I noticed recently while being part in the development of a web-banking system, that Windows Vista and Windows Server 2008 (Longhorn) are using a different resource DLL when it comes to certificate web enrollment. From a file point of view we have CERTENROLL.DLL on Vista & Longhorn while previous versions of Windows use XENROLL.DLL. The above means that any code previously written that uses XENROLL no longer works on Vista/Longhorn clients.
It also means that the Windows 2000/2003 certificate authority web enrollment pages will not allow Vista and Longhorn clients to enroll a certificate. What you will have to do is replace your Windows 2003 CA web certificate pages with the ones from Longhorn. Those can be found in the Longhorn beta VHD provided by Microsoft. More information about this can be found here.
Here is a javascript code example on how to use CERTENROLL.
<%
‘ Certificate Enrollment Example
‘ Dimitris Giakoumakis 2007
‘ Browser detection. Use CertEnroll if Windows Longhorn/Vista
Dim sBrowser
sBrowser = Request.ServerVariables(”HTTP_USER_AGENT”)
If 0 InStr(sBrowser, “Windows NT”) Then
numChar = InStr(Mid(sBrowser, InStr(sBrowser, “Windows NT”)+11), “.”)-1
If CInt(Mid(sBrowser, InStr(sBrowser, “Windows NT”)+11,numChar)) >= 6 Then
bLongHorn = True
End If
End If
If bLongHorn = True Then
%>
// Distinguished name variables
// for more RDN keys refer to http://msdn2.microsoft.com/en-us/library/aa377051.asp
var sCN = “GR”; // Common name
var sO = “Organisation”; // Organisation name
var sOU = “OrganisationUnit”; // Organisational Unit
var sL = “Locality”; // Locality
var sS = “Attika”; // State
var sC = “GR”; // Country
var sCertificate = null;
sDistinguishedName = “c=” + sC + “;o=” + sO + “;ou=” + sOU + “;cn=” + “Dimitris Giakoumakis;”;
// Initialization of the ActiveX component
var classFactory = new ActiveXObject(”X509Enrollment.CX509EnrollmentWebClassFactory”);
// Declaration of the objects
var objEnroll = classFactory.CreateObject(”X509Enrollment.CX509Enrollment”);
var objPrivateKey = classFactory.CreateObject(”X509Enrollment.CX509PrivateKey”);
var objRequest = classFactory.CreateObject(”X509Enrollment.CX509CertificateRequestPkcs10″);
var objDN = classFactory.CreateObject(”X509Enrollment.CX500DistinguishedName”);
// Specify the name of the cryptographic provider.
objPrivateKey.ProviderName = “Microsoft Enhanced RSA and AES Cryptographic Provider”;
// X509PrivateKeyUsageFlags
// Specify a value that identifies the specific purpose for which a private key can be used.
//
// typedef enum {
// XCN_NCRYPT_ALLOW_USAGES_NONE = 0,
// XCN_NCRYPT_ALLOW_DECRYPT_FLAG = 0×1,
// XCN_NCRYPT_ALLOW_SIGNING_FLAG = 0×2,
// XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG = 0×4,
// XCN_NCRYPT_ALLOW_ALL_USAGES = 0xffffff
// } X509PrivateKeyUsageFlags;
objPrivateKey.KeySpec = “1″;
// X509ProviderType
// Specification of the cryptographic standards and algorithms
//
// typedef enum X509ProviderType {
// XCN_PROV_NONE = 0,
// XCN_PROV_RSA_FULL = 1,
// XCN_PROV_RSA_SIG = 2,
// XCN_PROV_DSS = 3,
// XCN_PROV_FORTEZZA = 4,
// XCN_PROV_MS_EXCHANGE = 5,
// XCN_PROV_SSL = 6,
// XCN_PROV_RSA_SCHANNEL = 12,
// XCN_PROV_DSS_DH = 13,
// XCN_PROV_EC_ECDSA_SIG = 14,
// XCN_PROV_EC_ECNRA_SIG = 15,
// XCN_PROV_EC_ECDSA_FULL = 16,
// XCN_PROV_EC_ECNRA_FULL = 17,
// XCN_PROV_DH_SCHANNEL = 18,
// XCN_PROV_SPYRUS_LYNKS = 20,
// XCN_PROV_RNG = 21,
// XCN_PROV_INTEL_SEC = 22,
// XCN_PROV_REPLACE_OWF = 23,
// XCN_PROV_RSA_AES = 24
// } X509ProviderType;
objPrivateKey.ProviderType = “24″;
// Initialization of the certificate request by using an IX509PrivateKey (objPravateKey)
objRequest.InitializeFromPrivateKey(1, objPrivateKey, “”);
// Initializing the X.500 distinguished name
objDN.Encode(sDistinguishedName, 0);
// Specifing the X.500 distinguished name using the Subject property of IX509CertificateRequestPkcs10
objRequest.Subject = objDN;
// Initializing the enrollment object (objEnroll) using the existing certificate request object.
objEnroll.InitializeFromRequest(objRequest);
// Retrieving the encoded certificate request object
sCertificate = objEnroll.CreateRequest(1);
document.write(sCertificate);
For more information refer to the certificate enrollment API at MSDN.
If you have any questions please feel free to post a comment.
Filed under: Web Development | 2 Comments
Tags: ASP, CERTENROLL, Certificate, Enrollment, Javascript, Server, Vista Longhorn
Search
-
You are currently browsing the About stuff weblog archives.
I was looking for this code and trying to write it for ages. Yours worked first time. Still having problems getting it to install but 99% there. Thanks a million.
Hi,
I am a newbie to this. Can you please advice where i put this code snippet? I have some certificates which ran on my 2003 server. I am now upgrading to longhorn. the certificates are not available. so please advice what i need to do.