Re: MSIE certificate installation

2003-08-31 Thread Chris Ochs
Thanks for the detailed reply!!

Actually I was going to post my code once I am done.  It's basically two
perl modules, one is the interface to openssl, mainly CA-specific functions
although I have a perl template for the ciphers as well, and the other one
is to handle writing out/retrieving the information from a database using
DBI.  I wanted a more robust way to handle the actual data than what openssl
comes with, plus we need some stuff like the ability to have two
certificates with the same common name.  So the openssl module doesn't write
any files (just some tmp files), and then you call the database routines to
write/retrieve certificates, keys, CSRs, etc.  I am doing ours using
mysql, but it should work with any database that supports DBI.

I'm probably another 4-5 days away from wanting to release it though; I want
to clean it up and do a couple of things like having it read passwords through
a file descriptor instead of passing them on the command line, etc.

We process credit card transactions, and FYI what has worked really well for
us is we issue certificates to our merchants, and keep a copy of their
public key in our database and encrypt all the card numbers with their
public key.  They have access to the card numbers but we don't.  Plus we use
their certificate to authenticate them when they log into our web
administration area.  The only problems we have are making it easy for
people.  Issuing their certificate is one of the first things they do when
they become a client, and it's a big hurdle to throw at some people right
off the bat.  With all the stuff that can go wrong on the client side, we
keep as much as possible on our end.

Chris

- Original Message - 
From: Bart J. Smit [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, August 30, 2003 1:52 AM
Subject: RE: MSIE certificate installation


Download CAPICOM which is a wrapper around the Crypto API for Visual
Basic:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/intcapicom.asp

If you don't have a copy of Visual Basic, download the Control Creation
Edition:
http://msdn.microsoft.com/vbasic/downloads/tools/cce/default.aspx

Finally you need Authenticode from:
http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp


Here's the plan:

Get all your users to import your CA public key into IE if they have not
already done so. This is more or less a prerequisite unless you trust
your users to blindly click yes on security warnings (most will anyway).

Create an ActiveX control in VB using CAPICOM which inserts the
appropriate certificates in the appropriate stores. Some good examples
are included in the package. This part is left as an exercise to the
reader ;-)

Sign the CAB file of your ActiveX with signcode.exe included in the
Authenticode package. To do this you need to issue a code signing cert
to yourself with all purposes. Don't bother with the esoteric signcode
command line options, just run the exe to get a nice GUI. The timestamp
url is http://timestamp.verisign.com/scripts/timstamp.dll (yes that is
timstamp and not a typo). You need to sign the ActiveX, otherwise IE
will bluntly refuse to run it. Signed controls will give a security
warning on which your users will have to click yes. If they have your CA
cert in their root cert store, they will see a nice and familiar
security dialog with your CN and optional URL. If not they will see a
slightly uglier version that says that it doesn't know your cert from
Adam. Most of them will click yes without appreciating the finer
subtleties. This is how pr0n diallers make their money.

Have fun

Bart...

P.S. your server side code sounds intriguing. Any chance of posting it
here?

-Original Message-
From: openssl [mailto:[EMAIL PROTECTED]
Sent: 29 August 2003 21:09
To: openssl-users
Subject: MSIE certificate installation

I know this is slightly off topic, but I seem to find better answers
searching the openssl archives on stuff like this than I do the windows
cryptoapi mailing list.

Is there a way to install a certificate and the private key on MSIE without
having to go through the import wizard?  Something similar to
enroll.acceptpkcs7?  Specifically why I don't want to use the wizard is that
I want to simplify the import process and not have the user prompted for
things like whether to make the key exportable or whether to use strong
protection.  I would like to just have them prompted for the password and
set the other parameters myself.

I realize this wouldn't be an issue if MSIE generated the private key and
csr, but our PKI structure precludes us from being able to do it that way
and we generate the private key and csr on the server side.  For those
curious why we do that, we need to be able to renew certificates using the
same private key which can be a major PITA on windows, plus it's a lot
easier to make the whole process work every single time across different
browser types if we
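The server-side flow Chris describes earlier in this message (keys and CSRs generated on the server, a CA wrapper that leaves the data handling to a database keyed so that two certificates may share a common name, the merchant's public key kept on file to encrypt card numbers the server itself cannot read, and passwords kept off the command line) can be sketched with the openssl CLI alone. The script below is an added example, not code from the thread and not Chris's perl modules; it assumes an `openssl` binary on PATH, and every file name, passphrase and the card number it uses are constructed for the demonstration. It also packs the issued certificate and key as PKCS#12, which is the input the browser import path in the original question expects (the wizard prompts themselves are a client-side matter the script does not change).

```shell
#!/bin/sh
# Added example, not code from the thread. Models the server-side CA flow
# with only the openssl CLI. Every file name, passphrase and the test card
# number below is constructed for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# CA key is passphrase-protected; the passphrase is read from a mode-600
# file via "file:", so it never appears in `ps` output or shell history.
make_ca() {
  printf 'ca-pass-constructed' > "$WORK/ca.pass"
  chmod 600 "$WORK/ca.pass"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj "/CN=Example Merchant CA" \
    -passout "file:$WORK/ca.pass" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server-side key + CSR for a merchant, signed by the CA. $1 = CN, $2 = serial.
# The serial, not the CN, is the unique handle, so a renewal or a second
# merchant with the same CN is simply another serial.
issue_merchant() {
  cn="$1"; serial="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$serial.key" -out "$WORK/$serial.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 90 -set_serial "$serial" \
    -in "$WORK/$serial.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "file:$WORK/ca.pass" -out "$WORK/$serial.crt" 2>/dev/null
  # What the server-side record keeps for encryption: the public key only.
  openssl x509 -in "$WORK/$serial.crt" -pubkey -noout > "$WORK/$serial.pub"
}

cert_subject() { openssl x509 -in "$WORK/$1.crt" -noout -subject; }
cert_serial()  { openssl x509 -in "$WORK/$1.crt" -noout -serial; }
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null; }

# Encrypt a card number to the merchant's public key (RSA-OAEP). A 16-digit
# PAN fits in one RSA-2048 block; larger records would need hybrid encryption.
encrypt_card() {
  serial="$1"; pan="$2"
  printf '%s' "$pan" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/$serial.pub" \
    -pkeyopt rsa_padding_mode:oaep -out "$WORK/$serial.pan.enc"
}

# Only the holder of the matching private key recovers the PAN.
# $1 = private key file, $2 = ciphertext file.
decrypt_card() {
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$2"
}

# Bundle cert, key and CA cert as PKCS#12 for the browser import path;
# the export passphrase again comes from a file, not the command line.
bundle_pkcs12() {
  serial="$1"
  printf 'p12-pass-constructed' > "$WORK/$serial.p12pass"
  chmod 600 "$WORK/$serial.p12pass"
  openssl pkcs12 -export -in "$WORK/$serial.crt" -inkey "$WORK/$serial.key" \
    -certfile "$WORK/ca.crt" -name "merchant-$serial" \
    -passout "file:$WORK/$serial.p12pass" -out "$WORK/$serial.p12"
}

demo() {
  make_ca
  issue_merchant "Acme Shop" 1001
  issue_merchant "Acme Shop" 1002      # same CN, different serial
  verify_chain 1001 && verify_chain 1002
  encrypt_card 1001 4111111111111111   # constructed test PAN
  echo "merchant 1001 decrypts: $(decrypt_card "$WORK/1001.key" "$WORK/1001.pan.enc")"
  decrypt_card "$WORK/1002.key" "$WORK/1001.pan.enc" 2>/dev/null \
    || echo "merchant 1002 cannot decrypt merchant 1001's data"
  bundle_pkcs12 1001
  echo "bundle for import: $WORK/1001.p12"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh example.sh demo`; it leaves its files in a fresh temporary directory (override with `WORK=...`). The wrong-key decryption fails on the OAEP padding check, which is the property the thread relies on: the server encrypts with the stored public key but holds no key that can reverse it.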

MSIE certificate installation

2003-08-29 Thread openssl
I know this is slightly off topic, but I seem to find better answers
searching the openssl archives on stuff like this than I do the windows
cryptoapi mailing list.

Is there a way to install a certificate and the private key on MSIE without
having to go through the import wizard?  Something similar to
enroll.acceptpkcs7?  Specifically why I don't want to use the wizard is that
I want to simplify the import process and not have the user prompted for
things like whether to make the key exportable or whether to use strong
protection.  I would like to just have them prompted for the password and
set the other parameters myself.

I realize this wouldn't be an issue if MSIE generated the private key and
csr, but our PKI structure precludes us from being able to do it that way
and we generate the private key and csr on the server side.  For those
curious why we do that, we need to be able to renew certificates using the
same private key which can be a major PITA on windows, plus it's a lot
easier to make the whole process work every single time across different
browser types if we handle it all on the server side.

Chris

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]