
Question about importing an X.509 certificate into IE


burki...@hotmail.com

Apr 25, 2003, 1:58:40 AM
Hi, everybody,

Right now in my project, I save the encoded X509 certificate at a location like

http://www.my-ca-web.com/clientcerts/your-cert.cer

A user can simply click a link to that location on the web interface to download it.

And because .cer is a built-in file type of Windows, once a user double-clicks that file,
Windows knows how to handle it, i.e., asks the user to import it to the browser IE.

However, I don't want to return the certificate to the client in such a shabby way. Instead I
want to put the encoded certificate in a session object. But then we have no way of utilizing
the .cer file extension.

So, here is the question:

If I store the encoded client certificate in a session object, in which case, we cannot make
use of the built-in .cer file type for Windows, how can we import the certificate to the IE
browser? I believe we need VBScript to do this, but I am very very dumb at VBScript.

Any sample code is highly appreciated. Thanks a lot.


Michel Gallant (MVP)

Apr 25, 2003, 11:32:19 AM
One approach is to use CAPICOM (scriptable from web page) and then
when you get the cert into a byte array, you can do anything with it, including
importing into various IE cert stores.
A generic standalone vbs sample, which shows some techniques, is attached.
Some (security related) limitations will apply when scripted within browser:

'*************************************************************
' File: getimportcert.vbs (WSH for VBscript)
' Author: (c) M. Gallant 04/10/2003
'
' Network certificate download and import utility
' Installs certificate to "AddressBook" (Other) store.
' Displays certificate before adding to store.
' Handles base64 or binary DER certificates.
'
' Requires CAPICOM 2.0.0.1
' Requires WSH 5.6
'
' Michel Gallant Copyright 2003
'*************************************************************

Option Explicit
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_STORE_OPEN_READ_WRITE = 1
Const CAPICOM_MY_STORE = "My"
Const CAPICOM_OTHERS_STORE = "AddressBook"

Dim oHttp, oUtils, oCert, body, certStr, certURL, oMystore

set oHTTP = CreateObject("Microsoft.XMLHTTP")
set oUtils = CreateObject("CAPICOM.Utilities")
set oCert = CreateObject("CAPICOM.Certificate")

certURL = "<a valid url to a cert>"

oHTTP.open "GET", certURL, False
oHTTP.send
body = oHTTP.responseBody 'safearray (byte) contents

certStr = oUtils.ByteArrayToBinaryString(body)
oCert.Import(certStr)
oCert.Display()

'------- Now add to the "AddressBook" (Other) store -----------
set oMystore = CreateObject("CAPICOM.Store")

oMystore.open CAPICOM_CURRENT_USER_STORE, CAPICOM_OTHERS_STORE, _
CAPICOM_STORE_OPEN_READ_WRITE
oMystore.add oCert
'---------------------------------------------

' Release all objects.
set oMystore = nothing
set oHTTP = nothing
set oUtils = nothing
set oCert = nothing

----------------- END VBS --------------------

<burki...@hotmail.com> wrote in message news:b8aiqg$4pu$1...@news.state.mn.us...
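
An added example, not part of the post above and not CAPICOM code: the same fetch-then-import flow written against the .NET X509 classes from PowerShell, with a SHA-256 fingerprint check before the certificate reaches the AddressBook store. `Get-Sha256Hex` and `Import-PinnedCertificate` are hypothetical helper names, the out-of-band fingerprint is an assumption, and the sample certificate is generated in memory (needs PowerShell 5+ on .NET Framework 4.7.2+ or .NET Core).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-Sha256Hex([byte[]] $Data) {
    $sha = [SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($Data)) -replace '-', '' }
    finally { $sha.Dispose() }
}

# Hypothetical helper: parse the downloaded bytes, compare them with a fingerprint
# obtained out of band, and only then (optionally) add to CurrentUser\AddressBook.
function Import-PinnedCertificate {
    param(
        [Parameter(Mandatory)] [byte[]] $CertBytes,      # binary DER or base64 text
        [Parameter(Mandatory)] [string] $ExpectedSha256, # hex, separators allowed
        [switch] $AddToStore
    )
    $cert   = [X509Certificate2]::new($CertBytes)
    $actual = Get-Sha256Hex $cert.RawData
    if ($actual -ne ($ExpectedSha256 -replace '[\s:-]', '')) {
        throw "Fingerprint mismatch, refusing to import: $actual"
    }
    if ($AddToStore) {
        $store = [X509Store]::new([StoreName]::AddressBook, [StoreLocation]::CurrentUser)
        $store.Open([OpenFlags]::ReadWrite)
        try { $store.Add($cert) } finally { $store.Close() }
    }
    $cert
}

# Constructed sample input: a throwaway self-signed certificate stands in for
# the CA-issued one, so the script runs offline.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=constructed-sample', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$self = $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(1))
$cerBytes = $self.Export([X509ContentType]::Cert)   # public certificate only, like a .cer download
$pin      = Get-Sha256Hex $cerBytes

# Compare the key-bearing original with the object parsed from the .cer bytes.
$ok = Import-PinnedCertificate -CertBytes $cerBytes -ExpectedSha256 $pin
'{0}: original HasPrivateKey={1}, parsed from .cer HasPrivateKey={2}' -f $ok.Subject, $self.HasPrivateKey, $ok.HasPrivateKey

# A wrong pin (all zeros) is rejected before anything is written to the store.
try { Import-PinnedCertificate -CertBytes $cerBytes -ExpectedSha256 ('0' * 64) -AddToStore }
catch { "Rejected: $($_.Exception.Message)" }
```

With real input, pass the bytes returned by the download and the fingerprint published over a separate channel. `-AddToStore` is left off for the matching sample so that running the block does not modify the user's store.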

krish shenoy[MS]

Apr 25, 2003, 12:52:30 PM
In order to use client certificates for SSL you need to have both the client
certificate and the corresponding private key in the user's personal store.
Your approach will only get the client certificate to the personal store but
not the private key.
http://www.microsoft.com/windows2000/techinfo/planning/default.asp contains
articles on how to set up client certificates for SSL.


--
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm


<burki...@hotmail.com> wrote in message
news:b8aiqg$4pu$1...@news.state.mn.us...

krish shenoy[MS]

Apr 25, 2003, 12:55:51 PM
Specifically the article
http://www.microsoft.com/windows2000/techinfo/planning/security/mappingcerts.asp

--
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm

"krish shenoy[MS]" <ksh...@online.microsoft.com> wrote in message
news:uPfhSs0C...@TK2MSFTNGP11.phx.gbl...

burki...@hotmail.com

Apr 25, 2003, 1:51:19 PM
Well, Krish, you are not right.

Before the certificate is returned to the client, the client sent a PKCS10
request to the CA I write.

And the PKCS10 is generated by IE. The RSA public key is sent to the CA
and the private key is stored in the browser.

Thus, the client does have the private key.

burki...@hotmail.com

Apr 25, 2003, 1:52:52 PM
Michel, Thanks a lot. I will try it out and see what happens.

> ----------------- END VBS --------------------

> <burki...@hotmail.com> wrote in message news:b8aiqg$4pu$1...@news.state.mn.us...

jellin...@gmail.com

Aug 1, 2017, 1:43:29 AM


On your Windows Server, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).

Run the DigiCert® Certificate Utility for Windows.

Double-click DigiCertUtil.

In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the certificate that you want to export as a .pfx file, and then click Export Certificate - http://livemnc.com/

In the Certificate Export wizard, select Yes, export the private key, select pfx file, and then check Include all certificates in the certification path if possible, and finally, click Next.
In the Password and Confirm Password boxes, enter and confirm your password, and then, click Next.
In the File name box, click … to browse for and select the location and file name where you want to save the .pfx file, provide a file name (i.e. mySSLCertificate), click Save, and then, click Finish.
After you receive the "Your certificate and key have been successfully exported" message, click OK.
http://livemnc.com/