Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/3628287/

Time: 2020-10-25 01:46:48  Source: igfitidea

Unable to Install Certificate on Windows 7 using CertEnroll

javascript windows-7 internet-explorer-8 certificate certenroll

Asked by Cocowalla

We have an existing certificate issuing application (C#, ASP.NET, JavaScript) that issues certificates to Windows XP users using XenRoll in IE. I need to extend this to support Windows Vista and Windows 7 users, also using IE.

For Vista and 7, Microsoft replaced the XenRoll ActiveX control with the new CertEnroll control. I've got this working in Vista SP2, but in 7 I get this error at the installation step:

CertEnroll::CX509Enrollment::InstallResponse: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)

Here's a snippet of the relevant HTML & JavaScript:

<object id="classFactoryObj" classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></object>

<script type="text/javascript">
    function InstallCert() 
    {  
        try
        {
            var classFactory = document.getElementById("classFactoryObj");
            var objEnroll = classFactory.CreateObject("X509Enrollment.CX509Enrollment");

            var signedCert = '-----BEGIN CERTIFICATE-----' + 
                'REMOVED FOR BREVITY' + 
                '-----END CERTIFICATE-----';

            objEnroll.Initialize(1); // User context
            objEnroll.InstallResponse(4, signedCert, 6, ""); // AllowUntrustedRoot = 4

            alert('Certificate installed');
        }
        catch (ex)
        {
            alert('Unable to install certificate: ' + ex.description);
        }
     }

    InstallCert();
</script>

Now, it's true that the root certificate is not trusted, but I'm calling InstallResponse with the first parameter set to 4, which is supposed to allow installation even if the root certificate is not trusted. This works as advertised in Vista, but doesn't seem to in Windows 7.

I tested, and it does work if the root certificate is trusted. I'm sure someone will say it, so I'll pre-empt it - having the clients trust the root certificate is not really an option for us (we want to distribute client authentication certificates to customers, as a part of authenticating them on our network).

Am I doing something wrong here? Has anyone else got this working in Windows 7?

Answered by Cocowalla

The solution was to install hotfix KB 2078942.

Note that this hotfix does not claim to fix this issue, but it does! Rather annoying, or I would have come across it much earlier :-/

I believe this is a regression bug from Vista, as there was a hotfix for Vista to fix the exact problem I was experiencing.

A thank you and upvote goes out to Bruno for spending time yesterday trying to help me resolve this.

Answered by Bruno

I wrote this script a while ago for a demo (in conjunction with this page). It supports <keygen/> and replaces it with XEnroll or CertEnroll calls on Internet Explorer. The project has evolved a bit since, but I've just tested this branch with IE8 on Windows 7 and it worked. The CA certificate wasn't on the client machine at all. I had to lower the security settings to 'low' for it to run the ActiveX (otherwise, it wouldn't even submit the request, so even less install the certificate in the response).

If that helps, I do this:

try {
    enrollObj.InstallResponse(4, xmlHttpRequest.responseText,
            0, "");
    window.alert("A certificate has been installed.");
} catch (e1) {
    try {
        enrollObj.InstallResponse(0,
                xmlHttpRequest.responseText, 0, "");
        window.alert("A certificate has been installed.");
    } catch (e2) {
        window.alert("You're probably using Vista without SP1 or above, in which case you need to add the certificate of this authority as a trusted root certificate.");
    }
}

I must admit I didn't test which of these two cases was used (as it's the same alert message).
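Added example (not code from either poster): a wrapper around the same `InstallResponse` fallback that records which restriction flag succeeded and decodes the signed error number into the HRESULT shown in the question. The helper names and the mock enrollment object are hypothetical and constructed so the logic runs outside IE; the flag and encoding values are those of the CertEnroll enumerations, and encoding 6 follows the question's call.

```javascript
// Added example. Enum values come from the CertEnroll InstallResponseRestrictionFlags
// and EncodingType enumerations; helper and mock names are hypothetical.
var AllowNone = 0, AllowUntrustedRoot = 4;
var XCN_CRYPT_STRING_BASE64_ANY = 6;
var KNOWN_HRESULTS = { "0x800B0109": "CERT_E_UNTRUSTEDROOT" };

// JScript exposes HRESULTs as signed 32-bit numbers (ex.number);
// convert to the unsigned hex form used in error messages and logs.
function hresultToHex(n) {
    var hex = (n >>> 0).toString(16).toUpperCase();
    while (hex.length < 8) { hex = "0" + hex; }
    return "0x" + hex;
}

// Try each restriction flag in order; report which one succeeded,
// or every failure together with its decoded HRESULT.
function installWithFallback(enrollObj, response, flagsToTry) {
    var failures = [];
    for (var i = 0; i < flagsToTry.length; i++) {
        try {
            enrollObj.InstallResponse(flagsToTry[i], response, XCN_CRYPT_STRING_BASE64_ANY, "");
            return { installed: true, flagUsed: flagsToTry[i], failures: failures };
        } catch (ex) {
            var hex = hresultToHex(ex.number);
            failures.push({ flag: flagsToTry[i], hresult: hex, name: KNOWN_HRESULTS[hex] || "unknown" });
        }
    }
    return { installed: false, flagUsed: null, failures: failures };
}

// Constructed stand-in for CX509Enrollment so the logic can run outside IE.
// honoursFlag=false models the behaviour reported in the question (flag 4 ignored).
function makeMockEnroll(rootTrusted, honoursFlag) {
    return {
        InstallResponse: function (flags) {
            var allowed = rootTrusted || (honoursFlag && (flags & AllowUntrustedRoot) !== 0);
            if (!allowed) {
                var err = new Error("root certificate not trusted");
                err.number = -2146762487; // value from the error message in the question
                throw err;
            }
        }
    };
}

var SAMPLE = "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"; // constructed placeholder
```

Logging `flagUsed` and the `failures` list on the issuing side shows whether clients are installing through the untrusted-root path or only succeed once the root is trusted.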
