Help for ActiveX

 
 
Luca Vanuzzo
02-16-2004
I have created an ActiveX control for use on a web application for an
intranet. Do I still have to pay for a Certification Authority to sign my
ActiveX control for download to IE, when it is only for use on an intranet?
I want to eliminate the constant message box saying the ActiveX control is
unsafe. If this can be done using the makecert and signcode commands, what
is the proper way to use those statements to get it to work?

Thanks,

Luca


 
Yan-Hong Huang[MSFT]
02-17-2004
Hello Luca,

Thanks for posting in the group.

According to the description, now you are developing an ActiveX control for
use on a web application in Intranet. You want to know
1) Is it possible to create a certificate by yourself so that you don't need
to pay commercial CAs for it?
2) If yes, how to do that?

Based on my experience, before you purchase a certificate for your
control's .cab file from a vendor, you can use the test certificate
provided by Microsoft for verification purposes. The following KB article
has detailed steps on it:
"Packaging ActiveX Controls"
http://msdn.microsoft.com/workshop/c...g.asp?frame=true#Cabinet_Files

However, when the ActiveX control passes test and is ready to be used, I
suggest you sign it with some commercial CAs such as
http://www.verisign.com/. So this control can be trusted worldwide.

I understand your concern is that this control may be used in your
company only. If so, you can try installing a certificate service on one
server of the domain. Then issue the root certificate to every client machine.
After that, if you sign the control with the certificates issued by your
local certificate service, they can be trusted by client machines. For more
information on it, please refer to:

"The Microsoft Internet Security Framework: Technology for Secure
Communication, Access Control, and Commerce"
http://msdn.microsoft.com/library/en...f.asp?frame=true

"HOWTO: Set Up Test Certificates for SSL/TLS Application Development"
http://support.microsoft.com/?id=288897

"ActiveX Error Messages Using Certificate Enrollment Web Pages to Enroll a
Smart Card in Internet Explorer"
http://support.microsoft.com/default...b;EN-US;330211

"HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
Windows 2000"
http://support.microsoft.com/?id=231881

Does that answer your question?

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 
Luca Vanuzzo
02-17-2004
Hi YanHong,

Thank you for your answer.
I installed a CA on a Windows 2000 server.
I tried to create a certificate with an exportable private key. When I tried
to sign my ActiveX control
(I tried directly with the ocx) I had the following error:

Error: The software publishing certificate and private key do not match or
do not contain valid information.
Error: Signing Failed. Result = 80092009, (-2146885623)

What exactly are the parameters for certificate generation? The signcode tool
needs to have the .spc and
the private key.

Thank you,

Luca


 
Yan-Hong Huang[MSFT]
02-18-2004
Hello Luca,

Thanks for your update. The detailed steps of creating and signing are:

REM 1. Make a self-signed certificate called sign.cer.
MakeCert -sv sign.pvk -r -n "CN=THIS IS A TEST OF MAKECTL" sign.cer
REM Make an SPC file using Cert2SPC.
Cert2SPC sign.cer sign.spc

REM 2. Make another self-signed certificate called test.cer.
MakeCert -sv test.pvk -r -n "CN=THIS IS MY TEST CERT" test.cer
REM Make an SPC file using Cert2SPC.
Cert2SPC test.cer test.spc

REM 3. Make a test.ctl from test.cer.
MakeCTL test.cer test.ctl

REM 4. Sign test.ctl with the sign.pvk and sign.spc made in step 1.
SignCode -v sign.pvk -spc sign.spc test.ctl

REM 5. Move test.ctl to the trust system store.
CertMgr -add -ctl test.ctl -s trust

REM 6. Move sign.cer to the root system store.
CertMgr -add -c sign.cer -s root

REM 7. Sign something (test.exe) with test.pvk, and test.spc.
SignCode -v test.pvk -spc test.spc test.exe

REM 8. Since test.cer is in the test.ctl, ChkTrust will succeed.
ChkTrust test.exe

Please refer to these MSDN topics for details:

"Signing and Checking Code with Authenticode"
http://msdn.microsoft.com/workshop/s...asp?frame=true

"Creating, Viewing, and Managing Certificates"
http://msdn.microsoft.com/library/en...ting_viewing_and_managing_certificates.asp?frame=true

Hope that helps.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 
Luca Vanuzzo
02-18-2004
Hello Yan-Hong,

I followed all your instructions: I signed myocx.ocx instead of test.exe and
put it into a web page, but I still have
the safety warning in IE. When I use chkTrust with myocx.ocx I have a warning
that the origin authenticator is not trusted.
Have you any other idea?

Thank you,

Luca



 
Yan-Hong Huang[MSFT]
02-18-2004
Hi Luca,

Surely you need to add a trust relationship to the root certificate of your
certification server.

I am not quite familiar with this area. But you can try IE->Tools
menu->Options->Content tab->Certificates button->Trusted Root Certification
Authorities tab->Import.

Please let me know if it works for you. Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 
Luca Vanuzzo
02-18-2004
Hi Yanhong,

Thanks for your help again. I imported the certificate into the trusted root
certification authorities.
Now I have no error from chktrust for my ocx, but I again have the error
when I load my page with the ocx.
Have you any other idea?

Thank you very much,

Luca



 
Yan-Hong Huang[MSFT]
02-19-2004
Hello Luca,

Thanks for the quick update.

What is the error message that you got?

Also, what is the security setting of your IE? Please go to IE tools
menu->Internet Options->Security tab->ActiveX controls and plug-ins. What
is the setting of these two items? (Download signed ActiveX control,
Download unsigned ActiveX control). If it is prompt for item 1, then a
dialog box should be launched when you download this control in IE. Please
set item 1 to Enable to see if you still meet this problem. For item 2, that
is for non-signed ActiveX controls, so we can just leave it there since it
is not related to this problem.

Thanks.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 
Luca Vanuzzo
02-19-2004
Hi YanHong,

I did some tests on the security configuration. I have no error only if I
activate the execution of not-safe
ActiveX for the local intranet. It seems that myocx.ocx is not safe, but
chktrust does not give me errors now.
Have you any other suggestion?

Thanks again,

Luca



 
Yan-Hong Huang[MSFT]
02-20-2004
Hi Luca,

In the article "Using Digital Certificates",
http://www.microsoft.com/windows/ie/...cert/using.asp

we can see one part named "Adding Trusted Publishers and Credentials
Agencies", please add your certificate to this tab in IE settings. Active
content that is digitally signed by trusted publishers or credentials
agencies with a valid certificate will download without user intervention,
unless downloading active content is disabled in the settings for a
specific security zone.

For detailed steps, we may also refer to KB article:
"How to Sign IEAK Files Using Microsoft Certificate Server"
http://support.microsoft.com/?id=193038

Thanks.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
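
The following PowerShell script is an added example, not part of the thread and not Microsoft's code. It reports on a client machine the three things the posts above treat separately: whether the file's Authenticode signature verifies, whether its certificate chain ends in a root held in Trusted Root Certification Authorities, and whether the signing certificate is in Trusted Publishers. The default path .\myocx.ocx is an assumption based on the file name used in the thread.

```powershell
# Added example: report the signing and trust state of a signed control on this client.
# Assumption: the control is at .\myocx.ocx (file name taken from the thread).
param([string]$Path = '.\myocx.ocx')

function Test-InStore {
    param([string]$Store, [string]$Thumbprint)
    # A certificate counts as present if the machine or the user store holds it.
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        if (Test-Path -Path "Cert:\$location\$Store\$Thumbprint") { return $true }
    }
    return $false
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) {
    Write-Output "$Path carries no Authenticode signature (Status: $($sig.Status))"
    return
}

# Build the chain from the signing certificate up to its root.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($sig.SignerCertificate)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    File                     = $Path
    SignatureStatus          = $sig.Status   # Valid, NotTrusted, HashMismatch, ...
    Signer                   = $sig.SignerCertificate.Subject
    ChainBuilds              = $chainOk
    ChainProblems            = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Root                     = $root.Subject
    RootInTrustedRoots       = Test-InStore -Store 'Root' -Thumbprint $root.Thumbprint
    SignerInTrustedPublisher = Test-InStore -Store 'TrustedPublisher' -Thumbprint $sig.SignerCertificate.Thumbprint
} | Format-List
```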

 