I noticed recently while being part in the development of a web-banking system, that Windows Vista and Windows Server 2008 (Longhorn) are using a different resource DLL when it comes to certificate web enrollment. From a file point of view we have CERTENROLL.DLL on Vista & Longhorn while previous versions of Windows use XENROLL.DLL. The above means that any code previously written that uses XENROLL no longer works on Vista/Longhorn clients.

It also means that the Windows 2000/2003 certificate authority web enrollment pages will not allow Vista and Longhorn clients to enroll a certificate. What you will have to do is replace your Windows 2003 CA web certificate pages with the ones from Longhorn. Those can be found in the Longhorn beta VHD provided by Microsoft. More information about this can be found here.

Here is a javascript code example on how to use CERTENROLL.

<%
‘ Certificate Enrollment Example
‘ Dimitris Giakoumakis 2007

‘ Browser detection. Use CertEnroll if Windows Longhorn/Vista
Dim sBrowser

sBrowser = Request.ServerVariables(“HTTP_USER_AGENT”)
If 0 InStr(sBrowser, “Windows NT”) Then
numChar = InStr(Mid(sBrowser, InStr(sBrowser, “Windows NT”)+11), “.”)-1
If CInt(Mid(sBrowser, InStr(sBrowser, “Windows NT”)+11,numChar)) >= 6 Then
bLongHorn = True
End If
End If

If bLongHorn = True Then
%>

// Distinguished name variables
// for more RDN keys refer to http://msdn2.microsoft.com/en-us/library/aa377051.asp
var sCN = “GR”; // Common name
var sO = “Organisation”; // Organisation name
var sOU = “OrganisationUnit”; // Organisational Unit
var sL = “Locality”; // Locality
var sS = “Attika”; // State
var sC = “GR”; // Country
var sCertificate = null;

sDistinguishedName = “c=” + sC + “;o=” + sO + “;ou=” + sOU + “;cn=” + “Dimitris Giakoumakis;”;

// Initialization of the ActiveX component
var classFactory = new ActiveXObject(“X509Enrollment.CX509EnrollmentWebClassFactory”);

// Declaration of the objects
var objEnroll = classFactory.CreateObject(“X509Enrollment.CX509Enrollment”);
var objPrivateKey = classFactory.CreateObject(“X509Enrollment.CX509PrivateKey”);
var objRequest = classFactory.CreateObject(“X509Enrollment.CX509CertificateRequestPkcs10″);
var objDN = classFactory.CreateObject(“X509Enrollment.CX500DistinguishedName”);

// Specify the name of the cryptographic provider.
objPrivateKey.ProviderName = “Microsoft Enhanced RSA and AES Cryptographic Provider”;

// X509PrivateKeyUsageFlags
// Specify a value that identifies the specific purpose for which a private key can be used.
//
// typedef enum {
// XCN_NCRYPT_ALLOW_USAGES_NONE = 0,
// XCN_NCRYPT_ALLOW_DECRYPT_FLAG = 0×1,
// XCN_NCRYPT_ALLOW_SIGNING_FLAG = 0×2,
// XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG = 0×4,
// XCN_NCRYPT_ALLOW_ALL_USAGES = 0xffffff
// } X509PrivateKeyUsageFlags;
objPrivateKey.KeySpec = “1″;

// X509ProviderType
// Specification of the cryptographic standards and algorithms
//
// typedef enum X509ProviderType {
// XCN_PROV_NONE = 0,
// XCN_PROV_RSA_FULL = 1,
// XCN_PROV_RSA_SIG = 2,
// XCN_PROV_DSS = 3,
// XCN_PROV_FORTEZZA = 4,
// XCN_PROV_MS_EXCHANGE = 5,
// XCN_PROV_SSL = 6,
// XCN_PROV_RSA_SCHANNEL = 12,
// XCN_PROV_DSS_DH = 13,
// XCN_PROV_EC_ECDSA_SIG = 14,
// XCN_PROV_EC_ECNRA_SIG = 15,
// XCN_PROV_EC_ECDSA_FULL = 16,
// XCN_PROV_EC_ECNRA_FULL = 17,
// XCN_PROV_DH_SCHANNEL = 18,
// XCN_PROV_SPYRUS_LYNKS = 20,
// XCN_PROV_RNG = 21,
// XCN_PROV_INTEL_SEC = 22,
// XCN_PROV_REPLACE_OWF = 23,
// XCN_PROV_RSA_AES = 24
// } X509ProviderType;
objPrivateKey.ProviderType = “24″;

// Initialization of the certificate request by using an IX509PrivateKey (objPravateKey)
objRequest.InitializeFromPrivateKey(1, objPrivateKey, “”);

// Initializing the X.500 distinguished name
objDN.Encode(sDistinguishedName, 0);

// Specifing the X.500 distinguished name using the Subject property of IX509CertificateRequestPkcs10
objRequest.Subject = objDN;

// Initializing the enrollment object (objEnroll) using the existing certificate request object.
objEnroll.InitializeFromRequest(objRequest);

// Retrieving the encoded certificate request object
sCertificate = objEnroll.CreateRequest(1);

document.write(sCertificate);

For more information refer to the certificate enrollment API at MSDN.

If you have any questions please feel free to post a comment.