On Mon, Mar 17, 2003, Moerk, Michael wrote:

> I have created a self-signed certificate with OpenSSL. I would like to be
> able to import the certificate into Internet Explorer without user
> intervention (the client and server are the same box). Does anyone know how
> to import a certificate in an automated fashion, without the user having to
> push any buttons? Are there any registry settings or tools that can help me
> with this?
>

All the standard APIs prompt the user before adding a root CA into Windows
certificate stores.

This is a security measure because if you could silently add a certificate
then you could generate arbitrary certificates chained to the root CA. This
would allow server impersonation and ActiveX signing which would allow an
attacker to run whatever malicious code they wanted to.

Naturally there *is* a way to do this because the various warnings and
wizards are just software and you could theoretically do exactly what they
do (bypassing the official APIs) but without the prompting. However MS,
understandably, won't give details about how to do this and AFAIK no one
else has either.

BTW please turn word wrap on your mailer: it put that lot all on one line...

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
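
A defender-side check that follows from the reply above, as an added example that is not part of the original message: because any certificate in a root store can vouch for arbitrary server and code-signing certificates, snapshot the root stores once and flag every later addition. The baseline path is a hypothetical location chosen for this sketch.

```powershell
# Added example: baseline-and-diff audit of the Windows trusted root stores.
# $BaselinePath is a hypothetical location; keep it writable by admins only.
param(
    [string]$BaselinePath = "$env:ProgramData\RootStoreAudit\baseline.json"
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Snapshot every certificate currently trusted as a root.
$current = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            SelfSigned = ($_.Subject -eq $_.Issuer)
            NotBefore  = $_.NotBefore.ToString('o')
        }
    }
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the reviewed, known-good state and stop.
    New-Item -ItemType Directory -Path (Split-Path -Parent $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written: $(@($current).Count) root entries."
    return
}

# Assign first, then wrap with @(): handles a one-entry baseline and both
# Windows PowerShell 5.1 and PowerShell 7 array behaviour.
$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($b in @($baseline)) { $known["$($b.Store)|$($b.Thumbprint)"] = $true }

# Anything trusted now that was not trusted at baseline time needs an owner.
$added = @($current | Where-Object {
    -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)")
})

foreach ($a in $added) {
    Write-Warning ("NEW root in {0}: {1} {2} (self-signed: {3}, valid from {4})" -f `
        $a.Store, $a.Thumbprint, $a.Subject, $a.SelfSigned, $a.NotBefore)
}
if ($added.Count -gt 0) { exit 1 }
Write-Output "No root store additions since baseline."
```

Windows can also add roots on its own through automatic root updates, so a new entry is a trigger for review rather than proof of tampering.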