Platform SDK: Certificate Enrollment Control

Receiving the Returned Certificate

When the certification authority has verified the information and is satisfied that the requester is the owner of the private key and that the data about that requester is accurate, the CA constructs an X.509 certificate, signs it, packages it with any other needed certificates (such as the CA's own certificate) in a PKCS #7 message, and sends the message to the requester.

The receiving application passes the PKCS #7 message to the Certificate Enrollment Control. The Certificate Enrollment Control opens the message and extracts the certificates, putting any self-signed certificates in the "Root" store. The rest (except for the requester's certificate) are placed in the "CA" store. The Certificate Enrollment Control then places the requester's certificate in the certificate store specified by the requester in the MyStoreName property. Because a self-signed certificate placed in the "Root" store becomes a trust anchor for the user, the application should pass to the control only a message it obtained from the CA to which the request was actually submitted.
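
The following is an added example, not part of this page or of the Certificate Enrollment Control, written in Go so that it runs without Windows or xenroll.dll. It constructs a three-certificate chain (Example Root, Example Issuing CA, requester), wraps it in a certs-only PKCS #7 SignedData message of the kind a CA returns, and then sorts the certificates the way the control does: a certificate whose subject equals its issuer and whose signature verifies under its own key goes to the Root store, the certificate whose public key matches the one in the original PKCS #10 request goes to the requester's store, and everything else goes to the CA store. The names, the functions SortReturnedCertificates and BuildSampleResponse, and the ECDSA P-256 keys are the example's own assumptions; the control's real implementation is not shown here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// PKCS #7 ContentInfo and SignedData, reduced to what a certs-only message carries.
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"optional,tag:0"` // [0] EXPLICIT SignedData, wrapped by hand below
}

type signedData struct {
	Version          int
	DigestAlgorithms []asn1.RawValue `asn1:"set"`
	EncapContentInfo contentInfo
	Certificates     []asn1.RawValue `asn1:"tag:0,set"` // [0] IMPLICIT SET OF Certificate
	SignerInfos      []asn1.RawValue `asn1:"set"`
}

var oidSignedData, oidData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}, asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}

type Placement struct{ Root, CA, My []*x509.Certificate }

// SortReturnedCertificates applies the control's rule to a DER-encoded PKCS #7 message: a certificate
// whose subject equals its issuer and whose signature verifies under its own key goes to Root, the one
// whose SubjectPublicKeyInfo matches the requester's (as carried in the PKCS #10) goes to My, the rest to CA.
func SortReturnedCertificates(p7, requesterSPKI []byte) (Placement, error) {
	var p Placement
	ci, sd := contentInfo{}, signedData{}
	if _, err := asn1.Unmarshal(p7, &ci); err != nil || !ci.ContentType.Equal(oidSignedData) {
		return p, fmt.Errorf("not a PKCS #7 SignedData message")
	}
	if _, err := asn1.Unmarshal(ci.Content.Bytes, &sd); err != nil {
		return p, err
	}
	for _, el := range sd.Certificates {
		cert, err := x509.ParseCertificate(el.FullBytes)
		if err != nil {
			return p, err
		}
		switch {
		case bytes.Equal(cert.RawSubject, cert.RawIssuer) && cert.CheckSignatureFrom(cert) == nil:
			p.Root = append(p.Root, cert) // this one becomes a trust anchor for the user
		case bytes.Equal(cert.RawSubjectPublicKeyInfo, requesterSPKI):
			p.My = append(p.My, cert)
		default:
			p.CA = append(p.CA, cert)
		}
	}
	return p, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template and issue build the constructed certificates; CertSign in ku marks a CA.
func template(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
}

func issue(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildSampleResponse constructs, purely for this example, the chain Example Root -> Example Issuing CA ->
// requester, wraps it in a certs-only SignedData (the shape of a CA's reply), and returns the requester's
// SubjectPublicKeyInfo as the PKCS #10 request would have carried it.
func BuildSampleResponse() (p7, requesterSPKI []byte) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, caKey, reqKey := newKey(), newKey(), newKey()
	rootTmpl := template("Example Root", 1, x509.KeyUsageCertSign)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	ca := issue(template("Example Issuing CA", 2, x509.KeyUsageCertSign), root, &caKey.PublicKey, rootKey)
	leaf := issue(template("requester", 3, x509.KeyUsageDigitalSignature), ca, &reqKey.PublicKey, caKey)
	sd := signedData{Version: 1, EncapContentInfo: contentInfo{ContentType: oidData}}
	sd.Certificates = []asn1.RawValue{{FullBytes: leaf.Raw}, {FullBytes: ca.Raw}, {FullBytes: root.Raw}}
	p7 = must(asn1.Marshal(contentInfo{ContentType: oidSignedData, Content: asn1.RawValue{
		Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: must(asn1.Marshal(sd))}}))
	return p7, must(x509.MarshalPKIXPublicKey(&reqKey.PublicKey))
}

func main() {
	p := must(SortReturnedCertificates(BuildSampleResponse()))
	fmt.Printf("Root: %d  CA: %d  My: %d certificate(s)\n", len(p.Root), len(p.CA), len(p.My))
}
```

Verifying the self-signature, rather than only comparing the subject and issuer names, keeps a certificate that merely claims to be a root out of the Root store. Whatever does land there is trusted from then on, which is the reason the message handed to the control should come from the CA the request was submitted to.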

The following code is a simple example of how to use VBScript and HTML in a Web page to receive and store the returned certificates.

<HTML>
<HEAD>
<TITLE>Certificate Enrollment Acceptance HTML Page</TITLE>
</HEAD>
<BODY>

<OBJECT
    classid="clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1"
    CODEBASE="xenroll.dll"
    id=IControl
    >
</OBJECT>

<FORM NAME="result" ENCTYPE="application/x-www-form-urlencoded" METHOD=POST>
    <INPUT TYPE="HIDDEN" NAME="result">
    <TABLE>
    <TR>
    <TD ALIGN=center><INPUT TYPE="BUTTON"
        NAME="Accept" value="Accept" onClick="AcceptCertSub"
        language="VBScript"></TD>
    <TD ALIGN=center><INPUT TYPE="BUTTON"
        NAME="No" value="No" onClick="NoAcceptCertSub"
        language="VBScript"></TD>
    </TR>
    </TABLE>
</FORM>

<SCRIPT LANGUAGE="VBSCRIPT">

    '-----------------------------------------------------------------
    ' Accept the certificate subroutine.
    '-----------------------------------------------------------------
    Sub AcceptCertSub

    On Error Resume Next

    '--------------------------------------------------------------
    ' Get the issued certificate.
    ' The following value, "PKCS7", is a placeholder for the received
    ' message. In a real application the base64-encoded PKCS #7 message
    ' must be supplied through the design of the receiving application.
    ' A possible implementation is as follows: after using
    ' ICertRequest.Submit to submit the PKCS #10, call
    ' ICertRequest.GetLastStatus to confirm successful certificate
    ' creation, and then call ICertRequest.GetCertificate to retrieve
    ' the certificate.
    '--------------------------------------------------------------
    document.result.result.value = "PKCS7"

    ' Open the message and distribute its certificates among the
    ' Root, CA, and MyStoreName stores.
    Call IControl.AcceptPKCS7(document.result.result.value)

    If Err.Number = 0 Then
        navigate "../done.htm"
    Else
        Alert "Error: " & Hex(Err.Number)
    End If

    End Sub

    '-----------------------------------------------------------------
    ' Decline the certificate subroutine.
    '-----------------------------------------------------------------
    Sub NoAcceptCertSub
    navigate "../notdone.htm"
    End Sub

</SCRIPT>
</BODY>
</HTML>