Unable to install a certificate on Windows 7 using CertEnroll

Published 2024-09-17 18:55:37


We have an existing certificate issuing application (C#, ASP.NET, JavaScript) that issues certificates to Windows XP users using XenRoll in IE. I need to extend this to support Windows Vista and Windows 7 users, also using IE.

For Vista and 7, Microsoft replaced the XenRoll ActiveX control with the new CertEnroll control. I've got this working in Vista SP2, but in 7 I get this error at the installation step:

CertEnroll::CX509Enrollment::InstallResponse:
A certificate chain processed, but
terminated in a root certificate which
is not trusted by the trust provider.
0x800b0109 (-2146762487)

Here's a snippet of the relevant HTML & JavaScript:

<object id="classFactoryObj" classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></object>

<script type="text/javascript">
    function InstallCert() 
    {  
        try
        {
            var classFactory = document.getElementById("classFactoryObj");
            var objEnroll = classFactory.CreateObject("X509Enrollment.CX509Enrollment");

            var signedCert = '-----BEGIN CERTIFICATE-----' + 
                'REMOVED FOR BREVITY' + 
                '-----END CERTIFICATE-----';

            objEnroll.Initialize(1); // X509CertificateEnrollmentContext: ContextUser = 1
            // InstallResponseRestrictionFlags: AllowUntrustedRoot = 4
            // EncodingType: XCN_CRYPT_STRING_BASE64_ANY = 6 (base64 with or without PEM header)
            objEnroll.InstallResponse(4, signedCert, 6, "");

            alert('Certificate installed');
        }
        catch (ex)
        {
            alert('Unable to install certificate: ' + ex.description);
        }
     }

    InstallCert();
</script>

Now, it's true that the root certificate is not trusted, but I'm calling InstallResponse with the first parameter set to 4, which is supposed to allow installation even if the root certificate is not trusted. This works as advertised in Vista, but doesn't seem to in Windows 7.

I tested, and it does work if the root certificate is trusted. I'm sure someone will say it, so I'll pre-empt it - having the clients trust the root certificate is not really an option for us (we want to distribute client authentication certificates to customers, as a part of authenticating them on our network).

Am I doing something wrong here? Has anyone else got this working in Windows 7?


Comments (2)

错々过的事 2024-09-24 18:55:37


The solution was to install hotfix KB 2078942.

Note that this hotfix does not claim to fix this issue, but it does! Rather annoying, or I would have come across it much earlier :-/

I believe this is a regression bug from Vista, as there was a hotfix for Vista to fix the exact problem I was experiencing.

A thank you and upvote goes out to Bruno for spending time yesterday trying to help me resolve this.

清秋悲枫 2024-09-24 18:55:37


I wrote this script a while ago for a demo (in conjunction with this page). It supports <keygen/> and replaces it with XEnroll or CertEnroll calls on Internet Explorer. The project has evolved a bit since, but I've just tested this branch with IE8 on Windows 7 and it worked. The CA certificate wasn't on the client machine at all. I had to lower the security settings to 'low' for it to run the ActiveX (otherwise, it wouldn't even submit the request, let alone install the certificate in the response).

If that helps, I do this:

try {
    // First attempt: AllowUntrustedRoot (4), so a chain that ends in a root the
    // client does not trust is still installed. Encoding 0 is BASE64HEADER (PEM).
    enrollObj.InstallResponse(4, xmlHttpRequest.responseText, 0, "");
    window.alert("A certificate has been installed.");
} catch (e1) {
    try {
        // Fallback: AllowNone (0), which only succeeds when the chain is already trusted.
        enrollObj.InstallResponse(0, xmlHttpRequest.responseText, 0, "");
        window.alert("A certificate has been installed.");
    } catch (e2) {
        window.alert("You're probably using Vista without SP1 or above, in which case you need to add the certificate of this authority as a trusted root certificate.");
    }
}

I must admit I didn't test which of these two cases was used (as it's the same alert message).
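Both the question's InstallCert and the fallback above end in the same alert whichever InstallResponse call succeeded or failed, so the restriction flag that was actually needed and the HRESULT that came back are lost (the -2146762487 in the question's error is 0x800B0109, CERT_E_UNTRUSTEDROOT, in the signed form JScript exposes as ex.number). The following is an added example, not code from either poster: a wrapper that tries a list of InstallResponseRestrictionFlags values in order, records the decoded HRESULT of each failed attempt, and reports which restriction finally worked. The enroll object is passed in so the logic can be exercised with a stand-in outside IE; installCertInIE shows the IE wiring using the same classFactoryObj element and ProgID as the question. The constant names are taken from certenroll.h and winerror.h; the sample PEM body is constructed and is not a real certificate.

```javascript
// Added example, not from the original question or answers: call
// IX509Enrollment::InstallResponse with several restriction flags in turn and
// keep the decoded HRESULT of each failure, so the caller learns which flag
// was needed instead of seeing the same alert in every case. "enroll" is the
// ActiveX object from X509Enrollment.CX509Enrollment in IE; it is passed in so
// the logic can also run against a stand-in object outside the browser.

// InstallResponseRestrictionFlags (certenroll.h)
var RESTRICTION = {
    AllowNone: 0,
    AllowNoOutstandingRequest: 1,
    AllowUntrustedCertificate: 2,
    AllowUntrustedRoot: 4
};

// EncodingType values used on this page (certenroll.h)
var ENCODING = {
    XCN_CRYPT_STRING_BASE64HEADER: 0, // PEM with BEGIN/END CERTIFICATE lines
    XCN_CRYPT_STRING_BASE64_ANY: 6    // base64 with or without the header
};

// HRESULTs from winerror.h that a chain build can return, keyed by lower-case hex
var CERT_HRESULT_NAMES = {
    "800b0101": "CERT_E_EXPIRED",
    "800b0108": "CERT_E_MALFORMED",
    "800b0109": "CERT_E_UNTRUSTEDROOT",
    "800b010a": "CERT_E_CHAINING",
    "800b010c": "CERT_E_REVOKED",
    "800b010d": "CERT_E_UNTRUSTEDTESTROOT"
};

// Constructed placeholder response for local experiments; not a real certificate.
var SAMPLE_RESPONSE = "-----BEGIN CERTIFICATE-----\n" +
    "MIIBexampleONLYnotArealCertificate==\n" +
    "-----END CERTIFICATE-----";

// JScript surfaces a COM failure as an Error whose .number is the HRESULT as a
// signed 32-bit integer (-2146762487). Normalise it to unsigned and name it.
function decodeHresult(err) {
    var n = (typeof err === "number") ? err : (err && err.number);
    if (typeof n !== "number") {
        return null;
    }
    var unsigned = n >>> 0;                   // -2146762487 -> 2148204809
    var hex = unsigned.toString(16);
    while (hex.length < 8) {
        hex = "0" + hex;
    }
    return {
        hex: "0x" + hex,                      // "0x800b0109"
        facility: (unsigned >>> 16) & 0x7ff,  // 11 = FACILITY_CERT
        code: unsigned & 0xffff,              // 0x109
        name: CERT_HRESULT_NAMES[hex] || "unknown"
    };
}

// Call InstallResponse once per restriction value, stopping at the first
// success. Returns {installed, restriction, failures}; each failure records
// the restriction tried and the decoded HRESULT (null if none was exposed).
function installWithFallback(enroll, response, encoding, restrictions) {
    var failures = [];
    for (var i = 0; i < restrictions.length; i++) {
        try {
            enroll.InstallResponse(restrictions[i], response, encoding, "");
            return { installed: true, restriction: restrictions[i], failures: failures };
        } catch (ex) {
            failures.push({ restriction: restrictions[i], hresult: decodeHresult(ex) });
        }
    }
    return { installed: false, restriction: null, failures: failures };
}

// Build a message that says which restriction worked, or lists every failure.
function describeOutcome(result) {
    if (result.installed) {
        var how = (result.restriction & RESTRICTION.AllowUntrustedRoot)
            ? "with AllowUntrustedRoot (an untrusted issuing root was permitted)"
            : "with restriction " + result.restriction + " (chain trusted without AllowUntrustedRoot)";
        return "Certificate installed " + how + ".";
    }
    var lines = ["Unable to install certificate:"];
    for (var i = 0; i < result.failures.length; i++) {
        var f = result.failures[i];
        lines.push("  restriction " + f.restriction + ": " +
            (f.hresult ? f.hresult.hex + " " + f.hresult.name : "no HRESULT in exception"));
    }
    return lines.join("\n");
}

// IE wiring, using the same <object id="classFactoryObj"> and ProgID as the
// question. Tries AllowUntrustedRoot first and AllowNone second, as answer 2 does.
function installCertInIE(pemResponse) {
    var factory = document.getElementById("classFactoryObj");
    var enroll = factory.CreateObject("X509Enrollment.CX509Enrollment");
    enroll.Initialize(1); // X509CertificateEnrollmentContext: ContextUser = 1
    var result = installWithFallback(enroll, pemResponse,
        ENCODING.XCN_CRYPT_STRING_BASE64_ANY,
        [RESTRICTION.AllowUntrustedRoot, RESTRICTION.AllowNone]);
    window.alert(describeOutcome(result));
    return result;
}
```

In the page's scenario the alert from describeOutcome would read "restriction 4: 0x800b0109 CERT_E_UNTRUSTEDROOT" followed by the same for restriction 0, which is the evidence to attach when checking whether the client has the hotfix from the first answer; a successful install on a patched Windows 7 box reports AllowUntrustedRoot as the flag that did the work.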
