Using CAPICOM with ASP/IIS
M. Gallant 01/13/2003
Using CAPICOM with ASP and server-side processing can provide powerful
capability, particularly to enterprises. As a simple example, an enterprise
may wish to provide a centralized-service to its development community, to Authenticode-sign
executable code that has already been properly reviewed.
However, some server configuration is required, since ASP runs under the
IIS-related IUSR_machinename account, and will by default have limited
access to certificate stores in the LocalMachine location and the associated private
keys required for either signature or encryption tasks.
WinHTTP Certificate Configuration Tool
provides access to particular certificates in a specific certificate store by a particular accessing
A typical scenario for configuring IIS might be:
For example, the following command:
- Import the certificate/keys into a selected certificate store at the Local_Machine location, say from
an pkcs #12 (.pfx) file.
(Note: for access of the private key from the server process, the key must be imported without strong
protection to avoid the password dialog prompt)
- Use winhttpcertcfg.exe to configure the IUSR_mymachine account for authorized access to the imported certificate
winhttpcertcfg -g -c LOCAL_MACHINE\My -s "My Common Name" -a IUSR_mymachine
will allow any ASP process access to the certificate private key with
Certificate Name substring "My Common Name" in the My store at the
LocalMachine store location. (Changing the -g to -r removes this assigned permission).
This configuration should be used with other security measures such as
Authenticated Access, although it will work with the default
IIS Anonymous Access setting.
With this configuration, developers can build ASP applications that can
leverage access to certificate stores from IIS and CAPICOM functionality.
For example the following two scripts demonstrate:
The forms are submitted to the signdatademo.asp process, which
performs the following tasks:
- ensures the browser is IE
- limits content submitted size
- saves content-submitted to a server-side file
- selects a specified certificate from a certificate store
- creates a BASE64-encoded pkcs #7 signature string on the submitted data
- returns this string to the browser along with verification script functionality
For *Authenticode* signature capability, a file-upload process could be used from the client
browser, and after the server-side Authenticode signing process, the client would typically be redirected
to a signed-file download url.
Michel I. Gallant