gets issued though, is not for the user DEV\e but for the user
DEV\administrator.
The certificate renewal request is created using the IEnroll4 interface
(I've omitted the error handling/initialization code for the sake of brevity):
IEnroll4* enroll = NULL;
CoCreateInstance(CLSID_CEnroll, NULL, CLSCTX_INPROC_SERVER, IID_IEnroll4,
(void **) &enroll);
CryptAcquireContext(&cryptoProvider, NULL, "provider name", PROV_RSA_FULL,
contextFlags);
CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, cryptoProvider,
CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
certificate = CertFindCertificateInStore(certStore, X509_ASN_ENCODING |
PKCS_7_ASN_ENCODING, 0, CERT_FIND_ENHKEY_USAGE, &enhancedKeyUsage, NULL);
CertGetCertificateContextProperty(certificate, CERT_KEY_PROV_INFO_PROP_ID,
NULL, &providerInfoSize);
CertGetCertificateContextProperty(certificate, CERT_KEY_PROV_INFO_PROP_ID,
providerInfo, &providerInfoSize);
enroll->AddCertTypeToRequestWStr(templateFriendlyName);
enroll->put_RenewalCertificate(certificate);
enroll->put_UseExistingKeySet(useExistingKeySet);
enroll->put_ProviderNameWStr(providerInfo->pwszProvName);
enroll->put_ContainerNameWStr(providerInfo->pwszContainerName)
enroll->put_KeySpec(providerInfo->dwKeySpec);
enroll->put_ProviderType(PROV_RSA_FULL);
enroll->put_EnableSMIMECapabilities(TRUE);
enroll->createRequestWStr(XECR_CMC, NULL, L"", &requestBlob);
enroll->binaryBlobToString(CRYPT_STRING_BASE64REQUESTHEADER, &requestBlob,
&requestString);
requestString now contains the base64 encoded request. This string gets
returned to .NET code and submitted to the CA using the auto generated
wrapper for ICertRequest2. As mentioned above, the certificate gets issued
with no error message, only for the wrong user.
Is there something I'm missing? Is it even possible to request renewal
certificates on behalf of a different user this way? I can also post the
certutil.exe dumped request, but it is rather long...
Thanks in advance for any help or hints!
--
PS
.
- Follow-Ups:
- RE: Programmatic smartcard logon certificate renewal on behalf of...
- From: Mounir IDRASSI
- RE: Programmatic smartcard logon certificate renewal on behalf of...
- Prev by Date: Programmatic Access to LogOn Dialog
- Next by Date: RE: Programmatic Access to LogOn Dialog
- Previous by thread: Programmatic Access to LogOn Dialog
- Next by thread: RE: Programmatic smartcard logon certificate renewal on behalf of...
- Index(es):
Relevant Pages
|
