I am having a problem generating a valid PKCS10 request to Microsoft
Certificate Server from a Mozilla based browser. Going the IE route
is straightforward, using the enroll object on the client side to
generate a PKCS10 request.
Enroll.addCertTypeToRequest("Workstation")
strReq = Enroll.createPKCS10( strDN, "1.1")
*strDN predefined
Specifying the template type and the DN string, then forwarding the
resulting request to server side ASP.NET processing.
disposition = certRequest.Submit(CR_IN_BASE64 Or CR_IN_PKCS10,
Request("req_str"), "", "******")
*server name removed
Note that the attribute part of this function call is empty, since
somehow all the necessary information has already been captured through
the createPKCS10 function.
This works perfectly: the server allows the request, a valid
disposition is returned, and all is good in the world.
Getting this to work in Mozilla is quite a challenge. The <KeyGen>
tag generates the keys on the client side, such as...
<KeyGen Name="CertRequest" Challenge="provePequalsNP">
which I forward to the server. At which point (as I understand it) I
have a Base64 encoded string which is only a part of the PKCS10
request? (Again, I might be completely wrong here.)
Digging through ASP code of the Microsoft Certificate Server itself I
found that (for Mozilla users) they create an ATTRIBUTE string that
looks like this...
(code converted to .Net)
str += "challenge: provePequalsNP" + vbNewLine
str += "country:" + Trim(dr("country")) + vbNewLine
str += "state:" + Trim(dr("state")) + vbNewLine
str += "locality:" + Trim(dr("city")) + vbNewLine
str += "org:" + Trim(dr("organization")) + vbNewLine
str += "orgunit:" + Trim(dr("organizational_unit")) + vbNewLine
str += "email:" + Trim(email.Text) + vbNewLine
str += "commonname:" + Trim(user_name) + vbNewLine
str += "CertificateTemplate: Workstation" + vbNewLine
str += "UserAgentString:" + Request.ServerVariables("HTTP_USER_AGENT") + vbNewLine
* I am pulling some things from the database, hence the datareader.
Now that we have both the CertificateRequest (coming from <KeyGen>)
and the Attributes (str, which later becomes Request("sAttributes")),
they are passed to the Enroll object like so:
disposition = certRequest.Submit(CR_IN_KEYGEN Or CR_IN_BASE64,
Request("CertRequest"), Request("sAttributes"), "*****")
*note CR_IN_KEYGEN is specified for Mozilla
Basically the same thing as it is with IE, except that with IE the
request string was the only thing required, and now we are also
passing attributes.
All this said, I end up getting a disposition 2 error from the server
stating:
The request subject name is invalid or too long. 0x80094001 (-2146877439)
The good news is that it indeed picks up the template (because if I
remove that from the attributes list, it complains) and it also picks
up the challenge (which again, if I remove it, says the key is invalid).
But it looks like it doesn't agree with the rest of my attributes. I
tried removing some, changing things around and nothing helped. I made
sure they are all short (2 letters) and that did nothing. Perhaps my
format is wrong or something?
I also noticed that the Microsoft Certificate Server uses a COM object
and references CertificateAuthority.Request, which is installed when you
install the server (I assume), where I reference
CERTCLIENTLib.CCertRequest in CERTCLIENTLib.DLL.
I am not sure if there is a difference between the two; they look the
same to me.
Any help would be greatly appreciated!
- Alex Litvak
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
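The Base64 string a <KeyGen> tag posts is a SignedPublicKeyAndChallenge (SPKAC): a SEQUENCE holding { SubjectPublicKeyInfo, IA5String challenge }, a signature AlgorithmIdentifier and a BIT STRING signature, and nothing else, so the subject name is not in it and has to travel in the attributes string. The Python below is an added example, not code from the post or from Certificate Server; it assembles a constructed SPKAC with placeholder key and signature bytes (no real signature is produced or verified) and walks the DER to pull out the challenge and the algorithm OIDs.

```python
import base64
OID_RSA = bytes.fromhex("2a864886f70d010101")       # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5 sha1WithRSAEncryption

def _der(tag, payload):
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample_spkac(challenge):
    """Constructed sample: real <KeyGen> output carries a real RSA key and signature."""
    alg_id = _der(0x30, _der(0x06, OID_RSA) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + b"placeholder-key"))
    pkac = _der(0x30, spki + _der(0x16, challenge.encode("ascii")))
    sig_alg = _der(0x30, _der(0x06, OID_SHA1_RSA) + _der(0x05, b""))
    signature = _der(0x03, b"\x00" + bytes(16))  # placeholder, not a real signature
    return base64.b64encode(_der(0x30, pkac + sig_alg + signature)).decode("ascii")

def _tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER payload into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_spkac(b64):
    """Walk SignedPublicKeyAndChallenge; the structure has no subject Name field."""
    _, outer, _ = _tlv(base64.b64decode(b64))
    _, pkac, pos = _tlv(outer)              # PublicKeyAndChallenge
    _, spki, cpos = _tlv(pkac)              # SubjectPublicKeyInfo
    ctag, challenge, _ = _tlv(pkac, cpos)   # IA5String challenge
    if ctag != 0x16:
        raise ValueError("challenge must be an IA5String")
    _, key_oid, _ = _tlv(_tlv(spki)[1])     # AlgorithmIdentifier -> algorithm OID
    _, sig_alg, spos = _tlv(outer, pos)     # signatureAlgorithm
    _, sig, _ = _tlv(outer, spos)           # BIT STRING signature
    return {"challenge": challenge.decode("ascii"), "key_algorithm": _oid(key_oid),
            "signature_algorithm": _oid(_tlv(sig_alg)[1]), "signature_bytes": len(sig) - 1}
```

Feeding a captured <KeyGen> value into parse_spkac shows exactly what the CA receives from the browser: a key, a challenge and a signature, so every subject field must be supplied and validated server-side.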