Help for ActiveX

Luca Vanuzzo

I have created an ActiveX control for use on a web application for an
intranet. Do I still have to pay for a Certification Authority to sign my
ActiveX control for download to IE, when it is only for use on an intranet?
I want to eliminate the constant message box saying the ActiveX control is
unsafe. If this can be done using the makecert and signcode commands, what
is the proper way to use those statements to get it to work?

Thanks,

Luca
 
Yan-Hong Huang[MSFT]

Hello Luca,

Thanks for posting in the group.

According to the description, now you are developing an ActiveX control for
use on a web application in Intranet. You want to know
1) Is it possible to create a certificate by yourself so that you don't need
to pay commercial CAs for it?
2) If yes, how to do that?

Based on my experience, before you purchase a certificate for your
control's .cab file from a vendor, you can use the test certificate
provided by Microsoft for verification purposes. The following KB article
has detailed steps on it:
"Packaging ActiveX Controls"
http://msdn.microsoft.com/workshop/components/activex/packaging.asp?frame=true#Cabinet_Files

However, when the ActiveX control passes test and is ready to be used, I
suggest you sign it with some commercial CAs such as
http://www.verisign.com/. So this control can be trusted worldwide.

I understand your concern is that this control may be used in your
company only. If so, you can try installing a certificate service on one
server of the domain. Then issue root certificate to every client machine.
After that, if you sign the control by the certificates issued by your
local certificate service, they can be trusted by client machines. For more
information on it, please refer to:

"The Microsoft Internet Security Framework: Technology for Secure
Communication, Access Control, and Commerce"
http://msdn.microsoft.com/library/en-us/dnsecure/html/msdn_misf.asp?frame=true

"HOWTO: Set Up Test Certificates for SSL/TLS Application Development"
http://support.microsoft.com/?id=288897

"ActiveX Error Messages Using Certificate Enrollment Web Pages to Enroll a
Smart Card in Internet Explorer"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;330211

"HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
Windows 2000"
http://support.microsoft.com/?id=231881

Does that answer your question?

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Luca Vanuzzo

Hi YanHong,

Thank you for your answer.
I installed a CA on a Windows 2000 server.
I tried to create a certificate with an exportable private key. When I tried
to sign my ActiveX control (I tried directly with the ocx) I had the
following error:

Error: The software publishing certificate and private key do not match or
do not contain valid information.
Error: Signing Failed. Result = 80092009, (-2146885623)

What exactly are the parameters for certificate generation? The signcode
tool needs to have the .spc and the private key.

Thank you,

Luca
 
Yan-Hong Huang[MSFT]

Hello Luca,

Thanks for your update. The detailed steps of creating and signing are:

// 1. Make a self-signed certificate called sign.cer.
MakeCert -sv sign.pvk -r -n "CN=THIS IS A TEST OF MAKECTL" sign.cer
// Make an SPC file using Cert2SPC.
Cert2SPC sign.cer sign.spc

// 2. Make another self-signed certificate called test.cer.
MakeCert -sv test.pvk -r -n "CN=THIS IS MY TEST CERT" test.cer
// Make an SPC file using Cert2SPC.
Cert2SPC test.cer test.spc

// 3. Make a test.ctl from test.cer.
MakeCTL test.cer test.ctl

// 4. Sign test.ctl with the sign.pvk and sign.spc made in step 1.
SignCode -v sign.pvk -spc sign.spc test.ctl

// 5. Move test.ctl to the trust system store.
CertMgr -add -ctl test.ctl -s trust

// 6. Move sign.cer to the root system store.
CertMgr -add -c sign.cer -s root

// 7. Sign something (test.exe) with test.pvk, and test.spc.
SignCode -v test.pvk -spc test.spc test.exe

// 8. Since test.cer is in the test.ctl, ChkTrust will succeed.
ChkTrust test.exe

Please refer to this MSDN topic for details:

"Signing and Checking Code with Authenticode"
http://msdn.microsoft.com/workshop/security/authcode/signing.asp?frame=true

"Creating, Viewing, and Managing Certificates"
http://msdn.microsoft.com/library/en-us/security/Security/creating_viewing_and_managing_certificates.asp?frame=true

Hope that helps.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Luca Vanuzzo

Hello Yan-Hong,

I followed all your instructions: I signed myocx.ocx instead of test.exe and
put it into a web page, but I still have the safe warning in IE. When I use
ChkTrust with myocx.ocx I get a warning that the origin authenticator is not
trusted.
Have you any other idea?

Thank you,

Luca
 
Yan-Hong Huang[MSFT]

Hi Luca,

Surely you need to add trust relationship to the root certificate of your
certification server.

I am not quite familiar with this area. But you can try IE->Tools
menu->Options->Content tab->Certificates button->Trusted Root Certification
Authorities tab->Import.

Please let me know if it works for you. Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Luca Vanuzzo

Hi Yanhong,

Thanks for your help again. I imported the certificate in the trusted root
certification authorities.
Now I have no error from chktrust for my ocx, but I have again the error
when I load my page with the ocx.
Have you any other idea?

Thank you very much,

Luca
 
Yan-Hong Huang[MSFT]

Hello Luca,

Thanks for the quick update.

What is the error message that you got?

Also, what is the security setting of your IE? Please go to IE tools
menu->Internet Options->Security tab->ActiveX controls and plug-ins. What
is the setting of these two items? (Download signed ActiveX control,
Download unsigned ActiveX control). If it is prompt for item 1, then a
dialog box should be launched when you download this control in IE. Please
set item 1 to Enable to see if you still meet this problem. For item 2, that
is for non-signed ActiveX controls, so we can just leave it there since it
is not related to this problem.

Thanks.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Luca Vanuzzo

Hi YanHong,

I did some tests on the security configuration. I have no error only if I
activate the execution of not safe ActiveX for local intranet. It seems that
myocx.ocx is not safe, but chktrust does not give me errors now.
Have you any other suggestion?

Thanks again,

Luca
 
Yan-Hong Huang[MSFT]

Hi Luca,

In the article "Using Digital Certificates",
http://www.microsoft.com/windows/ie/using/howto/digitalcert/using.asp

we can see one part named "Adding Trusted Publishers and Credentials
Agencies", please add your certificate to this tab in IE settings. Active
content that is digitally signed by trusted publishers or credentials
agencies with a valid certificate will download without user intervention,
unless downloading active content is disabled in the settings for a
specific security zone.

For detailed steps, we may also refer to KB article:
"How to Sign IEAK Files Using Microsoft Certificate Server"
http://support.microsoft.com/?id=193038

Thanks.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Yan-Hong Huang[MSFT]

Hello Luca,

Is the problem resolved? Have you successfully invoked the ActiveX control
without the warning message box? If there are any more questions, please feel
free to post here.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
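
The trust checks this thread works through one at a time (the signature verdict that ChkTrust reports, the issuing root in Trusted Root Certification Authorities, the signer in Trusted Publishers) can be run together on a client machine. This is an added PowerShell example, not code from any of the posters; the default file path and the helper name Find-CertStore are placeholders chosen here.

```powershell
# Added example, not from the thread. The default path is a placeholder.
param([string]$Path = '.\myocx.ocx')

# Return the first store path that holds a certificate with this thumbprint.
function Find-CertStore([string]$Thumbprint, [string[]]$Stores) {
    foreach ($store in $Stores) {
        if (Test-Path "$store\$Thumbprint") { return $store }
    }
    return $null
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) {
    Write-Output "No Authenticode signature on $Path"
    return
}
$signer = $sig.SignerCertificate

# 1. Overall verdict, the same question ChkTrust answers.
Write-Output ("Status  : {0} - {1}" -f $sig.Status, $sig.StatusMessage)
Write-Output ("Signer  : {0}" -f $signer.Subject)

# 2. Build the chain. The last element is the root the signer chains to
#    (or the last certificate found, if the chain is incomplete).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$built = $chain.Build($signer)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Output ("Root    : {0} (chain valid: {1})" -f $root.Subject, $built)
foreach ($s in $chain.ChainStatus) {
    Write-Output ("  chain problem: {0}" -f $s.Status)
}

# 3. Is that root in Trusted Root Certification Authorities?
$rootStore = Find-CertStore $root.Thumbprint @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
Write-Output ("Root trusted in      : {0}" -f $(if ($rootStore) { $rootStore } else { 'NOT FOUND' }))

# 4. Is the signing certificate itself in Trusted Publishers?
$pubStore = Find-CertStore $signer.Thumbprint @(
    'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher')
Write-Output ("Publisher trusted in : {0}" -f $(if ($pubStore) { $pubStore } else { 'NOT FOUND' }))
```

A file can pass all of these checks and Internet Explorer will still apply the security zone's ActiveX settings discussed in the later posts.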
 