Victor B. Wagner wrote:
| On 2005.01.13 at 13:55:37 +0100, Dr. Stephen Henson wrote:
|
|>It doesn't. You can do that of course but the preferred technique is the same
|>as every other environment: create a private key on the Microsoft box, sign a
|>request with it, send request to the CA and install the resulting certificate.
|>
|>For MSIE you can use Xenroll for that.
| BTW, it is not clear for me how to create DSA certificates from xenroll.
| (really I do need GOST94 certificates, not DSA)

You can use this kind of script for IE:

<HTML>
<HEAD>
<TITLE>VBScript Certificate Enrollment Control Sample</TITLE>
<OBJECT
    classid="clsid:127698E4-E730-4E5C-A2b1-21490A70C8A1"
    codebase="xenroll.dll"
    id=Enroll >
</OBJECT>
<OBJECT
    classid="clsid:98AFF3F0-5524-11D0-8812-00A0C903B83C"
    codebase="certcli.dll"
    id=Request >
</OBJECT>
<BR>
Certificate Enrollment Control Request Sample
<BR>
<BR>

<SCRIPT language="VBScript">
<!--
' Declare the distinguished name variable.
Dim strDN

' Declare the request variable.
Dim strReq

' Declare a local variable for request disposition.
Dim nDisp

' Enable error handling.
On Error Resume Next

' Declare consts used by CertRequest object.
const CR_IN_BASE64 = &H1
const CR_IN_PKCS10 = &H100

' Build the DN.
strDN = "CN=UserName" _
      & ",OU=UserUnit" _
      & ",O=UserOrg" _
      & ",L=UserCity" _
      & ",S=WA" _
      & ",C=US"

' Attempt to use the control, in this case, to create a PKCS #10.
MsgBox("Creating PKCS #10 " & strDN)
strReq = Enroll.createPKCS10( strDN, "1.3.6.1.4.1.311.2.1.21")
' If above line failed, Err.Number will not be 0.
if ( Err.Number <> 0 ) then
    MsgBox("Error in call to createPKCS10 " & Err.Number)
    err.clear
else
    MsgBox("Submitting request " & strReq)
    nDisp = Request.Submit( CR_IN_BASE64 OR CR_IN_PKCS10, _
                            strReq, _
                            "", _
                            "Machine\CertAuth")
    ' If the preceding line failed, Err.Number will not be 0.
    if ( Err.Number <> 0 ) then
        MsgBox("Error in Request Submit " & Err.Number)
        err.clear
    else
        MsgBox("Submitted certificate; disposition = " & nDisp)
    end if

end if
-->
</SCRIPT>
<BR>
</HEAD>
</HTML>

AFAIK for GOST certificates you should use OID 1.2.643.2.2.4 for algorithm.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
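
A CA-side check that fits the exchange above, as an added example that is not part of the original post: it reads a base64 PKCS #10 of the kind createPKCS10 returns and reports the public-key and signature algorithm OIDs, so a request can be compared against the OID named in the post before it is signed. The function names, the OIDs other than 1.2.643.2.2.4 and the two sample requests are assumptions of this example; the samples are constructed skeletons with dummy key and signature bits.

```python
import base64

GOST94_SIG_OID = "1.2.643.2.2.4"  # the OID named in the post above

def read_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        items.append((tag, body))
    return items

def oid_of(alg_id):
    """Dotted OID that opens an AlgorithmIdentifier (single-byte first arc pair)."""
    body = children(alg_id)[0][1]
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def request_algorithms(b64_request):
    """Return (public_key_oid, signature_oid) of a base64 PKCS #10 request."""
    info, sig_alg, _sig = children(read_tlv(base64.b64decode(b64_request))[1])
    spki = children(info[1])[2][1]  # version, subject, subjectPKInfo, attributes
    return oid_of(children(spki)[0][1]), oid_of(sig_alg[1])

# Constructed samples: PKCS #10 skeletons, empty subject, dummy key/signature bits.
SAMPLE_GOST94 = base64.b64encode(bytes.fromhex(
    "302b 3019 020100 3000 3010 300a06062a85030202140500 03020001 a000"
    "300a06062a85030202040500 03020002")).decode()
SAMPLE_RSA = base64.b64encode(bytes.fromhex(
    "3031 301c 020100 3000 3013 300d06092a864886f70d0101010500 03020001 a000"
    "300d06092a864886f70d0101050500 03020002")).decode()
```

Comparing `request_algorithms(req)[1]` with `GOST94_SIG_OID` tells an RSA request from a GOST94 one without trusting what the browser page claims to have asked for.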