Question about automatic registration of certificates


SDM

Feb 28, 2013, 10:04:00 AM
to eid...@googlegroups.com
Hello,

When an eID-card is inserted in a card reader connected to a computer, the certificates on that eID-card get registered.

In previous versions of the eID-Viewer, it was possible to check/uncheck several options:
- whether to automatically register the certificates
- whether the registered certificates should be removed when the eID-card is removed

In the current version of the eID-viewer (4.0.2), it's not possible to configure these options anymore.
In the release notes of the eID Middleware 4.0.2 I've read the following:

• The Quick installer will no longer register certificates itself.
• On Windows Vista and Windows 7, the Quick Installer will launch the certificate propagation service,
which will handle the registration of the certificates.
• On Windows XP, the Quick Installer will launch the sccertproptool, which will handle the registration
of the certificates.

So as far as I understand, the certificates now get registered by a certificate propagation service. After some googling, I found the following information about this topic:
- http://technet.microsoft.com/en-us/library/ff404288%28v=ws.10%29.aspx
- http://technet.microsoft.com/en-us/library/ff404287%28v=ws.10%29.aspx

Is it still possible to configure that registered certificates should be removed automatically after an eID-card is removed, and if so, how?
I suppose we should configure this somewhere in the Windows registry according to the links I mentioned above?

Thanks in advance!
Kind regards,
Stephanie

Frederik Vernelen

Feb 28, 2013, 10:50:00 AM
to eid...@googlegroups.com
Hi,

I don't think it is possible to configure the certificate propagation service to automatically remove the registered certificates after removal of the eID card.

We did write a test application based on our new SDK 4.0 that provides this functionality (so the certpropsvc can be turned off while this one is running).
You can find it here: http://code.google.com/p/eid-mw/downloads/detail?name=certreg-3.exe&can=2&q=#makechanges

Wkr,
 Frederik






SDM

Mar 1, 2013, 3:21:01 AM
to eid...@googlegroups.com
Hello,

So the .exe you mentioned is still a test application? Then it doesn't sound like a good idea to use this instead of the certificate propagation service...
Why is the registration + removal of certificates not possible anymore as a feature of the eID-viewer?

Our customers capture data off a lot of different eID-cards, with the result that each certificate is stored on that computer.
When other applications show a list of certificates to choose from, our customers get a huge list to choose from, which is not very practical (the list is filled with all the certificates of each and every card they ever captured data off).
It would be better if we could configure something to automatically remove the certificates to avoid this kind of situation.

Wkr,
Stephanie

Frederik Vernelen

Mar 1, 2013, 4:27:50 AM
to eid...@googlegroups.com
Hi,

The feature is no longer present in the eID-viewer, because since Windows Vista, the certificate propagation service is present, which already provides the automatic registration service.
Having 2 ways of providing the same functionality could be very confusing (user turns it off in the viewer, but the certpropsvc is still active..), so we decided to drop this feature from the viewer.

Besides the certreg.exe (which is indeed just written as a sample application for our SDK),
a manual cleanup of the Windows certificate store can be performed by running "certmgr.msc" from the command prompt
(you will find all the leaf certificates in the Personal (MY) folder)

Wkr,
 Frederik
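
A scripted equivalent of the manual certmgr.msc cleanup described in the reply above, as an added example that is not part of the original thread or of the eID middleware project. The function name and the issuer patterns (`Citizen CA`, `Foreigner CA`) are assumptions; check them against the Issuer field of the certificates in your own Personal (MY) store before use.

```powershell
# Added example: remove eID leaf certificates from the current user's
# Personal (MY) store. Function name and issuer patterns are assumptions.
function Remove-EidLeafCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Wildcard patterns matched against each certificate's Issuer DN.
        [string[]]$IssuerPattern = @('*Citizen CA*', '*Foreigner CA*')
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Snapshot the matches first so the collection is not modified
        # while it is being enumerated.
        $targets = @($store.Certificates | Where-Object {
            $cert = $_
            $IssuerPattern | Where-Object { $cert.Issuer -like $_ }
        })

        foreach ($cert in $targets) {
            # Honours -WhatIf and -Confirm: nothing is deleted on a dry run.
            if ($PSCmdlet.ShouldProcess($cert.Subject, 'Remove from CurrentUser\My')) {
                $store.Remove($cert)
                # Emit a record of what was removed, for logging.
                $cert | Select-Object Subject, Issuer, Thumbprint, NotAfter
            }
        }
    }
    finally {
        $store.Close()
    }
}

# Dry run: lists what would be removed without changing the store.
Remove-EidLeafCertificate -WhatIf
```

This only touches the store of the user who runs it, so on a shared or kiosk machine it has to run in each affected user's session (for example at logoff). While the certificate propagation service is active, a card's certificates are registered again the next time that card is inserted.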



SDM

Mar 5, 2013, 10:33:00 AM
to eid...@googlegroups.com
Hello,

Thank you for your quick reply.
I understand that it would be confusing to allow automatic registration of certificates in the eID-viewer when the certificate propagation service already provides that functionality.
But apparently the certificate propagation service doesn't provide an option to automatically remove certificates, so perhaps the eID-viewer should provide this option (in the form of a checkbox like in the previous version)?
It's just kind of strange that it doesn't seem to be possible anymore to automatically remove certificates in any way. What about public computers (or "kiosks") where people use their eID-card?
After a while, such computers will contain a very long list of certificates, and that can't be a good idea, right?

Wkr,
Stephanie