Posted by Mike Smith-Lonergan on October 18, 2005, 2:16 pm
In what application or API will the certificates be stored on the Unix hosts?
Dig a little deeper into the client side of the Unix systems and how they'll
consume and use the digital certificates, and that'll lead you to the means
to generate the PKCS #10 request, and how to use the PKCS #7 response (from
the MS CA).
For example, if the Unix client relies on OpenSSL, then you might use the
REQ command to generate your PKCS #10, which can then be submitted to the MS
CA's web enrollment page (i.e. paste it in) or via command line on the CA
itself (i.e. using the certutil.exe command-line tool).
http://www.openssl.org/docs/apps/req.html
Hope this helps.
--
Mike Smith-Lonergan
Independent Security Consultant
http://paranoidmike.blogspot.com
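The OpenSSL side of the workflow described above, as an added example that is not part of the original post or of any Microsoft or OpenSSL documentation. It generates the key and the PKCS #10 request on the Unix host (the key never leaves it), runs the two checks a practitioner would want before submitting, and then unpacks the CA's PKCS #7 response back into PEM. Because the Microsoft CA cannot be reached offline, a throwaway OpenSSL CA stands in for it; the real step is pasting the .csr into the CA's web enrollment page or running certutil -submit on the CA, as the reply says. The file names (unixhost.key, unixhost.csr, unixhost.p7b) and the CN example-unix-host are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): Unix-side handling of a PKCS #10
# request and a PKCS #7 response when the issuer is a Microsoft CA.
# File names and the subject CN are constructed placeholders.
set -eu

# 1. Generate a 2048-bit RSA key and a PKCS #10 request non-interactively.
#    Only unixhost.csr leaves this host; the key stays here, mode 0600.
make_csr() {
  dir="$1"; cn="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/unixhost.key" -out "$dir/unixhost.csr" \
    -subj "/CN=$cn/O=Example Org" >/dev/null 2>&1
  chmod 600 "$dir/unixhost.key"
}

# 2. Checks before submitting: the request's self-signature verifies, and the
#    public key inside it matches the private key we kept.
check_csr() {
  dir="$1"
  openssl req -in "$dir/unixhost.csr" -noout -verify >/dev/null 2>&1 || return 1
  k=$(openssl rsa -in "$dir/unixhost.key" -noout -modulus 2>/dev/null)
  r=$(openssl req -in "$dir/unixhost.csr" -noout -modulus 2>/dev/null)
  [ "$k" = "$r" ]
}

# 3. In production this step happens on the Windows side: paste unixhost.csr
#    into the CA's web enrollment page, or on the CA itself run
#      certutil -submit unixhost.csr unixhost.p7b
#    For an offline run, a throwaway OpenSSL CA stands in for the MS CA and
#    wraps the issued certificate plus the CA certificate in a PKCS #7 bundle.
fake_ca_response() {
  dir="$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Throwaway Test CA" >/dev/null 2>&1
  openssl x509 -req -in "$dir/unixhost.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
    -out "$dir/unixhost.pem" >/dev/null 2>&1
  openssl crl2pkcs7 -nocrl -certfile "$dir/unixhost.pem" \
    -certfile "$dir/ca.pem" -out "$dir/unixhost.p7b"
}

# 4. Back on the Unix host: unpack the PKCS #7 response into PEM certificates
#    (add -inform DER if the CA returned a binary .p7b rather than base64),
#    then confirm the issued certificate really belongs to our key.
unpack_p7b() {
  dir="$1"
  openssl pkcs7 -print_certs -in "$dir/unixhost.p7b" -out "$dir/chain.pem"
  k=$(openssl rsa -in "$dir/unixhost.key" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$dir/chain.pem" -noout -modulus 2>/dev/null)
  [ "$k" = "$c" ]
}

# End-to-end run in a scratch directory; prints the issued cert's subject.
run_demo() {
  dir=$(mktemp -d)
  make_csr "$dir" "$1"
  check_csr "$dir"
  fake_ca_response "$dir"
  unpack_p7b "$dir"
  openssl x509 -in "$dir/chain.pem" -noout -subject
  rm -rf "$dir"
}
```

Run it as `run_demo example-unix-host`. The modulus comparison in steps 2 and 4 is the cheap way to catch a request or a response that was silently paired with the wrong key, which is exactly the failure an exportable-key workaround tends to hide.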
"JMZ" wrote:
> Thank you for the reply. We have already found that having an exportable
> private key works as a test, but our certificate policy severely frowns on
> that situation. We would rather issue the certificate and non-exportable
> private key directly to the Unix box.
>
> However, in your answer, you refer to 'the web interface.' Are you speaking
> of the interface our application provides (or must provide), or to a web
> interface to MS Certificate Server directly?
>
> As it is, our application cannot run on non-Windows systems because it uses
> CapiCom.
>
> Thanks.
>
> "S. Pidgorny <MVP>" wrote:
>
> > You can mark keys as exportable and then export the certificate with private
> > key to the UNIX system.
> > Alternatively, you can generate PKCS #7 certificate signing request on the
> > UNIX system, submit it using the web interface and retrieve signed request
> > directly.
> > All the formats used are standard.
> >
> > --
> > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > -= F1 is the key =-
> >
> > > Can I use MS Certificate Server to issue certificates directly to an external
> > > Unix server (customer's) from an internal MS 2003 server (ours), perhaps via
> > > a web service?
> > >
> > > Our current infrastructure allows certificate issuance only to Microsoft OS
> > > computers via a secure web site. The certificates are automatically
> > > installed into the client's CurrentUser personal store where they are then
> > > used to sign transactions for our application.
> > >
> > > But we need to be able to issue certificates to Unix customers as well.
> > >
> > > TIA