Andrew Brady wrote:
> 
> I am setting up a Certificate Enrollment web page
> that allows MS IE (and Netscape) users to request and
> obtain a certificate automatically.
> 
> I have to include the uid in the DN to support
> some applications that already exist here.
> 
> The Microsoft Certificate Enrollment Control
> creates a PKCS10 object using CreatePKCS10
> which takes as arguments DN and an OID.
> 
> This quite happily accepts arguments when the
> DN is constructed of attributes that are acceptable
> to it, but if I use uid, it fails with an error.
> The xenroll documentation specifies that the DN must
> be a valid X500 name (I have looked and I cannot find
> anything that tells me if uid is valid).
> <snip>

MY WORK AROUND
==============

I have decided, unless anyone can give me a strong reason
why not, to place the uid in the CN attribute for MSIE
certificates, e.g.:

  C=EU, O=ECMWF, CN=Andy Brady (myuid)[EMAIL PROTECTED]

This will force any local app programmers to write code
specifically to parse the uid out of the CN, if the
uid attribute does not exist. If at a future date
I can include uid, no app code needs to change.

NEXT PROBLEM
============

So I now have an SSL client cert that works in Netscape (4.7)
and MSIE5 but does not work in MSIE4.

MSIE4 appears to accept the certificate and places it in
the certificate database. Unfortunately it does not show
it in its list under View->Internet Options->Content->Personal.

The certificate is there though as certmgr sees it.

If I try to connect to a suitable SSL site that expects client
auth, I get an empty listbox from which MSIE4 expects me
to pick a certificate to use. This works fine from Netscape
and MSIE5. The SSL server is providing the correct acceptable
CA list. Is there something wrong with the certificate that
MSIE4 gets? Is it missing some vital ingredient so that it
can be used as an SSL client cert?

An x509 example cert and dummy CA is attached.

Any hints would be most welcome.

Andy

PS Thanks to Stephen Henson. Your site is very useful.

--
Andy Brady                          Email : [EMAIL PROTECTED]
Web Services Group                    Tel : +44(0)118 9499252
E.C.M.W.F.                            Fax : +44(0)118 9869450
Shinfield Park, Reading, RG2 9AX      Web : http://www.ecmwf.int
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 25 (0x19)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=EU, O=ECMWF, CN=Test [EMAIL PROTECTED]
        Validity
            Not Before: Nov 18 17:54:58 1999 GMT
            Not After : Nov 28 17:54:58 1999 GMT
        Subject: C=EU, O=ECMWF, CN=Andrew Brady (syb)[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:cb:58:14:8d:47:1c:01:b8:79:51:01:65:c3:ef:
                    e6:e0:3e:70:5a:aa:8f:72:b9:62:e5:02:ce:f3:ea:
                    fe:71:6c:90:08:9b:54:85:66:2e:4c:69:86:a2:76:
                    23:6d:45:12:fd:59:9e:be:c3:40:51:a9:84:60:08:
                    b2:83:59:6f:dd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Key Identifier: 
                E3:E3:B8:AB:12:68:FD:20:CE:8D:DB:EB:EB:CC:6D:EB:51:F3:F8:0C
            X509v3 Authority Key Identifier: 
                keyid:2E:AF:C0:67:E5:2A:5E:47:8A:32:FC:00:5E:C2:99:EF:A2:97:33:D2
                DirName:/C=EU/O=ECMWF/CN=Test [EMAIL PROTECTED]
                serial:00

            Netscape CA Revocation Url: 
                https://w3cert.ecmwf.int/CA/ecmwf-crl.pem
            Netscape Base Url: 
                https://w3cert.ecmwf.int/CA/
            Netscape Revocation Url: 
                https://w3cert.ecmwf.int/CA/ecmwf-crl.pem
            Netscape Renewal Url: 
                https://w3cert.ecmwf.int/CA/renewal.html
            Netscape CA Policy Url: 
                https://w3cert.ecmwf.int/CA/policy.html
            Netscape Comment: 
                OpenSSL Generated Certificate, Signed by ECMWF root Certificate Authority, https://w3cert.ecmwf.int/
    Signature Algorithm: md5WithRSAEncryption
        33:80:52:09:a7:73:33:82:6c:a3:c5:72:1a:4d:61:63:01:42:
        4c:1e:a2:3a:bb:59:3b:6b:82:e0:e8:7c:18:77:fb:27:a5:dd:
        b8:e3:ce:42:46:8c:57:92:fd:64:aa:96:20:84:44:3b:02:13:
        d9:04:17:b8:02:94:03:ff:29:28
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=EU, O=ECMWF, CN=Test [EMAIL PROTECTED]
        Validity
            Not Before: Nov 11 13:07:29 1999 GMT
            Not After : Dec 11 13:07:29 1999 GMT
        Subject: C=EU, O=ECMWF, CN=Test [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:d4:74:31:3a:b5:84:68:1d:af:9b:f6:7b:66:36:
                    b2:d9:d7:ba:e2:50:db:6f:d6:ff:1d:73:e9:e1:30:
                    b9:9e:be:76:db:8d:2c:1b:44:2f:c3:05:e9:20:74:
                    33:b5:cc:14:f4:7d:16:08:7d:68:de:3c:18:a8:ab:
                    0d:ea:97:c2:69
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                2E:AF:C0:67:E5:2A:5E:47:8A:32:FC:00:5E:C2:99:EF:A2:97:33:D2
            X509v3 Authority Key Identifier: 
                keyid:2E:AF:C0:67:E5:2A:5E:47:8A:32:FC:00:5E:C2:99:EF:A2:97:33:D2
                DirName:/C=EU/O=ECMWF/CN=Test [EMAIL PROTECTED]
                serial:00

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        0e:8d:c5:ca:19:5b:2e:43:d8:ed:71:24:f1:7b:2f:ac:ae:69:
        3e:e5:6a:51:1f:44:24:06:34:15:16:e4:42:60:f6:94:ff:22:
        6a:8c:aa:e0:78:7c:36:75:0b:8f:53:e3:1e:5b:54:fc:e9:7c:
        40:d7:97:4f:11:c8:3f:a6:6f:96

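The CN fallback described in the workaround above, as an added example that is not part of the original post: an application takes the uid from a real uid attribute when the certificate has one and otherwise parses it out of a trailing "(uid)" in the CN. It assumes the subject DN has already been decoded into (attribute, value) pairs by the TLS library; the attribute names, the uid character policy and the function name are assumptions.

```python
import re
from typing import Iterable, Optional, Tuple

# Attribute names for uid and CN as a TLS library might report them (assumed).
UID_NAMES = {"UID", "uid", "userId"}
CN_NAMES = {"CN", "commonName"}

# Local policy for what a uid may look like (assumed; adjust to the site's rules).
UID_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")
# The workaround format: "Real Name (uid)", with the uid group at the very end.
CN_RE = re.compile(r"^.+?\s*\(([^()]*)\)$")


def uid_from_subject(subject: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Return the uid from a decoded subject DN, or None if none can be trusted."""
    pairs = list(subject)
    uids = [value for name, value in pairs if name in UID_NAMES]
    if uids:
        # A real uid attribute always wins; a bad or duplicated one is rejected
        # outright instead of silently falling back to the CN.
        candidate = uids[0] if len(uids) == 1 else None
    else:
        cns = [value for name, value in pairs if name in CN_NAMES]
        match = CN_RE.match(cns[0].strip()) if len(cns) == 1 else None
        candidate = match.group(1) if match else None
    if candidate is not None and UID_RE.fullmatch(candidate):
        return candidate
    return None


# Constructed sample subjects, modelled on the DN format shown in the post.
SAMPLE_MSIE = [("C", "EU"), ("O", "ECMWF"), ("CN", "Andy Brady (myuid)")]
SAMPLE_WITH_UID = [("C", "EU"), ("O", "ECMWF"), ("CN", "Andy Brady"), ("UID", "myuid")]

if __name__ == "__main__":
    for sample in (SAMPLE_MSIE, SAMPLE_WITH_UID):
        print(uid_from_subject(sample))
```

The fallback is only as trustworthy as the CA's control over what goes into the CN, so it should be applied only to certificates issued by the CA that follows this naming convention.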