7.5.1 Personal Certificate Enrollment
For a user to obtain a personal certificate over the Web, the following steps must be taken:
All steps except for Step 4 (certificate generation) take place on the client's machine.
We would need a client-side ActiveX control to perform these tasks. Fortunately, such controls have been
provided by Microsoft Windows.
- Generate a key pair on the client's machine.
- Create a Certificate Request (PKCS#10) from the client's public key and personal information such as company name, email address, locale, etc.
- Send the Certificate Request to the Certification Authority for verification.
- The CA verifies the information contained in the Certificate Request and generates a certificate signed with the CA's private key.
- The certificate is installed on the client's machine and connected to the appropriate key pair.
On Windows NT, 2000 and XP, the name of the ActiveX control is XEnroll.
It provides two useful methods: CreatePKCS10 which creates a key pair and generates
the corresponding PKCS#10 Certificate Request, and AcceptPKCS7 which accepts
the generated certificate, copies it to the current user's MY certificate store and connects
it with the private key generated earlier.
On Windows Vista, 7 and onward, Microsoft has retired XEnroll and replaced it with CertEnroll,
a new control with a more complex object model. CertEnroll refuses
to run unless the page hosting it is executed under SSL or the browser is configured to allow ActiveX controls
not marked safe for scripting.
To generate a certificate from a certificate request, AspEncrypt provides the CryptoContext
method CreateCertificateFromRequest which accepts the signer's private key context, certificate request
string and From/To validity dates as arguments.
Click on the following link to run our Personal CA Live Demo and download its source code:
7.5.2 Server SSL Certificate Enrollment
AspEncrypt can be used to issue SSL certificates as well. The server-side code is almost identical
to the Personal CA version: the method CreateCertificateFromRequest is used again.
The client-side code is actually much simpler since it does not require any ActiveX controls.
The certificate request is generated by IIS Manager and the certificate is installed
by it also.
Click on the following link to run our Server SSL CA Live Demo and download its source code: