Steve,

> OK since Xenroll is the most secure way to give individuals certificates
> I'll stick to that problem.
>
> Can you outline what you've done?
>
> Normally you do something like this.
>
> 1. Generate a PKCS#10 request with Xenroll. Set the KeySpec to 1 and
> GenKeyFlags to 3.
> 2. Add BEGIN and END lines to it and get OpenSSL to sign the request.
> 3. Use crl2pkcs7 to generate a PKCS#7 file with the user certificate in.
> 4. strip off the begin and end lines and stuff the result into
> acceptPKCS7.

1. I have generated PKCS#10 with xenroll,
2. I have generated a PKCS#7 chain
3. I have sent the PKCS#7 chain back as base64
4. I called acceptPKCS7 on it and that fails with Error Number -2146881532

> IE 4.0 BTW is pretty horrible when it comes to certificates and in
> particular PKCS#12 files: it rejects perfectly valid files because they
> don't fit in with its very narrow version of the spec. IE 5.0 is much
> better.

See, this is the kind of stuff I'm interested in. What are the known
problems, and how does one fix or work around them? Looking at the
OpenSSL options I have recognized that there are some tricks needed
to deal with MSIE, it even goes as far as requiring a broken DER
encoding to make things work. It would be nice to know these things.

I have to live with pretty tight constraints. I may even have to
support IE3, I should not require our folks to upgrade to IE5.

There is a chance that the certificate I produce is not good for
MSIE (even though it works for Netscape.) If I knew what is wrong
I'd fix it. So even an interpretation of this dumb error number
-2146881532 would help me a lot.

Meanwhile I'll do some more of this stupid trial-and-error type of
debugging :-(

thanks
-Gunther

--
Gunther_Schadow-------------------------------http://aurora.rg.iupui.edu
Regenstrief Institute for Health Care
1050 Wishard Blvd., Indianapolis IN 46202, Phone: (317) 630 7960
[EMAIL PROTECTED]#include <usual/disclaimer>
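The CA-side part of the four-step procedure quoted in the message above (steps 2 to 4), as an added example that is not part of the original message or of OpenSSL's own documentation. It assumes a throwaway CA created on the spot and uses an `openssl req` request with its armor stripped as a constructed stand-in for the bare base64 that Xenroll returns; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: CA-side handling of steps 2-4 from the quoted procedure.
# Constructed stand-ins: a throwaway CA and an `openssl req` request whose
# armor is stripped to imitate the bare base64 Xenroll hands back.
set -e

# Step 2: add BEGIN/END lines (and 64-column wrapping) around bare base64.
wrap_pem() {    # $1 = PEM label, stdin = bare base64
    echo "-----BEGIN $1-----"
    tr -d ' \r\n' | fold -w 64
    echo
    echo "-----END $1-----"
}

# Step 4: drop the BEGIN/END lines and line breaks before acceptPKCS7.
strip_armor() {
    grep -v '^-----' | tr -d '\r\n'
}

build_chain() { # $1 = scratch directory; prints the blob for acceptPKCS7
    d=$1
    # Constructed test CA (assumption: any CA key/cert pair works here).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Constructed stand-in for the Xenroll PKCS#10 output.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example User" \
        -keyout "$d/user.key" -out "$d/tmp.pem" 2>/dev/null
    strip_armor < "$d/tmp.pem" > "$d/xenroll.b64"

    # Step 2: re-armor the request and sign it.
    wrap_pem "CERTIFICATE REQUEST" < "$d/xenroll.b64" > "$d/req.pem"
    openssl x509 -req -in "$d/req.pem" -days 30 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/user.pem" 2>/dev/null
    # Step 3: certs-only PKCS#7 holding the user cert and the CA cert.
    openssl crl2pkcs7 -nocrl -certfile "$d/user.pem" \
        -certfile "$d/ca.pem" -out "$d/chain.p7b"
    # Step 4: bare base64, ready to hand to acceptPKCS7.
    strip_armor < "$d/chain.p7b"
}

# Subjects found in a bare-base64 PKCS#7 blob read from stdin.
list_subjects() {
    wrap_pem PKCS7 | openssl pkcs7 -print_certs -noout
}
```

Piping the blob through `list_subjects` before sending it to the browser confirms that it parses as PKCS#7 and contains the certificates you expect; it does not by itself explain a failure inside acceptPKCS7.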