JMZ (Guest)
Posted: Mon Oct 17, 2005 4:51 pm
Post subject: MS Certificate Issuance to Unix

Can I use MS Certificate Server to issue certificates directly to an external
Unix server (customer's) from an internal MS 2003 server (ours), perhaps via
a web service?
Our current infrastructure allows certificate issuance only to Microsoft OS
computers via a secure web site. The certificates are automatically
installed into the client's CurrentUser personal store where they are then
used to sign transactions for our application.
But we need to be able to issue certificates to Unix customers as well.
TIA

S. Pidgorny (Guest)
Posted: Tue Oct 18, 2005 12:50 pm
Post subject: Re: MS Certificate Issuance to Unix

You can mark keys as exportable and then export the certificate with private
key to the UNIX system.
Alternatively, you can generate a PKCS #7 certificate signing request on the
UNIX system, submit it using the web interface and retrieve the signed request
directly.
All the formats used are standard.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

JMZ (Guest)
Posted: Tue Oct 18, 2005 4:51 pm
Post subject: Re: MS Certificate Issuance to Unix

Thank you for the reply. We have already found that having an exportable
private key works as a test, but our certificate policy severely frowns on
that situation. We would rather issue the certificate and non-exportable
private key directly to the Unix box.
However, in your answer, you refer to 'the web interface.' Are you speaking
of the interface our application provides (or must provide), or to a web
interface to MS Certificate Server directly?
As it is, our application cannot run on non-Windows systems because it uses
CapiCom.
Thanks.

Mike Smith-Lonergan (Guest)
Posted: Wed Oct 19, 2005 12:50 am
Post subject: Re: MS Certificate Issuance to Unix

In what application or API will the certificates be stored on the Unix hosts?
Dig a little deeper into the client side of the Unix systems and how they'll
consume and use the digital certificates, and that'll lead you to the means
to generate the PKCS #10 request, and how to use the PKCS #7 response (from
the MS CA).
For example, if the Unix client relies on OpenSSL, then you might use the
REQ command to generate your PKCS #10, which can then be submitted to the MS
CA's web enrollment page (i.e. paste it in) or via command line on the CA
itself (i.e. using the certutil.exe command-line tool).
http://www.openssl.org/docs/apps/req.html
Hope this helps.
--
Mike Smith-Lonergan
Independent Security Consultant
http://paranoidmike.blogspot.com

S. Pidgorny (Guest)
Posted: Wed Oct 19, 2005 12:50 pm
Post subject: Re: MS Certificate Issuance to Unix

I mean the Web interface to Certificate Server. Generate the CSR with the
private key on the UNIX box, submit the CSR to CertSrv using the Web form,
issue the cert, pick it up... I believe that should work on the UNIX comp as
well as on Windows client - the PKCS #7 format for CSR is the same...
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
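
The flow described in Mike Smith-Lonergan's and S. Pidgorny's replies, as an added example that is not part of the original thread: the key pair and PKCS #10 request are generated on the Unix host with OpenSSL, so the private key never has to be exported. The file names and the CN are hypothetical, and a constructed test CA stands in for the MS CA web enrollment step so the script runs offline.

```shell
#!/bin/sh
# Added example; file names and the CN are hypothetical.

# 1. On the Unix host: generate the key pair and PKCS #10 request locally.
#    Only host.csr is sent to the CA; host.key stays in $1.
make_request() {          # $1 = directory, $2 = common name
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
          -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null )
}

# 2. Stand-in for the MS CA (assumption, so the script runs offline):
#    a constructed test CA signs the request and wraps the certificate
#    in a DER-encoded PKCS #7 file.
test_ca_issue() {         # $1 = directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/host.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/issued.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$1/issued.pem" \
        -outform DER -out "$1/certnew.p7b"
}

# 3. Back on the Unix host: unpack the PKCS #7 response and accept it only
#    if the certificate's public key matches the locally generated key.
check_response() {        # $1 = directory; prints "match" or "mismatch"
    openssl pkcs7 -inform DER -in "$1/certnew.p7b" -print_certs \
        -out "$1/issued_from_p7b.pem" || return 1
    key_pub=$(openssl pkey -in "$1/host.key" -pubout) || return 1
    crt_pub=$(openssl x509 -in "$1/issued_from_p7b.pem" -noout -pubkey) || return 1
    if [ "$key_pub" = "$crt_pub" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Demo run in a scratch directory.
dir=$(mktemp -d) &&
    make_request "$dir" host.example.test &&
    test_ca_issue "$dir" &&
    check_response "$dir" || echo "enrollment check failed" >&2
```

A certificate-chain download in PKCS #7 form also carries the CA certificates, so select the certificate whose public key matches the local key rather than assuming it comes first.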