Discussion:
How to interface to Certificate Authority from C#
Redpay
2007-11-29 10:44:01 UTC
Hi,

I am looking for suggestions / best practices for creating a C# client
application that can communicate with a Microsoft Certificate Authority
running on a windows 2003 server. The application would like to submit
PKCS#10 certificate signing requests and recover the issued certificates in
PKCS#7 format.

Thank you in advance for any suggestions.

Richard
Dominick Baier
2007-11-29 10:55:56 UTC
There is a COM component called xenroll.dll - this is what the Windows CA
ASP pages use. Not the nicest interface - but that's "the" way of doing it.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Redpay
2007-11-29 12:36:03 UTC
Dear Dominick Baier.

Thank you very much for taking the time to suggest xenroll. My initial
question was not clear, so let me elaborate a little more.

I am looking for suggestions on how to submit the PKCS#10 string returned
from Xenroll's "ICEnroll4::createPKCS10" method to a Microsoft CA and
retrieve the PKCS#7 result. We also need to retrieve CRLs from the CA, get a
list of issued certs, etc...

We use xenroll on the client machine to generate the PKCS#10 request as a
string response and to import the PKCS#7 returned from a CA.

This client PC where Xenroll runs has no direct network connectivity to the
Microsoft Server hosting the CA. Rather, the PKCS#10 request is communicated
via a message queue to a remote Registration Authority (RA) who is expected
to submit the PKCS#10 to a CA via a network connection local to the RA. The
RA must then return the PKCS#7 response from the RA back via the message
queues where it would be installed on the client using xenroll.

I suspect that I need to use the following interfaces,
ICertRequest2::GetCACertificate and members from ICertAdmin2

Header Declared in Certcli.h; include Certsrv.h.
Library Use Certidl.lib.
DLL Requires Certcli.dll.
IID IID_ICertRequest2 is defined as A4772988-4A85-4FA9-824E-B5CF5C16405A.

Was wondering if anyone else has tried this or something similar.

Regards
Richard
Dominick Baier
2007-11-29 13:32:40 UTC
Well -

I don't know exactly how it works - but I would have a look at how the CA webpage
does it when you use the "send PKCS#10 request" option.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
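The RA-side step Richard describes (submit a base64 PKCS#10 to the Microsoft CA over ICertRequest2 and pull back the issued certificate as a PKCS#7 chain), written out as an added example that is not from this thread or from Microsoft's samples. It assumes a COM interop reference to certcli.dll ("CertCli 1.0 Type Library", namespace CERTCLILib), a CA config string of the form "host\\CAName", and that the RA account has Request permission on the CA; the flag and disposition constants are the values from certcli.h.

```csharp
using System;
using CERTCLILib; // COM interop for certcli.dll (assumed reference)

public static class CaSubmitter
{
    // Flag and disposition values from certcli.h
    const int CR_IN_BASE64 = 0x1;
    const int CR_IN_PKCS10 = 0x100;
    const int CR_OUT_BASE64 = 0x1;
    const int CR_OUT_CHAIN = 0x100;           // return the cert as a PKCS#7 chain
    const int CR_DISP_ISSUED = 3;
    const int CR_DISP_UNDER_SUBMISSION = 5;   // pending manager approval

    // Submits a base64 PKCS#10 (e.g. the string from ICEnroll4::createPKCS10)
    // to the CA at caConfig ("host\\CAName"). Returns the issued PKCS#7 chain
    // as base64, or null if the CA parked the request for approval; any other
    // disposition (denied, error) is raised with the CA's own message.
    public static string Submit(string base64Pkcs10, string caConfig,
                                string template, out int requestId)
    {
        var req = new CCertRequestClass();
        // Attributes are newline-separated "Name:Value" pairs; an enterprise CA
        // needs the template name, a standalone CA ignores it.
        string attributes = string.IsNullOrEmpty(template)
            ? "" : "CertificateTemplate:" + template;
        int disposition = req.Submit(CR_IN_BASE64 | CR_IN_PKCS10,
                                     base64Pkcs10, attributes, caConfig);
        requestId = req.GetRequestId(); // keep this so a pending request can be fetched later

        switch (disposition)
        {
            case CR_DISP_ISSUED:
                return req.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN);
            case CR_DISP_UNDER_SUBMISSION:
                return null;
            default:
                throw new InvalidOperationException(
                    "CA disposition " + disposition + ": " + req.GetDispositionMessage());
        }
    }

    // Once a CA manager has approved a pending request, the RA can retrieve
    // the certificate by request id; still null if it is not yet issued.
    public static string RetrievePending(int requestId, string caConfig)
    {
        var req = new CCertRequestClass();
        int disposition = req.RetrievePending(requestId, caConfig);
        return disposition == CR_DISP_ISSUED
            ? req.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN)
            : null;
    }
}
```

Because the RA, not the end client, is the caller the CA authenticates, an enterprise CA applies the template's Enroll permission to the RA's account, so that account should be granted only the templates the RA is meant to broker.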