
List:       ms-cryptoapi
Subject:    Re: IIS CGI's and new CA's
From:       Nick Wagner <nickw () FRONTIERTECH ! COM>
Date:       1998-08-31 18:26:53


>I'm hoping that somebody has run into this problem before. We are using
>IIS 4.0 and have a CGI that attempts to verify a digital signature using
>the CryptoAPI. Unfortunately, Verisign has issued a new root CA and the CGI
>cannot get access to the new CA's. What I tried was installing the new root
>CA under a user that I can log into the console as, and then changing the
>user that the CGI was run under to match the logged in user. The CGI now
>recognizes the new CA. However, if I log out of the console, then the CGI
>starts failing again, even though IIS is running as a service and shouldn't
>be operating within the same context as the logged in user. In fact, IIS
>and my CGI run just fine when there is no logged in user, it just can't
>access the CA store. I constantly get the error "Keyset not found".
>So my question is: Does anyone know why a CGI under IIS can only use the
>root CA's of the logged in user?


Your problem is that the keys/certificates you are trying to access are in
the stores associated with HKEY_CURRENT_USER.  You could either set
something up that uses the HKLM stores, or make the CGI always run in the
particular user context that you need (say a generic user or, within severe
limits, administrator).  I've never tried the latter for CGIs, but this
method works quite well for ASP pages.
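
The per-user versus machine-wide store distinction described in the reply can be checked directly. This is an added example, not part of the original thread: it uses PowerShell and the .NET `X509Store` class, both of which postdate this message, and the thumbprint value is a placeholder to be replaced with that of the root CA in question.

```powershell
# Added example: report whether one root CA certificate is trusted per-user,
# machine-wide, or both, for the identity this script runs under.
# $Thumbprint is a placeholder; substitute the root CA's SHA-1 thumbprint.
param(
    [string]$Thumbprint = '<ROOT-CA-THUMBPRINT-PLACEHOLDER>'
)

function Test-CertInStore {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][ValidateSet('CurrentUser', 'LocalMachine')][string]$Location,
        [string]$StoreName = 'Root'
    )
    $loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $loc)
    try {
        # Read-only: this check must never modify the trust store.
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $Thumbprint,
            $false)   # $false = also return certificates that do not currently validate
        return ($found.Count -gt 0)
    }
    finally {
        $store.Close()
    }
}

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$inUser    = Test-CertInStore -Thumbprint $Thumbprint -Location CurrentUser
$inMachine = Test-CertInStore -Thumbprint $Thumbprint -Location LocalMachine

[pscustomobject]@{
    Identity         = $identity
    CurrentUserRoot  = $inUser      # store backed by HKEY_CURRENT_USER
    LocalMachineRoot = $inMachine   # store backed by HKEY_LOCAL_MACHINE
}

if ($inUser -and -not $inMachine) {
    # The situation in the thread: trust exists only in one user's profile.
    Write-Warning ("Root CA is trusted only for $identity. Code running under another " +
        "account will not see it. An administrator can add it machine-wide, for example " +
        "with Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root.")
}
```

Running it once from the console session and once under the account the web server uses for the CGI shows which identity sees the certificate in which store.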
