Certificates on your machine are kept in certificate stores in the system registry.
There are four stores of interest: personal (MY), other people (AddressBook),
intermediate CA (CA) and root CA (ROOT).
The certificate stores are created for each interactive user as well as the local machine as a whole.
AspEncrypt represents a certificate store via the CryptoStore object.
An instance of this object is created via CryptoManager's OpenStore method, as follows:
VBScript |
Set Store = CM.OpenStore( "MY", True ) |
C# |
ICryptoStore objStore = objCM.OpenStore( "MY", true ); |
The first argument to OpenStore is the name of the store. The valid values are "MY" for the personal
store, "AddressBook" for the other-people store, "CA" for the intermediate CA store,
and "ROOT" for the root CA store. The second argument selects the store location: False opens
the store of the current user, True opens the store of the local machine.
In an ASP/ASP.NET environment the page runs under a low-privileged identity (the anonymous user
when anonymous access is enabled), so an attempt to open a store will usually fail with an
Access is denied error. To avoid this error, impersonate an account that has access to the store,
typically an administrator, with the LogonUser method, as follows. Note that LogonUser takes the
account's password in clear text, so that password lives in the script source: use an account with
no more rights than the store operation needs (enumerating certificates does not require the rights
that writing to a store or using its private keys does), and protect the .asp/.aspx files accordingly.
VBScript |
CM.LogonUser "domain", "account", "password"
Set Store = CM.OpenStore( "MY", True ) |
C# |
objCM.LogonUser( "domain", "account", "password", Missing.Value );
ICryptoStore objStore = objCM.OpenStore( "MY", true ); |
To obtain a list of all certificates residing in a store, use the Certificates
property of the CryptoStore object. It returns an instance of CryptoCerts,
a collection of CryptoCert objects, one for each certificate in the store.
CryptoCert's properties return the certificate's attributes such as its subject,
issuer, validity dates and other information.
The following code snippet displays the subject and issuer of every certificate
residing in the MY store of the current user (that is, of the account impersonated via LogonUser):
VBScript |
Set CM = Server.CreateObject("Persits.CryptoManager")
CM.LogonUser "domain", "account", "xxxxxx"
Set Store = CM.OpenStore( "MY", false )
For Each Cert in Store.Certificates
    ' Cert.Subject and Cert.Issuer are CryptoName objects; assigning without Set
    ' invokes their default Item property and yields the full name string.
    sSubject = Cert.Subject
    sIssuer = Cert.Issuer
    ' HTML-encode before writing: the names are arbitrary text taken from the certificate.
    Response.Write Server.HTMLEncode(sSubject) & "---" & Server.HTMLEncode(sIssuer) & "<BR>"
Next |
C# |
// Requires: using System.Reflection; (for Missing.Value) and using System.Web; (for HttpUtility)
ICryptoManager objCM = new CryptoManager();
objCM.LogonUser( "domain", "account", "xxxxxx", Missing.Value );
ICryptoStore objStore = objCM.OpenStore( "MY", false );
foreach( ICryptoCert objCert in objStore.Certificates )
{
    // Indexing a CryptoName with Missing.Value returns the whole name string.
    // HTML-encode it before placing it in the page: it is arbitrary text from the certificate.
    txtResult.Text +=
        HttpUtility.HtmlEncode( objCert.Subject[Missing.Value].ToString() ) + "---" +
        HttpUtility.HtmlEncode( objCert.Issuer[Missing.Value].ToString() ) + "<br />";
} |
The CryptoCert properties Subject and Issuer deserve special attention.
These properties return CryptoName objects containing detailed information about
the entity to whom the certificate is issued, and
the issuing authority, respectively.
The CryptoName object has a default Item property that accepts an optional string index argument.
For the sample personal certificate used in this chapter,
the expression Cert.Issuer (VBScript) or Cert.Issuer[Missing.Value] (C#)
returns the following CR/LF-separated string:
E=info@persits.com
C=US
S=NY
L=New York
CN=Persits Software Demo CA New York
The expression Cert.Subject returns the string
E=peter@persits.com
CN=Peter
You can see that a certificate's Subject and Issuer properties consist of several
tagged components separated by a CR/LF sequence.
The most common tags are CN (common name), E (email),
O (organization), OU (organizational unit),
L (locality), S (state or province), and C (country).
The CryptoName object allows you to obtain an individual component of a name by specifying
the appropriate tag as Item's argument. For example, the expression Cert.Issuer("CN") (VBScript)
or Cert.Issuer["CN"] (C#) returns the string
Persits Software Demo CA New York
The CryptoName object also provides the property Name,
which looks for the components CN, OU, O and E, in that order, and returns the first non-empty value found.
The CryptoStore.Certificates collection allows you to obtain a particular certificate by 1-based index,
and also by serial number. A certificate's serial number, like all of its other properties,
can be viewed on the Details tab of the Windows Certificate dialog, which IE opens when you view a certificate.
The serial number can be copied from that dialog and pasted directly into your script as the index argument
to Store.Certificates(...), as follows:
VBScript |
Set Cert = Store.Certificates("d5 b9 c8 38 8f fb 41 b0 43 d6 47 2b b9 58 44 5e") |
C# |
ICryptoCert objCert = objStore.Certificates["d5 b9 c8 38 8f fb 41 b0 43 d6 47 2b b9 58 44 5e"]; |
The spaces in the index value are ignored, so the expression
Set Cert = Store.Certificates("d5b9c8388ffb41b043d6472bb958445e")
is also valid.
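To make the two lookups above concrete, here is an added Python model (example code written for this page, not part of AspEncrypt) that parses the CR/LF-separated name strings shown above into their tagged components, implements Item(tag) and the Name fallback order, and resolves a Certificates(...) index either as a 1-based position or as a serial number with the spaces stripped. The name and serial strings are the ones from the text; the behaviour for a tag that is absent (an empty string is returned) and for a tag that occurs more than once (the first occurrence wins) are assumptions, since the text does not specify them.

```python
"""Model of AspEncrypt's CryptoName and Certificates(...) lookup semantics (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample input: the issuer and subject strings quoted in the text, CR/LF-separated.
ISSUER_TEXT = "E=info@persits.com\r\nC=US\r\nS=NY\r\nL=New York\r\nCN=Persits Software Demo CA New York"
SUBJECT_TEXT = "E=peter@persits.com\r\nCN=Peter"
SAMPLE_SERIAL = "d5 b9 c8 38 8f fb 41 b0 43 d6 47 2b b9 58 44 5e"   # as shown in the Certificate dialog


class CryptoName:
    """A subject or issuer name: tagged components, one per line."""

    # Order in which the Name property looks for a usable component.
    NAME_PREFERENCE = ("CN", "OU", "O", "E")

    def __init__(self, text: str) -> None:
        self.text = text
        self.components: list[tuple[str, str]] = []
        for line in text.splitlines():               # accepts CR/LF as well as bare LF
            if not line.strip():
                continue
            tag, sep, value = line.partition("=")    # split on the first '=' only: values may contain '='
            if not sep:
                raise ValueError(f"component without a tag: {line!r}")
            self.components.append((tag.strip().upper(), value.strip()))

    def item(self, tag: str | None = None) -> str:
        """Default Item property: the whole string without a tag, one component with a tag.
        Assumption: an absent tag yields ""; a repeated tag yields its first occurrence."""
        if tag is None:
            return self.text
        wanted = tag.strip().upper()
        for t, v in self.components:
            if t == wanted:
                return v
        return ""

    @property
    def name(self) -> str:
        """Name property: first non-empty value among CN, OU, O, E, in that order."""
        for tag in self.NAME_PREFERENCE:
            value = self.item(tag)
            if value:
                return value
        return ""


def normalize_serial(serial: str) -> str:
    """Serial numbers as the dialog shows them: hex bytes with optional spaces, any case."""
    compact = "".join(serial.split()).lower()
    if not compact or len(compact) % 2 or any(c not in "0123456789abcdef" for c in compact):
        raise ValueError(f"not a hex serial number: {serial!r}")
    return compact


@dataclass
class CryptoCert:
    serial: str
    subject: CryptoName
    issuer: CryptoName


class CryptoCerts:
    """Mimics CryptoStore.Certificates: 1-based integer index or serial-number index."""

    def __init__(self, certs) -> None:
        self._certs = list(certs)

    def __len__(self) -> int:
        return len(self._certs)

    def __getitem__(self, index):
        if isinstance(index, int):                   # 1-based, as in the COM collection
            if not 1 <= index <= len(self._certs):
                raise IndexError(f"index {index} outside 1..{len(self._certs)}")
            return self._certs[index - 1]
        wanted = normalize_serial(index)
        for cert in self._certs:
            if normalize_serial(cert.serial) == wanted:
                return cert
        raise KeyError(f"no certificate with serial number {wanted}")


# Constructed sample store: the certificate from the text plus one more entry.
STORE = CryptoCerts([
    CryptoCert(SAMPLE_SERIAL, CryptoName(SUBJECT_TEXT), CryptoName(ISSUER_TEXT)),
    CryptoCert("01 02", CryptoName("O=Example Org\r\nE=ops@example.invalid"), CryptoName(ISSUER_TEXT)),
])

if __name__ == "__main__":
    cert = STORE["d5b9c8388ffb41b043d6472bb958445e"]     # spaces are optional
    print(cert.issuer.item("CN"), "/", cert.subject.name)   # Persits Software Demo CA New York / Peter
```

The point of the model is that Item(tag) is a per-line lookup on a tag, not a substring search, and that the serial-number index is compared after whitespace has been removed, which is why the spaced and unspaced forms in the text resolve to the same certificate.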
In addition to the Subject and Issuer properties covered above, the CryptoCert object
offers properties corresponding to the fields on the Details tab of the Certificate dialog,
and several others unrelated to that dialog. These properties
are:
BasicConstraints
IssuerCert
KeyUsage
NotAfter
NotBefore
SerialNumber
Sha1Hash
SignatureAlgID
SignatureAlgorithm
StoreName
PrivateKeyContext
PrivateKeyExists
PublicKey
PublicKeyLength
Version
For details, see the CryptoCert object reference.
The following code sample allows you to browse all current-user and local-machine certificates
on your machine and view their properties. Before running this code sample, you must
replace the placeholder arguments to the LogonUser method
with your own valid domain, username and password
in the files 04_certlist.asp/aspx and 04_cert.asp/aspx.
Click the links below to run this code sample:
http://localhost/aspencrypt/manual_04/04_certlist.asp
http://localhost/aspencrypt/manual_04/04_certlist.aspx