To secure network transmission, many sites that handle sensitive information use SSL verification: the client has to trust the certificate the server sends before it can access the site. But to trust that certificate fully, without landing on the warning page and the trust dialog on every visit, the client must trust the certificate's root certificate.
Installing a root certificate on every client, however, is very hard to deploy. So how can the website install it for users automatically? Here I followed the approach of www.ca365.com (China Digital Certification Network): just as on your first visit to that site a dialog pops up asking whether you want to install its root certificate (a silent install is probably not possible, and security would not allow it anyway), that is the behaviour we want to reproduce.
So how is it done? The only thing we can learn from that site is that the certificate is registered through the XEnroll component, like this:
' Build the certificate text line by line (this is exactly what FormatBigString emits)
sPKCS7 = sPKCS7 & " -----BEGIN CERTIFICATE----- " & vbNewLine
sPKCS7 = sPKCS7 & " MIIDszCCApugAwIBAgIIPn9KwWPUprMwDQYJKoZIhvcNAQEFBQAwZzELMAkGA1UE " & vbNewLine
sPKCS7 = sPKCS7 & " BhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxDjAMBgNV " & vbNewLine
sPKCS7 = sPKCS7 & " BAoTBUNBMzY1MSQwIgYDVQQDExtDQTM2NSBUZXN0IFJvb3QgQ2VydGlmaWNhdGUw " & vbNewLine
sPKCS7 = sPKCS7 & " HhcNMDEwNTEyMDg0MDIwWhcNMzEwNTA1MDg0MDIwWjBnMQswCQYDVQQGEwJDTjEQ " & vbNewLine
sPKCS7 = sPKCS7 & " MA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzEOMAwGA1UEChMFQ0Ez " & vbNewLine
sPKCS7 = sPKCS7 & " NjUxJDAiBgNVBAMTG0NBMzY1IFRlc3QgUm9vdCBDZXJ0aWZpY2F0ZTCCASIwDQYJ " & vbNewLine
sPKCS7 = sPKCS7 & " KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL7TIQ00d7mYx9CNOvGJDCTm+yFK5rM3 " & vbNewLine
sPKCS7 = sPKCS7 & " tH3Om5e9eQtt290t3TJoMEm78SNi7rVl/tgPtR3IEznL8C9NREeyG48Mlh3RLkCH " & vbNewLine
sPKCS7 = sPKCS7 & " 9YVvwqoz5dPU8OSiV4KMwuaAk0NxEWal3jtDN2yNZiNrqjXeYWdkIvYE8jEYSXVD " & vbNewLine
sPKCS7 = sPKCS7 & " GB748oBMhrXR8mN5QyYPJ/yuXTK4vkrgOdn+DA46NECpFNpj97AgdmsjU1oEx/WF " & vbNewLine
sPKCS7 = sPKCS7 & " xSDrwQv5JwpVkNO4hlUqvU2HkSwJiYibWTHiuq/WX2KZRiGBbQsMUlBKT/SGTz0x " & vbNewLine
sPKCS7 = sPKCS7 & " kTBciXzkTN4kd0nHcYcbhRyNCj3S9tLjZuU4KmO8aYq+3uw7MzuIqaUCAwEAAaNj " & vbNewLine
sPKCS7 = sPKCS7 & " MGEwHQYDVR0OBBYEFOFerZs5arMIYGXkIn7sz8xPsdHLMA4GA1UdDwEB/wQEAwIB " & vbNewLine
sPKCS7 = sPKCS7 & " BjAfBgNVHREEGDAWhhRodHRwOi8vd3d3LmNhMzY1LmNvbTAPBgNVHRMBAf8EBTAD " & vbNewLine
sPKCS7 = sPKCS7 & " AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQB5tTmySgq4J50bWoz+F7pZL75U0X4IPmQ+ " & vbNewLine
sPKCS7 = sPKCS7 & " wXaUr8M7PthCMMIv/CN9mLbWK8fEXO8cEMkpusgSbSZybJpNggeLuyu+9iZcJnsZ " & vbNewLine
sPKCS7 = sPKCS7 & " TOXs7JnG0D91N0m/y/8Q794XsG64X2MRKBAMEyv/l0oR2fYym9iOkCJtv5rkMYWG " & vbNewLine
sPKCS7 = sPKCS7 & " jYplLrJWsEooFOrn4CzWkJ3lYuuc+WdlXEsPfLedPB5xAl1PU8FSjxvwEczOdWWK " & vbNewLine
sPKCS7 = sPKCS7 & " 99YMbVaQDMPSeVLKwxWeLtcZ10leyCotGpPaLLwcUEWiTyVt0mPZ+NQEqpm3nApp " & vbNewLine
sPKCS7 = sPKCS7 & " BeRFkRLtHm1+BF8piiZ/89ToczDZBx87TM2KqqUolQ4usKzB+P/r " & vbNewLine
sPKCS7 = sPKCS7 & " -----END CERTIFICATE----- " & vbNewLine
' Install: XEnroll is the XEnroll ActiveX control (xenroll.dll) instantiated on the page; this call
' writes the certificate into the user's certificate store and is what triggers the install dialog mentioned above
XEnroll.InstallPKCS7Ex(sPKCS7)
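Before a client runs InstallPKCS7Ex it is worth knowing exactly what the blob above asks it to trust (despite the variable name it is a single base64 X.509 certificate, as the BEGIN CERTIFICATE armour shows). The following Python is an added example, not code from the post or from CA365: a minimal hand-written DER walk, with no external library, that pulls the subject CN, validity window and basicConstraints CA flag out of the post's certificate, checks that issuer equals subject, and computes a SHA-256 fingerprint an administrator could pin. It assumes a v3 certificate layout (v1 is tolerated), does not verify the signature, and reuses the post's base64 unchanged apart from re-wrapping.

```python
import base64, hashlib, re
# Root certificate from the post (same base64, only re-wrapped to 128-character lines here).
PEM = """-----BEGIN CERTIFICATE-----
MIIDszCCApugAwIBAgIIPn9KwWPUprMwDQYJKoZIhvcNAQEFBQAwZzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxDjAMBgNV
BAoTBUNBMzY1MSQwIgYDVQQDExtDQTM2NSBUZXN0IFJvb3QgQ2VydGlmaWNhdGUwHhcNMDEwNTEyMDg0MDIwWhcNMzEwNTA1MDg0MDIwWjBnMQswCQYDVQQGEwJDTjEQ
MA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzEOMAwGA1UEChMFQ0EzNjUxJDAiBgNVBAMTG0NBMzY1IFRlc3QgUm9vdCBDZXJ0aWZpY2F0ZTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL7TIQ00d7mYx9CNOvGJDCTm+yFK5rM3tH3Om5e9eQtt290t3TJoMEm78SNi7rVl/tgPtR3IEznL8C9NREeyG48Mlh3RLkCH
9YVvwqoz5dPU8OSiV4KMwuaAk0NxEWal3jtDN2yNZiNrqjXeYWdkIvYE8jEYSXVDGB748oBMhrXR8mN5QyYPJ/yuXTK4vkrgOdn+DA46NECpFNpj97AgdmsjU1oEx/WF
xSDrwQv5JwpVkNO4hlUqvU2HkSwJiYibWTHiuq/WX2KZRiGBbQsMUlBKT/SGTz0xkTBciXzkTN4kd0nHcYcbhRyNCj3S9tLjZuU4KmO8aYq+3uw7MzuIqaUCAwEAAaNj
MGEwHQYDVR0OBBYEFOFerZs5arMIYGXkIn7sz8xPsdHLMA4GA1UdDwEB/wQEAwIBBjAfBgNVHREEGDAWhhRodHRwOi8vd3d3LmNhMzY1LmNvbTAPBgNVHRMBAf8EBTAD
AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQB5tTmySgq4J50bWoz+F7pZL75U0X4IPmQ+wXaUr8M7PthCMMIv/CN9mLbWK8fEXO8cEMkpusgSbSZybJpNggeLuyu+9iZcJnsZ
TOXs7JnG0D91N0m/y/8Q794XsG64X2MRKBAMEyv/l0oR2fYym9iOkCJtv5rkMYWGjYplLrJWsEooFOrn4CzWkJ3lYuuc+WdlXEsPfLedPB5xAl1PU8FSjxvwEczOdWWK
99YMbVaQDMPSeVLKwxWeLtcZ10leyCotGpPaLLwcUEWiTyVt0mPZ+NQEqpm3nAppBeRFkRLtHm1+BF8piiZ/89ToczDZBx87TM2KqqUolQ4usKzB+P/r
-----END CERTIFICATE-----"""

def der_children(buf):  # (tag, value) TLVs directly inside buf, one DER level deep
    out, i = [], 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                                    # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def der_walk(buf):  # pre-order walk of every TLV, descending into constructed types
    for tag, value in der_children(buf):
        yield tag, value
        if tag & 0x20:
            yield from der_walk(value)

def value_after_oid(tlvs, oid, tags):  # first value tagged in `tags` after OID `oid`, else None
    hit = [i for i, (t, v) in enumerate(tlvs) if t == 0x06 and v == oid]
    return next((v for t, v in tlvs[hit[0] + 1:] if t in tags), None) if hit else None

def inspect_root(pem):  # summarise what a client would be trusting if it installed this root
    der = base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))
    [(_, cert)] = der_children(der)                          # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])          # tbsCertificate members
    fields = fields if fields[0][0] == 0xA0 else [(0xA0, b"")] + fields   # v1 has no [0] version
    issuer, validity, subject = fields[3][1], fields[4][1], fields[5][1]
    not_before, not_after = [v.decode() for _, v in der_children(validity)]
    cn = value_after_oid(list(der_walk(subject)), b"\x55\x04\x03", (0x13, 0x0C))  # id-at-commonName
    exts = list(der_walk(fields[7][1])) if len(fields) > 7 else []
    bc = value_after_oid(exts, b"\x55\x1d\x13", (0x04,)) or b""   # id-ce-basicConstraints
    return {"subject_cn": cn.decode(), "issuer_is_subject": issuer == subject,
            "not_before": not_before, "not_after": not_after, "sha256": hashlib.sha256(der).hexdigest(),
            "is_ca": any(t == 0x01 and v == b"\xff" for t, v in der_walk(bc))}
```

Run against the post's certificate this reports a self-issued CA certificate for "CA365 Test Root Certificate" valid from 2001-05-12 to 2031-05-05, which is the whole scope of trust the install dialog grants.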
But how do we obtain sPKCS7? We know the certificate server hosts a site called CertSrv that we can browse to,
and it turns out that it implements automatic enrollment as well; the difference is that there you still have to click a link. So grab its source code and dissect it.
It turns out that it uses the ICertRequest object (the corresponding certcli.dll can be found under the system32 directory):
Dim ICertRequest, sCertificate
Set ICertRequest = CreateObject("CertificateAuthority.Request")   ' added here: the ICertRequest object from certcli.dll
sCertificate = ICertRequest.GetCACertificate(GETCERT_CASIGCERT, sServerConfig, CR_OUT_BASE64HEADER Or CR_OUT_CHAIN)
' FormatBigString (from the CertSrv pages) wraps the base64 text into the sPKCS7 = sPKCS7 & "..." lines shown above
sPKCS7 = FormatBigString(sCertificate, " sPKCS7=sPKCS7 & " )
A few parameters:
Const GETCERT_CASIGCERT = &H00000000   ' the CA's signing certificate (added here; the post lists only the two constants below)
Const CR_OUT_BASE64HEADER = &H00000000
Const CR_OUT_CHAIN = &H00000100
sServerConfig = "myservername\certserver"   ' CA config string: machine name, a backslash, then the CA name
myservername is the machine name of your certificate server,
and certserver is the name of your certificate service, as shown in the figure below:
If you want to use this DLL from .NET, don't forget to register it first, otherwise you won't be able to reference it.
In practice a root certificate does not change on its own, so you normally only need to obtain the PKCS7 once; you can get it with the following tool:
http://dl2.csdn.net/down3/20070626/26140955280.rar, based on .NET Framework 2.0
If anything is unclear, feel free to ask. Thanks.