Thanks for the detailed reply!! Actually I was going to post my code once I am done. It's basically two perl modules, one is the interface to openssl, mainly CA-specific functions although I have a perl template for the ciphers as well, and the other one is to handle writing out/retrieving the information from a database using DBI. I wanted a more robust way to handle the actual data than what openssl comes with, plus we need some stuff like the ability to have two certificates with the same common name. So the openssl module doesn't write any files (just some tmp files), and then you call the database routines to write/retrieve certificates, keys, CSRs, etc. I am doing ours using mysql, but it should work with any database that supports DBI.

I'm probably another 4-5 days away from wanting to release it though, want to clean it up and do a couple things like having it read passwords through a file descriptor instead of passing them on the command line, etc. We process credit card transactions, and FYI what has worked really well for us is we issue certificates to our merchants, and keep a copy of their public key in our database and encrypt all the card numbers with their public key. They have access to the card numbers but we don't. Plus we use their certificate to authenticate them when they log into our web administration area. The only problems we have are making it easy for people. Issuing their certificate is one of the first things they do when they become a client, and it's a big hurdle to throw at some people right off the bat. With all the stuff that can go wrong on the client side, we keep as much as possible on our end.

Chris

----- Original Message -----
From: "Bart J. Smit" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 30, 2003 1:52 AM
Subject: RE: MSIE certificate installation

Download CAPICOM which is a wrapper around the Crypto API for Visual Basic:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/intcapicom.asp

If you don't have a copy of Visual Basic, download the Control Creation Edition:
http://msdn.microsoft.com/vbasic/downloads/tools/cce/default.aspx

Finally you need Authenticode from:
http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp

Here's the plan:

Get all your users to import your CA public key into IE if they have not already done so. This is more or less a prerequisite unless you trust your users to blindly click yes on security warnings (most will anyway).

Create an ActiveX control in VB using CAPICOM which inserts the appropriate certificates in the appropriate stores. Some good examples are included in the package. This part is left as an exercise to the reader ;-)

Sign the CAB file of your ActiveX with signcode.exe included in the Authenticode package. To do this you need to issue a code signing cert to yourself with all purposes. Don't bother with the esoteric signcode command line options, just run the exe to get a nice GUI. The timestamp url is http://timestamp.verisign.com/scripts/timstamp.dll (yes that is timstamp and not a typo).

You need to sign the ActiveX, otherwise IE will bluntly refuse to run it. Signed controls will give a security warning on which your users will have to click yes. If they have your CA cert in their root cert store, they will see a nice and familiar security dialog with your CN and optional URL. If not they will see a slightly uglier version that says that it doesn't know your cert from Adam. Most of them will click yes without appreciating the finer subtleties. This is how pr0n diallers make their money.

Have fun

Bart...

P.S. your server side code sounds intriguing. Any chance of posting it here?

-----Original Message-----
From: openssl [mailto:[EMAIL PROTECTED]]
Sent: 29 August 2003 21:09
To: openssl-users
Subject: MSIE certificate installation

I know this is slightly off topic, but I seem to find better answers searching the openssl archives on stuff like this than I do the windows cryptoapi mailing list. Is there a way to install a certificate and the private key on MSIE without having to go through the import wizard? Something similar to enroll.acceptpkcs7? Specifically why I don't want to use the wizard is that I want to simplify the import process and not have the user prompted for things like whether to make the key exportable or whether to use strong protection. I would like to just have them prompted for the password and set the other parameters myself.

I realize this wouldn't be an issue if MSIE generated the private key and CSR, but our PKI structure precludes us from being able to do it that way and we generate the private key and CSR on the server side. For those curious why we do that, we need to be able to renew certificates using the same private key which can be a major PITA on windows, plus it's a lot easier to make the whole process work every single time across different browser types if we handle it all on the server side.

Chris

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
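Chris mentions wanting his openssl wrapper to read passwords through a file descriptor rather than taking them on the command line, where any local user can see them in the process list. The following is an added example, not code from Chris's modules or from the OpenSSL project, showing how a Perl wrapper can do that with OpenSSL's -passin fd:N option; the key file name key.pem and the KEY_PASS environment variable are assumptions for the demonstration.

```perl
#!/usr/bin/perl
# Added example: hand an OpenSSL key passphrase to a child `openssl`
# process over an inherited pipe and point -passin at that descriptor,
# so the secret never appears in the command line (visible via `ps`).
use strict;
use warnings;
use POSIX ();

# Runs `openssl @args -passin fd:N` with $passphrase written to fd N.
# Returns the child's exit status (0 on success).
sub run_openssl_with_passphrase {
    my ($passphrase, @args) = @_;

    # Perl marks descriptors numbered above $^F close-on-exec when they
    # are created, so raise it *before* pipe() or the child loses the fd.
    local $^F = 255;
    pipe(my $rd, my $wr) or die "pipe: $!";

    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {                       # child
        close $wr;                         # keep only the read end
        exec('openssl', @args, '-passin', 'fd:' . fileno($rd))
            or POSIX::_exit(127);          # exec failed: exit without END blocks
    }
    close $rd;                             # parent keeps the write end
    print {$wr} $passphrase, "\n";         # openssl reads up to the newline
    close $wr;
    waitpid($pid, 0);
    return $? >> 8;
}

# Demonstration: print the public key of a passphrase-protected private key.
# key.pem is an assumed file name; the passphrase is taken from the
# environment here only for the demo and is deliberately never put in @ARGV.
my $status = run_openssl_with_passphrase(
    $ENV{KEY_PASS} // 'changeit',
    qw(rsa -in key.pem -pubout),
);
exit $status;
```

The same pattern works for `openssl ca`, `req` and `pkcs12`, which all accept -passin/-passout in the fd:N form, so a CA module can drive every openssl call this way.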