我们有一个流程,客户通过 CertEnroll 注册 X509 客户端证书。它可以正常工作,但现在我们的一位客户希望增加一层额外的安全保护,因此我们为证书添加了密码。创建证书时要求用户输入密码,之后每次使用证书时都需要输入该密码。这在 Windows 7 上有效,但在 Windows 8.1 / 10 上无效(浏览器都是 IE 11)。在 Windows 8.1 / 10 中,系统会在申请证书时要求用户输入密码,但在使用证书时却不会要求输入密码。
希望有人知道这里发生了什么。 这是创建证书请求的JavaScript。
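/**
 * Builds a PKCS#10 client-certificate request through the CertEnroll
 * objects exposed by the `Enroll` control on the page's first form, stores
 * the encoded request in the form's `PublicKeyInfo` field and submits the form.
 *
 * Security-relevant settings made here:
 *  - a 2048-bit key pair is generated in the current user's context,
 *  - the private key is created with forced high UI protection (password),
 *  - ExportPolicy is not set by this request,
 *  - the only enhanced key usage requested is 1.3.6.1.5.5.7.3.2.
 *
 * @returns {boolean|undefined} `false` when the request could not be built
 *     (the form is then not submitted); nothing after a successful submit.
 */
function doSubmit() {
    // document.forms is a collection: index it instead of calling it.
    var request = document.forms[0];
    //
    // other stuff
    //
    try {
        var enroll = request.Enroll;
        var objCSP = enroll.CreateObject("X509Enrollment.CCspInformation");
        var objCSPs = enroll.CreateObject("X509Enrollment.CCspInformations");
        var objPrivateKey = enroll.CreateObject("X509Enrollment.CX509PrivateKey");
        var objRequest = enroll.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
        var objObjectIds = enroll.CreateObject("X509Enrollment.CObjectIds");
        var objObjectId = enroll.CreateObject("X509Enrollment.CObjectId");
        var objX509ExtensionEnhancedKeyUsage = enroll.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
        var objDn = enroll.CreateObject("X509Enrollment.CX500DistinguishedName");
        var objEnroll = enroll.CreateObject("X509Enrollment.CX509Enrollment");

        // Select the Cryptographic Service Provider (CSP) that generates and
        // holds the key, and wrap it in the collection the key object expects.
        // NOTE(review): this is a legacy CryptoAPI provider; confirm it is
        // still the intended provider on every supported Windows version.
        objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");
        objCSPs.Add(objCSP);

        objPrivateKey.Length = 2048;
        objPrivateKey.KeySpec = 1;
        // ExportPolicy is deliberately left unset (the original listing had
        // `ExportPolicy = 1` commented out), so this request does not ask
        // for an exportable private key.

        // XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG: ask for a password when
        // the key is created and again whenever the key is used.
        // The prompt is raised by Windows on the client, not by this page, so
        // it must be verified on each supported Windows version and for the
        // certificate store the issued certificate is finally installed into.
        objPrivateKey.KeyProtection = 2;
        objPrivateKey.CspInformations = objCSPs;

        // Initialize the PKCS#10 request from the private key.
        objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1

        // Request a single enhanced key usage: 1.3.6.1.5.5.7.3.2.
        objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        objObjectIds.Add(objObjectId);
        objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
        objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);

        objDn.Encode("CN=xxxxxx", 0); // XCN_CERT_NAME_STR_NONE = 0
        objRequest.Subject = objDn;

        // Create the encoded request and hand it to the form field that is posted.
        objEnroll.InitializeFromRequest(objRequest);
        var pkcs10 = objEnroll.CreateRequest(3); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3
        request.PublicKeyInfo.value = pkcs10;
    } catch (ex) {
        // Script errors carry the failure code in `number`; show it as an
        // unsigned hex HRESULT so it can be looked up. (`ex.error` is not a
        // property of the error object and always printed "undefined".)
        var code = typeof ex.number === "number"
            ? "0x" + (ex.number >>> 0).toString(16)
            : "";
        alert((ex.description || ex.message) + "\n" + code);
        return false;
    }
    request.submit();
}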
答案 0 :(得分:0)
问题解决了。安装已颁发的证书时,我之前把它们安装到了"本地计算机";如果改为安装到"当前用户",在 W8.1 / W10 上也能正常工作。