M. Gallant 01/13/2003

Using CAPICOM with ASP and server-side processing can provide powerful capability, particularly to enterprises. As a simple example, an enterprise may wish to provide a centralized-service to its development community, to Authenticode-sign executable code that has already been properly reviewed. However, some server configuration is required, since ASP runs under the IIS-related IUSR_machinename account, and will by default have limited access to certificate stores in the LocalMachine location and the associated private keys required for either signature or encryption tasks. The WinHTTP Certificate Configuration Tool provides access to particular certificates in a specific certificate store by a particular accessing account.

A typical scenario for configuring IIS might be:

For example, the following command:
winhttpcertcfg -g -c LOCAL_MACHINE\My -s "My Common Name" -a IUSR_mymachine
will allow any ASP process access to the certificate private key with Certificate Name substring "My Common Name" in the My store at the LocalMachine store location. (Changing the -g to -r removes this assigned permission).
This configuration should be used with other security measures such as Authenticated Access, although it will work with the default IIS Anonymous Access setting.

With this configuration, developers can build ASP applications that can leverage access to certificate stores from IIS and CAPICOM functionality. For example the following two scripts demonstrate:

The forms are submitted to the signdatademo.asp process, which performs the following tasks:

For *Authenticode* signature capability, a file-upload process could be used from the client browser, and after the server-side Authenticode signing process, the client would typically be redirected to a signed-file download url.

Michel I. Gallant