Luca Vanuzzo #1
Help for ActiveX
I have created an ActiveX control for use on a web application for an
intranet. Do I still have to pay for a Certification Authority to sign my
ActiveX control for download to IE, when it is only for use on an intranet?
I want to eliminate the constant message box saying the ActiveX control is
unsafe. If this can be done using the makecert and signcode commands, what
is the proper way to use those statements to get it to work?
Thanks,
Luca
Luca Vanuzzo Guest
-
Yan-Hong Huang[MSFT] #2
RE: Help for ActiveX
Hello Luca,
Thanks for posting in the group.
According to the description, now you are developing an ActiveX control for
use on a web application in Intranet. You want to know
1) Is it possible to create a certificate by yourself so that you don't need
to pay commercial CAs for it?
2) If yes, how to do that?
Based on my experience, before you purchase a certificate for your
control's .cab file from a vendor, you can use the test certificate
provided by Microsoft for verification purposes. The following KB article
has detailed steps on it:
"Packaging ActiveX Controls"
http://msdn.microsoft.com/workshop/components/activex/packaging.asp?frame=true#Cabinet_Files
However, when the ActiveX control passes test and is ready to be used, I
suggest you sign it with some commercial CAs such as
http://www.verisign.com/. So this control can be trusted worldwide.
I understand your concern is that this control may be used in your
company only. If so, you can try installing a certificate service on one
server of the domain. Then issue the root certificate to every client machine.
After that, if you sign the control by the certificates issued by your
local certificate service, they can be trusted by client machines. For more
information on it, please refer to:
"The Microsoft Internet Security Framework: Technology for Secure
Communication, Access Control, and Commerce"
http://msdn.microsoft.com/library/en-us/dnsecure/html/msdn_misf.asp?frame=true
"HOWTO: Set Up Test Certificates for SSL/TLS Application Development"
http://support.microsoft.com/?id=288897
"ActiveX Error Messages Using Certificate Enrollment Web Pages to Enroll a
Smart Card in Internet Explorer"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;330211
"HOW TO: How to Install/Uninstall a Public Key Certificate Authority for
Windows 2000"
http://support.microsoft.com/?id=231881
Does that answer your question?
Best regards,
Yanhong Huang
Microsoft Community Support
Get Secure! – www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
Yan-Hong Huang[MSFT] Guest
-
Luca Vanuzzo #3
Re: Help for ActiveX
Hi YanHong,
Thank you for your answer.
I installed a CA on a Windows 2000 server.
I tried to create a certificate with an exportable private key. When I tried
to sign my ActiveX control
(I tried directly with the ocx) I had the following error:
Error: The software publishing certificate and private key do not match or
do not contain valid information.
Error: Signing Failed. Result = 80092009, (-2146885623)
What exactly are the parameters for certificate generation? The signcode tool
needs to have the .spc and
the private key.
Thank you,
Luca
Luca Vanuzzo Guest
-
Yan-Hong Huang[MSFT] #4
Re: Help for ActiveX
Hello Luca,
Thanks for your update. The detailed steps of creating and signing are:
// 1. Make a self-signed certificate called sign.cer.
MakeCert -sv sign.pvk -r -n "CN=THIS IS A TEST OF MAKECTL" sign.cer
// Make an SPC file using Cert2SPC.
Cert2SPC sign.cer sign.spc
// 2. Make another self-signed certificate called test.cer.
MakeCert -sv test.pvk -r -n "CN=THIS IS MY TEST CERT" test.cer
// Make an SPC file using Cert2SPC.
Cert2SPC test.cer test.spc
// 3. Make a test.ctl from test.cer.
MakeCTL test.cer test.ctl
// 4. Sign test.ctl with the sign.pvk and sign.spc made in step 1.
SignCode -v sign.pvk -spc sign.spc test.ctl
// 5. Move test.ctl to the trust system store.
CertMgr -add -ctl test.ctl -s trust
// 6. Move sign.cer to the root system store.
CertMgr -add -c sign.cer -s root
// 7. Sign something (test.exe) with test.pvk, and test.spc.
SignCode -v test.pvk -spc test.spc test.exe
// 8. Since test.cer is in the test.ctl, ChkTrust will succeed.
ChkTrust test.exe
Please refer to this MSDN topic for details:
"Signing and Checking Code with Authenticode"
http://msdn.microsoft.com/workshop/security/authcode/signing.asp?frame=true
"Creating, Viewing, and Managing Certificates"
http://msdn.microsoft.com/library/en-us/security/Security/creating_viewing_and_managing_certificates.asp?frame=true
Hope that helps.
Best regards,
Yanhong Huang
Microsoft Community Support
Get Secure! – www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
Yan-Hong Huang[MSFT] Guest
-
Luca Vanuzzo #5
Re: Help for ActiveX
Hello Yan-Hong,
I followed all your instructions: I signed a myocx.ocx instead of test.exe and
put it into a web page, but I still have
the safe warning in IE. When I use chkTrust with myocx.ocx I have a warning
that origin authenticator is not trusted.
Have you any other idea?
Thank you,
Luca
Luca Vanuzzo Guest
-
Yan-Hong Huang[MSFT] #6
Re: Help for ActiveX
Hi Luca,
Surely you need to add trust relationship to the root certificate of your
certification server.
I am not quite familiar with this area. But you can try IE->Tools
menu->Options->Content tab->Certificates button->Trusted Root Certification
Authorities tab->Import.
Please let me know if it works for you. Thanks very much.
Best regards,
Yanhong Huang
Microsoft Community Support
Get Secure! – www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
Yan-Hong Huang[MSFT] Guest
-
Luca Vanuzzo #7
Re: Help for ActiveX
Hi Yanhong,
thanks for your help again. I imported the certificate into the trusted root
certification authorities.
Now I have no error from chktrust for my ocx, but I have again the error
when I load my page with the ocx.
Have you any other idea?
Thank you very much,
Luca
Luca Vanuzzo Guest
-
Yan-Hong Huang[MSFT] #8
Re: Help for ActiveX
Hello Luca,
Thanks for the quick update.
What is the error message that you got?
Also, what is the security setting of your IE? Please go to IE tools
menu->Internet Options->Security tab->ActiveX controls and plug-ins. What
is the setting of these two items? (Download signed ActiveX control,
Download unsigned ActiveX control). If it is prompt for item 1, then a
dialog box should be launched when you download this control in IE. Please
set item 1 to Enable to see if you still meet this problem. For item 2, that
is for non-signed ActiveX controls, so we can just leave it there since it
is not related to this problem.
Thanks.
Best regards,
Yanhong Huang
Microsoft Community Support
Get Secure! – www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
Yan-Hong Huang[MSFT] Guest
-
Luca Vanuzzo #9
Re: Help for ActiveX
Hi YanHong,
I did some tests on the security configuration. I have no error only if I
activate the execution of not safe
ActiveX for local intranet. It seems that myocx.ocx is not safe, but
chktrust does not give me errors now.
Have you any other suggestion?
Thanks again,
Luca
Luca Vanuzzo Guest
-
Yan-Hong Huang[MSFT] #10
Re: Help for ActiveX
Hi Luca,
In the article "Using Digital Certificates",
http://www.microsoft.com/windows/ie/using/howto/digitalcert/using.asp
we can see one part named "Adding Trusted Publishers and Credentials
Agencies", please add your certificate to this tab in IE settings. Active
content that is digitally signed by trusted publishers or credentials
agencies with a valid certificate will download without user intervention,
unless downloading active content is disabled in the settings for a
specific security zone.
For detailed steps, we may also refer to KB article:
"How to Sign IEAK Files Using Microsoft Certificate Server"
http://support.microsoft.com/?id=193038
Thanks.
Best regards,
Yanhong Huang
Microsoft Community Support
Get Secure! – www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
Yan-Hong Huang[MSFT] Guest
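The signing and trust steps from posts #4, #6 and #10, as an added example that is not part of the original thread: it swaps the MakeCert/SignCode/ChkTrust tools for the PowerShell PKI and Authenticode cmdlets on current Windows, and checks the signature before and after the root is trusted. The subject names, the `C:\build\myocx.ocx` path and the `example-*.cer` file names are placeholders.

```powershell
# Added example. Subject names, file names and $file are placeholders.
$ErrorActionPreference = 'Stop'
$file = 'C:\build\myocx.ocx'            # placeholder: the control to sign
$my   = 'Cert:\CurrentUser\My'

# Test root (the role sign.cer or the intranet CA root plays in the thread).
$root = New-SelfSignedCertificate -Subject 'CN=Example Intranet Test Root' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -TextExtension @('2.5.29.19={critical}{text}ca=1') `
    -CertStoreLocation $my

# Code-signing certificate issued by that root (the role of test.cer).
$signer = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Intranet Publisher' -Signer $root `
    -CertStoreLocation $my

# Sign with the certificate object; its private key is looked up in the store,
# so no separate .spc and .pvk files have to be kept in step.
Set-AuthenticodeSignature -FilePath $file -Certificate $signer | Out-Null

function Show-SignatureStatus([string]$Label) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    '{0,-22} {1}: {2}' -f $Label, $sig.Status, $sig.StatusMessage
}

# Check 1: the chain builds, but ends in a root this machine does not trust.
Show-SignatureStatus 'before root import'

# Export only the public certificates; the private keys never leave the store.
Export-Certificate -Cert $root   -FilePath .\example-root.cer      | Out-Null
Export-Certificate -Cert $signer -FilePath .\example-publisher.cer | Out-Null

# Post #6: trust the root. CurrentUser\Root asks for confirmation;
# LocalMachine\Root needs an elevated session.
Import-Certificate -FilePath .\example-root.cer `
    -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# Post #10: list the signer as a trusted publisher.
Import-Certificate -FilePath .\example-publisher.cer `
    -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# Check 2: same file, same signature, re-evaluated against the updated stores.
Show-SignatureStatus 'after root import'
```

Get-AuthenticodeSignature evaluates the signature and certificate chain only; the IE security-zone settings discussed in post #8 are applied separately by the browser.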
-
Yan-Hong Huang[MSFT] #11
Re: Help for ActiveX
Hello Luca,
Is the problem resolved? Have you successfully invoked the ActiveX control
without the warning message box? If there are any more questions, please feel
free to post here.
Best regards,
Yanhong Huang
Microsoft Community Support
Get Secure! – www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
Yan-Hong Huang[MSFT] Guest




