Help for ActiveX (2)

[Luca Vanuzzo]

Hi YanHong,

I was very busy in the last days with other business problems, but now I'm
ready to solve the problem about ActiveX control and the security warning on
Internet Explorer.
I followed all your instructions about the creation of the certificate and
I signed my myocx.ocx, run chktrust
correctly and import ed the certificate in the Trusted Root Certification
Authorities. In the browser I set for
the prompt for the unsigned ActiveX controls and the activation for signed
ActiveX control. In the development
PC I have already the explorer warning. I have no warning with the
activation of unsigned ActiveX control.
If I try to load the page in another PC I download automatically the
myocx.ocx and install the certificate
manually from the trusted dialog box that appear when I call the page. But I
have still the warning message.
I tried also with an installation of an Certification Autority in a windows
2000 server: I created the certificate and
installed it in the development PC and signed myocx.ox but I have still the
warning message.
I think there is a wrong operation I did. Have you some other ideas ?

Thank you,

Luca

 

[[MSFT]]

Hi Luca,

Thank you for using the community. Currently, I am looking into the
question. As I understand, you need sign the cab file which contains an
ActiveX control, and use it in IE. To achieve this, you may following these
steps:

TO CREATE PVK AND SPC FILES
===========================

1) Go to to http://<machineName>/certsrv/ (this is the home directory
specified during Certificate Server installation)

2) Select "Certificate Enrollment Tools" link

3) Select "Request a Client Authentication Certificate" link

4) On "Certificate Enrollment Form" press Advanced button

5) On Advanced Settings, specify:
- Key Spec: Signature
- Algorithm: MD5
- Properties:
. Export Private Keys to a File
. Allow keys to exported
. Create a SPC file
- Usage: Code Signing
- CSP: Microsoft Base Cryptographic Provider 1.0

6) Press OK

7) On Xenroll dialog box:

Save PVK file as: <type the path and name for the PVK file>

9) Press OK

10) It goes back to certificate Enrollment Form

11) On Certificate Enrollment Form, specify:
- Name: <the name that will appear on certificate>
- Department: <same as above, department>
- Organization: <same as above, organization>
- City: <same as above, city>
- State: <same as above, state>
- Country: <same as above, country>
- E-Mail: <same as above, email>

12) Press Submit Request button

13) On Create Private Key Password dialog box, specify:

- Path and name of the Private Key file

- Password: ******

- Confirm Password: ******

14) Press OK (or None if you intent to leave the password empty)

15) It goes to "Certificate Download page"

16) Press Download button

17) On Xenroll dialog box, specify the path and file name for the SPC file.

18) Press OK

19) If a messagebox appears asking about creating a "software publisher
certificate", answer YES.

20) The PVK and SPC files are OK now. Go to next steps:

TO SIGN CAB OR EXE FILES
========================

1) Download the Authenticode:

- Go to
http://msdn.microsoft.com/downloads/c-frame.htm?003#/downloads/tools/
- On the left pane, Tools TOC, select +Microsoft Downloads
- Select MS Authenticode (IE4)
- On the right pane, click "Download Authenticode (343K)".
- Execute the file CODESIGN.EXE to uncompress it to a folder.

2) Place the following files in an empty directory:
- chktrust.exe (verify signatures)
- signcode.exe (signing utility)
- signer.dll (dependency file)
- *.pvk (private key)
- *.spc (public key)
- all unsigned cabs/exes

3) Use the program SIGNCODE.EXE to sign files:

signcode -v private.pvk -spc publickey.spc filename.cab

After these, you can Installing the Trusted Certificates in IE.

For more informaton on this question, you may refer to:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q247257

http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcod
e/signing.asp

I also notice Yanghong had provided you some useful links, you can also
refer them:

http://www.microsoft.com/windows/ie/using/howto/digitalcert/using.asp

Regards,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Luca Vanuzzo]

Hi Luke,

thank you for your help.
I follwed all your instruction (the link
http://msdn.microsoft.com/downloads/c-frame.htm?003#/downloads/tools/ does
not exist, however) to create the certificate and sign my OCX (not CAB or
EXE !).
I imported the certificate from IE in the root trusted authorities; I had no
errors when I sow the certificate
and when I use chktrust for my OCX. But when I load the page from the
develop PC or in another PC
after the download of the OCX I have still the warning message. It seems
that the activex control is not
safe. If I active the execution of unsafe activex I have no warning message
....
Have you got any other idea ?

Thanks,

Luca