[EMAIL PROTECTED] (Alex Litvak) wrote in message news:<[EMAIL PROTECTED]>...
> I am having a problem generating a valid PKCS10 request to Microsoft
> Certificate Server from a Mozilla-based browser. Going the IE route
> is straightforward, using the enroll object on the client side to
> generate a PKCS10 request.
>
> Enroll.addCertTypeToRequest("Workstation")
> strReq = Enroll.createPKCS10( strDN, "1.1")
> *strDN predefined
>
> Specifying the template type and the DN string, then forwarding the
> resulting request to server side ASP.NET processing.
>
> disposition = certRequest.Submit(CR_IN_BASE64 Or CR_IN_PKCS10,
> Request("req_str"), "", "******")
> *server name removed
>
> Note the attribute part of this function call is empty since somehow
> all the necessary information has already been captured through the
> createPKCS10 function.
>
> This works perfectly, the server allows the request and valid
> disposition is returned and all is good in the world.
>
> To get this to work in Mozilla is quite a challenge. The <KeyGen>
> tag generates the keys on the client side such as...
>
> <KeyGen Name="CertRequest" Challenge="provePequalsNP">
>
> which I forward to the server. At which point (as I understand) I
> have a Base64 encoded string which is only a part of the PKCS10
> request? (again, I might be completely wrong here).
>
> Digging through ASP code of the Microsoft Certificate Server itself I
> found that (for Mozilla users) they create an ATTRIBUTE string that
> looks like this...
>
> (code converted to .Net)
>
> str += "challenge: provePequalsNP" + vbNewLine
> str += "country:" + Trim(dr("country")) + vbNewLine
> str += "state:" + Trim(dr("state")) + vbNewLine
> str += "locality:" + Trim(dr("city")) + vbNewLine
> str += "org:" + Trim(dr("organization")) + vbNewLine
> str += "orgunit:" + Trim(dr("organizational_unit")) + vbNewLine
> str += "email:" + Trim(email.Text) + vbNewLine
> str += "commonname:" + Trim(user_name) + vbNewLine
> str += "CertificateTemplate: Workstation" + vbNewLine
> str += "UserAgentString:" + Request.ServerVariables("HTTP_USER_AGENT") + vbNewLine
> * I am pulling some things from the database hence the datareader
>
> Now that we have both the CertificateRequest (coming from <KeyGen>)
> and the Attributes (str that later becomes Request("sAttributes"))
> they are passed to the Enroll object as so:
>
> disposition = certRequest.Submit(CR_IN_KEYGEN Or CR_IN_BASE64,
> Request("CertRequest"), Request("sAttributes"), "*****")
> *note CR_IN_KEYGEN is specified for Mozilla
>
> Basically the same thing as it is with IE, except that with IE the
> request string was the only thing required, and now we are also
> passing attributes.
>
> All this said, I end up getting disposition 2 error from the server
> stating:
> The request subject name is invalid or too long. 0x80094001
> (-2146877439)
>
> The good news is that it indeed picks up the template (because if I
> remove that from the attributes list it complains) and it also picks
> up the challenge (which again, if I remove it, says the key is invalid).
> But it looks like it doesn't agree with the rest of my attributes. I
> tried removing some, changing things around, and nothing helped. I made
> sure they are all short (2 letters) and that did nothing. Perhaps my
> format is wrong or something?
>
> I also noticed that the Microsoft Certificate Server uses a com object
> and references CertificateAuthority.Request that is installed when you
> install the server (I assume) where I reference
> CERTCLIENTLib.CCertRequest in CERTCLIENTLib.DLL
> I am not sure if there is a difference between the two, they look the
> same to me.
>
> Any help would be greatly appreciated!
>
> - Alex Litvak
Well, I managed to solve the problem. Turns out there is no problem
with the code. Microsoft Certificate Server (on Win2k3) turns off
attribute parsing by default (which prohibits Mozilla-based requests).
Here is how you turn it on, from the command line on the server:
certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
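The following is an added illustration of the server-side half of the keygen flow discussed in the thread; it is not code from the post, from the mozilla-crypto list, or from Certificate Services. It decodes what `<keygen>` actually posts (a base64 SignedPublicKeyAndChallenge, SPKAC), pulls the challenge out of it so the `challenge:` attribute can be cross-checked before the request reaches `ICertRequest.Submit`, and builds the newline-delimited `name: value` attribute string using the attribute names the post copied from the CA's own enrollment pages. Assumptions: the sample SPKAC is constructed here with a placeholder RSA key and an all-zero signature (structurally valid so the challenge can be parsed, but it would fail the CA's proof-of-possession check); `vbNewLine` is taken to be CRLF; the `build_request_attributes`, `spkac_challenge`, `parse_request_attributes` and `rejected` names are this example's own. Because the attribute format is line-delimited, user-supplied values such as the email or user name from the posted code are checked for CR/LF before being concatenated, since a line break inside a value would otherwise be read as one or more extra attribute lines.

```python
"""Handling a Mozilla <keygen> enrollment on the server (constructed example)."""
import base64

# DER tags and OIDs used below
SEQUENCE, INTEGER, BIT_STRING, NULL, OID, IA5STRING = 0x30, 0x02, 0x03, 0x05, 0x06, 0x16
OID_RSA = bytes.fromhex("2a864886f70d010101")       # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5 sha1WithRSAEncryption
# attribute names used for keygen requests in the post (copied from the CA's own pages)
SUBJECT_ATTRIBUTES = ("country", "state", "locality", "org", "orgunit", "email", "commonname")


def _der(tag, body):
    """Encode one DER TLV (lengths up to 65535 are enough for this example)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf, pos=0):
    """Decode one DER TLV at pos: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def make_sample_spkac(challenge, modulus=(1 << 1023) | 0x10001, exponent=65537):
    """Constructed SPKAC: SEQ { SEQ { SubjectPublicKeyInfo, IA5String challenge },
    AlgorithmIdentifier, BIT STRING signature }.  Placeholder key, zero signature."""
    def integer(i):  # leading 0x00 keeps a high-bit value positive
        return _der(INTEGER, i.to_bytes((i.bit_length() + 8) // 8, "big"))
    rsa_key = _der(SEQUENCE, integer(modulus) + integer(exponent))
    spki = _der(SEQUENCE, _der(SEQUENCE, _der(OID, OID_RSA) + _der(NULL, b""))
                + _der(BIT_STRING, b"\x00" + rsa_key))
    pkac = _der(SEQUENCE, spki + _der(IA5STRING, challenge.encode("ascii")))
    sig_alg = _der(SEQUENCE, _der(OID, OID_SHA1_RSA) + _der(NULL, b""))
    signature = _der(BIT_STRING, b"\x00" + bytes(128))  # not a real signature
    return base64.b64encode(_der(SEQUENCE, pkac + sig_alg + signature)).decode("ascii")


def spkac_challenge(spkac_b64):
    """Return the challenge embedded in a base64 SPKAC; whitespace in the base64 is tolerated."""
    raw = base64.b64decode("".join(spkac_b64.split()), validate=True)
    tag, spkac, _ = _read_tlv(raw)
    if tag != SEQUENCE:
        raise ValueError("SPKAC: outer SEQUENCE expected")
    tag, pkac, _ = _read_tlv(spkac)  # PublicKeyAndChallenge
    if tag != SEQUENCE:
        raise ValueError("SPKAC: PublicKeyAndChallenge SEQUENCE expected")
    tag, _spki, pos = _read_tlv(pkac)  # SubjectPublicKeyInfo, not inspected here
    if tag != SEQUENCE:
        raise ValueError("SPKAC: SubjectPublicKeyInfo SEQUENCE expected")
    tag, chal, _ = _read_tlv(pkac, pos)
    if tag != IA5STRING:
        raise ValueError("SPKAC: challenge must be an IA5String")
    return chal.decode("ascii")


def build_request_attributes(spkac_b64, challenge, subject, template, user_agent=""):
    """Build the strAttributes string for ICertRequest.Submit with CR_IN_KEYGEN.
    Rejects a challenge that does not match the SPKAC and any value containing a
    line break, because each CRLF-terminated line is read as its own attribute."""
    if spkac_challenge(spkac_b64) != challenge:
        raise ValueError("challenge in SPKAC does not match the submitted challenge")
    lines = [f"challenge: {challenge}"]
    for name in SUBJECT_ATTRIBUTES:
        value = subject.get(name, "").strip()
        if not value:
            continue
        if "\r" in value or "\n" in value:
            raise ValueError(f"{name}: line breaks are not allowed in attribute values")
        lines.append(f"{name}: {value}")
    lines.append(f"CertificateTemplate: {template}")
    if user_agent:  # header value, never user-typed, but still flattened to one line
        lines.append("UserAgentString: " + " ".join(user_agent.split()))
    return "\r\n".join(lines) + "\r\n"  # vbNewLine in the post is CRLF


def parse_request_attributes(text):
    """Split an attribute string into (name, value) pairs as a line-oriented reader
    would; duplicates are kept so injected lines stay visible."""
    pairs = []
    for line in text.splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def rejected(*args, **kwargs):
    """True if build_request_attributes refuses the given input."""
    try:
        build_request_attributes(*args, **kwargs)
    except ValueError:
        return True
    return False
```

The challenge check mirrors what the CA does with the `challenge:` attribute (the post notes the request fails with an invalid-key error when it is missing), but doing it on the web tier first gives a clear error before a round trip to the CA. Note also that the `certutil -setreg ca\CRLFlags` change in the follow-up only takes effect once Certificate Services has been restarted (`net stop certsvc` then `net start certsvc`).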