One of the projects that I’m currently working on requires the use of soft-certificates in order to confirm identity and for doing authorization. Since the application that is being written only needs to have support for Internet Explorer 7, I imported my PKCS #12 certificate through Internet Explorer (Internet Options -> Content -> Certificates -> Personal -> Import).
As I was importing it, there was a page where I needed to provide a password that the CA had given me. On the same page there is an option to “Enable strong private key protection”. It was followed by the sentence “You will be prompted every time the private key is used by an application if you enable this option”. Since I favored security over convenience, I happily selected this option and provided my new password. Just in case I needed to move to another computer, I also marked the key as being exportable.
After time had passed on the project, the discussion of automated functional tests with Selenium came up. I thought, that's OK: I remembered that there is an option for IE to remember my password when I’m prompted to give IE permission to use my private key. I selected this option the next time I was prompted by IE for my password. What I found out when stopping and starting a new IE process was that IE ignores the fact that I told it to remember my password. To make matters worse, since I no longer had my password that the CA gave me, I could not re-import the original certificate.
Just when I thought I was out of options, inspiration kicked in and I performed the following steps to make it so that I no longer had to provide my password whenever IE wanted to use my private key:
- Go to the Personal Certificate tab (see above)
- Select the certificate that you wish to remove the password from
- Click “Export”
- Click “Next”
- Select “Yes, export the private key”
- Unselect “Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)”
- Select “Include all certificates in the certification path if possible”
- You may either select “Delete the private key if the export is successful” or remove the certificate manually after the export
- Provide your Password and Confirm your password
- Specify a file name (something that you will remember with the PFX extension)
- Click “Next”
- Click “Finish”
- Click “Import”
- Click “Next”
- Browse for your exported certificate
- Click “Next”
- Provide your password as before
- Mark this key as exportable
- Click “Next”
- Place all certificates in the following store: Personal
- Click “Next”
- Click “Finish”
What saved me here was that since I chose to make the certificate exportable when I did the original import, I could perform the preceding steps. If I had not done this, then since I had forgotten the password for my original PFX file, my only option would have been to contact the CA to issue me another certificate.
Now that this is done, I can start up my automated regression functional test suite and not have to be bothered to provide my password every time IE runs a test.
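The same export and re-import can be scripted with the .NET certificate classes. The PowerShell script below is an added example, not part of the original post; the `$Thumbprint` parameter and the PFX file name are placeholders, and it assumes the key was marked exportable at the original import. Leaving `UserProtected` out of the key storage flags is the scripted counterpart of not enabling strong private key protection in the import wizard.

```powershell
# Added example (not from the original post): re-import a personal certificate
# without strong private key protection. Run as the user who owns the certificate.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,                 # placeholder: certificate to re-import
    [string] $PfxPath = (Join-Path $env:USERPROFILE 'client-cert.pfx')   # constructed file name
)

$ns = 'System.Security.Cryptography.X509Certificates'
$password = Read-Host -Prompt 'Password for the exported PFX' -AsSecureString

$store = New-Object "$ns.X509Store" ('My', 'CurrentUser')   # the "Personal" store
$store.Open('ReadWrite')
try {
    $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
    if ($found.Count -ne 1) { throw "Expected exactly one certificate with thumbprint $Thumbprint" }
    $old = $found[0]
    if (-not $old.HasPrivateKey) { throw 'No private key is associated with this certificate' }

    # Export certificate + private key. Windows should ask for the strong-protection
    # password here one last time; the call fails if the key is not exportable.
    # Only the leaf certificate is written (the wizard can also include the chain).
    [System.IO.File]::WriteAllBytes($PfxPath, $old.Export('Pfx', $password))

    # Load the PFX again. UserProtected is deliberately absent, so the key is
    # stored without a per-use prompt; Exportable keeps the option to move it later.
    $flags = [System.Enum]::Parse("$ns.X509KeyStorageFlags", 'UserKeySet, PersistKeySet, Exportable')
    $new = New-Object "$ns.X509Certificate2" ($PfxPath, $password, $flags)
    if ($new.Thumbprint -ne $old.Thumbprint) { throw 'Exported PFX does not match the original certificate' }

    # Replace the store entry. Remove() only takes the certificate out of the
    # store; it does not delete the old key container.
    $store.Remove($old)
    $store.Add($new)
    Write-Output "Re-imported $($new.Subject) without strong private key protection"
}
finally {
    $store.Close()
}
# The PFX at $PfxPath now protects the key with its password alone:
# store it somewhere safe or delete it once the import is verified.
```

After this runs, any process in the user's session can use the key without a prompt, so it suits a dedicated test account or test certificate better than a personal identity certificate.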
Ross Niemi's Musings
January 23, 2008 at 12:53 am |
Ok Ross… Time for an update… My rss reader has cobwebs on it
don’t worry I’m not much better
May 6, 2008 at 10:06 am |
Thank you so much! I have been trying to get things working for days since we had to renew our cert. You are a life saver and even better a time saver!!
April 3, 2009 at 9:47 am |
nice tips.!