Hello.

The following works for me. I won't give you the full forms since they are
in Estonian and utterly unreadable, but the idea should be clear.

First, try everything with MSIE 5. It is much more intelligent than IE4 -
understands certificate chains, shows the certs in a nice and logical way,
and just seems to work in places where IE4 gives unclear errors. If stuff
works under IE5, you are sure that your methods in general are correct 
and you can 'downgrade' to IE4 if you need. 

Newer Windows versions seem to have xenroll.dll preinstalled (I had a lot
of pain with different versions of xenroll). Be sure to use xenroll, not
cenroll3 as some old examples suggest. 

=== CREATING A REQUEST ===

<OBJECT 
     classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
     CODEBASE="xenroll.dll"
     id=xenroll>
</OBJECT>

You create the key pair and request with VBScript - this should be
called when the user has entered the data and tries to submit the form:

    ' Construct DN
        DN = "C="+country+"+O="+org+"+CN="+cn+"+EMAIL="+email
 
    ' Set the xenroll properties
        xenroll.providerType     = 1        ' Microsoft
        xenroll.providerName     = "Microsoft Base Cryptographic Provider v1.0"
        xenroll.HashAlgorithm    = "MD5"    ' or "SHA1"
        ' xenroll.KeySpec          = 2      ' AT_SIGNATURE
        xenroll.KeySpec          = 1        ' AT_KEYEXCHANGE
        ' Make your pick here :)
        ' xenroll.GenKeyFlags      = 1      ' CRYPT_EXPORTABLE 
        ' xenroll.GenKeyFlags      = 2      ' CRYPT_USER_PROTECTED
        xenroll.GenKeyFlags      = 3

    ' Create the request 
        request = xenroll.CreatePKCS10(DN, "1.3.6.1.5.5.7.3.2")
        TheForm.pkcs10Request.value = _ 
        "-----BEGIN NEW CERTIFICATE REQUEST-----" + _ 
        CHR(13) + _ 
        request + _ 
        "-----END NEW CERTIFICATE REQUEST-----"

This will give you a vanilla PEM-formatted PKCS10 request that you can 
submit and process in a CA of your choice, getting back a cert. 


=== INSTALLING THE CERTIFICATE ===

The cert must be included in another VBscript routine on the page that
installs the certificate. Like this: 

<SCRIPT LANGUAGE="VBScript">
  Sub INSTALL_OnClick
    Dim sz10
    ' Without this, a failing xenroll call stops the script with a
    ' runtime error before the err.number check below is reached
    On Error Resume Next
    sz10 = _
    "-----BEGIN CERTIFICATE-----" & _
    "MIICIjCCAYugAwIBAgICECAwDQYJKoZIhvcNAQEEBQAwOzELMAkGA1UEBhMCRUUx" & _
.. your certificate here.. 
    "whateverisinyourcertxxxLB3B+01hWzjyYqWoLpp6y3gNbIzLSnHcD59pNpho8" & _
    "8t37wrgh4g3+Hxq6Pvfm3zbY//qDnw==" & _
    "-----END CERTIFICATE-----"

    ' Remove the pending dummy request cert and write the issued cert to the CSP
    xenroll.DeleteRequestCert = TRUE
    err.clear
    xenroll.WriteCertToCSP = true
    xenroll.acceptPKCS7(sz10)
    if err.number <> 0 then
      result = MsgBox("Bad luck, error code " & err.number, 0, "Error")
    else
      result = MsgBox("You got lucky today!", 0, "")
    end if
  End Sub
</SCRIPT>

I am not very sure about all the xenroll parameters, though. The xenroll
help file (from the Microsoft website) is not very informative either.
Anyway, this works.

> I found no intelligible description of this stuff apart from examples.
SSLeay examples are totally outdated. OpenCA does not support IE yet
(I think?). Does pyCA? 

I found that all kinds of strange errors disappeared after I upgraded
to IE5 and Win98. Try this, and my code snippets, and see what happens?

Kaur
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
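
Added example, not part of the original post: a CA-side check in Python that takes the pkcs10Request form value produced by the request script above, strips the "NEW CERTIFICATE REQUEST" armor and CR/LF, and reports whether the request was signed with MD5 or SHA1 (the two HashAlgorithm choices shown). The function names are hypothetical, the sample request is constructed with a dummy key and signature, and the code reads only the signatureAlgorithm field; it does not verify the signature.

```python
import base64
import re

# DER content bytes of the signatureAlgorithm OIDs matching HashAlgorithm "MD5" / "SHA1".
SIG_ALGS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
}
# Accepts both the "NEW CERTIFICATE REQUEST" armor used above and the plain form.
ARMOR = re.compile(r"-----BEGIN ((?:NEW )?)CERTIFICATE REQUEST-----(.*?)"
                   r"-----END \1CERTIFICATE REQUEST-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def csr_signature_algorithm(form_value):
    """Name the signature algorithm of the PKCS#10 request in a submitted form field."""
    m = ARMOR.search(form_value)
    if not m:
        raise ValueError("no PKCS#10 PEM armor found")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)  # drops CR/LF
    tag, outer, end = read_tlv(der, 0)       # CertificationRequest
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    _, _, pos = read_tlv(outer, 0)           # skip certificationRequestInfo
    tag, alg, _ = read_tlv(outer, pos)       # signatureAlgorithm
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return SIG_ALGS.get(oid, "unknown:" + oid.hex())

def constructed_sample(oid_hex):
    """Constructed test input: a structurally valid request with dummy key and signature."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA0, b""))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    csr = tlv(0x30, info + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))
    b64 = base64.b64encode(csr).decode() + "\r\n"
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\r" + b64 +
            "-----END NEW CERTIFICATE REQUEST-----")
```

A CA front end can call csr_signature_algorithm() on each submission and refuse or flag anything other than the algorithms its policy allows before the request reaches the signing step.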