> > But the problem is that certificates, CA-signed and installed are marked in
> > IE5 as fit for everything EXCEPT email and client-identification.
> >
> > They are marked for servers, code signing, encryped file systems, all kinds
> > of stuff I have never heard of!
Won't the certificate usage in IE also depend on the KEY properties?
xenroll control has KeySpec property that you can specity
before CreatePKCS10():
xenroll.KeySpec = 1 ' AT_KEYEXCHANGE
xenroll.KeySpec = 2 ' AT_SIGNATURE
As I understand, this should change allowable key usages and might
give the effects that you see? Just a guess - but play with this
property and see if it has any effects.
quote from Xenroll help file:
"KEYSPEC
The KeySpec property is used to specify the key type to be generated.
For the Microsoft Base Cryptographic Provider, this will have a value
of AT_KEYEXCHANGE for exchange keys, or AT_SIGNATURE for signature keys.
However, this parameter is specific to the provider being used and may be
any value that makes sense to the provider. The default for Microsoft Base
Cryptographic Provider is AT_SIGNATURE. For information on the other
Microsoft Cryptographic Service Providers, see Microsoft Cryptographic
Service Providers in the CryptoAPI 2.0 documentation."
Kaur
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
