see sharp RSS 2.0
# Tuesday, 26 May 2009

Alejandro Campos Magencio has written a nice post on how to import a certificate without user interaction:

http://blogs.msdn.com/alejacma/archive/2008/01/31/how-to-import-a-certificate-without-user-interaction-c-c.aspx

It is built around CryptUIWizImport, which is described here: http://msdn.microsoft.com/en-us/library/aa380598.aspx

Be sure to check all the flags available for dwFlags:

| Flag | Value | Meaning |
|---|---|---|
| CRYPTUI_WIZ_NO_UI | 0x0001 | Perform the import based on the information in the CRYPTUI_WIZ_IMPORT_SRC_INFO structure pointed to by pImportSrc into the store specified by hDestCertStore without displaying any user interface. If this flag is not specified, the function displays a wizard to guide the user through the import process. |
| CRYPTUI_WIZ_IGNORE_NO_UI_FLAG_FOR_CSPS | 0x0002 | Suppress all user interfaces generated by cryptographic service providers (CSPs). This option can be overridden by the CRYPTUI_WIZ_NO_UI_EXCEPT_CSP option. |
| CRYPTUI_WIZ_NO_UI_EXCEPT_CSP | 0x0003 | Suppress all user interfaces except those generated by CSPs. This option overrides the CRYPTUI_WIZ_IGNORE_NO_UI_FLAG_FOR_CSPS option. |
| CRYPTUI_WIZ_IMPORT_ALLOW_CERT | 0x00020000 | Allow certificates to be imported. |
| CRYPTUI_WIZ_IMPORT_ALLOW_CRL | 0x00040000 | Allow CRLs to be imported. |
| CRYPTUI_WIZ_IMPORT_ALLOW_CTL | 0x00080000 | Allow CTLs to be imported. |
| CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE | 0x00010000 | Do not allow the user to change the destination certificate store represented by the hDestCertStore parameter. |
| CRYPTUI_WIZ_IMPORT_TO_LOCALMACHINE | 0x00100000 | Import the object to the certificate store for the local computer. This applies only to Personal Information Exchange (PFX) imports. |
| CRYPTUI_WIZ_IMPORT_TO_CURRENTUSER | 0x00200000 | Import the object to the certificate store for the current user. This applies only to PFX imports. |
| CRYPTUI_WIZ_IMPORT_REMOTE_DEST_STORE | 0x00400000 | Import the object to a remote certificate store. Set this flag if the hDestCertStore parameter represents a remote certificate store. |

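The following is an added example, not code from Alejandro's post or from this page, showing the silent import path from C# with the flags above. The P/Invoke declarations, the struct layout and the CertOpenStore constants are taken from cryptuiapi.h and wincrypt.h as I know them; the file path and the store name "MY" are placeholders. The import is limited to certificates (CRYPTUI_WIZ_IMPORT_ALLOW_CERT), so a CRL or CTL contained in the input file cannot be written to the store as a side effect, and the destination store is pinned (CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE) so it stays fixed even if CRYPTUI_WIZ_NO_UI is later dropped for an interactive run.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example: silent certificate import with CryptUIWizImport from C#.
// Assumptions: constant values and struct layout follow cryptuiapi.h / wincrypt.h;
// the store name and file path used in Main are placeholders.
static class SilentCertImport
{
    // dwFlags values from the flag table
    const uint CRYPTUI_WIZ_NO_UI = 0x0001;
    const uint CRYPTUI_WIZ_IMPORT_ALLOW_CERT = 0x00020000;
    const uint CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE = 0x00010000;

    // CRYPTUI_WIZ_IMPORT_SRC_INFO.dwSubjectChoice: the source is a file on disk
    const uint CRYPTUI_WIZ_IMPORT_SUBJECT_FILE = 1;

    // CertOpenStore parameters (wincrypt.h)
    const int CERT_STORE_PROV_SYSTEM_W = 10;
    const uint CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000;
    const uint CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000;

    [StructLayout(LayoutKind.Sequential)]
    struct CRYPTUI_WIZ_IMPORT_SRC_INFO
    {
        public uint dwSize;
        public uint dwSubjectChoice;
        [MarshalAs(UnmanagedType.LPWStr)] public string pwszFileName; // the union member used for SUBJECT_FILE
        public uint dwFlags;                                           // CRYPT_EXPORTABLE etc., only relevant for PFX input
        [MarshalAs(UnmanagedType.LPWStr)] public string pwszPassword;  // PFX password; null for .cer/.p7b files
    }

    [DllImport("cryptui.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CryptUIWizImport(uint dwFlags, IntPtr hwndParent, string pwszWizardTitle,
        ref CRYPTUI_WIZ_IMPORT_SRC_INFO pImportSrc, IntPtr hDestCertStore);

    [DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType, IntPtr hCryptProv,
        uint dwFlags, string pvPara);

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);

    // Imports a certificate file into the LocalMachine store called storeName without showing any UI.
    public static void ImportCertificateFile(string certPath, string storeName)
    {
        IntPtr hStore = CertOpenStore(new IntPtr(CERT_STORE_PROV_SYSTEM_W), 0, IntPtr.Zero,
            CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG, storeName);
        if (hStore == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error(), "CertOpenStore failed");
        try
        {
            var src = new CRYPTUI_WIZ_IMPORT_SRC_INFO
            {
                dwSize = (uint)Marshal.SizeOf(typeof(CRYPTUI_WIZ_IMPORT_SRC_INFO)),
                dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_FILE,
                pwszFileName = certPath,
                dwFlags = 0,
                pwszPassword = null
            };
            uint flags = CRYPTUI_WIZ_NO_UI
                       | CRYPTUI_WIZ_IMPORT_ALLOW_CERT
                       | CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE;
            if (!CryptUIWizImport(flags, IntPtr.Zero, null, ref src, hStore))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "CryptUIWizImport failed");
        }
        finally
        {
            CertCloseStore(hStore, 0);
        }
    }

    static void Main()
    {
        // Placeholders; writing to LocalMachine\MY needs an elevated process.
        ImportCertificateFile(@"C:\certs\server.cer", "MY");
    }
}
```

Opening the store yourself (instead of letting the wizard pick one) is what makes hDestCertStore meaningful; for PFX input you would additionally set CRYPTUI_WIZ_IMPORT_TO_LOCALMACHINE or CRYPTUI_WIZ_IMPORT_TO_CURRENTUSER and supply pwszPassword, since with CRYPTUI_WIZ_NO_UI there is no prompt to ask for it.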

Tuesday, 26 May 2009 20:04:39 (Central European Summer Time, UTC+02:00)
C# | CAPI | Certificates
# Friday, 15 May 2009

First you need to enable the CA to accept SAN requests by changing the registry:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

A nice description of how to enable SANs on a Microsoft CA can be found here:

http://support.microsoft.com/kb/931351/en-us

I used that as a base to request WebServer certificates with certreq, but I had to remove the EncipherOnly line, and I changed the Exportable flag to TRUE in the INF file:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=corpdc1.fabrikam.com"   ; must be the FQDN of the domain controller
; EncipherOnly = FALSE                ; line removed, see below
Exportable = TRUE                     ; TRUE = private key is exportable
KeyLength = 1024                      ; common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1                           ; key exchange
KeyUsage = 0xA0                       ; digital signature, key encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit the entire section if the CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer   ; omit this line if the CA is a stand-alone CA
SAN="dns=.fabrikam.com&dns=ldap.fabrikam.com&dns=localhost"


The complete INF file syntax used by certreq can be found here: http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx

EncipherOnly does not seem to work in my 2008 environment, or some other flag made it invalid.


In addition, when creating the request I specified the CA on the certreq command line:

certreq -new request.inf certnew.req
certreq -config mycaserver\myca -submit certnew.req certnew.cer

The last line outputs the request ID needed for the next certreq command. Then, on the CA, issue the certificate if it is not issued automatically (this depends on the template used).
After that you can retrieve and accept the certificate:

certreq -config mycaserver\myca -retrieve myidreturnedfromsubmitcommand certnew.cer
certreq -accept certnew.cer

After that, you have a certificate with multiple SANs in your computer's machine store (we specified MachineKeySet), which can be used in IIS.
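The check I would run at this point, as an added example that is not part of the original post: open LocalMachine\My, find the certificate by its subject, confirm the private key is present, report whether it is exportable (the INF set Exportable = TRUE), and compare the dNSName entries of the SubjectAltName extension against the names you asked for. The subject CN and the expected-name list are placeholders taken from the INF above; the SAN parser is a minimal DER walk I wrote for this example and only extracts dNSName entries (context tag [2]). A defender-side note on the registry step: once EDITF_ATTRIBUTESUBJECTALTNAME2 is set, the CA honors a SAN attribute on any request it accepts regardless of the template, so this comparison is worth running on every certificate the CA issues, not only on your own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: verify the certificate that certreq -accept placed in the machine store.
// Assumptions: subject CN and expected SAN list are placeholders; the SAN parser is a
// minimal DER walk that only extracts dNSName entries.
static class IssuedCertCheck
{
    const string SubjectAltNameOid = "2.5.29.17";

    // Reads a DER length (short or long form) and advances pos past it.
    static int ReadLength(byte[] der, ref int pos)
    {
        int first = der[pos++];
        if (first < 0x80) return first;
        int count = first & 0x7F, len = 0;
        for (int i = 0; i < count; i++) len = (len << 8) | der[pos++];
        return len;
    }

    // SubjectAltName ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String, tag byte 0x82.
    public static List<string> DnsNamesFromSan(byte[] der)
    {
        var names = new List<string>();
        int pos = 0;
        if (der[pos++] != 0x30) throw new FormatException("SAN extension is not a SEQUENCE");
        int seqLen = ReadLength(der, ref pos);
        int end = pos + seqLen;
        while (pos < end)
        {
            byte tag = der[pos++];
            int len = ReadLength(der, ref pos);
            if (tag == 0x82) names.Add(Encoding.ASCII.GetString(der, pos, len).ToLowerInvariant());
            pos += len; // other GeneralName choices (otherName, IP address, URI, ...) are skipped
        }
        return names;
    }

    // Returns the expected names the certificate does NOT carry; an empty list means all are present.
    public static List<string> MissingNames(X509Certificate2 cert, IEnumerable<string> expected)
    {
        X509Extension ext = cert.Extensions[SubjectAltNameOid];
        List<string> present = ext == null ? new List<string>() : DnsNamesFromSan(ext.RawData);
        var missing = new List<string>();
        foreach (string name in expected)
            if (!present.Contains(name.ToLowerInvariant())) missing.Add(name);
        return missing;
    }

    static void Main()
    {
        string subjectCn = "corpdc1.fabrikam.com";                 // placeholder, the CN from the INF
        string[] expected = { "ldap.fabrikam.com", "localhost" };   // constructed expectation

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so a certificate with an untrusted chain is still listed
            foreach (X509Certificate2 cert in store.Certificates.Find(X509FindType.FindBySubjectName, subjectCn, false))
            {
                Console.WriteLine("{0}  thumbprint {1}", cert.Subject, cert.Thumbprint);
                Console.WriteLine("  private key present:    {0}", cert.HasPrivateKey);
                // Reading the private key of a machine certificate needs read access to the key container.
                var csp = cert.HasPrivateKey ? cert.PrivateKey as RSACryptoServiceProvider : null;
                if (csp != null)
                    Console.WriteLine("  private key exportable: {0}", csp.CspKeyContainerInfo.Exportable);
                List<string> missing = MissingNames(cert, expected);
                Console.WriteLine(missing.Count == 0
                    ? "  all expected SANs present"
                    : "  missing SANs: " + string.Join(", ", missing.ToArray()));
            }
        }
        finally
        {
            store.Close();
        }
    }
}
```

Walking the DER yourself avoids parsing the localized text that X509Extension.Format produces ("DNS Name=" on an English system, something else on a German one), so the same check works on any Windows language.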


Just to mention:

It's easy to add multiple websites to IIS using host headers, but if you want to use SSL on those sites you have to add the SSL binding. The easiest way I found was using the command line; the commands depend on the version of your IIS.

IIS6:

cscript.exe c:\inetpub\adminscripts\adsutil.vbs set /w3svc/mysiteid/SecureBindings ":443:myhostheader"

The host header is pretty obvious, and mysiteid can be found when you click on the Web Sites node in the IIS manager (it's the Identifier column).

IIS7:

appcmd set site /site.name:"mysite" /+bindings.[protocol='https',bindingInformation='*:443:myhostheader']


Friday, 15 May 2009 10:00:26 (Central European Summer Time, UTC+02:00)
Authentication | Certificates | IIS
# Saturday, 09 May 2009
Ever wanted to test your anti-virus program?

Use the Anti-Virus Test File from the European Institute for Computer Antivirus Research (EICAR).

Saturday, 09 May 2009 19:35:52 (Central European Summer Time, UTC+02:00)
anything else
# Thursday, 07 May 2009
If you need to zip a file or files you can use the Java zip utilities supplied with Visual Studio.
All you have to do is add the vjslib.dll and vjslibcws.dll .NET assemblies as project references.
They are present when you install Visual J#. It can easily handle multiple files.

// ZIP Test: the J# class library (vjslib.dll) called from C#
using System.IO;

string inputFileName = @"C:\test.txt";
string zipFileName = Path.ChangeExtension(inputFileName, "ZIP");
string zipEntryName = Path.GetFileName(inputFileName);

java.io.FileOutputStream fileStream = new java.io.FileOutputStream(zipFileName);
java.util.zip.ZipOutputStream outputStream = new java.util.zip.ZipOutputStream(fileStream);
java.io.FileInputStream inputStream = new java.io.FileInputStream(inputFileName);

// one entry per input file; repeat putNextEntry/closeEntry for more files
java.util.zip.ZipEntry zipEntry = new java.util.zip.ZipEntry(zipEntryName);
outputStream.putNextEntry(zipEntry);

sbyte[] buffer = new sbyte[2048];   // J# maps the Java byte type to sbyte
int bytes = 0;
while ((bytes = inputStream.read(buffer, 0, buffer.Length)) > 0)   // read returns -1 at end of file
{
    outputStream.write(buffer, 0, bytes);
}
outputStream.closeEntry();
inputStream.close();
outputStream.close();

This was a nice try, but J# has been removed from VS2008.
To add ZIP support to your application, use DotNetZip: http://dotnetzip.codeplex.com/.
... or you may want to look at the OPC packaging API at http://msdn.microsoft.com/en-us/library/system.io.packaging.package.aspx
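As an added example (not from the original post), the same multi-file zip written against the System.IO.Packaging API mentioned above, which ships with the framework (WindowsBase.dll) and needs no J# assemblies. The file names are placeholders; the content type "application/octet-stream" is my choice for opaque payloads.

```csharp
using System;
using System.IO;
using System.IO.Packaging;   // reference WindowsBase.dll

// Added example: zip several files with the OPC packaging API instead of the J# classes.
// File names are placeholders.
static class OpcZip
{
    public static void CreatePackage(string packagePath, params string[] inputFiles)
    {
        using (Package package = Package.Open(packagePath, FileMode.Create))
        {
            foreach (string inputFile in inputFiles)
            {
                // Part names are URIs; escaping handles spaces and other reserved characters,
                // and CreatePartUri rejects names that are not valid part names.
                Uri partUri = PackUriHelper.CreatePartUri(
                    new Uri("/" + Uri.EscapeDataString(Path.GetFileName(inputFile)), UriKind.Relative));
                PackagePart part = package.CreatePart(partUri, "application/octet-stream", CompressionOption.Normal);

                using (Stream input = File.OpenRead(inputFile))
                using (Stream output = part.GetStream(FileMode.Create))
                {
                    byte[] buffer = new byte[8192];
                    int read;
                    while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                        output.Write(buffer, 0, read);
                }
            }
        }
    }

    public static void ListPackage(string packagePath)
    {
        using (Package package = Package.Open(packagePath, FileMode.Open, FileAccess.Read))
        {
            foreach (PackagePart part in package.GetParts())
                Console.WriteLine("{0}  {1}", part.Uri, part.ContentType);
        }
    }

    static void Main()
    {
        CreatePackage(@"C:\test.zip", @"C:\test.txt", @"C:\notes.txt");
        ListPackage(@"C:\test.zip");
    }
}
```

The result opens in any zip tool, but it is an OPC package rather than a plain archive: it carries an extra [Content_Types].xml part, and the part names are URI-escaped, which is why ListPackage shows "/test.txt" rather than a file name.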
Thursday, 07 May 2009 19:29:30 (Central European Summer Time, UTC+02:00)
C# | OPC
# Wednesday, 06 May 2009

dasBlog is great, but it uses an older version of the nice FreeTextBox to edit the posts.

This little editor provides great enhancements for editing and formatting, and it recognizes IE8 from version 3.2.0 onwards, but that's not the version we are using in dasBlog.
Luckily IE8 has a 'Compatibility View' setting, which defines a list of websites that will receive the old (IE7) user-agent string.

Image: Tools->Compatibility View Settings

If you own the website, you can set the compat mode using a meta-tag:

<meta http-equiv="X-UA-Compatible" content="IE=7" />

Wednesday, 06 May 2009 12:38:58 (Central European Summer Time, UTC+02:00)
anything else
# Sunday, 03 May 2009
So, this weekend I completed the move from simpleBlog to dasBlog, changing technology from PHP (which was good) to ASP.NET which is more suitable.
The content has to be migrated too, which will follow on one of the next weekends.

Sunday, 03 May 2009 10:07:55 (Central European Summer Time, UTC+02:00)
anything else
# Saturday, 02 May 2009
Coding conventions are for wimps :-)

I like that:
It's written for Java :-), but it applies to other languages like C# too.

Brad Abrams writes on how to make it better: http://blogs.msdn.com/brada/pages/361363.aspx

Saturday, 02 May 2009 19:26:56 (Central European Summer Time, UTC+02:00)
anything else
# Thursday, 30 April 2009
Thursday, 30 April 2009 18:40:13 (Central European Summer Time, UTC+02:00)
anything else
# Wednesday, 29 April 2009
You can increase the logging level of Certificate Services in the event log for troubleshooting.
This causes Certificate Services to log more frequent and more verbose Application event log entries.
To increase the logging level of Certificate Services, run the command:

certutil -setreg ca\loglevel logginglevel

where logginglevel is the level you want to use, and then restart the service.

The following ranges are available:

0 CERTLOG_MINIMAL
1 CERTLOG_TERSE
2 CERTLOG_ERROR
3 CERTLOG_WARNING (Default)
4 CERTLOG_VERBOSE

taken from http://support.microsoft.com/kb/305018

And don't forget to restart Certificate Services :-)

If you use CLM you may also want to set the log level for the Policy and Exit modules:

Policy module
Add a string value named Microsoft.Clm.PolicyModule to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\PolicyModules\Clm.Policy

Exit module
Add a string value named Microsoft.Clm.ExitModule to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ExitModules\Clm.Exit

Set the string value to the desired logging level (Info, Warning, Error or Verbose), and then restart the CLM service to apply the trace logging settings.

Policy module plug-ins
If you need logging for the CLM policy module plug-ins, you must create a config file.
Enabling trace logging for the policy module plug-ins causes CLM 2007 to write the trace output to the system debug stream, which you can view with DebugView.

To enable trace logging, create a config file for certsrv.exe in the C:\WINDOWS\system32 folder.
Create a new text document and name it certsrv.exe.config;
open the new file and copy/paste the following configuration (this is standard .NET tracing configuration):

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.diagnostics>
    <trace autoflush="true" indentsize="2" />
    <switches>
      <add name="Microsoft.Clm.PolicyModulePlugins" value="4" />
    </switches>
  </system.diagnostics>
</configuration>
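To show what the config above actually switches on, here is an added example of how a .NET component consumes such a switch; it is a stand-in I wrote for this page, not CLM code, and the request ID and messages are constructed. A TraceSwitch constructed with the name from the <add> element reads its value from the host process's .config (certsrv.exe.config for certsrv.exe): 0 = Off, 1 = Error, 2 = Warning, 3 = Info, 4 = Verbose, and a switch that is absent from the file stays Off. Every Trace.WriteLine goes to the DefaultTraceListener, which calls OutputDebugString, which is the stream DebugView displays.

```csharp
using System;
using System.Diagnostics;

// Added example: how a plug-in picks up the switch configured in certsrv.exe.config.
// Stand-in code, not CLM's; the switch name is the one from the config, messages are constructed.
static class PluginTracing
{
    // Bound by name to <add name="Microsoft.Clm.PolicyModulePlugins" value="4" />.
    static readonly TraceSwitch Switch =
        new TraceSwitch("Microsoft.Clm.PolicyModulePlugins", "Policy module plug-in tracing");

    // The level the running process actually resolved from its .config (TraceLevel.Off if none).
    public static TraceLevel CurrentLevel
    {
        get { return Switch.Level; }
    }

    // Constructed stand-in for a policy check: traces at three levels so the effect of the
    // configured value can be seen in DebugView (value 4 shows all three lines, 1 only the error).
    public static bool Verify(string requestId)
    {
        Trace.WriteLineIf(Switch.TraceInfo, "Verifying request " + requestId);
        bool ok = !string.IsNullOrEmpty(requestId);
        Trace.WriteLineIf(Switch.TraceVerbose, "Request " + requestId + ": attribute check result " + ok);
        Trace.WriteLineIf(!ok && Switch.TraceError, "Request rejected: empty request id");
        return ok;
    }

    static void Main()
    {
        Console.WriteLine("Effective trace level: " + CurrentLevel);
        Verify("42");   // constructed request id
        Verify("");     // triggers the error-level line
    }
}
```

With autoflush="true" in the <trace> element each line is written immediately, so a crash right after a trace call does not lose it; the Microsoft.Clm.PolicyModule and Microsoft.Clm.ExitModule registry values above are CLM's own settings and are independent of this .NET switch.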

Wednesday, 29 April 2009 18:48:59 (Central European Summer Time, UTC+02:00)
CLM | Tracing
# Saturday, 25 April 2009
Saturday, 25 April 2009 19:32:22 (Central European Summer Time, UTC+02:00)
anything else | C#
About the author/Disclaimer

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
Any link on this site may lead to an external website that is not under my control and that external website might show an opinion that is not mine.

© Copyright 2017
Hannes Köhler