How to configure private key settings for Internet Explorer on Microsoft Vista
Originally Published: 2007-08-01
Applies To
Microsoft Windows Vista
Microsoft Internet Explorer
Issue
Resolution
Here are the steps for exposing the Protect Private Key option on the enrollment page so that the generated private key can be additionally protected:
End-Entity Enrollment:
==============
1. Open the file <INSTALL-DIR>/WebServer/enroll-server/request-msie.xuda and uncomment the following lines by removing the <!-- and --> markers. Once these lines are uncommented, the enrollment page shows a "Protect private key" list box.
<!--
<TR>
<TD BGCOLOR="#D0D0D0" ALIGN="right">Protect private key <FONT SIZE="-2">(2)</FONT>:</TD>
<TD BGCOLOR="#E0E0E0"><SELECT NAME="USERPROTECT"><OPTION VALUE="1">Yes</OPTION><OPTION VALUE="0" SELECTED>No</OPTION></SELECT></TD>
</TR>
-->
<!--
<P><FONT SIZE="-2">Note (2): If this option is checked, the private key will be additionally protected. The precise behavior of this additional protection depends on the Cryptographic service provider you've chosen.</FONT></P>
-->
2. Now open the file <INSTALL-DIR>/WebServer/enroll-server/icontrol.vbs and uncomment the following lines by removing the Rem prefix.
2a) For enrollment from Internet Explorer on Microsoft Windows Vista:
' Added for private key export and protection
Rem Err.clear
Rem Set presence = document.ReqForm.USERPROTECT
Rem If Err.Number = 0 Then
Rem     If presence.value = 1 Then
Rem         objPrivateKey.KeyProtection = 1
Rem     Else
            If productTag = "OneStep" Then
                objPrivateKey.ExportPolicy = 1
            Else
                objPrivateKey.ExportPolicy = 1
                i = document.all.RequestKeySize.options.selectedIndex
                objPrivateKey.Length = document.all.RequestKeySize.options(i).value
            End If
Rem     End If
Rem End If
2b) For enrollment from Internet Explorer on Windows versions other than Vista:
Rem Err.Clear
Rem Set presence = document.ReqForm.USERPROTECT
Rem If Err.Number = 0 Then
Rem     If presence.value = 1 Then
Rem         IControl.GenKeyFlags = 2
Rem     Else
            If productTag = "OneStep" Then
                IControl.GenKeyFlags = 1
            Else
                i = document.all.RequestKeySize.options.selectedIndex
                If document.all.RequestKeySize.options(i).value = 1024 Then
                    IControl.GenKeyFlags = &H4000000 + 1
                Else
                    IControl.GenKeyFlags = &H8000000 + 1
                End If
            End If
Rem     End If
Rem End If
These are all the lines that need to be uncommented for the Protect Private Key option to be visible and take effect in End-Entity enrollment.
One-Step Enrollment:
==============
Open the file <INSTALL-DIR>/WebServer/OneStep/htmldocs/icontrol.vbs and uncomment the following lines by removing the Rem prefix.
1. For enrollment from Internet Explorer on Microsoft Windows Vista:
' Added for private key export and protection
Rem Err.clear
Rem Set presence = document.ReqForm.USERPROTECT
Rem If Err.Number = 0 Then
Rem     If presence.value = 1 Then
Rem         objPrivateKey.KeyProtection = 1
Rem     Else
            If productTag = "OneStep" Then
                objPrivateKey.ExportPolicy = 1
            Else
                objPrivateKey.ExportPolicy = 1
                i = document.all.RequestKeySize.options.selectedIndex
                objPrivateKey.Length = document.all.RequestKeySize.options(i).value
            End If
Rem     End If
Rem End If
2. For enrollment from Internet Explorer on Windows versions other than Vista:
Rem Err.Clear
Rem Set presence = document.ReqForm.USERPROTECT
Rem If Err.Number = 0 Then
Rem     If presence.value = 1 Then
Rem         IControl.GenKeyFlags = 2
Rem     Else
            If productTag = "OneStep" Then
                IControl.GenKeyFlags = 1
            Else
                i = document.all.RequestKeySize.options.selectedIndex
                If document.all.RequestKeySize.options(i).value = 1024 Then
                    IControl.GenKeyFlags = &H4000000 + 1
                Else
                    IControl.GenKeyFlags = &H8000000 + 1
                End If
            End If
Rem     End If
Rem End If
These are all the lines that need to be uncommented to protect the private key in One-Step enrollment.
Notes
To make the key exportable and also prompt for high-level security for all jurisdictions, change the line in icontrol.vbs to IControl.GenKeyFlags = &H4000000 + 3
CERTMGR-3722
CERTMGR-3800
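The GenKeyFlags values used on the non-Vista path (&H4000000 + 1, &H8000000 + 1, 2, and the &H4000000 + 3 from the Notes) are easier to audit once they are split into their parts: Xenroll passes GenKeyFlags through to CryptGenKey, whose upper 16 bits carry the key length and whose low bits carry CRYPT_EXPORTABLE (1) and CRYPT_USER_PROTECTED (2). The following Python is an added example and not code from the article or from the product; it decodes and builds such values and models what the uncommented non-Vista branch assigns for a given USERPROTECT choice, productTag and RequestKeySize. The function names and the sample form inputs are this example's own.

```python
# Added example (not part of the original article): decode and build the
# Xenroll GenKeyFlags values used in icontrol.vbs for the non-Vista path.
# GenKeyFlags maps to CryptGenKey's dwFlags: low 16 bits hold CRYPT_* option
# bits, upper 16 bits hold the requested key length in bits.
CRYPT_EXPORTABLE = 0x1       # key may be exported from the CSP
CRYPT_USER_PROTECTED = 0x2   # CSP shows the user a protection (security level) prompt


def decode_genkeyflags(flags: int) -> dict:
    """Split a GenKeyFlags value into key length and option bits."""
    return {
        "key_length": flags >> 16,            # 0 means the CSP default length
        "exportable": bool(flags & CRYPT_EXPORTABLE),
        "user_protected": bool(flags & CRYPT_USER_PROTECTED),
    }


def encode_genkeyflags(key_length: int, exportable: bool, user_protected: bool) -> int:
    """Build a GenKeyFlags value the way the article's VBScript does (e.g. &H4000000 + 1)."""
    if key_length < 0 or key_length > 0xFFFF:
        raise ValueError("key length must fit in the upper 16 bits")
    flags = key_length << 16
    if exportable:
        flags |= CRYPT_EXPORTABLE
    if user_protected:
        flags |= CRYPT_USER_PROTECTED
    return flags


def genkeyflags_from_form(userprotect: str, product_tag: str, request_key_size: int) -> int:
    """Model (hypothetical helper) of the uncommented non-Vista branch: the value
    IControl.GenKeyFlags receives for the given USERPROTECT, productTag and
    RequestKeySize selection. Each return mirrors one line of the VBScript."""
    if userprotect == "1":
        return 2                       # IControl.GenKeyFlags = 2
    if product_tag == "OneStep":
        return 1                       # IControl.GenKeyFlags = 1
    if request_key_size == 1024:
        return 0x4000000 + 1           # IControl.GenKeyFlags = &H4000000 + 1
    return 0x8000000 + 1               # IControl.GenKeyFlags = &H8000000 + 1


def describe(flags: int) -> str:
    """Human-readable summary of a GenKeyFlags value."""
    d = decode_genkeyflags(flags)
    length = d["key_length"] or "CSP default"
    return (f"GenKeyFlags={flags:#x}: key length {length}, "
            f"exportable={d['exportable']}, user protected={d['user_protected']}")


if __name__ == "__main__":
    # Constructed sample form inputs: (USERPROTECT, productTag, RequestKeySize)
    samples = [("0", "EndEntity", 1024), ("0", "EndEntity", 2048),
               ("0", "OneStep", 2048), ("1", "EndEntity", 2048)]
    for userprotect, tag, size in samples:
        print(userprotect, tag, size, "->", describe(genkeyflags_from_form(userprotect, tag, size)))
    # The value suggested in the article's Notes section:
    print("Notes value ->", describe(0x4000000 + 3))
```

Running it shows the point of the Notes: choosing "Yes" for Protect private key on the non-Vista path yields GenKeyFlags = 2, which requests the user prompt but drops both the exportable bit and the key length selected on the form, whereas &H4000000 + 3 keeps a 1024-bit, exportable key and adds the prompt.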