Help for ActiveX

Discussion in 'ASP .Net Security' started by Luca Vanuzzo, Feb 16, 2004.

  1. Luca Vanuzzo

    Luca Vanuzzo Guest

    I have created an ActiveX control for use on a web application for an
    intranet. Do I still have to pay for a Certification Authority to sign my
    ActiveX control for download to IE, when it is only for use on an intranet?
    I want to eliminate the constant message box saying the ActiveX control is
    unsafe. If this can be done using the makecert and signcode commands, what
    is the proper way to use those statements to get it to work?

    Thanks,

    Luca
    Luca Vanuzzo, Feb 16, 2004
    #1

  2. Hello Luca,

    Thanks for posting in the group.

    According to the description, now you are developing an ActiveX control for
    use on a web application in Intranet. You want to know:
    1) Is it possible to create a certificate by yourself so that you don't need
    to pay commercial CAs for it?
    2) If yes, how to do that?

    Based on my experience, before you purchase a certificate for your
    control's .cab file from a vendor, you can use the test certificate
    provided by Microsoft for verification purposes. The following KB article
    has detailed steps on it:
    "Packaging ActiveX Controls"
    http://msdn.microsoft.com/workshop/components/activex/packaging.asp?frame=true#Cabinet_Files

    However, when the ActiveX control passes test and is ready to be used, I
    suggest you sign it with some commercial CAs such as
    http://www.verisign.com/. So this control can be trusted worldwide.

    I understand your concern is that this control may only be used in your
    company only. If so, you can try installing a certificate service in one
    server of the domain. Then issue root certificate to every client machine.
    After that, if you sign the control by the certificates issued by your
    local certificate service, they can be trusted by client machines. For more
    information on it, please refer to:

    "The Microsoft Internet Security Framework: Technology for Secure
    Communication, Access Control, and Commerce"
    http://msdn.microsoft.com/library/en-us/dnsecure/html/msdn_misf.asp?frame=true

    "HOWTO: Set Up Test Certificates for SSL/TLS Application Development"
    http://support.microsoft.com/?id=288897

    "ActiveX Error Messages Using Certificate Enrollment Web Pages to Enroll a
    Smart Card in Internet Explorer"
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;330211

    "HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
    Windows 2000"
    http://support.microsoft.com/?id=231881

    Does that answer your question?

    Best regards,
    Yanhong Huang
    Microsoft Community Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Yan-Hong Huang[MSFT], Feb 17, 2004
    #2

  3. Luca Vanuzzo

    Luca Vanuzzo Guest

    Hi YanHong,

    Thank you for your answer.
    I installed a CA on a Windows 2000 server.
    I tried to create a certificate with an exportable private key. When I tried
    to sign my ActiveX control (I tried directly with the ocx) I had the
    following error:

    Error: The software publishing certificate and private key do not match or
    do not contain valid information.
    Error: Signing Failed. Result = 80092009, (-2146885623)

    What exactly are the parameters for certificate generation? The signcode
    tool needs to have the .spc and the private key.

    Thank you,

    Luca

    Luca Vanuzzo, Feb 17, 2004
    #3
  4. Hello Luca,

    Thanks for your update. The detailed steps of creating and signing are:

    // 1. Make a self-signed certificate called sign.cer.
    MakeCert -sv sign.pvk -r -n "CN=THIS IS A TEST OF MAKECTL" sign.cer
    // Make an SPC file using Cert2SPC.
    Cert2SPC sign.cer sign.spc

    // 2. Make another self-signed certificate called test.cer.
    MakeCert -sv test.pvk -r -n "CN=THIS IS MY TEST CERT" test.cer
    // Make an SPC file using Cert2SPC.
    Cert2SPC test.cer test.spc

    // 3. Make a test.ctl from test.cer.
    MakeCTL test.cer test.ctl

    // 4. Sign test.ctl with the sign.pvk and sign.spc made in step 1.
    SignCode -v sign.pvk -spc sign.spc test.ctl

    // 5. Move test.ctl to the trust system store.
    CertMgr -add -ctl test.ctl -s trust

    // 6. Move sign.cer to the root system store.
    CertMgr -add -c sign.cer -s root

    // 7. Sign something (test.exe) with test.pvk, and test.spc.
    SignCode -v test.pvk -spc test.spc test.exe

    // 8. Since test.cer is in the test.ctl, ChkTrust will succeed.
    ChkTrust test.exe

    Please refer to this MSDN topic for details:

    "Signing and Checking Code with Authenticode"
    http://msdn.microsoft.com/workshop/security/authcode/signing.asp?frame=true

    "Creating, Viewing, and Managing Certificates"
    http://msdn.microsoft.com/library/en-us/security/Security/creating_viewing_and_managing_certificates.asp?frame=true

    Hope that helps.

    Best regards,
    Yanhong Huang
    Microsoft Community Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Yan-Hong Huang[MSFT], Feb 18, 2004
    #4
  5. Luca Vanuzzo

    Luca Vanuzzo Guest

    Hello Yan-Hong,

    I followed all your instructions: I signed myocx.ocx instead of test.exe
    and put it into a web page, but I still have the safe warning in IE. When
    I use chkTrust with myocx.ocx I have a warning that origin authenticator
    is not trusted.
    Have you any other idea?

    Thank you,

    Luca


    Luca Vanuzzo, Feb 18, 2004
    #5
  6. Hi Luca,

    Surely you need to add trust relationship to the root certificate of your
    certification server.

    I am not quite familiar with this area. But you can try IE->Tools
    menu->Options->Content tab->Certificates button->Trusted Root Certification
    Authorities tab->Import.

    Please let me know if it works for you. Thanks very much.

    Best regards,
    Yanhong Huang
    Microsoft Community Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Yan-Hong Huang[MSFT], Feb 18, 2004
    #6
  7. Luca Vanuzzo

    Luca Vanuzzo Guest

    Hi Yanhong,

    Thanks for your help again. I imported the certificate in the trusted root
    certification authorities.
    Now I have no error from chktrust for my ocx, but I have again the error
    when I load my page with the ocx.
    Have you any other idea?

    Thank you very much,

    Luca
    Luca Vanuzzo, Feb 18, 2004
    #7
  8. Hello Luca,

    Thanks for the quick update.

    What is the error message that you got?

    Also, what is the security setting of your IE? Please go to IE tools
    menu->Internet Options->Security tab->ActiveX controls and plug-ins. What
    is the setting of these two items? (Download signed ActiveX control,
    Download unsigned ActiveX control). If it is prompt for item 1, then a
    dialog box should be launched when you download this control in IE. Please
    set item 1 to Enable to see if you still meet this problem. For item 2, that
    is for non-signed ActiveX controls, so we can just leave it there since it
    is not related to this problem.

    Thanks.

    Best regards,
    Yanhong Huang
    Microsoft Community Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Yan-Hong Huang[MSFT], Feb 19, 2004
    #8
  9. Luca Vanuzzo

    Luca Vanuzzo Guest

    Hi YanHong,

    I did some tests about the security configuration. I have no error only if I
    activate the execution of not safe ActiveX for local intranet. It seems
    that myocx.ocx is not safe, but chktrust does not give me errors now.
    Have you any other suggestion?

    Thanks again,

    Luca
    Luca Vanuzzo, Feb 19, 2004
    #9
  10. Hi Luca,

    In the article "Using Digital Certificates",
    http://www.microsoft.com/windows/ie/using/howto/digitalcert/using.asp

    we can see one part named "Adding Trusted Publishers and Credentials
    Agencies", please add your certificate to this tab in IE settings. Active
    content that is digitally signed by trusted publishers or credentials
    agencies with a valid certificate will download without user intervention,
    unless downloading active content is disabled in the settings for a
    specific security zone.

    For detailed steps, we may also refer to KB article:
    "How to Sign IEAK Files Using Microsoft Certificate Server"
    http://support.microsoft.com/?id=193038

    Thanks.

    Best regards,
    Yanhong Huang
    Microsoft Community Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Yan-Hong Huang[MSFT], Feb 20, 2004
    #10
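
A quick way to check the three conditions this thread works through (valid Authenticode signature, issuing root in Trusted Root Certification Authorities, signer in Trusted Publishers), as an added PowerShell example that is not part of any post above. The path `.\myocx.ocx` and the helper name `Test-InStore` are assumptions.

```powershell
# Added example, not from the thread. $Path is a placeholder for the signed control.
param([string]$Path = '.\myocx.ocx')

# Hypothetical helper: report which copy of a certificate store holds $Cert, if any.
function Test-InStore {
    param($Cert, [string]$StoreName)
    # Check both the per-user and the per-machine copy of the store.
    foreach ($loc in 'CurrentUser', 'LocalMachine') {
        $hit = Get-ChildItem "Cert:\$loc\$StoreName" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }
        if ($hit) { return "$loc\$StoreName" }
    }
    return $null
}

# 1. Is the file signed, and does Windows accept the signature?
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) { "File is not signed."; return }

$signer = $sig.SignerCertificate
"Signer           : $($signer.Subject)"
"Valid            : $($signer.NotBefore) to $($signer.NotAfter)"

# 2. Build the chain so the top-most certificate can be identified.
#    If the issuer is missing locally, the last element is not a real root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # an intranet CA may publish no CRL
$built = $chain.Build($signer)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain builds     : $built"
$chain.ChainStatus | ForEach-Object { "  chain status   : $($_.Status)" }

# 3. Is the root trusted, and is the signer a trusted publisher?
$rootStore = Test-InStore $root 'Root'
$pubStore  = Test-InStore $signer 'TrustedPublisher'
"Root '$($root.Subject)' in Trusted Root store : $(if ($rootStore) { $rootStore } else { 'NO' })"
"Signer in Trusted Publishers store            : $(if ($pubStore) { $pubStore } else { 'NO' })"
```

A certificate trusted only through a CTL in the trust store, as in the MakeCTL steps of post #4, will show `NO` for the root check here, because this script looks only at the Root and TrustedPublisher stores.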
  11. Hello Luca,

    Is the problem resolved? Have you successfully invoked the ActiveX control
    without the warning message box? If there are any more questions, please
    feel free to post here.

    Best regards,
    Yanhong Huang
    Microsoft Community Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Yan-Hong Huang[MSFT], Feb 24, 2004
    #11