Using CAPICOM with ASP/IIS
M. Gallant 01/13/2003
Using CAPICOM with ASP and server-side processing can provide powerful
capability, particularly to enterprises. As a simple example, an enterprise
may wish to provide a centralized service to its development community to Authenticode-sign
executable code that has already been properly reviewed.
However, some server configuration is required, since ASP runs under the
IIS-related IUSR_machinename account, and will by default have limited
access to certificate stores in the LocalMachine location and the associated private
keys required for either signature or encryption tasks.
The WinHTTP Certificate Configuration Tool (winhttpcertcfg.exe) grants a particular
account access to particular certificates, and their private keys, in a specific certificate store.
A typical scenario for configuring IIS might be:
- Import the certificate/keys into a selected certificate store at the Local_Machine location, say from
a PKCS #12 (.pfx) file.
(Note: for the server process to access the private key, the key must be imported without strong
protection, otherwise the password dialog prompt blocks the unattended server process)
- Use winhttpcertcfg.exe to grant the IUSR_mymachine account authorized access to the imported certificate.
For example, the following command:
winhttpcertcfg -g -c LOCAL_MACHINE\My -s "My Common Name" -a IUSR_mymachine
will allow any ASP process access to the certificate private key with
Certificate Name substring "My Common Name" in the My store at the
LocalMachine store location. (Changing the -g to -r removes this assigned permission).
This configuration should be used with other security measures such as
Authenticated Access, although it will work with the default
IIS Anonymous Access setting.
With this configuration, developers can build ASP applications that can
leverage access to certificate stores from IIS and CAPICOM functionality.
For example, the following two scripts demonstrate:
The forms are submitted to the signdatademo.asp process, which
performs the following tasks:
- ensures the browser is IE
- limits the size of the submitted content
- saves the submitted content to a server-side file
- selects a specified certificate from a certificate store
- creates a BASE64-encoded PKCS #7 signature string on the submitted data
- returns this string to the browser along with verification script functionality
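The server-side part of that flow (size limit, certificate selection from LOCAL_MACHINE\My, base64 PKCS #7 signature), written here as an added classic ASP/VBScript example rather than the original signdatademo.asp. It assumes CAPICOM 2.x is registered on the server, that the form field is named "data", that 64 KB is the chosen size limit, and that the signing certificate has been granted to the IUSR_ account with winhttpcertcfg as shown above; the client-side verification script and the file save are not included.

```vbscript
<%@ Language=VBScript %>
<%
' Added example, not from the original article. Assumes CAPICOM 2.x on the server
' and a certificate in LOCAL_MACHINE\My already granted to IUSR_<machine>.
Option Explicit
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_CERTIFICATE_FIND_TIME_VALID = 9
Const CAPICOM_ENCODE_BASE64 = 0
Const MAX_BYTES = 65536                  ' assumed limit on submitted content
Const SIGNER_SUBSTRING = "My Common Name" ' same subject substring used with winhttpcertcfg -s

' Sign the submitted string with the first valid matching certificate and
' return a base64-encoded detached PKCS #7 signature.
Function SignContent(content)
    Dim store, certs, signer, signed
    Set store = Server.CreateObject("CAPICOM.Store")
    ' Read-only open is enough; the private key is reached through the certificate.
    store.Open CAPICOM_LOCAL_MACHINE_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY
    ' Narrow to certificates whose Subject contains the substring and are time-valid now.
    Set certs = store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SIGNER_SUBSTRING)
    Set certs = certs.Find(CAPICOM_CERTIFICATE_FIND_TIME_VALID)
    If certs.Count = 0 Then Err.Raise vbObjectError + 1, "SignContent", "No valid signing certificate found"
    Set signer = Server.CreateObject("CAPICOM.Signer")
    Set signer.Certificate = certs.Item(1)
    Set signed = Server.CreateObject("CAPICOM.SignedData")
    signed.Content = content
    ' Detached = True: the PKCS #7 carries the signature and signer certificate, not the content.
    SignContent = signed.Sign(signer, True, CAPICOM_ENCODE_BASE64)
End Function

If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Status = "405 Method Not Allowed"
ElseIf Request.TotalBytes > MAX_BYTES Then
    ' Reject oversized submissions before touching the form data or the key.
    Response.Status = "413 Request Entity Too Large"
Else
    Dim data, p7
    data = Request.Form("data")
    On Error Resume Next
    p7 = SignContent(data)
    If Err.Number <> 0 Then
        Response.Status = "500 Internal Server Error"
        Response.Write "Signing failed: " & Server.HTMLEncode(Err.Description)
    Else
        Response.ContentType = "text/plain"
        Response.Write p7
    End If
End If
%>
```

A "Signing failed" response with an access-denied description is the usual sign that the winhttpcertcfg -g step was skipped or targeted the wrong account.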
For *Authenticode* signature capability, a file-upload process could be used from the client
browser, and after the server-side Authenticode signing process, the client would typically be redirected
to a signed-file download URL.
Michel I. Gallant
neutron@istar.ca