
How to import a certificate into IE?


markl...@yahoodotcom.com

Feb 28, 2003, 12:38:20 AM
I am writing a CA.

At this point, my CA is able to get the PKCS10 request from the client
(IE) and generate an X509 certificate.

I want to return the certificate to the browser and let the human user
click "install" to import it into IE.

I have made an attempt to achieve this feature, but it did not work.

What I did is as follows:

1. On the CA server side, I Base64-encode the certificate, which results
in a string, and add

-----BEGIN CERTIFICATE-----

before the string and

-----END CERTIFICATE-----

after the string. Question: is this the right way to get the certificate
PEM-encoded?

2. I return the PEM-encoded certificate to a hidden form in an HTML (or ASP
or JSP) file.

3. Then a fragment of VBScript code tries to convert the PEM-encoded
certificate to a PKCS7 certificate and import it into the browser. It did
not work.

The fragment of VBScript was passed to me by my friend, Mark. I am not
sure how the PEM-encoded certificate is converted to PKCS7. The source
code and sample screen snapshots are available at
http://www.geocities.com/markliu1989/ .

I believe you guys can give me a little bit of a hint. I really need your
help. I got stuck at this point and cannot proceed with my project.

Thanks in advance.

Mark


Michel Gallant (MVP)

Feb 28, 2003, 9:58:14 AM
Why use PEM at all (that format is a bit dated)?
You can simply use X509 format certificate (either b64 DER or bin DER) and
deploy it from the server directly as a .cer file extension.
Any IE client will recognize that extension, via:
rundll32.exe cryptext.dll,CryptExtOpenCER %1
and present the install dialog.

You can do the same thing, as a hidden form-field, if you want to wrap the
cert into a web page, but why do that? Having the certs directly accessed
makes it easier to maintain, if you have a more complex web application infrastructure.

Cheers,
- Michel Gallant
http://pages.istar.ca/~neutron


<markl...@yahoodotcom.com> wrote in message news:b3mskc$aib$1...@news.state.mn.us...

markl...@yahoodotcom.com

Feb 28, 2003, 10:20:03 AM
That is cool. Actually, I don't care how the certificate is going to be
deployed, I just want the client's certificate to be installed in his/her
IE browser. So, the strategy you described should also be fine with me.

However, I don't understand this strategy.

Question 1: How to deploy the certificate from the CA server as a .cer
file?

Question 2: What code do we need to have IE client recognize that
extension and present the install dialog?

Please continue educating. Thanks.

Michel Gallant (MVP)

Feb 28, 2003, 10:43:44 AM
I was referring to the *built-in* capability of Win95 to XP to
automatically raise the certificate install dialog whenever a file
or link in a web page (or simply a URL) with a .cer file is presented.
Here is a simple example:
http://www3.sympatico.ca/mitchg/dotnet/
The bottom link on that page is a standard (X509 format) .cer file, placed
on a public web server (could be any server).
The end user does not have to configure their client. The Win OS has
built-in file association (as stated below) which automatically presents
the certificate import dialog box. (you may get an initial download
security warning before the Cert-import dialog appears).

If you have the .cer file on your desktop and dbl-click it, you raise
exactly the same cert-import dialog.

- Mitch

<markl...@yahoodotcom.com> wrote in message news:b3nun3$ipj$1...@news.state.mn.us...

markl...@yahoodotcom.com

Feb 28, 2003, 10:58:17 AM
OK, I got a little bit of a taste of it. But then, if the client uses
Netscape Navigator, what shall we do in order to have the client import
his certificate into NN?

Michel Gallant (MVP)

Feb 28, 2003, 11:06:03 AM
If you want the import dialog to work with both IE and Netscape, then
the web server will need to configure its mime-type mapping for
serving files of type .cer, .crt, .der ---> application/x-x509-ca-cert

You can see from tables in this link that IIS5 does this already:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/maintain/featusability/mimeiis.asp

- Mitch

<markl...@yahoodotcom.com> wrote in message news:b3o0up$ipj$2...@news.state.mn.us...

markl...@yahoodotcom.com

Feb 28, 2003, 11:25:02 AM
That sounds cool. I am using Tomcat 4.1.12 as the web server for my
project. Any idea about how to configure it for
application/x-x509-ca-cert?

Michel Gallant (MVP)

Feb 28, 2003, 11:53:06 AM
Look in the <installdir>\conf\web.xml file.
Just quickly checking there (Tomcat 4), I see the entry:

<mime-mapping>
<extension>cer</extension>
<mime-type>application/x-x509-ca-cert</mime-type>
</mime-mapping>

so you should be OK TO GO ("Contact") by default.

- Mitch

<markl...@yahoodotcom.com> wrote in message news:b3o2gu$ipj$3...@news.state.mn.us...
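
The two certificate encodings discussed in this thread (PEM armor versus raw DER) and the MIME mapping quoted for .cer, .crt and .der files, as an added Python example that is not part of the original posts or of anyone's CA code. PEM text conventionally wraps the Base64 body at 64 characters per line (RFC 7468); the function names and the SAMPLE_DER placeholder bytes are assumptions made for illustration.

```python
import base64
import os
import re

# MIME type the thread gives for .cer, .crt and .der files.
CERT_MIME = "application/x-x509-ca-cert"
CERT_EXTENSIONS = {"cer", "crt", "der"}
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_PEM_RE = re.compile(BEGIN.encode() + rb"(.*?)" + END.encode(), re.DOTALL)


def to_der(data: bytes) -> bytes:
    """Accept a PEM-armored or raw DER certificate and return DER bytes."""
    match = _PEM_RE.search(data)
    if match is None:
        der = data
    else:
        # Drop line breaks between the armor lines, then decode strictly so
        # stray characters raise an error instead of being skipped.
        body = b"".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not der.startswith(b"\x30"):
        raise ValueError("not a DER-encoded certificate")
    return der


def to_pem(der: bytes) -> str:
    """Base64 the DER bytes, wrap at 64 columns, add the armor lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END, ""])


def download_headers(filename: str, body: bytes) -> dict:
    """Response headers for a certificate download, keyed on the extension."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in CERT_EXTENSIONS:
        raise ValueError("unexpected certificate file extension: " + filename)
    return {"Content-Type": CERT_MIME, "Content-Length": str(len(body))}


# Constructed placeholder bytes with a DER SEQUENCE header, not a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x64" + bytes(range(100))
```
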

markl...@yahoodotcom.com

Feb 28, 2003, 12:09:19 PM
That is cool!

Seems you also use Tomcat? Then, given this feature of Tomcat, the
client's operating system should not matter, right?

I mean what if the client uses Solaris with Netscape Navigator or Mozilla?
Will she or he be able to click the cert file link and install the cert in
his browser?

You are so great, man!

markl...@yahoodotcom.com

Feb 28, 2003, 1:39:42 PM
Dr. Gallant,

I tried your strategy with IE. It works perfectly. Have not tried Netscape
yet.

markl...@yahoodotcom.com

Feb 28, 2003, 5:01:48 PM
Mitch,

I tried with Netscape Navigator, it does not work.
