10 апреля 2012

ICEnroll4::addExtensionToRequest or problem widely known to fiew people SOLVED

Sometimes it's needed to create a Certificate Signing Request (SAR), using Internet Explorer and ActiveX technology. There is a very good manual how to create a certificate request with CertEnroll for Windows Vista and newer (Windows 7, 2008, 8). There's also a manual in MSDN for CEnroll (Windows XP, 2003), and it works fine until you try to create a request with specific X.509 extensions (for example, Subject Alternative Name - SAN). Many programmers complain that addExtensionToRequest method doesn't work. If you look for addExtensionToRequest in Google, you'll see that most of links lead to discussions of this problem and I've found no one with working solution. Some of them even claim that there is no solution for script languages at all. But solution exists!

Typical problem

Typically problematic code looks like this:

var enroll = CreateActiveXObject("CEnroll.CEnroll");
enroll.addExtensionToRequest(0, "", strExtensionBase64);
strPKCS10 = enroll.CreatePKCS10(strDN, strEKU);

* This source code was highlighted with Source Code Highlighter.

This block of code runs without any errors, and generates a valid PKCS#10 request, but the problem is that generated request doesn't contain desired extension (in this sample that used to assign SAN).


Actually problem is not in ICEnroll4::addExtensionToRequest method. It runs correctly and adds extension to Enrollment Control. Problem is in obsolete method  ICEnroll::CreatePKCS10, that generates request in an obsolete PKCS#10 format version, that doesn't support X.509 extension, passed to Enrollment Control. You should use ICEnroll4::createRequest method instead, and demand it to produce PKCS#10 v2.0 format (pass Flags = XECR_PKCS10_V20 = 1 in parameters). Thus, request generation instruction should look like this:
strPKCS10 = enroll.createRequest(1, strDN, strEKU);
It's a blame on MS developers, who wrote two methods with names, making mess up and didn't describe them in MSDN properly. It's so logically, clear an obvious to call CreatePKCS10 method to create PKCS#10 request instead of calling createRequest and pass to it parameter, istructing to create request in the same format, yah?

Комментариев нет: