RE: Programmatic smartcard logon certificate renewal on behalf of.

Hey,
thanks for the reply!

I am using the first certificate in the store, but the certificate store is
not the computer store, but the smartcard store. The smartcard (and the
certificate on it) belongs to the DEV\e user. For this sample we assume there
is only one certificate there, the one to be renewed. I can verify in the
debugger, that the certificate used in the put_RenewalCertificate method is
the correct one.
--
PS


"Mounir IDRASSI" wrote:

Hi,

By reading your code, it appears clearly that you are using the first
certificate you find on the store "MY". Since you are logged as
DEV\administrator, this certificate logically belongs to him.
If you want to renew the certificate of the user DEV\e, you must to find his
certificate explicitly by looping on the function CertFindCertificateInStore
and stopping on the one that belongs to this user (for example, you can use
the property CERT_FRIENDLY_NAME_PROP_ID for that purpose).
Of course, in order for the to work, you must have the smart card of the
user inserted in the administrator machine and his certificate loaded into
the "MY" store using the appropriate tool.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


"ps" wrote:

Hello everyone,
Apologies for the double post, and the premature decision to put this
question on microsoft.public.security.crypto first (I've since found articles
on MSDN mentioning this as the go-to newsgroup for these questions)...

I am having the following problem:
Consider an application for domain administrators, that allows them to
manage smartcards, assign them to domain users and request smartcard logon
certificates on behalf of those users. Most of this functionality uses the
IEnroll API automatically wrapped by visual studio in an interop assembly.

All works fine, until the time comes to renew those certificates. Based on
the MSDN Article "Creating Certificate Requests Using the Certificate
Enrollment Control and CryptoAPI", "Creating a renewal request" topic
(http://msdn2.microsoft.com/en-us/library/ms867026.aspx#certenroll_topic8),
I've created a certificate renewal request, let's say for a user called
DEV\e. The currently logged on user is DEV\administrator. Once I submit the
renewal request to the CA, it gets accepted and issued. The certificate that
gets issued though, is not for the user DEV\e but for the user
DEV\administrator.

The certificate renewal request is created using the IEnroll4 interface
(I've omitted the error handling/initialization code for the sake of brevity):

IEnroll4* enroll = NULL;
CoCreateInstance(CLSID_CEnroll, NULL, CLSCTX_INPROC_SERVER, IID_IEnroll4,
(void **) &enroll);
CryptAcquireContext(&cryptoProvider, NULL, "provider name", PROV_RSA_FULL,
contextFlags);
CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, cryptoProvider,
CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
certificate = CertFindCertificateInStore(certStore, X509_ASN_ENCODING |
PKCS_7_ASN_ENCODING, 0, CERT_FIND_ENHKEY_USAGE, &enhancedKeyUsage, NULL);
CertGetCertificateContextProperty(certificate, CERT_KEY_PROV_INFO_PROP_ID,
NULL, &providerInfoSize);
CertGetCertificateContextProperty(certificate, CERT_KEY_PROV_INFO_PROP_ID,
providerInfo, &providerInfoSize);
enroll->AddCertTypeToRequestWStr(templateFriendlyName);
enroll->put_RenewalCertificate(certificate);
enroll->put_UseExistingKeySet(useExistingKeySet);
enroll->put_ProviderNameWStr(providerInfo->pwszProvName);
enroll->put_ContainerNameWStr(providerInfo->pwszContainerName)
enroll->put_KeySpec(providerInfo->dwKeySpec);
enroll->put_ProviderType(PROV_RSA_FULL);
enroll->put_EnableSMIMECapabilities(TRUE);
enroll->createRequestWStr(XECR_CMC, NULL, L"", &requestBlob);

enroll->binaryBlobToString(CRYPT_STRING_BASE64REQUESTHEADER, &requestBlob,
&requestString);

requestString now contains the base64 encoded request. This string gets
returned to .NET code and submitted to the CA using the auto generated
wrapper for ICertRequest2. As mentioned above, the certificate gets issued
with no error message, only for the wrong user.
Is there something I'm missing? Is it even possible to request renewal
certificates on behalf of a different user this way? I can also post the
certutil.exe dumped request, but it is rather long...

Thanks in advance for any help or hints!

--
PS
.

Relevant Pages

  • Re: acceptPKCS7 do not work.
    ... When request is generated, a dummy certificate is created in the "Request" ... are trying to install) is searched in the store and the KEY_PROV_INFO ...
    (microsoft.public.platformsdk.security)
  • Re: Use Windows 2003 CA to create a web server certificate with alternative DNS names
    ... According to the MS recommendation we updated the website of our CA to use the website files from longhorn. ... There is also nothing there to store the local key. ... Advanced Certificate Request ... The policy of the CA determines the types of certificates you can request. ...
    (microsoft.public.windows.server.security)
  • Re: Computer and User Certificates Issues
    ... Enrollment of User Certificates using the custom v2 User Certificate Template ... I can NOT request the custom v2 Computer Cert nor the included v1 no ... Concerning permissions, these are the exact permissions I am using now: ...
    (microsoft.public.security)
  • Re: Cannot request computer certificate.
    ... request a computer certificate for about 9 months. ... and verify that you can get a computer/server certificate from it. ... List of NetBt transports currently bound to the Redir ... DNS Host Name: srvr3.domain.com ...
    (microsoft.public.windows.server.security)
  • RE: SIMple SSL question ??
    ... OK - i would also delete a cert request file lying around. ... But a certificate is a pub key + extra info. ... That said - if someone compromises the server he will also find a way to retrieve the private key. ... traffic between the initial web server and the client. ...
    (microsoft.public.dotnet.security)