HighTechTalks DotNet Forums  

How to interface to Certificate Authority from C#

Dotnet Security microsoft.public.dotnet.security


#1
Redpay
How to interface to Certificate Authority from C# - 11-29-2007, 05:44 AM






Hi,

I am looking for suggestions / best practices for creating a C# client
application that can communicate with a Microsoft Certificate Authority
running on a Windows 2003 server. The application would like to submit
PKCS#10 certificate signing requests and recover the issued certificates in
PKCS#7 format.

Thank you in advance for any suggestions.

Richard




#2
Dominick Baier
Re: How to interface to Certificate Authority from C# - 11-29-2007, 05:55 AM






There is a COM component called xenroll.dll - this is what the Windows CA
ASP pages use. Not the nicest interface - but that's "the" way of doing it.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

#3
Redpay
Re: How to interface to Certificate Authority from C# - 11-29-2007, 07:36 AM



Dear Dominick Baier.

Thank you very much for taking the time to suggest xenroll. My initial
question was not clear, so let me elaborate a little more.

I am looking for suggestions on how to submit the PKCS#10 string returned
from Xenroll's "ICEnroll4::createPKCS10" method to a Microsoft CA and
retrieve the PKCS#7 result. We also need to retrieve CRLs from the CA, get a
list of issued certs, etc...

We use xenroll on the client machine to generate the PKCS#10 request as a
string response and to import the PKCS#7 returned from a CA.

This client PC where Xenroll runs has no direct network connectivity to the
Microsoft Server hosting the CA. Rather, the PKCS#10 request is communicated
via a message queue to a remote Registration Authority (RA) who is expected
to submit the PKCS#10 to a CA via a network connection local to the RA. The
RA must then return the PKCS#7 response from the RA back via the message
queues where it would be installed on the client using xenroll.

I suspect that I need to use the following interfaces,
ICertRequest2::GetCACertificate and members from ICertAdmin2

Header: Declared in Certcli.h; include Certsrv.h.
Library: Use Certidl.lib.
DLL: Requires Certcli.dll.
IID: IID_ICertRequest2 is defined as A4772988-4A85-4FA9-824E-B5CF5C16405A.

Was wondering if anyone else has tried this or something similar.

Regards
Richard






#4
Dominick Baier
Re: How to interface to Certificate Authority from C# - 11-29-2007, 08:32 AM



Well -

I don't know exactly how it works - but I would have a look at how the CA webpage
does it when you use the "send PKCS#10 request" option.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
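
Added example, not posted by anyone in the thread: the RA-side step described in post #3, submitting a base64 PKCS#10 through the ICertRequest COM interface from certcli.dll and reading back the PKCS#7 with the chain. The CA config string, the empty attribute string and the file argument are assumptions; it has to run on a Windows machine where certcli.dll is registered and that can reach the CA.

```csharp
using System;
using System.IO;

// Added example, not code from the thread. Runs on the RA, which can reach the CA.
static class RaSubmit
{
    // Values from certcli.h
    const int CR_IN_BASE64 = 0x1;        // request is base64 without BEGIN/END lines
    const int CR_IN_PKCS10 = 0x100;      // request is a PKCS#10
    const int CR_OUT_BASE64 = 0x1;       // return base64 without BEGIN/END lines
    const int CR_OUT_CHAIN = 0x100;      // return a PKCS#7 with the full chain
    const int CR_DISP_ISSUED = 3;
    const int CR_DISP_UNDER_SUBMISSION = 5;

    // Submits the request; returns the PKCS#7, or null if the CA left it pending.
    static string Submit(string caConfig, string pkcs10, string attributes, out int requestId)
    {
        // Late-bound CCertRequest (ICertRequest) from certcli.dll.
        Type type = Type.GetTypeFromProgID("CertificateAuthority.Request", true);
        dynamic request = Activator.CreateInstance(type);

        int disposition = request.Submit(CR_IN_BASE64 | CR_IN_PKCS10, pkcs10, attributes, caConfig);
        requestId = request.GetRequestId();
        if (disposition == CR_DISP_ISSUED)
            return request.GetCertificate(CR_OUT_BASE64 | CR_OUT_CHAIN);
        if (disposition == CR_DISP_UNDER_SUBMISSION)
            return null; // a CA manager must approve; poll later with RetrievePending
        string reason = request.GetDispositionMessage();
        throw new InvalidOperationException("CA disposition " + disposition + ": " + reason);
    }

    static void Main(string[] args)
    {
        // Assumptions: args[0] is the CA config string "<ca-host>\<CA name>",
        // args[1] is a file holding the base64 PKCS#10 taken off the message queue.
        string pkcs10 = File.ReadAllText(args[1]);
        // Assumption: empty attributes (stand-alone CA); an enterprise CA expects
        // a "CertificateTemplate:<name>" attribute here.
        int id;
        string pkcs7 = Submit(args[0], pkcs10, "", out id);
        Console.WriteLine(pkcs7 ?? "Request " + id + " is pending approval.");
    }
}
```

The request id is worth sending back over the queue together with the result, so a pending request can be matched to its later answer.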
