Automatically add trusted publisher to client store

  • Thread starter: Steven Tang
  • Newsgroup: microsoft.public.dotnet.framework.aspnet

Steven Tang
I want to download a pfx from my asp.net server and add the pfx to the client's
X509Store as a trusted publisher. Is it possible? My func in aspx is like this:

using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

void InstallCertification()
{
    try
    {
        WebClient web = new WebClient();
        // Fetch the PFX (certificate plus private key) from the web server.
        string url = "http://myaspserver/mydir/mykey_2008.pfx";
        byte[] b = web.DownloadData(url);
        // Open the PFX with its export password.
        X509Certificate2 cert = new X509Certificate2(b, "password");
        // Add it to the machine-wide third-party root store ...
        X509Store store = new X509Store(StoreName.AuthRoot, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
        store.Close();
        // ... and to the machine-wide Trusted Publishers store.
        store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
        store.Close();
        msg.Text = "Certification installed";
    }
    catch (Exception e)
    {
        //MessageBox( e.ToString());
        msg.Text = e.ToString();
    }
}

But the page takes much longer to load and shows a System.Net.WebException
error that it is unable to connect to the remote server (actually myaspserver
is working, and the aspx and the pfx URL are correct).

Best Regards
Steven
 
Where is this code running? If it's in the code-behind, then the server is
downloading a cert from itself and trying to install it on itself. If this
is what you are trying to do, then try localhost, so that it's a loopback, as
it's common to have outgoing port 80 blocked on a web server.


-- bruce (sqlwork.com)
 
Thank you for your response. Actually this piece of code is supposed to run on
the client computer, and I'm trying to install the trust certificate on the
client computer that visits our aspx page, which contains this piece of code.

Best Regards

--
Steven Tang


 
Hi Steven,

If you put a txt file in the same virtual directory where the pfx file is
located and access it in the browser via http://myaspserver/mydir/test.txt,
can you see the content of the file? If you can, can you download it via
the following code?

WebClient web = new WebClient();
string url = "http://myaspserver/mydir/test.txt";
byte[] b = web.DownloadData(url);

If you can, then from your description the following code does not work?
(Please confirm it.)

WebClient web = new WebClient();
string url = "http://myaspserver/mydir/mykey_2008.pfx";
byte[] b = web.DownloadData(url);

Please test it and tell me the result. It can help to narrow down this
issue. BTW, does your client machine need a proxy to access network
resources? In addition please check the Firewall settings on both server
side and client side as Bruce mentioned.

Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

[Quoted message header: Steven Tang, Tue, 11 Nov 2008 10:13:01 -0800, microsoft.public.dotnet.framework.aspnet]
 
Hello Allen,
I created a simple WPF app and tested as follows; see my answers embedded below.

Allen Chen said:
> Hi Steven,
>
> If you put a txt file in the same virtual directory where the pfx file
> locates and access it in the browser via http://myaspserver/mydir/test.txt

Yes, the browser will show the content.

> can you see the content of the file? If you can, can you download it via
> the following code?
>
> WebClient web = new WebClient();
> string url = "http://myaspserver/mydir/test.txt";
> byte[] b = web.DownloadData(url);

Yes, it is downloadable.

> If you can from your description the following code does not work? (Please
> confirm it)
>
> WebClient web = new WebClient();
> string url = "http://myaspserver/mydir/mykey_2008.pfx";
> byte[] b = web.DownloadData(url);

This is also downloadable in the WPF test app.

> Please test it and tell me the result. It can help to narrow down this
> issue. BTW, does your client machine need a proxy to access network
> resources? In addition please check the Firewall settings on both server
> side and client side as Bruce mentioned.
>
> Regards,
> Allen Chen
> Microsoft Online Support

If the WPF test app works, in general the aspx should work too; both of them
call .NET, am I right? But it seems that the aspx does not work.

Best Regards
Steven
 
Hi Steven,

I remember the proxy detection of ASP.NET applications is different from
that of desktop applications. Could you try to explicitly specify the proxy
to see if it works?


WebClient web = new WebClient();
web.Proxy = WebProxy.GetDefaultProxy();
string url = "http://myaspserver/mydir/mykey_2008.pfx";
byte[] b = web.DownloadData(url);

Regards,
Allen Chen
Microsoft Online Community Support
[Quoted message header: Steven Tang, Tue, 11 Nov 2008 23:09:00 -0800, microsoft.public.dotnet.framework.aspnet]
 
Hi Allen,
Sorry that I didn't respond to this; I was busy with other things. I updated
the aspx page and added Proxy = WebProxy.GetDefaultProxy(). When I visit this
page from the client side (I call InstallCertification in Page_Load), the
browser says:

System.Net.WebException: Unable to connect to the remote server --->
System.Net.Sockets.SocketException: No connection could be made because the
target machine actively refused it 127.0.0.1:8080
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
   at System.Net.WebClient.DownloadData(Uri address)
   at System.Net.WebClient.DownloadData(String address)
   at ASP.xweb_index_aspx.InstallCertification()

All the best
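The exception above names the endpoint the worker process actually tried to reach (127.0.0.1:8080), which is the first thing to reconcile against the proxy settings in effect for the account the ASP.NET worker runs as. The following is an added example, not code from the thread, showing the checks a practitioner would run from server-side code: resolve which proxy System.Net would select for the URL, go direct for an intranet host when that is the intent, and for https pin the server certificate rather than disabling validation. The host name is the one used in the thread; the thumbprint placeholder and the `intranetHost` flag are assumptions of the example.

```csharp
// Added example (not from the thread): proxy diagnosis and strict TLS for a
// server-side WebClient call. Assumptions: target host as in the thread,
// a placeholder thumbprint; adjust both for a real deployment.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class ProxyDiagnostics
{
    // Report what System.Net would do with this URL under the *current account's*
    // settings. In ASP.NET that account is the application pool identity, whose
    // IE/WinHTTP proxy configuration can differ from the logged-on developer's.
    public static string DescribeProxy(Uri target)
    {
        IWebProxy sys = WebRequest.GetSystemWebProxy();
        if (sys.IsBypassed(target))
            return "direct (bypassed by proxy exception list)";
        Uri via = sys.GetProxy(target);          // returns the target itself when no proxy applies
        return via == target ? "direct (no proxy configured)" : "via " + via;
    }

    // Accept exactly one expected server certificate. The common "return true to
    // ignore an expired certificate" workaround makes any interposed host a valid peer.
    public static RemoteCertificateValidationCallback PinTo(string expectedThumbprint)
    {
        return delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
        {
            if (cert == null) return false;
            string actual = new X509Certificate2(cert).Thumbprint;
            return string.Equals(actual, expectedThumbprint, StringComparison.OrdinalIgnoreCase);
        };
    }

    public static byte[] Download(Uri target, bool intranetHost, string pinnedThumbprint)
    {
        WebClient web = new WebClient();
        // Proxy = null forces a direct connection regardless of IE settings;
        // use it only when the target really is reachable without the proxy.
        if (intranetHost) web.Proxy = null;
        // Process-wide setting: in real code set it once at application start.
        if (target.Scheme == Uri.UriSchemeHttps && pinnedThumbprint != null)
            ServicePointManager.ServerCertificateValidationCallback = PinTo(pinnedThumbprint);
        return web.DownloadData(target);
    }

    static void Main()
    {
        Uri u = new Uri("http://myaspserver/mydir/mykey_2008.pfx");   // URL from the thread
        Console.WriteLine("{0}: {1}", u, DescribeProxy(u));
    }
}
```

Run `DescribeProxy` from inside the web application (for instance written to a trace page) rather than from a desktop test app, because the answer depends on the identity that executes it; that is also why a WPF test on the same machine can succeed while the aspx fails.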
 
Hi Steven,

Thanks for your update.

Are you accessing port 80 or port 8080? From the code you provided
previously you're accessing port 80. See below:

WebClient web = new WebClient();
string url = "http://myaspserver/mydir/test.txt";
byte[] b = web.DownloadData(url);

However, from the exception it seems you're using this url:
string url = "http://myaspserver:8080/mydir/test.txt";

Could you clarify which url you're using? If it is 8080 please check if the
TCP port of this site has been set as 8080 in IIS.
http://support.microsoft.com/kb/149605

For further investigation please also provide the IIS version and the
operating system you're using.

Regards,
Allen Chen
Microsoft Online Support

[Quoted message header: Steven Tang, Sun, 16 Nov 2008 12:57:06 -0800, microsoft.public.dotnet.framework.aspnet]
 
Hello Allen,
I tried updating the path and there is no file download issue anymore, but the
trust will not be added to the client computer, and it shows that X509 cannot
be applied. It looks like the code downloads the pfx file from itself and then
tries to add the trust to the server computer, not the client computer.
You know the aspx is server-side code. Is there any way to modify the code so
that when a client computer visits this aspx page, the page downloads the pfx
to the client system and installs it on the client computer?

Best Regards
Steven
 
Hi Steven,

Firstly, for security reasons, automatically downloading and adding the pfx to
the X509Store is not recommended.

If we have to do so we need to use ActiveX. However, we cannot ensure that the
clients have enabled ActiveX. If they haven't, we cannot achieve the
requirement.

The following article demonstrates how to create an MFC ActiveX control:

http://www.codeproject.com/KB/COM/CompleteActiveX.aspx

Another option is to let your customer download a console application and run
it. You can put your code in the console application, then add a download link
on the page to notify your customers. Though it's not an ideal means, I think
it's a more secure way for your customers.

Please let me know if you need further assistance.

Regards,
Allen Chen
Microsoft Online Community Support
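The console-application route suggested above is the one a security engineer would take, with three changes to the original page code: distribute the public certificate (.cer) rather than the .pfx, since a PFX is a PKCS#12 bundle that normally carries the private key and anyone who downloads it can sign as that publisher; add it only to Trusted Publishers, not AuthRoot, because a root-store entry makes that key a trusted CA for the whole machine; and pin the expected thumbprint so a swapped file is refused. The following is an added example, not code from the thread; the file name `publisher.cer`, the placeholder thumbprint and the exit codes are assumptions of the example.

```csharp
// Added example (not from the thread): the "download and run a console app"
// option, hardened. Assumptions: argument is a public certificate file (.cer),
// ExpectedThumbprint is a placeholder to be replaced with the real value
// (e.g. from `certutil -dump publisher.cer`), and the tool runs elevated.
using System;
using System.IO;
using System.Security.Principal;
using System.Security.Cryptography.X509Certificates;

static class TrustedPublisherInstaller
{
    // Placeholder; pin the SHA-1 thumbprint of the certificate you intend to trust.
    const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: installer <publisher.cer>");
            return 2;
        }

        // LocalMachine stores are writable only by administrators; fail early and clearly.
        WindowsPrincipal me = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        if (!me.IsInRole(WindowsBuiltInRole.Administrator))
        {
            Console.Error.WriteLine("Run this from an elevated (administrator) prompt.");
            return 3;
        }

        try
        {
            X509Certificate2 cert = Load(File.ReadAllBytes(args[0]));
            bool added = AddToTrustedPublishers(cert);
            Console.WriteLine((added ? "Installed: " : "Already present: ") + cert.Subject);
            return 0;
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("Not installed: " + ex.Message);
            return 1;
        }
    }

    // Parse the bytes and refuse anything that is not exactly the pinned public certificate.
    public static X509Certificate2 Load(byte[] der)
    {
        X509Certificate2 cert = new X509Certificate2(der);
        if (cert.HasPrivateKey)
            throw new InvalidOperationException("file contains a private key; distribute the .cer, not the .pfx");
        if (!string.Equals(cert.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("thumbprint mismatch: " + cert.Thumbprint);
        if (DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("certificate expired on " + cert.NotAfter);
        return cert;
    }

    // Trusted Publishers is the store Authenticode consults to skip the publisher
    // prompt; it confers no CA trust. Nothing is written to AuthRoot or Root.
    public static bool AddToTrustedPublishers(X509Certificate2 cert)
    {
        X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            X509Certificate2Collection existing =
                store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
            if (existing.Count > 0) return false;   // idempotent: safe to run twice
            store.Add(cert);
            return true;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Sign the installer itself with the same publisher certificate so the user gets one consistent Authenticode prompt, and publish the expected thumbprint on the download page out of band; the tool then refuses any file that does not match it.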
 
Hi Steven,

Do you have any progress on this issue?

Regards,
Allen Chen
Microsoft Online Community Support
 
Don't forget that some file extensions are not in the default allowed MIME types of IIS. That would explain why .txt works but not .pfx. If that is the case, then just go to the web site or global web configuration in IIS Manager and add a MIME entry for ".pfx" with an appropriate MIME type (see filext.com for examples).

Other possibilities are the default proxy configuration, or expired certificates at the server if you are using HTTPS. In these cases bypass the proxy, or add a client policy callback to allow a site with an expired certificate.

Both of these methods are documented in MSDN, but I think the first is the case here.

A third possibility, if you have no access to set the MIME types, is to create a download aspx which clears all headers, sets the content disposition to a file (with an optional filename), then streams the file out as bytes.
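The third option above, the download page that clears headers, sets Content-Disposition and streams the bytes, is shown here as an added example (not code from the thread), written as an ASP.NET IHttpHandler. It assumes the file being served is the public certificate at `App_Data/publisher.cer`; the path is fixed in code and never taken from the request, so the handler cannot be steered to other files, and because App_Data is not served directly by IIS the handler is the only route to the file. Both the location and the file name are assumptions of the example.

```csharp
// Added example (not from the thread): a handler that streams a fixed
// certificate file with explicit headers, sidestepping the IIS MIME map.
// Assumptions: ~/App_Data/publisher.cer exists and holds a public cert only.
using System;
using System.IO;
using System.Web;

public class CertDownloadHandler : IHttpHandler
{
    const string FileName = "publisher.cer";   // name the browser will save it as

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Fixed server-side path: no query-string or route input reaches MapPath.
        string path = context.Server.MapPath("~/App_Data/" + FileName);
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }
        byte[] der = File.ReadAllBytes(path);

        HttpResponse r = context.Response;
        r.Clear();
        r.ClearHeaders();
        r.ContentType = "application/x-x509-ca-cert";      // conventional type for a DER certificate
        r.AddHeader("Content-Disposition", "attachment; filename=\"" + FileName + "\"");
        r.AddHeader("Content-Length", der.Length.ToString());
        r.AddHeader("X-Content-Type-Options", "nosniff");   // browsers must not reinterpret the body
        r.Cache.SetCacheability(HttpCacheability.NoCache);
        r.BinaryWrite(der);
        // Finish the request without the ThreadAbortException that Response.End() raises.
        context.ApplicationInstance.CompleteRequest();
    }
}
```

Save it as `cert.ashx` with `<%@ WebHandler Language="C#" Class="CertDownloadHandler" %>` as the first line, or register the class under `httpHandlers` in web.config. Serving the .cer this way also removes the reason to put a .pfx in a web-reachable directory at all.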




v-alche (Allen Chen, Microsoft Online Community Support) wrote, 25-Nov-08:

> Hi Steven,
>
> Do you have any progress on this issue?