Certificate Enrollment from the Browser
Back in Windows XP, an ActiveX control known as XEnroll could be used from the browser to request digital certificates on the client’s behalf. Certificate authorities and others would use this control when a customer purchased a certificate for code signing, server authentication, or other purposes.
In Windows Vista, XEnroll was deprecated (and prevented from loading in the browser) and replaced by CertEnroll. However, there are a few restrictions to be aware of when using the CertEnroll control:
- The control is only available on Windows Vista and later
- The control must be loaded in a page delivered by HTTPS
- The control must be loaded by an <object> tag in the markup
- The control must be in the top-level frame
Prior to Windows Vista SP1, there was the additional requirement that the page must be in the Trusted Sites Zone. That requirement was removed for Vista SP1 and Windows 7.
You’ll note that the first page doesn’t work properly while the second one does. This demonstrates restriction #2. The CertEnroll control uses the SiteLock template to help ensure that it is being used securely. For Windows Vista SP1 and later, the control is configured to allow running from https://*.
The SiteLock code will evaluate the hosting security context when asked if the control’s interface is SafeForScripting and SafeForInitialization. It will return E_FAIL if the security context is not permitted to use the control. Within Internet Explorer, if a page attempts to load a control that indicates that it is not SafeForInitialization and SafeForScripting, the user will be shown an Information Bar.
This information bar does not offer the user the option to override, as controls which have indicated that they are not safe to be loaded should never load in the browser.
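To make the SiteLock decision concrete, here is an added, portable model of the check described above (not the CertEnroll control's or ATL SiteLock's own code): the control is reported safe only when the hosting page's URL matches an allow-list entry, and anything else gets E_FAIL. The entry format (scheme plus host pattern) and the helper names are assumptions; the `https://*` entry is the one the post says applies on Vista SP1 and later.

```cpp
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

// Stand-ins for the COM result codes the post mentions, so this builds without windows.h.
constexpr int32_t MODEL_S_OK   = 0;
constexpr int32_t MODEL_E_FAIL = static_cast<int32_t>(0x80004005);

// One allow-list entry (assumed format): a scheme and a host pattern.
struct SiteLockEntry {
    std::string scheme;   // e.g. "https"
    std::string host;     // "*" (any host), "example.com", or "*.example.com"
};

// The configuration the post describes for CertEnroll on Vista SP1 and later.
const std::vector<SiteLockEntry> kCertEnrollAllowList = { {"https", "*"} };

// Split "scheme://host[:port]/path" into a lower-cased scheme and host.
static bool SplitUrl(const std::string& url, std::string& scheme, std::string& host) {
    auto pos = url.find("://");
    if (pos == std::string::npos || pos == 0) return false;
    scheme = url.substr(0, pos);
    std::string rest = url.substr(pos + 3);
    host = rest.substr(0, rest.find_first_of(":/?#"));
    if (host.empty()) return false;
    for (char& c : scheme) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    for (char& c : host)   c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return true;
}

// "*" matches any host; "*.example.com" matches subdomains only; otherwise exact match.
static bool HostMatches(const std::string& pattern, const std::string& host) {
    if (pattern == "*") return true;
    if (pattern.rfind("*.", 0) == 0) {
        std::string suffix = pattern.substr(1);  // ".example.com"
        return host.size() > suffix.size() &&
               host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return pattern == host;
}

// What the SafeForScripting / SafeForInitialization query would answer for this hosting URL:
// S_OK means the control loads; E_FAIL means the browser shows the Information Bar instead.
int32_t SiteLockSafetyCheck(const std::string& hostUrl,
                            const std::vector<SiteLockEntry>& allowList = kCertEnrollAllowList) {
    std::string scheme, host;
    if (!SplitUrl(hostUrl, scheme, host)) return MODEL_E_FAIL;
    for (const auto& e : allowList)
        if (e.scheme == scheme && HostMatches(e.host, host)) return MODEL_S_OK;
    return MODEL_E_FAIL;
}
```

A plain `http://` page fails the check even though its host would match `*`, which is exactly why the first of the two pages above does not work.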
Restriction #4 isn’t a part of SiteLock itself; it is an attack-surface reduction measure that helps protect the control against ClickJacking and other UI-spoofing attacks. However, it appears that the CertEnroll team will be removing this restriction in an update.
Have a great weekend!