Hello everyone,

I have the following problem - I'm receiving a message signed/encrypted with
a certificate on the client, which does not have the certificate's issuer in
the local machine trusted root CA store.

I would like the user to decide whether to accept a message signed by an
untrusted certificate, but I need to add the issuer of this certificate to
the trusted root CA store to get the message processed.

How can I get the issuer of a certificate on the client? Would I have to
download it from the server instead?

Any suggestions are appreciated.

Kiril

Re: CAPICOM, getting issuer certificate by Jerry

Jerry
Tue Jun 08 12:12:18 CDT 2004

Hi Kiril,

I'm adding the new crypto newsgroup to the post as it is the best place for
this type of question.
--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.



Re: CAPICOM, getting issuer certificate by Shawn

Shawn
Mon Jun 14 13:19:35 CDT 2004

For signed messages, when using the SignedData.Verify method, pass in
CAPICOM_VERIFY_SIGNATURE_ONLY as the VerifyFlag to bypass the Certificate
validity checks. For encrypted messages, the user should already trust the
root, as it issued a cert that they have in their store. Only a machine admin
can add certs to the trusted root store on the machine, so unless the certs
were pushed down by group policy or the user was a local admin, ignoring
the validity check is the best way to do this. A good solution may be to run
the Verify with the cert validity check first and, if it fails, ask if
the user wants to trust the cert anyway and run it again without the check.

--
Thanks,
Shawn

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
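
The two-pass verification suggested above, as an added VBScript example (not code from the thread or from Microsoft). It checks the signature alone before prompting, so a tampered message never reaches the user, and it shows the signer's details so the decision is made per message without touching the trusted root store. The function name AcceptSignedMessage and the prompt text are hypothetical; signedMessage is assumed to be a non-detached SignedData blob supplied by the caller.

```vbscript
Option Explicit

' VerifyFlag values defined by CAPICOM.
Const CAPICOM_VERIFY_SIGNATURE_ONLY = 0
Const CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE = 1

' Hypothetical helper: returns True when the message may be processed and
' places the signed content in the ByRef argument.
Function AcceptSignedMessage(signedMessage, ByRef content)
    Dim sd, signer, cert, prompt
    AcceptSignedMessage = False
    Set sd = CreateObject("CAPICOM.SignedData")

    ' Pass 1: the signature and the signer's certificate chain must validate.
    On Error Resume Next
    sd.Verify signedMessage, False, CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE
    If Err.Number = 0 Then
        On Error GoTo 0
        content = sd.Content
        AcceptSignedMessage = True
        Exit Function
    End If
    Err.Clear

    ' Pass 2: signature only. A failure here means the data does not match
    ' the signature, so the message is rejected without asking the user.
    sd.Verify signedMessage, False, CAPICOM_VERIFY_SIGNATURE_ONLY
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    ' The signature is intact but the signer is not trusted: show who signed.
    prompt = "The signer's certificate could not be validated." & vbCrLf
    For Each signer In sd.Signers
        Set cert = signer.Certificate
        prompt = prompt & vbCrLf & "Subject: " & cert.SubjectName & vbCrLf & _
                 "Issuer: " & cert.IssuerName & vbCrLf & _
                 "Thumbprint: " & cert.Thumbprint & vbCrLf
    Next
    prompt = prompt & vbCrLf & "Accept this message anyway?"
    If MsgBox(prompt, vbYesNo + vbExclamation + vbDefaultButton2, _
              "Untrusted signer") = vbYes Then
        content = sd.Content
        AcceptSignedMessage = True
    End If
End Function
```

The prompt defaults to "No", and the thumbprint gives the user something to compare against a value obtained from the sender through another channel.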

