1

我们有一个流程,我们的客户通过 CertEnroll 注册 X509 客户端证书。它可以工作,但现在我们的一位客户喜欢增加一层额外的安全性,所以我们在证书中添加了密码。创建证书时会要求用户输入密码,然后每次使用证书时都需要使用密码。它在 Windows 7 中双向工作,但在 Windows 8.1 / 10 中,浏览器都是 IE 11。在 Windows 8.1 / 10 中,当用户申请证书时要求输入密码,但是当证书将被使用时,密码不要求。

希望有人知道这里发生了什么。这是创建证书请求的 javascript。

function doSubmit() {
    var PublicKeyInfo =''
    var request;
    request = document.forms(0)

    //
    // other stuff
    //
       try {
        // Variables
        var objCSP = request.Enroll.CreateObject("X509Enrollment.CCspInformation");
        var objCSPs = request.Enroll.CreateObject("X509Enrollment.CCspInformations");
        var objPrivateKey = request.Enroll.CreateObject("X509Enrollment.CX509PrivateKey");
        var objRequest = request.Enroll.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
        var objObjectIds = request.Enroll.CreateObject("X509Enrollment.CObjectIds");
        var objObjectId = request.Enroll.CreateObject("X509Enrollment.CObjectId");
        var objX509ExtensionEnhancedKeyUsage = request.Enroll.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
        var objExtensionTemplate = request.Enroll.CreateObject("X509Enrollment.CX509ExtensionTemplateName")
        var objDn = request.Enroll.CreateObject("X509Enrollment.CX500DistinguishedName")
        var objEnroll = request.Enroll.CreateObject("X509Enrollment.CX509Enrollment")

        //  Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
        objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");

        //  Add this CSP object to the CSP collection object
        objCSPs.Add(objCSP);

        objPrivateKey.Length = "2048"; 
        objPrivateKey.KeySpec = 1; 
        //objPrivateKey.ExportPolicy = 1; // Possible to export PrivateKey
        //Force password when request for cert and password when cert is used
        objPrivateKey.KeyProtection = 2; // XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG

        //  Provide the CSP collection object (in this case containing only 1 CSP object)
        //  to the private key object
        objPrivateKey.CspInformations = objCSPs;

        // Initialize P10 based on private key
        objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1

        // 1.3.6.1.5.5.7.3.2 Oid - Extension
        objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        objObjectIds.Add(objObjectId);
        objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
        objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);
        objDn.Encode("CN=xxxxxx", 0); // XCN_CERT_NAME_STR_NONE = 0
        objRequest.Subject = objDn;

        // Enroll
        objEnroll.InitializeFromRequest(objRequest);
        var pkcs10 = objEnroll.CreateRequest(3); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3

        request.PublicKeyInfo.value = pkcs10
      } catch (ex) {
        alert( ex.description + "\n" + ex.error );
        return false;
      }
    request.submit()    
}
4

1 回答 1

0

问题解决了。在安装颁发的证书时,如果我将它们安装为“本地计算机”,则它不起作用,但如果安装为“当前用户”,它也适用于 W8.1 / W10。

于 2018-03-21T10:45:57.327 回答