[prev in list] [next in list] [prev in thread] [next in thread]
List: ms-cryptoapi
Subject: Re: IIS CGI's and new CA's
From: Nick Wagner <nickw () FRONTIERTECH ! COM>
Date: 1998-08-31 18:26:53
[Download RAW message or body]
>I'm hoping that somebody has run into this problem before. We are using
>IIS 4.0 and have a CGI that attempts to verify a digital signature using
>the CryptoAPI. Unfortunately, Verisign has issued a new root CA and the CGI
>cannot get access to the new CA's. What I tried was installing the new root
>CA under a user that I can log into the console as, and then changing the
>user that the CGI was run under to match the logged in user. The CGI now
>recognizes the new CA. However, if I log out of the console, then the CGI
>starts failing again, even though IIS is running as a service and shouldn't
>be operating within the same context as the logged in user. In fact, IIS
>and my CGI run just fine when there is no logged in user, it just can't
>access the CA store. I constantly get the error "Keyset not found".
>So my question is: Does anyone know why a CGI under IIS can only use the
>root CA's of the logged in user?
Your problem is that the keys/certificates you are trying to access are in
the stores associated with HKEY_CURRENT_USER. You could either set
something up that uses the HKLM stores, or make the CGI always run in the
particular user context that you need (say a generic user or, within severe
limits, administrator). I've never tried the latter for CGIs, but this
method works quite well for ASP pages.
----------------------------------------------------------------
Users Guide http://www.microsoft.com/workshop/essentials/mail.asp
contains important info including how to unsubscribe. Save time, search
the archives at http://discuss.microsoft.com/archives/index.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic