At this point, my CA is able to get the PKCS10 request from the client
(IE) and generate an X509 certificate.
I want to return the certificate to the browser and let the human user
click "install" to import it into IE.
I have made an attempt to achieve this feature, but it did not work.
What I did is as follows:
1. On the CA server side, I Base64-encode the certificate, which results
in a string, and add
-----BEGIN CERTIFICATE-----
before the string and
-----END CERTIFICATE-----
after the string. Question: is this the right way to get the certificate
PEM-encoded?
2. I return the PEM-encoded certificate to a hidden form in an HTML (or ASP
or JSP) file.
3. Then a fragment of VBScript code tries to convert the PEM-encoded
certificate to a PKCS7 certificate and import it into the browser. It did
not work.
The fragment of VBScript was passed to me by my friend, Mark. I am not
sure how the PEM-encoded certificate is converted to PKCS7. The source
code and sample screen snapshots are available at
http://www.geocities.com/markliu1989/ .
I believe you guys can give me a little bit of a hint. I really need your
help. I got stuck at this point and cannot proceed with my project.
Thanks in advance.
Mark
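
Added example (not part of the original posts and not the poster's CA code), for step 1 of the post above: PEM armor is Base64 over the certificate's raw DER bytes, wrapped at 64 characters per line (RFC 7468), between the BEGIN and END lines. The function names and SAMPLE_DER are assumptions constructed for illustration; the final check catches input that was Base64-encoded twice or was never DER.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)

# Constructed sample: a 260-byte DER SEQUENCE with filler content, standing in
# for the DER encoding of a real certificate (it is not a valid certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def check_outer_sequence(der: bytes) -> None:
    """Reject input whose outer TLV is not one SEQUENCE spanning every byte."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE tag (0x30)")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: low 7 bits = length octets
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not match the data size")


def der_to_pem(der: bytes) -> str:
    """Base64 the raw DER bytes, wrap at 64 characters, add the armor lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armor, decode strictly, and sanity-check the DER framing."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    check_outer_sequence(der)
    return der


if __name__ == "__main__":
    print(der_to_pem(SAMPLE_DER), end="")
```
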
You can do the same thing, as a hidden form-field, if you want to wrap the
cert into a web page, but why do that? Having the certs directly accessed
makes it easier to maintain, if you have a more complex web application infrastructure.
Cheers,
- Michel Gallant
http://pages.istar.ca/~neutron
<markl...@yahoodotcom.com> wrote in message news:b3mskc$aib$1...@news.state.mn.us...
However, I don't understand this strategy.
Question 1: How to deploy the certificate from the CA server as a .cer
file?
Question 2: What code do we need to have the IE client recognize that
extension and present the install dialog?
Please continue educating. Thanks.
If you have the .cer file on your desktop and dbl-click it, you raise
exactly the same cert-import dialog.
- Mitch
<markl...@yahoodotcom.com> wrote in message news:b3nun3$ipj$1...@news.state.mn.us...
You can see from tables in this link that IIS5 does this already:
- Mitch
<markl...@yahoodotcom.com> wrote in message news:b3o0up$ipj$2...@news.state.mn.us...
<mime-mapping>
<extension>cer</extension>
<mime-type>application/x-x509-ca-cert</mime-type>
</mime-mapping>
so you should be OK TO GO ("Contact") by default.
- Mitch
<markl...@yahoodotcom.com> wrote in message news:b3o2gu$ipj$3...@news.state.mn.us...
Seems you also use Tomcat? Then, given this feature of Tomcat, the
client's operating system should not matter, right?
I mean what if the client uses Solaris with Netscape Navigator or Mozilla?
Will she or he be able to click the cert file link and install the cert in
his browser?
You are so great, man!
I tried your strategy with IE. It works perfectly. Have not tried Netscape
yet.
I tried with Netscape Navigator, it does not work.