microsoft.public.security.crypto
  Is it possible to make a computer certificate with strong key prot         


Author: ralderton
Date: Sep 19, 2008 08:55

Is it possible to create a computer / machine cert with strong key protection
using an MS Certificate server?
My client machines are a mix of XP SP2 and Vista. All are members of a 2003
AD environment. The CA is running on Windows 2003 Enterprise, and is
configured as an Enterprise CA.
Currently we use machine certs for Cisco VPN authentication. I was wondering
if it's possible to do strong key protection so the user is prompted for the
private key when the Cisco client is configured for VPN logon prior to
Windows logon.
1 Comment
  SmartCard Logon with no domain specified in the certificate's Subject Alternative Name         


Author: m.pawlak
Date: Sep 19, 2008 00:30

If the certificate used for SmartCard logon has the alternative
subject name in the form "user@domain" I can only log on to the user's
account in that domain.

However, if the domain name is missing (i.e. the alternative subject
name is in the form "user"), I can log on to any domain in which the
user exists and which trusts this certificate. This said, I may have a
card issued for the "Administrator" user and log on to multiple
domains.

Is this how SmartCard logon is meant to work?

In order to avoid it, could I parse the certificate in my CSP's
function CPGetKeyParam(KP_CERTIFICATE) and refuse to return the
certificate if the domain is not specified in it?

Thanks,
Marek Pawlak
2 Comments
  Publish third party user certificate in AD         


Author: dipti
Date: Sep 17, 2008 18:59

Hi,

I am trying to publish a third party user certificate (encryption only)
in my AD. I am using the following command:

certutil -dsPublish c:\certificatefile.cer User

But this does not work. It errors out with the following:

__________________________________________________________________________
C:\Program Files\Support Tools>certutil -dsPublish c:\certificatefile.cer User

402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version

CN=USER Name,CN=UsersDC=lab,DC=com?userCertificate

429.2137.0: 0x20 (32): 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:

'CN=UsersDC=lab,DC=com'

429.901.0: 0x8007208d (WIN32: 8333): CN=USER Name,CN=UsersDC=lab,DC=com

429.1262.0: 0x8007208d (WIN32: 8333)

307.4189.0: 0x8007208d (WIN32: 8333)
1 Comment
  Certificate renewal and Windows 2003 CA         


Author:
Date: Sep 17, 2008 05:47

Hi,

Let's imagine that I have a certificate issued according to my custom
created template. And now the renewal period kicks in, and the client sees
the certificate balloon at the task bar. And here goes the question:

Does the certificate get renewed by using the same key pair or a new
one? Where can I change this? Thanks.
no comments
  Wincrypt & Diffie Hellman keypair generation         


Author: Michael
Date: Sep 16, 2008 12:52

I'm following the steps at
http://msdn.microsoft.com/en-us/library/aa919730.aspx for generating a
Diffie-Hellman keypair when P & G are known. I'm using the
MS_ENH_DSS_DH_PROV CSP. I don't get far:

ULONG p = 139, g = 5;

CRYPT_DATA_BLOB pblob;
pblob.cbData = sizeof( ULONG );
pblob.pbData = ( LPBYTE ) &p;

CRYPT_DATA_BLOB gblob;
gblob.cbData = sizeof( ULONG );
gblob.pbData = ( LPBYTE ) &g;

HCRYPTKEY hKey;
if ( ::CryptGenKey( m_hCryptoProvider, CALG_DH_SF,
                    CRYPT_PREGEN, &hKey ) )
    ::CryptSetKeyParam( hKey, KP_G, ( LPBYTE ) &gblob, 0 );

The call to CryptSetKeyParam fails with 'NTE_BAD_DATA'-- can anyone see what I'm missing?

--
Michael pobox.com>
no comments
  C# enumPendingRequest doesn't work         


Author:
Date: Sep 16, 2008 07:27

Hi,

Trying to enumerate pending certificate requests using
XENROLL.enumPendingRequest but have a strange problem. Here is my code:

private XENROLLLib.CEnrollClass _enroll;
const int XEPR_HASH = 0x08;
const int XEPR_REQUESTID = 0x04;

_enroll = new CEnrollClass();
_enroll.ProviderName = providerName;
_enroll.ProviderType = 1;
_enroll.WriteCertToCSP = Convert.ToInt32 (writeToCSP);
_enroll.GenKeyFlags = (1024 << 16) | CRYPT_EXPORTABLE;
_enroll.KeySpec = CRYPT_EXPORTABLE;
_enroll.LimitExchangeKeyToEncipherment = 0;
_enroll.UseExistingKeySet = 0;
_enroll.HashAlgID = 32772;
object o = _enroll.enumPendingRequest (0, XEPR_REQUESTID);

providerName is a third party CSP but doubt it can have something to do with
it...

Anyhow - the error I'm getting on the last line is:
no comments
  Smart Card : Retrieve all certificates and use CertSelectCertificate pop-up         


Author: vinovarkey
Date: Sep 11, 2008 07:55

I am trying to retrieve all the certificates from the smart card which
works fine. After that, I want a pop-up asking the user to select the
certificate of their choice. For this, I use CertSelectCertificate.
The problem is the pop-up comes up but no certificates at all. Any
idea what is happening? Any help/comment/suggestion is appreciated.

------------------- CODE BEGINS -----------------------------

// Get the default container.
BOOL bResult;
bResult = ::CryptGetProvParam (hCrypt, PP_ENUMCONTAINERS,
(BYTE*)pbData, &cbData, CRYPT_FIRST);
HCERTSTORE hArrCertStore[2]; // hold the two cert store handles.
PCCERT_CONTEXT pArrCertContext[2]; // hold the two cert contexts
int i = 0;

do
{
name;
name += card->szContainerName;
name += pbData;
name += TEXT ("\\");
1 Comment
  Multiple mailboxes on One PC         


Author: Steven
Date: Sep 10, 2008 11:00

Can anyone point me to references to assist me with developing a solution to
the below:

My organization uses digital certificates for individuals controlled by an
access card. Users are able to send/sign/encrypt with their individual
certificates and open signed/encrypted emails with the certificate assigned
to the card.

We have a program that currently reads emails sent to centralized help
folders/mailboxes. If a signed/encrypted message is sent to the central mail
box, it can not be read as the folder does not have a certificate assigned.
This program monitors multiple mail boxes.

I would like to know how to programmatically choose and use a certificate
based upon the mailbox being accessed/email being sent.

The current method for encrypted emails is to have them sent to an
individual who then manually sends them to the tracking mail boxes after
opening and removing the encryption.

Any assistance in this matter is appreciated.

Thanks.
6 Comments
  Choose a Digital Certificate Blank!!         


Author: Ryan Hanisco
Date: Sep 10, 2008 09:14

Hello everyone,

I have a web site that uses Certificate Authentication for user identity.
My CA issues certificates to the end users and the web site inspects the
certificate properties to allow users into the site.

The CA is a private CA that uses a self-signed cert at the top level. On
all non-Vista operating systems, everything works well. When Vista requests
the cert, it prompts me that it needs to add the Trusted Root Cert for the
CA. I do this and make sure that it places the Root Cert in the Trusted
Root Cert area. Then the personal cert installs correctly. I can use the
Cert MMC to see that the root is there and that the client cert is in the
right place.

When I load the web site, I do hit it with SSL and I get the "Choose a
Digital Certificate" dialog box that I expect. Unfortunately, in the
Identification box, there are no certificates listed at all -- so the
authentication fails.

I have seen a number of others complaining about this very issue on other
sites in my search for an answer, but I have yet to see a working response.
no comments
  Encryption         


Author: Peter F
Date: Sep 10, 2008 06:13

Hi All,

I am a newbie to this Discussion group.

Does anyone have any information that would allow me to check out the
contents of an encrypted file after being encrypted from plain text?

Any information would be greatly received.

--
Flinty
4 Comments