A certificate must be issued by a certification authority (CA) that
everyone trusts. There are several companies out there that issue
certificates, such as VeriSign
or Thawte. In an enterprise
environment, however, you may choose to set up your own certification
authority to issue certificates that will be used internally by your
company employees. If you decide to go down this path, you have at least two choices:
- Use Microsoft Certificate Server.
- Develop your own Web-based application using AspEncrypt.
The second approach requires more effort on your part but gives you much
more flexibility.
AspEncrypt creates certificates using the methods Context.CreateCertificate
and Context.CreateCertificateFromRequest. The former accepts a person's
information in the form of a list of tagged values (as shown below). The latter
accepts a Certificate Request File in the PKCS#10 format as the input. Both methods
accept a signer context as the first argument.
To construct a hierarchy of certification authorities you must start by
creating a self-signed certificate which will become the root of the
hierarchy. The following code snippet (also found in the file Samples\issue_certs\RootCert.asp of the installation)
creates a self-signed certificate and
places it in the ROOT store. Note that you must not attempt
to add a certificate to the HKEY_CURRENT_USER-based ROOT store in an ASP environment
as this may hang up your web server (see Manage Certificates and Certificate Stores
for details).
<%
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("RootContainer", True )
' Subject is a CR/LF separated list of tagged values
Subject = "CN=Acme Software Root CA" & chr(13) & chr(10)
Subject = Subject & "C=US" & chr(13) & chr(10)
Subject = Subject & "L=Arlington" & chr(13) & chr(10)
Subject = Subject & "S=VA" & chr(13) & chr(10)
' Create self-signed certificate valid for 1 year starting now
' The last argument specifies that the private key must be included when saved.
Set Cert = Context.CreateCertificate(Nothing, Subject, Now(), Now() + 365, True)
' Save to HKEY_LOCAL_MACHINE-based ROOT store.
CM.LogonUser "mydomain", "administrator", "xxx"
Set Store = CM.OpenStore( "ROOT", True ) ' DO NOT TRY False!
Store.AddCertificate Cert
%>
Notice that we specified Nothing as the first argument. This instructs
the CreateCertificate method to create a self-signed certificate. The third
and fourth arguments specify the validity period for this certificate (in this
case 365 days starting now). The last argument specifies whether
the certificate's private key should be bundled with the certificate when
the latter is saved in a store.
A self-signed certificate created by the code above can be used to
sign individual client certificates directly. You may instead
use this certificate to sign other certificates that would serve as
sub-authorities in your certificate authority hierarchy. For example,
you may set up sub-authorities for each of your organization's departments.
The following code snippet (also found in the file Samples\issue_certs\SignedCert.asp
of the installation) creates a certificate signed by a previously issued
root certificate.
Notice that this time the first argument of the CreateCertificate method
is set to the signer certificate's private key context obtained via the
Cert.PrivateKeyContext property.
<%
Set CM = Server.CreateObject("Persits.CryptoManager")
' Obtain the root certificate by serial number
CM.LogonUser "mydomain", "administrator", "xxxx"
Set Store = CM.OpenStore( "ROOT", True )
Set RootCert = Store.Certificates("03804327900075BF11D3596C62FA556F")
Set Context = CM.OpenContext("SubContainer", True )
' Subject is a CR/LF separated list of tagged values
Subject = "OU=Acme Software R&D CA" & chr(13) & chr(10)
Subject = Subject & "C=US" & chr(13) & chr(10)
Subject = Subject & "L=Arlington" & chr(13) & chr(10)
Subject = Subject & "S=VA" & chr(13) & chr(10)
' Create certificate valid for 180 days starting now
' The last argument specifies that the private key must be included when saved.
Set Cert = Context.CreateCertificate(RootCert.PrivateKeyContext, Subject, _
Now(), Now() + 180, True)
' Save to HKEY_LOCAL_MACHINE-based ROOT store
Store.AddCertificate Cert
%>
Once your hierarchy of certificates is built you must distribute the
certificates to client machines. To export a certificate to a file together with
all the certificates in the certification path, you should use the method
Cert.ExportToFilePKCS7, as follows:
<%
Set CM = Server.CreateObject("Persits.CryptoManager")
CM.LogonUser "mydomain", "administrator", "xxx"
Set Store = CM.OpenStore("ROOT", True)
Set Cert = Store.Certificates("03804327900075BF11D3596C62FA5573")
Cert.ExportToFilePKCS7 "d:\acme.spc", True
%>
The last argument specifies that all certificates in the certification path
should be included. A .spc file generated by this code can be installed on a client machine by simply clicking
on the file from Windows Explorer. This will invoke the Certificate Manager Import
wizard which will copy the certificates contained in the file to the current user's CA and ROOT stores.
For a user to get a personal certificate (digital ID) over the Web,
the following steps must be taken:
1. Generate a key pair on the client's machine.
2. Create a Certificate Request (PKCS#10) from the client's personal information such as
company name, email address, locale, etc.
3. Send the Certificate Request to the Certification Authority for verification.
4. The CA verifies the information contained in the Certificate Request
and generates a certificate signed with the CA's private key.
5. The certificate is installed on the client's machine and connected
to the appropriate key pair.
All steps except for Step 4 (certificate generation) take place on the client's machine.
We would need a client-side ActiveX control to perform these tasks. Fortunately,
such a control already exists and is included with
Microsoft Internet Explorer 4.0. It is called XEnroll.
The XEnroll control provides two useful methods: CreatePKCS10, which
creates a key pair and generates the corresponding PKCS#10 Certificate Request,
and AcceptPKCS7, which accepts the generated certificate, copies it
to the current user's MY certificate store and connects it with the
private key generated earlier.
The files GenRequest.asp and GenCertFromRequest.asp found in the directory
\Samples\issue_certs of the installation demonstrate how to
use the first and second methods of XEnroll, respectively.
For the sake of simplicity, the file GenCertFromRequest.asp does not perform any
validation. It simply takes the certificate request file generated by GenRequest.asp,
passes it to AspEncrypt's Context.CreateCertificateFromRequest method,
saves the resulting certificate chain in PKCS#7 format to a file, converts it to
Base64 encoding and displays it to the user. The user is then offered a button
to click to install the certificate on his/her machine.
In real life, generating a certificate and enabling a user to install it on his/her machine
should be performed in two separate steps, to allow the CA to validate
the data in the certificate request and make sure the public key
really belongs to the person whose personal information is provided with the request.
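The hierarchy built in the snippets above (root CA, sub CA, exported PKCS#7 path) and the request-validation step this last paragraph calls for, as an added example that is not part of AspEncrypt or its sample files: the same chain rebuilt with the OpenSSL command line (assumed installed), where the CA checks the PKCS#10 request's self-signature before issuing and validates the finished path afterwards. All subject names, file names and the ca.ext extension file are constructed for the example.

```shell
# Added example, not AspEncrypt's code: the page's root CA -> sub CA -> client
# hierarchy rebuilt with the OpenSSL CLI (assumed installed), plus the checks a
# real CA runs: proof of possession on the PKCS#10 request and path validation
# of the issued certificate. Names are constructed; OpenSSL spells state as ST.

# Proof of possession: the request's self-signature verifies under the public
# key it carries. OpenSSL 1.1.1 prints "verify OK" on stderr, 3.x on stdout.
request_proves_possession() {
    openssl req -in "$1" -verify -noout 2>&1 | grep -q "verify OK"
}

# Build root.crt, sub.crt, client.crt and a PKCS#7 bundle in directory $1.
build_acme_pki() (
    set -e; mkdir -p "$1"; cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Root CA: key pair and request, then self-signed for 365 days (RootCert.asp)
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Acme Software Root CA/C=US/L=Arlington/ST=VA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
        -extfile ca.ext -out root.crt 2>/dev/null
    # Sub CA: own key pair, certificate signed with the root key, 180 days (SignedCert.asp)
    openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
        -subj "/OU=Acme Software R&D CA/C=US/L=Arlington/ST=VA" 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 180 -sha256 -extfile ca.ext -out sub.crt 2>/dev/null
    # Client: key pair plus PKCS#10 request (the role of XEnroll's CreatePKCS10)
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=Jane Doe/O=Acme Software/C=US/emailAddress=jane@example.invalid" 2>/dev/null
    # CA side: refuse a request that fails proof of possession, otherwise issue
    request_proves_possession client.csr
    openssl x509 -req -in client.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 365 -sha256 -out client.crt 2>/dev/null
    # Bundle the full certification path, as ExportToFilePKCS7 with True does
    openssl crl2pkcs7 -nocrl -certfile client.crt -certfile sub.crt \
        -certfile root.crt -out acme.p7b
)

# Path validation: client.crt must chain through sub.crt to the trusted root.
chain_is_valid() (
    cd "$1" && openssl verify -CAfile root.crt -untrusted sub.crt client.crt >/dev/null 2>&1
)

# Number of certificates in a PKCS#7 bundle (3 when the whole path was included).
bundle_cert_count() {
    openssl pkcs7 -in "$1" -print_certs -noout 2>/dev/null | grep -c '^subject='
}
```

Run it with `build_acme_pki /tmp/acme && chain_is_valid /tmp/acme`; the resulting acme.p7b plays the same role as the .spc file exported above.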