  Issue Certificates
A certificate must be issued by a certification authority (CA) that everyone trusts. There are several companies out there that issue certificates, such as VeriSign or Thawte. In an enterprise environment, however, you may choose to set up your own certification authority to issue certificates that will be used internally by your company employees. If you decide to go down this path, you have at least two choices:
  • Use Microsoft Certificate Server.
  • Develop your own Web-based application using AspEncrypt.

The second approach requires more effort on your part but gives you much more flexibility.

  Setting up a Certification Authority Hierarchy
AspEncrypt creates certificates using the methods Context.CreateCertificate and Context.CreateCertificateFromRequest. The former accepts a person's information in the form of a list of tagged values (as shown below). The latter accepts a Certificate Request File in the PKCS#10 format as the input. Both methods accept a signer context as the first argument.

To construct a hierarchy of certification authorities you must start by creating a self-signed certificate, which will become the root of the hierarchy. The following code snippet (also found in the file Samples\issue_certs\RootCert.asp of the installation) creates a self-signed certificate and places it in the ROOT store. Note that you must not attempt to add a certificate to the HKEY_CURRENT_USER-based ROOT store in an ASP environment, as this may hang your web server (see Manage Certificates and Certificate Stores for details).

<%
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("RootContainer", True )

' Subject is a CR/LF separated list of tagged values
Subject = "CN=Acme Software Root CA" & chr(13) & chr(10)
Subject = Subject & "C=US" & chr(13) & chr(10)
Subject = Subject & "L=Arlington" & chr(13) & chr(10)
Subject = Subject & "S=VA" & chr(13) & chr(10)

' Create self-signed certificate valid for 1 year starting now
' The last argument specifies that the private key must be included when saved.
Set Cert = Context.CreateCertificate(Nothing, Subject, Now(), Now() + 365, True)

' Save to HKEY_LOCAL_MACHINE-based ROOT store.
CM.LogonUser "mydomain", "administrator", "xxx"
Set Store = CM.OpenStore( "ROOT", True )
' DO NOT TRY False!
Store.AddCertificate Cert
%>

Notice that we specified Nothing as the first argument. This instructs the CreateCertificate method to create a self-signed certificate. The third and fourth arguments specify the validity period for this certificate (in this case 365 days starting now). The last argument specifies whether the certificate's private key should be bundled with the certificate when the latter is saved in a store.

  Creating a CA-signed Certificate

A self-signed certificate created by the code above can be used to sign individual client certificates directly. You may instead use this certificate to sign other certificates that would serve as sub-authorities in your certificate authority hierarchy. For example, you may set up sub-authorities for each of your organization's departments.

The following code snippet (also found in the file Samples\issue_certs\SignedCert.asp of the installation) creates a certificate signed by a previously issued root certificate.

Notice that this time the first argument of the CreateCertificate method is set to the signer certificate's private key context obtained via the Cert.PrivateKeyContext property.

<%
Set CM = Server.CreateObject("Persits.CryptoManager")

' Obtain the root certificate by serial number
CM.LogonUser "mydomain", "administrator", "xxxx"
Set Store = CM.OpenStore( "ROOT", True )
Set RootCert = Store.Certificates("03804327900075BF11D3596C62FA556F")

Set Context = CM.OpenContext("SubContainer", True )

' Subject is a CR/LF separated list of tagged values
Subject = "OU=Acme Software R&D CA" & chr(13) & chr(10)
Subject = Subject & "C=US" & chr(13) & chr(10)
Subject = Subject & "L=Arlington" & chr(13) & chr(10)
Subject = Subject & "S=VA" & chr(13) & chr(10)

' Create certificate valid for 180 days starting now
' The last argument specifies that the private key must be included when saved.
Set Cert = Context.CreateCertificate(RootCert.PrivateKeyContext, Subject, _
      Now(), Now() + 180, True)

' Save to HKEY_LOCAL_MACHINE-based ROOT store
Store.AddCertificate Cert
%>

  Exporting Certificates to a File

Once your hierarchy of certificates is built you must distribute the certificates to client machines. To export a certificate to a file together with all the certificates in the certification path, you should use the method Cert.ExportToFilePKCS7, as follows:

<%
Set CM = Server.CreateObject("Persits.CryptoManager")
CM.LogonUser "mydomain", "administrator", "xxx"

Set Store = CM.OpenStore("ROOT", True)
Set Cert = Store.Certificates("03804327900075BF11D3596C62FA5573")
Cert.ExportToFilePKCS7 "d:\acme.spc", True
%>

The last argument specifies that all certificates in the certification path should be included. A .spc file generated by this code can be installed on a client machine by simply clicking on the file from Windows Explorer. This will invoke the Certificate Manager Import wizard which will copy the certificates contained in the file to the current user's CA and ROOT stores.
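The three ASP snippets above leave the bookkeeping (subject format, issuer links, validity windows, the certification path that ExportToFilePKCS7 bundles) to AspEncrypt. The following Python model, added here and not part of AspEncrypt or this page's samples, makes that bookkeeping explicit: it serializes and parses the CR/LF tagged-value subject format, walks issuer links from a certificate to its self-signed root, and flags two problems a chain can have, a member outside its validity window and a child whose NotAfter lies beyond its issuer's. There are no keys or signatures in the model; serial numbers, the "Jane Doe" client certificate and its 400-day validity are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

CRLF = "\r\n"   # chr(13) & chr(10) in the ASP samples


def build_subject(tags: Dict[str, str]) -> str:
    """Serialize tags into the CR/LF-separated list CreateCertificate takes as Subject."""
    for tag, value in tags.items():
        if not tag or "=" in tag or "\r" in value or "\n" in value:
            raise ValueError(f"invalid subject component {tag!r}={value!r}")
    return "".join(f"{tag}={value}{CRLF}" for tag, value in tags.items())


def parse_subject(subject: str) -> Dict[str, str]:
    """Inverse of build_subject; a repeated tag keeps its last value."""
    tags: Dict[str, str] = {}
    for line in subject.split(CRLF):
        if not line:
            continue                      # the trailing CR/LF leaves an empty item
        tag, sep, value = line.partition("=")
        if not sep or not tag.strip():
            raise ValueError(f"malformed subject line {line!r}")
        tags[tag.strip()] = value.strip()
    return tags


@dataclass
class CertRecord:
    serial: str
    subject: str                   # tagged-value string as passed to CreateCertificate
    issuer_serial: Optional[str]   # None models the Nothing signer of a self-signed root
    not_before: datetime
    not_after: datetime


class Store:
    """Stand-in for a store looked up by serial, like Store.Certificates(serial)."""

    def __init__(self) -> None:
        self._certs: Dict[str, CertRecord] = {}

    def add(self, cert: CertRecord) -> None:
        self._certs[cert.serial] = cert

    def get(self, serial: str) -> CertRecord:
        if serial not in self._certs:
            raise KeyError(f"no certificate with serial {serial} in store")
        return self._certs[serial]


def certification_path(store: Store, serial: str) -> List[CertRecord]:
    """Follow issuer links up to the self-signed root: the set that
    ExportToFilePKCS7 writes when its last argument is True."""
    path: List[CertRecord] = []
    seen = set()
    cert = store.get(serial)
    while True:
        if cert.serial in seen:
            raise ValueError(f"issuer cycle at serial {cert.serial}")
        seen.add(cert.serial)
        path.append(cert)
        if cert.issuer_serial is None:
            return path                          # reached the root
        cert = store.get(cert.issuer_serial)     # KeyError if the chain is broken


def path_problems(path: List[CertRecord], at: datetime) -> List[str]:
    """A chain is usable only while every member is valid, so report members
    outside their window at `at`, and children that outlive their issuer."""
    problems: List[str] = []
    for cert in path:
        if not cert.not_before <= at <= cert.not_after:
            problems.append(f"{cert.serial} is not valid on {at:%Y-%m-%d}")
    for child, parent in zip(path, path[1:]):
        if child.not_after > parent.not_after:
            problems.append(f"{child.serial} expires after its issuer {parent.serial}")
    return problems


def build_demo_store(now: datetime) -> Store:
    """Constructed hierarchy: root valid 365 days and sub-CA valid 180 days as in the
    samples, plus a client certificate deliberately issued for 400 days."""
    store = Store()
    root = build_subject({"CN": "Acme Software Root CA", "C": "US", "L": "Arlington", "S": "VA"})
    sub = build_subject({"OU": "Acme Software R&D CA", "C": "US", "L": "Arlington", "S": "VA"})
    client = build_subject({"CN": "Jane Doe", "OU": "R&D", "C": "US"})
    store.add(CertRecord("ROOT-0001", root, None, now, now + timedelta(days=365)))
    store.add(CertRecord("SUB-0001", sub, "ROOT-0001", now, now + timedelta(days=180)))
    store.add(CertRecord("CLIENT-0001", client, "SUB-0001", now, now + timedelta(days=400)))
    return store


def run_demo(days_after: int) -> Dict[str, List[str]]:
    """Chain for the client certificate and its problems `days_after` days after issuance."""
    now = datetime(2010, 1, 1)                   # fixed clock so runs are repeatable
    chain = certification_path(build_demo_store(now), "CLIENT-0001")
    return {"path": [c.serial for c in chain],
            "problems": path_problems(chain, now + timedelta(days=days_after))}


if __name__ == "__main__":
    for day in (10, 200):
        print(day, run_demo(day))
```

At day 10 every member is valid, but the client certificate already shows as outliving its 180-day issuer; at day 200 the sub-CA has expired, so the whole path below it is unusable even though the client certificate itself has 200 days left.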

  Client Certificate Enrollment

For a user to get a personal certificate (digital ID) over the Web, the following steps must be taken:
  1. Generate a key pair on the client's machine.
  2. Create a Certificate Request (PKCS#10) from the client's personal information such as company name, email address, locale, etc.
  3. Send the Certificate Request to the Certification Authority for verification.
  4. The CA verifies the information contained in the Certificate Request and generates a certificate signed with the CA's private key.
  5. The certificate is installed on the client's machine and connected to the appropriate key pair.

All steps except for Step 4 (certificate generation) take place on the client's machine. We would need a client-side ActiveX control to perform these tasks. Fortunately, such a control already exists and is included with Microsoft Internet Explorer 4.0. It is called XEnroll.

The XEnroll control provides two useful methods: CreatePKCS10, which creates a key pair and generates the corresponding PKCS#10 Certificate Request, and AcceptPKCS7, which accepts the generated certificate, copies it to the current user's MY certificate store and connects it with the private key generated earlier.

The files GenRequest.asp and GenCertFromRequest.asp found in the directory \Samples\issue_certs of the installation demonstrate how to use the first and second functions of XEnroll, respectively.

For the sake of simplicity, the file GenCertFromRequest.asp does not perform any validation. It simply grabs a certificate request file generated by GenRequest.asp, passes it to AspEncrypt's Context.CreateCertificateFromRequest method, saves the resulting certificate chain in the PKCS#7 format to a file, converts it into Base64 encoding and displays it to the user. The user is then offered a button that installs the certificate on his/her machine.

In real life, generating a certificate and enabling a user to install it on his/her machine should be performed in two separate steps, to allow the CA to validate the data in the certificate request and make sure the public key really belongs to the person whose personal information is provided with the request.
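The two-step flow recommended above, as an added Python model that is not GenCertFromRequest.asp or any AspEncrypt code: a request is parked at submission, a reviewer approves or rejects it, and issuance is refused for anything not approved. Requests are plain dicts of subject tags plus the public key bytes; parsing a real PKCS#10 is left to Context.CreateCertificateFromRequest. The subject tag for the e-mail address (E), the account names and the key bytes are assumptions and constructed values; the screening rules (CN present, request e-mail equals the authenticated submitter, one public key per user) are one reasonable policy, not AspEncrypt's.

```python
from dataclasses import dataclass
from typing import Dict, List
import hashlib
import itertools

EMAIL_TAG = "E"   # assumption: subject tag carrying the e-mail address


@dataclass
class Enrollment:
    request_id: str
    submitted_by: str            # authenticated account that posted the request
    subject: Dict[str, str]
    key_fingerprint: str         # SHA-256 of the public key bytes in the request
    status: str = "pending"      # pending -> approved | rejected -> issued
    note: str = ""


class EnrollmentDesk:
    def __init__(self) -> None:
        self._requests: Dict[str, Enrollment] = {}
        self._key_owner: Dict[str, str] = {}   # fingerprint -> submitted_by
        self._counter = itertools.count(1)

    def submit(self, submitted_by: str, subject: Dict[str, str], public_key: bytes) -> Enrollment:
        """Step 3: accept the request and queue it. Only mechanical checks run here;
        anything they catch is rejected outright, everything else waits for review."""
        fp = hashlib.sha256(public_key).hexdigest()
        errors = self._screen(submitted_by, subject, fp)
        req = Enrollment(f"REQ-{next(self._counter):04d}", submitted_by, dict(subject), fp,
                         status="rejected" if errors else "pending", note="; ".join(errors))
        self._requests[req.request_id] = req
        if not errors:
            self._key_owner[fp] = submitted_by
        return req

    def _screen(self, submitted_by: str, subject: Dict[str, str], fp: str) -> List[str]:
        errors: List[str] = []
        if not subject.get("CN"):
            errors.append("CN missing")
        if subject.get(EMAIL_TAG, "").lower() != submitted_by.lower():
            errors.append("e-mail in request does not match authenticated user")
        owner = self._key_owner.get(fp)
        if owner is not None and owner != submitted_by:
            errors.append("public key already enrolled by another user")
        return errors

    def review(self, request_id: str, approve: bool, note: str = "") -> Enrollment:
        """Step 4, first half: the CA decides after checking the request's data."""
        req = self._requests[request_id]
        if req.status != "pending":
            raise ValueError(f"{request_id} is {req.status}, not pending")
        req.status = "approved" if approve else "rejected"
        req.note = note
        return req

    def issue(self, request_id: str) -> Dict[str, str]:
        """Step 4, second half: only an approved request yields a certificate. The
        dict stands in for what CreateCertificateFromRequest would return."""
        req = self._requests[request_id]
        if req.status != "approved":
            raise PermissionError(f"refusing to issue for {request_id}: status is {req.status}")
        req.status = "issued"
        return {"serial": "CERT-" + req.request_id[4:], "issued_to": req.submitted_by,
                "cn": req.subject["CN"], "key_fingerprint": req.key_fingerprint}

    def status(self, request_id: str) -> str:
        return self._requests[request_id].status


if __name__ == "__main__":
    desk = EnrollmentDesk()
    # constructed sample: the key bytes are a placeholder, not a real public key
    r = desk.submit("jdoe@acme.example", {"CN": "Jane Doe", "E": "jdoe@acme.example"}, b"key-1")
    print(r.request_id, r.status)
    desk.review(r.request_id, approve=True, note="verified against HR directory")
    print(desk.issue(r.request_id))
```

Keeping `submit` and `issue` as separate entry points is the whole point: the page's sample collapses them into one request, so nothing can intervene between the user's claim and the CA's signature.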


  This site is owned and maintained by Persits Software, Inc. Copyright © 2000 - 2010. All Rights Reserved.