出家如初,成佛有余

IE中自动安装根数字证书

Posted in Uncategorized by chuanliang on 2010/02/11

基本思路:

1、在XP、Windows 2003的IE上,通过XEnroll.dll控件来完成根数字证书的自动安装。

2、在Vista,Windows 2008,Windows 7 的IE上,需要使用CertEnroll.dll来自动完成根数字证书的自动安装。

3、XEnroll.InstallPKCS7只适用于自动安装根证书。XEnroll.acceptPKCS7 用于安装用户数字证书,但需要配合CSR(Certificate signing request)才能够使用。要实现自动安装用户证书:

在IE中:需要配合Enroll.createPKCS10CSR来生成CSR(Certificate signing request)

在Firefox中:需要配合使用html的keygen标签来生成CSR

4、如果只需要能够下载证书并安装,而不要在IE浏览器中完成证书注销、证书申请等功能,可以采用下载证书文件的方式,MIME Type可以采用

application/x-pkcs12、application/pkcs-12

几个与PKI证书相关的MIME Type:

application/x-x509-ca-cert、application/x-x509-user-cert、application/pkcs10、application/x-pkcs10、application/pkcs-12、

application/x-pkcs12、application/x-pkcs7-signature、application/pkcs7-mime、application/x-pkcs7-mime、

application/pkcs7-mime、application/x-pkcs7-mime、application/x-pkcs7-certreqresp、application/pkcs7-signature

  测试代码:

<%@ page language="java" import="java.util.*" pageEncoding="GBK"%>
<%@ page import="java.lang.*,java.io.*" %>
<html>
<head>
<title>IE中自动安装数字证书测试</title>
</head>

<body>
IE中使用XEnroll.InstallPKCS7自动安装根数字证书<br/>
 备注:这里测试的根证书采用Base64编码 X.509格式(CER)<br/>
<%

StringBuffer server_cert =new StringBuffer();
try {
    String realPath = this.getClass().getClassLoader().getResource("liangchuan.cer").getPath();
    File file = new File(realPath);
    if (!file.exists()) {
        out.println("<HTML><BODY><P>");
        out.println("<h2>根证书文件不存在</h2> <br/>");
        out.println("</P></BODY></HTML>");
        out.flush();
        out.close();
    }else{
        BufferedReader bf=new BufferedReader(new FileReader(file));
        String line=null;
        while((line=bf.readLine())!=null)
            server_cert.append(line);

        bf.close();

    }
}catch(Exception e){
    out.println("<HTML><BODY><P>");
    out.println("<h2>读取证书文件出错</h2> <br/>");
    out.println(e.toString());
    out.println("</P></BODY></HTML>");
    out.flush();
    out.close();
}

String Agent = request.getHeader("User-Agent");
StringTokenizer st = new StringTokenizer(Agent,";");
st.nextToken();
String userBrowser = st.nextToken();
String userOS = st.nextToken();
out.println("你的操作系统为:");
out.println(userOS);
String activexLib="XEnroll";

//检查是否是Windows Vista,Windows 2008,Windows 7,在Vista,Windows 2008,Windows 7上,需要使用 CertEnroll.dll
//Windows 2008 Server, IE7 User-Agent header: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2;...
//Windows Vista, IE7 User-Agent header: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;...
//Windows 7,IE8 User-Agent header: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;...

if(userOS.equals("Windows NT 6.0") || userOS.equals("Windows NT 6.1")|| userOS.equals("Windows NT 5.2"))
    activexLib="CertEnroll";

String sPKCS7=server_cert.toString();
%>

<% if(activexLib.equals("XEnroll"))
{ %>
    <object id="XEnroll" classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1" codebase="xenroll.dll"></object>
    <SCRIPT language="VBSCRIPT">
        ON ERROR resume next
        sPKCS7 = "<%= sPKCS7 %>"
        //XEnroll.InstallPKCS7用于安装根证书。
        XEnroll.InstallPKCS7(sPKCS7)

        if err.Number <> 0 then
            if err.number = -2146885628 then
                MsgBox "Keyset does not exist"
            else
                MsgBox "证书下载时出错,错误号="&err.description
            end if
        else
            MsgBox "证书已成功装入"
        end if
</script>
<% } else {%>

//方法来源:
//http://blogs.msdn.com/alejacma/archive/2009/01/28/how-to-create-a-certificate-request-with-certenroll-javascript.aspx
//Vista下由于暂时没有测试环境,方法尚待验证

    <object id="objCertEnrollClassFactory" classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></object>
    <script language="javascript">
    function InstallCert()
    {
        document.write("<br>Installing certificate...");
        try {
            // Variables
            var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
            var sPKCS7 = "<%= sPKCS7 %>"
            objEnroll.Initialize(1); // ContextUser
            objEnroll.InstallResponse(0, sPKCS7, 6, ""); // AllowNone = 0, XCN_CRYPT_STRING_BASE64_ANY = 6
        }
        catch (ex) {
            document.write("<br>" + ex.description);
            return false;
        }

    return true;
    }

    InstallCert();

    </script>

<% } %>
<%
/*
out.println("用下载方式下载p12格式的文件下载后安装"); 
ClassLoader cl = this.getClass().getClassLoader();
try {
    InputStream is = cl.getResourceAsStream("liangchuan.p12");
    //response.setContentType("application/x-x509-ca-cert");
    response.setContentType("application/x-pkcs12");
    response.addHeader("Content-Disposition", "attachment; filename=liangchuan.p12");
    OutputStream os = response.getOutputStream();
    //InputStream is = new FileInputStream(fileName);
    while (is.available() > 0) {
        char c = (char) is.read();
        os.write(c);
    }
    os.flush();
    is.close(); 
} catch (Exception e) { 

    out.println("<HTML><BODY><P>");
    out.println("<h2>下载证书文件出错</h2> <br/>");
    out.println(e.toString());
    out.println("</P></BODY></HTML>");
    out.flush();
    out.close(); 

}
*/
%>
</body>
</html>

参考资料:

How to create a certificate request with CertEnroll (JavaScript)

Certificate-Related Changes for Windows Vista

How to use Certificate Services Web enrollment pages together with Windows Vista or Windows Server 2008

Advertisements

No Responses Yet

Subscribe to comments with RSS.

  1. […]     此处安装用户数字证书时候并没有自动安装根证书,根证书自动安装的实现方式可以参考:IE中自动安装根数字证书 […]

  2. adad said, on 2010/04/14 at 16:09

    怎么样自动删除根证书呢
    我用store.remove(Certificate)删除 就报异常了
    帮我解决下好吗


发表评论

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / 更改 )

Twitter picture

You are commenting using your Twitter account. Log Out / 更改 )

Facebook photo

You are commenting using your Facebook account. Log Out / 更改 )

Google+ photo

You are commenting using your Google+ account. Log Out / 更改 )

Connecting to %s

%d 博主赞过: