Help for ActiveX (2)

Discussion in 'ASP .Net Security' started by Luca Vanuzzo, Mar 4, 2004.

  1. Luca Vanuzzo

    Luca Vanuzzo Guest

    Hi YanHong,

    I was very busy in the last days with other business problems, but now I'm
    ready to solve the problem about ActiveX control and the security warning on
    Internet Explorer.
    I followed all your instructions about the creation of the certificate and
    I signed my myocx.ocx, run chktrust
    correctly and import ed the certificate in the Trusted Root Certification
    Authorities. In the browser I set for
    the prompt for the unsigned ActiveX controls and the activation for signed
    ActiveX control. In the development
    PC I have already the explorer warning. I have no warning with the
    activation of unsigned ActiveX control.
    If I try to load the page in another PC I download automatically the
    myocx.ocx and install the certificate
    manually from the trusted dialog box that appear when I call the page. But I
    have still the warning message.
    I tried also with an installation of an Certification Autority in a windows
    2000 server: I created the certificate and
    installed it in the development PC and signed myocx.ox but I have still the
    warning message.
    I think there is a wrong operation I did. Have you some other ideas ?

    Thank you,

    Luca
     
    Luca Vanuzzo, Mar 4, 2004
    #1
    1. Advertising

  2. Luca Vanuzzo

    [MSFT] Guest

    Hi Luca,

    Thank you for using the community. Currently, I am looking into the
    question. As I understand, you need sign the cab file which contains an
    ActiveX control, and use it in IE. To achieve this, you may following these
    steps:

    TO CREATE PVK AND SPC FILES
    ===========================

    1) Go to to http://<machineName>/certsrv/ (this is the home directory
    specified during Certificate Server installation)

    2) Select "Certificate Enrollment Tools" link

    3) Select "Request a Client Authentication Certificate" link

    4) On "Certificate Enrollment Form" press Advanced button

    5) On Advanced Settings, specify:
    - Key Spec: Signature
    - Algorithm: MD5
    - Properties:
    . Export Private Keys to a File
    . Allow keys to exported
    . Create a SPC file
    - Usage: Code Signing
    - CSP: Microsoft Base Cryptographic Provider 1.0

    6) Press OK

    7) On Xenroll dialog box:

    Save PVK file as: <type the path and name for the PVK file>

    9) Press OK

    10) It goes back to certificate Enrollment Form

    11) On Certificate Enrollment Form, specify:
    - Name: <the name that will appear on certificate>
    - Department: <same as above, department>
    - Organization: <same as above, organization>
    - City: <same as above, city>
    - State: <same as above, state>
    - Country: <same as above, country>
    - E-Mail: <same as above, email>

    12) Press Submit Request button

    13) On Create Private Key Password dialog box, specify:

    - Path and name of the Private Key file

    - Password: ******

    - Confirm Password: ******

    14) Press OK (or None if you intent to leave the password empty)

    15) It goes to "Certificate Download page"

    16) Press Download button

    17) On Xenroll dialog box, specify the path and file name for the SPC file.

    18) Press OK

    19) If a messagebox appears asking about creating a "software publisher
    certificate", answer YES.

    20) The PVK and SPC files are OK now. Go to next steps:

    TO SIGN CAB OR EXE FILES
    ========================

    1) Download the Authenticode:

    - Go to
    http://msdn.microsoft.com/downloads/c-frame.htm?003#/downloads/tools/
    - On the left pane, Tools TOC, select +Microsoft Downloads
    - Select MS Authenticode (IE4)
    - On the right pane, click "Download Authenticode (343K)".
    - Execute the file CODESIGN.EXE to uncompress it to a folder.

    2) Place the following files in an empty directory:
    - chktrust.exe (verify signatures)
    - signcode.exe (signing utility)
    - signer.dll (dependency file)
    - *.pvk (private key)
    - *.spc (public key)
    - all unsigned cabs/exes

    3) Use the program SIGNCODE.EXE to sign files:

    signcode -v private.pvk -spc publickey.spc filename.cab

    After these, you can Installing the Trusted Certificates in IE.

    For more informaton on this question, you may refer to:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q247257

    http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcod
    e/signing.asp

    I also notice Yanghong had provided you some useful links, you can also
    refer them:

    http://www.microsoft.com/windows/ie/using/howto/digitalcert/using.asp

    Regards,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    [MSFT], Mar 5, 2004
    #2
    1. Advertising

  3. Luca Vanuzzo

    Luca Vanuzzo Guest

    Hi Luke,

    thank you for your help.
    I follwed all your instruction (the link
    http://msdn.microsoft.com/downloads/c-frame.htm?003#/downloads/tools/ does
    not exist, however) to create the certificate and sign my OCX (not CAB or
    EXE !).
    I imported the certificate from IE in the root trusted authorities; I had no
    errors when I sow the certificate
    and when I use chktrust for my OCX. But when I load the page from the
    develop PC or in another PC
    after the download of the OCX I have still the warning message. It seems
    that the activex control is not
    safe. If I active the execution of unsafe activex I have no warning message
    ....
    Have you got any other idea ?

    Thanks,

    Luca

    "[MSFT]" <> ha scritto nel messaggio
    news:...
    > Hi Luca,
    >
    > Thank you for using the community. Currently, I am looking into the
    > question. As I understand, you need sign the cab file which contains an
    > ActiveX control, and use it in IE. To achieve this, you may following

    these
    > steps:
    >
    > TO CREATE PVK AND SPC FILES
    > ===========================
    >
    > 1) Go to to http://<machineName>/certsrv/ (this is the home directory
    > specified during Certificate Server installation)
    >
    > 2) Select "Certificate Enrollment Tools" link
    >
    > 3) Select "Request a Client Authentication Certificate" link
    >
    > 4) On "Certificate Enrollment Form" press Advanced button
    >
    > 5) On Advanced Settings, specify:
    > - Key Spec: Signature
    > - Algorithm: MD5
    > - Properties:
    > . Export Private Keys to a File
    > . Allow keys to exported
    > . Create a SPC file
    > - Usage: Code Signing
    > - CSP: Microsoft Base Cryptographic Provider 1.0
    >
    > 6) Press OK
    >
    > 7) On Xenroll dialog box:
    >
    > Save PVK file as: <type the path and name for the PVK file>
    >
    > 9) Press OK
    >
    > 10) It goes back to certificate Enrollment Form
    >
    > 11) On Certificate Enrollment Form, specify:
    > - Name: <the name that will appear on certificate>
    > - Department: <same as above, department>
    > - Organization: <same as above, organization>
    > - City: <same as above, city>
    > - State: <same as above, state>
    > - Country: <same as above, country>
    > - E-Mail: <same as above, email>
    >
    > 12) Press Submit Request button
    >
    > 13) On Create Private Key Password dialog box, specify:
    >
    > - Path and name of the Private Key file
    >
    > - Password: ******
    >
    > - Confirm Password: ******
    >
    > 14) Press OK (or None if you intent to leave the password empty)
    >
    > 15) It goes to "Certificate Download page"
    >
    > 16) Press Download button
    >
    > 17) On Xenroll dialog box, specify the path and file name for the SPC

    file.
    >
    > 18) Press OK
    >
    > 19) If a messagebox appears asking about creating a "software publisher
    > certificate", answer YES.
    >
    > 20) The PVK and SPC files are OK now. Go to next steps:
    >
    > TO SIGN CAB OR EXE FILES
    > ========================
    >
    > 1) Download the Authenticode:
    >
    > - Go to
    > http://msdn.microsoft.com/downloads/c-frame.htm?003#/downloads/tools/
    > - On the left pane, Tools TOC, select +Microsoft Downloads
    > - Select MS Authenticode (IE4)
    > - On the right pane, click "Download Authenticode (343K)".
    > - Execute the file CODESIGN.EXE to uncompress it to a folder.
    >
    > 2) Place the following files in an empty directory:
    > - chktrust.exe (verify signatures)
    > - signcode.exe (signing utility)
    > - signer.dll (dependency file)
    > - *.pvk (private key)
    > - *.spc (public key)
    > - all unsigned cabs/exes
    >
    > 3) Use the program SIGNCODE.EXE to sign files:
    >
    > signcode -v private.pvk -spc publickey.spc filename.cab
    >
    > After these, you can Installing the Trusted Certificates in IE.
    >
    > For more informaton on this question, you may refer to:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q247257
    >
    >

    http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcod
    > e/signing.asp
    >
    > I also notice Yanghong had provided you some useful links, you can also
    > refer them:
    >
    > http://www.microsoft.com/windows/ie/using/howto/digitalcert/using.asp
    >
    > Regards,
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
     
    Luca Vanuzzo, Mar 5, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. VB Programmer

    HELP: ActiveX Control on webform

    VB Programmer, Jul 8, 2003, in forum: ASP .Net
    Replies:
    1
    Views:
    364
    Vidar Petursson
    Jul 8, 2003
  2. Sreejumon [MVP]
    Replies:
    1
    Views:
    1,452
    VB Programmer
    Jul 9, 2003
  3. Alvin Bruney
    Replies:
    0
    Views:
    370
    Alvin Bruney
    Jul 9, 2003
  4. Replies:
    0
    Views:
    887
  5. vml
    Replies:
    0
    Views:
    1,047
Loading...

Share This Page