Re: Certreq and Enrollment of Smartcard Logon Certificates


Saleh Matani

Nov 28, 2005, 3:11:57 AM
Hello Dominik,
for the Windows CA (Standard and Enterprise) you can use the V1
templates if you do not make a copy of the standard templates!
It's possible to enroll a Smartcard Logon certificate with the
Xenroll.dll (API) and the scrdenrl.dll (API) "you can use the API with C# / VB.NET".
You can find the scrdenrl.dll on the CA server.
For more help doing that, please take a look at the CA ASP sites that you
can find on the Windows CA!

About certreq, I do not know about smartcards :)

I hope that can help you.

Q: Why do you not want to use the website?

Saleh Matani

Zemp Dominik wrote:
> Hi
>
> Is it possible to enroll a smartcard logon certificate (v1 template from a
> Windows Server 2003 Standard CA) on a smartcard with the certreq command?
> If yes, how can I do this?
> If no, which other easy solution exists (except the website)?
>
> Thanks a lot
> Dominik

Zemp Dominik

Nov 28, 2005, 5:13:04 AM
Hi Saleh

Thank you for your answer. I see that you are the right person to answer my
questions (and for my C# project). :-)

> Q: Why do you not want to use the website?

Because the application is for our human resources department. My desire is
that they can initialize the Aladdin eToken and request the Smartcard Logon
certificate within the same application. At the moment, they can initialize
only the eToken...

Now, I would like to implement a function so that they can request the
Smartcard Logon certificate on behalf of another user.
Now, it looks like this is not working with certreq.exe and I must use an
API (xenroll.dll or scrdenrl.dll). But I don't have experience in these
areas.
As I read, however, from many posts, you already have some experience. :-)
Can you help me? Do you possibly have code examples for me, how I can request
a certificate on behalf of another user and save it on the Aladdin eToken?
That would be really very nice. ;-)

Thanks and Regards
Dominik

Saleh Matani

Nov 28, 2005, 7:01:20 AM
Is it an Enterprise CA? (using a domain controller, "Active Directory")?
If yes, then you can request certificates for other users when you make
some changes in the CA certificate template for the user certificate you
need; it's exactly about configuring that template to use the DN from the
request and not getting it from Active Directory.

To use the Xenroll.dll and scrdenrl.dll API you need to register them
with regsvr32.exe and to add them to your C# project using the Reference
Wizard.

For C#, this is the example of how to create a request and send it to the CA --> get the
certificate --> save it with the private key to a pfx file and export it to the eToken.
This example is just for creating an email certificate outside of the eToken
and can be very useful if you lost or damaged the eToken, to have the
possibility to decrypt your emails from the pfx backup.


// Add the COM interop references first (Add Reference -> COM tab); the DLLs
// must be registered with regsvr32.exe:
using System;
using System.Diagnostics;
using System.Windows.Forms;
using XENROLLLib;
using CERTCLIENTLib; // certcli.dll is already registered on XP
using SCRDENRLLib;

// Method body for a Windows Form; CommonName, Email, Organisation, City, State,
// Countrycode and PFXPass are TextBox controls on that form.
private void RequestEmailCertificate()
{
    // Flag values from wincrypt.h / certcli.h (the interop assemblies do not define them)
    const int CRYPT_EXPORTABLE = 0x1;
    const int CR_IN_BASE64 = 0x1;
    const int CR_IN_PKCS10 = 0x100;
    const int CR_OUT_BASE64 = 0x1;
    const int CR_DISP_ISSUED = 3;      // Submit() disposition: certificate issued
    const int FR_PROP_FULLRESPONSE = 1;
    const int PROPTYPE_BINARY = 3;

    int creationState;
    string CertificateTemplate = "your Template Name";
    string ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
    string EmailCertOID = "1.3.6.1.5.5.7.3.4"; // Email Protection EKU
    string PfxName = "Name of your pfx";       // base name of the pfx file, without extension
    // creating cert request:
    try
    {
        XENROLLLib.CEnroll certEnroll = new XENROLLLib.CEnroll();
        // key length (1024 bit) in the upper 16 bits, flags in the lower 16 bits;
        // both must be OR-ed together, a second assignment would overwrite the key length
        certEnroll.GenKeyFlags = (1024 * (256 * 256)) | CRYPT_EXPORTABLE;
        certEnroll.UseExistingKeySet = 0;
        certEnroll.EnableSMIMECapabilities = 1;
        certEnroll.addCertTypeToRequest(CertificateTemplate);
        certEnroll.ProviderName = ProviderName;
        //certEnroll.PVKFileName = @"C:\pvk1.pvk"; //if you need to export the private key (not req. because you generate

        string dn = "CN=" + CommonName.Text + ",E=" + Email.Text + ",O=" +
            Organisation.Text + ",L=" + City.Text + ",S=" + State.Text +
            ",C=" + Countrycode.Text;
        string req = certEnroll.createPKCS10(dn, EmailCertOID); //create the Request

        CERTCLIENTLib.CCertRequest certRequest = new CERTCLIENTLib.CCertRequest();
        creationState = certRequest.Submit(CR_IN_BASE64 | CR_IN_PKCS10, req,
            "", @"Your CA Server Name\your CA Name");

        if (creationState == CR_DISP_ISSUED)
        {
            string pfxPath = @"C:\" + PfxName + ".pfx";
            string pswd = PFXPass.Text;
            string Cert = (string)certRequest.GetFullResponseProperty(
                FR_PROP_FULLRESPONSE, 0, PROPTYPE_BINARY, CR_OUT_BASE64);
            certEnroll.acceptResponse(Cert); //accept certificate
            Cert = certRequest.GetCertificate(CR_OUT_BASE64);
            certEnroll.createFilePFX(pswd, pfxPath); //create pfx (p12) file

            ProcessStartInfo startInfo = new ProcessStartInfo("ImportPFX.exe");
            //copy the ImportPFX.exe under system32 to call it like that
            startInfo.WindowStyle = ProcessWindowStyle.Hidden;
            // note: the pfx password is visible on the command line of the child process
            startInfo.Arguments = " " + pfxPath + " " + pswd;
            Process.Start(startInfo); //import the pfx to eToken
        } //the importpfx.exe is a part of some examples from the Aladdin SDK 3.6
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK,
            MessageBoxIcon.Hand, MessageBoxDefaultButton.Button1);
    }
}


I hope that can help you.
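The flow Saleh describes (template set to take the subject DN from the request, PKCS#10 built with XEnroll, submitted through CertCli, response accepted against the generated key) as a worked example added here; it is not code from the thread, from Microsoft or from Aladdin. It extends the snippet above in two ways: it handles every Submit() disposition rather than only "issued" (a template that takes its subject from the request is usually also set to require CA manager approval, so the request can come back pending), and it keeps the private key non-exportable unless a PFX backup is explicitly wanted. The constant values are taken from certcli.h, certsrv.h and wincrypt.h; the CA config string, template name, CSP name and subject DN are caller-supplied placeholders. It does not implement the agent-signed (scrdenrl.dll) enrollment the built-in Enrollment Station uses.

```csharp
using System;
using XENROLLLib;     // xenroll.dll: register with regsvr32.exe, add as a COM reference
using CERTCLIENTLib;  // certcli.dll

// Added example (not part of the original thread): request a certificate whose
// subject DN is supplied by the operator, handle every CA disposition, and
// install the issued certificate against the key the chosen CSP generated.
public static class CaEnrollment
{
    // Values from certcli.h / certsrv.h / wincrypt.h; the interop assemblies do not define them.
    public const int CR_IN_BASE64 = 0x1;
    public const int CR_IN_PKCS10 = 0x100;
    public const int CR_OUT_BASE64 = 0x1;
    public const int CR_DISP_INCOMPLETE = 0;
    public const int CR_DISP_ERROR = 1;
    public const int CR_DISP_DENIED = 2;
    public const int CR_DISP_ISSUED = 3;
    public const int CR_DISP_ISSUED_OUT_OF_BAND = 4;
    public const int CR_DISP_UNDER_SUBMISSION = 5;
    public const int CR_DISP_REVOKED = 6;
    public const int FR_PROP_FULLRESPONSE = 1;
    public const int PROPTYPE_BINARY = 3;
    public const int CRYPT_EXPORTABLE = 0x1;

    // Outcome of one enrollment attempt.
    public sealed class Result
    {
        public int Disposition;          // one of the CR_DISP_* values
        public int RequestId;            // set when the CA parked the request (pending)
        public string CertificateBase64; // set only when the CA issued the certificate
        public string Message;           // CA disposition text for anything else
    }

    // Builds a PKCS#10 for subjectDn with a fresh key from providerName, submits it to
    // caConfig ("server\CA name", placeholder) and installs the response on success.
    public static Result Enroll(string caConfig, string templateName, string providerName,
                                string subjectDn, string ekuOid, bool exportableKey)
    {
        var enroll = new CEnroll();
        enroll.ProviderName = providerName;  // the token vendor's CSP puts the key on the token
        enroll.UseExistingKeySet = 0;        // always generate a new key pair
        int keyFlags = 1024 << 16;           // key length lives in the upper 16 bits
        if (exportableKey)
            keyFlags |= CRYPT_EXPORTABLE;    // only for software keys that need a PFX backup
        enroll.GenKeyFlags = keyFlags;
        enroll.addCertTypeToRequest(templateName);   // V1 template name as request extension
        string pkcs10 = enroll.createPKCS10(subjectDn, ekuOid);

        var request = new CCertRequest();
        var result = new Result();
        result.Disposition = request.Submit(CR_IN_BASE64 | CR_IN_PKCS10, pkcs10, "", caConfig);

        switch (result.Disposition)
        {
            case CR_DISP_ISSUED:
                // Hand XEnroll the whole PKCS#7 response so it pairs the certificate
                // with the private key it generated through the CSP.
                string response = (string)request.GetFullResponseProperty(
                    FR_PROP_FULLRESPONSE, 0, PROPTYPE_BINARY, CR_OUT_BASE64);
                enroll.acceptResponse(response);
                result.CertificateBase64 = request.GetCertificate(CR_OUT_BASE64);
                break;
            case CR_DISP_UNDER_SUBMISSION:
                // "CA certificate manager approval" parks the request: keep the id
                // and finish with RetrieveApproved() once a CA manager has issued it.
                result.RequestId = request.GetRequestId();
                result.Message = "pending CA manager approval";
                break;
            default:
                result.Message = request.GetDispositionMessage();
                break;
        }
        return result;
    }

    // Second half for a request that was pending: fetches it by id and installs it.
    public static string RetrieveApproved(string caConfig, int requestId)
    {
        var request = new CCertRequest();
        int disposition = request.RetrievePending(requestId, caConfig);
        if (disposition != CR_DISP_ISSUED)
            throw new InvalidOperationException(
                "request " + requestId + ": " + request.GetDispositionMessage());
        string response = (string)request.GetFullResponseProperty(
            FR_PROP_FULLRESPONSE, 0, PROPTYPE_BINARY, CR_OUT_BASE64);
        // XEnroll locates the matching private key through the entry it kept in
        // its request store (RequestStoreName, "REQUEST" by default) at submit time.
        new CEnroll().acceptResponse(response);
        return request.GetCertificate(CR_OUT_BASE64);
    }
}
```

For a Smartcard Logon certificate the caller passes the token CSP as providerName and exportableKey = false, so the key is created on the token and never leaves it; the exportable path exists only for the software-key PFX backup case the snippet above covers. Checking the disposition against the CR_DISP_* values (and surfacing GetDispositionMessage() on denial or error) is what tells the operator why an on-behalf-of request failed instead of silently doing nothing.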

Zemp Dominik

Nov 28, 2005, 3:49:07 PM
Hi

Thanks for your code. That's very helpful for me.

Yes, it is an Enterprise CA! But I don't want to make changes to the
template (create a V2 template). I would like to use the original Smartcard
Logon template (and also, if you have only a Standard Server OS, you can't
create V2 templates. That's only possible if you have an Enterprise
Edition Server).
Is it not possible to request a certificate on behalf of another user without
creating a V2 certificate template? It works with the "built-in" Microsoft
Smartcard Enrollment Station (website)?!?!

Oh yes, is it possible to save the certificate directly on the eToken
without first creating a .pfx file?

Thanks
Dominik

Saleh Matani

Nov 29, 2005, 3:04:48 AM
Hello Dominik,
that code is just useful for creating non-smartcard certificates.
About how to create smartcard certificates ("Windows logon", saving the cert
directly to the eToken), you should look at the ASP site of the smartcard
enrollment on the CA; I think you will find the answer to your question there.
All I know about that is that you can use the scrdenrl.dll API and
xenroll.dll to enroll smartcard certificates for other users.
I am also going to write an application doing exactly that; maybe this
will be in the next days "if I get time for that!!!"

Zemp Dominik

Nov 30, 2005, 4:47:02 PM
Hello Saleh

OK, I'll check the ASP site (Enrollment Station) and try to translate the
code into C#.

> I am also going to write an application doing exactly that; maybe this
> will be in the next days "if I get time for that!!!"

If you have good tips, I'm very grateful. :-)

Now, another question: Do you know how I can change the user PIN on the eToken
after initialization (with eTSAPI or PKCS#11)? I can't find an appropriate
example in the SDK 3.60!

Saleh Matani

Dec 6, 2005, 10:29:01 AM
Hello Dominik,

I am now working on that project "enroll smartcard certificates with a C#
CA client" and getting some small problems that I am about to solve :). Anyway,
if I get a working version I will write you some tips on how to do
that :). I hope that you do that also; in this way we can save time and
money ;)
So, about the Aladdin eToken question: to change the PIN, I already did
that with Visual Basic; it is easy if you use the eTox.dll from
the SDK 3.51 ("I think that it is easy to do that also with C#"); it also
includes an example doing that (VB example). I really do not know why
Aladdin does not include that OCX with the new framework.

Because this subject has no more relation to the Microsoft CryptoAPI, I
am asking you, if you have more questions, to send them directly to my
email "saleh[at]matani.net".

Thank you

so Dominik

Regards
