The tasks described here include:
makecert -sk "ssldemo" -pe -r -e "06/01/2004" -sky Exchange -sy 12 -sp "Microsoft RSA SChannel Cryptographic Provider" -n "CN=localhost,OU=foounit,O=foodev" -ss MY -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

This command generates a self-signed (-r) certificate with an exportable (-pe) private key, expiring on the date given by -e. An AT_KEYEXCHANGE (-sky Exchange) 1024-bit RSA keypair (the makecert default when -len is not specified) is created in the key container "ssldemo". The keypair uses the RSA SCHANNEL provider type (-sy 12) and the associated provider named by -sp. The SubjectName (-n) is assigned the Common Name "localhost" for local web-test purposes; the name in the certificate must match the host name the browser uses, or the SSL connection will be flagged. The certificate is placed in the current user's MY store (-ss MY). Because the certificate is self-signed and its private key exportable, it is suitable only for testing: a browser will not trust it unless it is explicitly added to a trusted root store. The ExtendedKeyUsages (-eku) are specified as:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

For other options, see the makecert.exe documentation.
Default Web Site | Properties | Directory Security | Edit

For details, see:
tlbimp capicom.dll /namespace:CAPICOM /out:Interop.CAPICOM.dll

where capicom.dll is the native CAPICOM COM library. This command creates the interop assembly Interop.CAPICOM.dll with the namespace "CAPICOM". To use the interop assembly from an ASP.NET application in the IIS environment, deploy it to the "bin" subdirectory of the virtual directory containing the ASP.NET (.aspx) application source code, and reference the assembly from the ASP.NET code so that it can be resolved. The interop assembly need NOT be Strong Name signed: it is loaded as a private assembly from "bin", and a strong name is required only for assemblies installed in the Global Assembly Cache. The native capicom.dll itself must still be registered (regsvr32) on the web server, since the interop assembly only wraps it.
To reference the CAPICOM interop assembly, to import its namespace, and to use P/Invoke services, the following ASP.NET directives are required in the page source:
CAPICOM 2 has excellent support for accessing almost all useful properties of standard X.509 v3 certificates. To use this capability via .NET-COM interop from ASP.NET, we need to instantiate a CAPICOM certificate from the raw client certificate binary data that the .NET framework classes already make available.
ClientCert.aspx retrieves the client-submitted certificate in binary DER form into a byte array using the System.Web.HttpContext.Request.ClientCertificate.Certificate property. This property is populated only when IIS has been configured to accept or require client certificates for the directory, so the page should check ClientCertificate.IsPresent (or the array length) before proceeding. Since CAPICOM does not currently support instantiating a certificate directly from binary data, we need to either base64-encode the raw certificate into a string and use CAPICOM.Certificate.Import, or alternatively use P/Invoke to acquire a certificate context handle and initialize a CAPICOM certificate from that handle. The latter approach is used here. We acquire a certificate context handle, pcertcntxt, by P/Invoke to CertCreateCertificateContext() in crypt32.dll, passing in the raw certificate byte array with the X509_ASN_ENCODING flag; a NULL return means the bytes did not decode as a certificate and should be treated as an error. A CAPICOM Certificate instance is then initialized by assigning this handle to its CertContext property. Now all the properties and methods available within CAPICOM can be used from ASP.NET.

ClientCert.aspx simply uses the CAPICOM Certificate methods Extensions() and ExtendedProperties() to retrieve enumerable collections of the standard certificate "Extensions" and the CryptoAPI-specific "Extended Properties", and displays the results.

Finally, the certificate context we created must be released by P/Invoke to CertFreeCertificateContext(). Placing this call in a finally block ensures the unmanaged context is freed even if an exception is thrown while the certificate is being examined; the CAPICOM object holds its own reference to the context, so releasing ours is safe.
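A complete page that puts the directives above and the steps in this section together, as an added example: it is not the original ClientCert.aspx from this page, and its markup and output formatting are its own. It assumes Interop.CAPICOM.dll is in the application's bin directory, that CAPICOM 2 is registered on the server, and that the member names exposed by the tlbimp-generated interop are those of the CAPICOM 2 type library (CertContext, Extensions(), ExtendedProperties(), and the get_Value accessor for the parameterised Value property); the constant X509_ASN_ENCODING is the CryptoAPI value 0x1.

```aspx
<%@ Page Language="C#" %>
<%@ Assembly Name="Interop.CAPICOM" %>
<%@ Import Namespace="CAPICOM" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<script runat="server">
    // CryptoAPI certificate encoding flag expected by CertCreateCertificateContext.
    const uint X509_ASN_ENCODING = 0x00000001;

    // P/Invoke declarations for the two crypt32.dll calls the page needs.
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern IntPtr CertCreateCertificateContext(
        uint dwCertEncodingType, byte[] pbCertEncoded, int cbCertEncoded);

    [DllImport("crypt32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CertFreeCertificateContext(IntPtr pCertContext);

    void Page_Load(object sender, EventArgs e)
    {
        HttpClientCertificate clcert = Request.ClientCertificate;
        // IIS only fills this in when the directory accepts or requires client
        // certificates, so the empty case must be handled rather than assumed away.
        if (!clcert.IsPresent || clcert.Certificate == null || clcert.Certificate.Length == 0)
        {
            Out.InnerText = "No client certificate was submitted.";
            return;
        }

        byte[] rawcert = clcert.Certificate;   // DER-encoded X.509 certificate
        IntPtr pcertcntxt = CertCreateCertificateContext(X509_ASN_ENCODING, rawcert, rawcert.Length);
        if (pcertcntxt == IntPtr.Zero)
        {
            // Bytes that do not decode as an X.509 certificate land here; report the Win32 error.
            Out.InnerText = "CertCreateCertificateContext failed, Win32 error "
                            + Marshal.GetLastWin32Error();
            return;
        }

        try
        {
            Certificate cert = new Certificate();
            // CertContext is a 32-bit value in the type library; CAPICOM is 32-bit only, so the handle fits.
            cert.CertContext = pcertcntxt.ToInt32();

            StringBuilder sb = new StringBuilder();
            sb.AppendFormat("Subject:    {0}\n", cert.SubjectName);
            sb.AppendFormat("Issuer:     {0}\n", cert.IssuerName);
            sb.AppendFormat("Serial:     {0}\n", cert.SerialNumber);
            sb.AppendFormat("Thumbprint: {0}\n", cert.Thumbprint);
            sb.AppendFormat("Valid:      {0} to {1}\n\n", cert.ValidFromDate, cert.ValidToDate);

            sb.Append("Extensions:\n");
            foreach (Extension ext in cert.Extensions())
            {
                sb.AppendFormat("  {0} ({1}) critical={2}\n",
                    ext.OID.FriendlyName, ext.OID.Value, ext.IsCritical);
                // Format(true) returns CryptoAPI's multi-line decoding where a formatter exists.
                sb.Append(ext.EncodedData.Format(true));
            }

            sb.Append("\nExtended properties:\n");
            foreach (ExtendedProperty prop in cert.ExtendedProperties())
            {
                // Value takes an encoding-type argument; tlbimp exposes it as get_Value.
                sb.AppendFormat("  {0}: {1}\n", prop.PropID,
                    prop.get_Value(CAPICOM_ENCODING_TYPE.CAPICOM_ENCODE_BASE64));
            }
            Out.InnerText = sb.ToString();
        }
        finally
        {
            // This page created the context, so this page releases it, even if an exception occurred.
            CertFreeCertificateContext(pcertcntxt);
        }
    }
</script>
<html>
<body>
  <h3>Client certificate as seen by CAPICOM</h3>
  <pre id="Out" runat="server"></pre>
</body>
</html>
```

Deploy the page in the virtual directory whose Directory Security settings accept client certificates, with Interop.CAPICOM.dll in its bin subdirectory, and browse to it over https with a client certificate selected; the IsPresent check makes the page degrade cleanly when the directory is set to accept rather than require certificates and the browser sends none.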
Michel I. Gallant
neutron@istar.ca