We have a process where our clients sign up for an X509 client certificate through CertEnroll. It works, but now one of our clients would like to add one extra layer of security, so we added a password to the certificate. The user is asked for the password when creating the certificate and then has to enter the password every time the certificate is used. It works both ways in Windows 7, but not in Windows 8.1 / 10; browsers are all IE 11. In Windows 8.1 / 10 the password is asked for when the user applies for the certificate, but when the certificate is later used, the password is not asked for.
Hope someone has a clue what is going on here. Here is the JavaScript that creates the certificate request.
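// Builds a PKCS#10 certificate request in the browser through the CertEnroll COM
// objects exposed by the form's Enroll control (IE only), writes the Base64 request
// into the form's PublicKeyInfo field and submits the form.
// Returns false (after showing the error) if any CertEnroll call throws; otherwise
// the form is submitted and nothing is returned.
function doSubmit() {
    var request = document.forms(0);
    //
    // other stuff
    //
    try {
        // CertEnroll COM objects, all created via the Enroll control on the form.
        var objCSP = request.Enroll.CreateObject("X509Enrollment.CCspInformation");
        var objCSPs = request.Enroll.CreateObject("X509Enrollment.CCspInformations");
        var objPrivateKey = request.Enroll.CreateObject("X509Enrollment.CX509PrivateKey");
        var objRequest = request.Enroll.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
        var objObjectIds = request.Enroll.CreateObject("X509Enrollment.CObjectIds");
        var objObjectId = request.Enroll.CreateObject("X509Enrollment.CObjectId");
        var objX509ExtensionEnhancedKeyUsage = request.Enroll.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
        var objExtensionTemplate = request.Enroll.CreateObject("X509Enrollment.CX509ExtensionTemplateName");
        var objDn = request.Enroll.CreateObject("X509Enrollment.CX500DistinguishedName");
        var objEnroll = request.Enroll.CreateObject("X509Enrollment.CX509Enrollment");

        // Select the Cryptographic Service Provider (CSP) that will generate and hold
        // the private key, and hand it to the key object as a one-element collection.
        objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");
        objCSPs.Add(objCSP);

        // Key parameters. Length is a numeric COM property, so pass a number rather
        // than the string "2048" (the string only worked through implicit conversion).
        objPrivateKey.Length = 2048;
        objPrivateKey.KeySpec = 1;
        // ExportPolicy is deliberately left unset, so the key keeps the provider's
        // default export policy (e.g. `objPrivateKey.ExportPolicy = 1;` would allow
        // the private key to be exported).
        // KeyProtection = 2 is XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG: the user must
        // set a password when the key is generated and re-enter it on every use.
        // NOTE(review): on Windows 8.1 / 10 the on-use prompt was only observed when
        // the issued certificate was installed under "Current User", not "Local
        // Computer"; check the install target before suspecting this flag.
        objPrivateKey.KeyProtection = 2;
        objPrivateKey.CspInformations = objCSPs;

        // Build the PKCS#10 request around the private key; 1 = user context,
        // "" = no certificate template name.
        objRequest.InitializeFromPrivateKey(1, objPrivateKey, "");

        // Enhanced Key Usage extension restricting the certificate to client
        // authentication (OID 1.3.6.1.5.5.7.3.2).
        objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        objObjectIds.Add(objObjectId);
        objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
        objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);

        // Subject name; 0 = XCN_CERT_NAME_STR_NONE (no special encoding flags).
        objDn.Encode("CN=xxxxxx", 0);
        objRequest.Subject = objDn;

        // Generate the key and encode the request; 3 = XCN_CRYPT_STRING_BASE64REQUESTHEADER.
        objEnroll.InitializeFromRequest(objRequest);
        var pkcs10 = objEnroll.CreateRequest(3);
        request.PublicKeyInfo.value = pkcs10;
    } catch (ex) {
        // COM errors surface as JScript exceptions with description/error fields;
        // show them to the user and abort the submit.
        alert( ex.description + "\n" + ex.error );
        return false;
    }
    request.submit();
}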
Problem solved. When installing the issued certificates, it did not work if I installed them under "Local Computer", but when installed under "Current User" it worked on W8.1 / W10 as well.