Progress
on the Web


How WebClient Uses Digital Signatures

Now, apply your knowledge of digital signatures to WebClient. If you want to digitally sign each cabinet file to be downloaded and want the end user to verify the digital signature of each cabinet file downloaded, who needs which key?

So, in order to use digital signatures, you need a private key, a public key, and a public-key certificate, while your end user needs your public-key certificate. This subsection covers:

Getting a Private Key, Public Key, and Public-key Certificate

To get a private key, public key, and public-key certificate:

  1. Select a PKI vendor (CA) whose software is compatible with Microsoft Authenticode Technology and request a “software publishing digital certificate.”
  2. To get names of CAs, ask your PSC product-marketing representative.

  3. Get the software that generates and securely stores public keys and private keys on your system.
  4. You can typically get the software from Microsoft or download it from the CA’s Web site. You might have to provide a name for the certificate storage location.

  5. Fill out the CA’s request for information about you, your company, and how you are going to pay.
  6. Submit the requested information and the stored public key to the CA.
  7. Steps 2–4 are typically handled through a Web site.

  8. Wait for the CA to verify your identity.
  9. NOTE: The CA might use phone calls or personal visits to verify the information you supply.

  10. If the CA can prove your individual and corporate identity, they will contact you and tell you how to obtain your digital certificate.
  11. Typically, this involves same software and the same Web site as steps 2–4.

    The digital certificate will be stored on your system in the same named certificate location as was used for the initial public-private key generation.

You can repeat Steps 2–6. And you can have digital certificates issued by multiple CAs for a single public-private key pair.

Defining an Application as Signed

Now that you have a private key, public key, and public-key certificate, you can define an application as signed. To do so, in the Web Client Application Assembler’s Generate window, in the Digital Signature rectangle, check the From Registry (if the digital signature information resides in the registry) or From File (if the digital signature information resides in a file) radio button, as shown in Figure 5–1.

Figure 5–1: Defining an Application as Signed in the Application Assembler’s Generate Window

What WebClient Does Differently for an Application Defined as Signed

If you define an application as signed, when you generate the application, the Application Assembler:

By contrast, if you define an application as unsigned, when you generate the application, the Application Assembler:

How Your Public-key Certificate Gets to the End User

When an application is defined as signed and the end user downloads a signed configuration or component cabinet file (each of which contains your public-key certificate), WebClient on the end user’s machine:

  1. Extracts the digital signature and your public-key certificate from the cabinet file
  2. Verifies the digital signature of the cabinet file using your public-key certificate
  3. Also verifies your public key certificate through its issuer’s root public-key certificate. The issuer’s root public-key certificate can be obtained from the cabinet file itself or from the certificate store used by Microsoft Internet Explorer.

  4. Displays the information on the certificate and asks the end user if they trust it
  5. NOTE: If the end user says “No,” the process aborts.

  6. Optionally stores your public-key certificate into the Digital Certificate store of Internet Explorer.
Changing the Definition of an Application from Signed to Unsigned and from Unsigned to Signed

An application can change from being signed to unsigned and from unsigned to signed. That is, if the previous version of an application is defined as signed, you can define the current version as unsigned. And if the previous version of an application is defined as unsigned, you can define the current version as signed.

NOTE: PSC recommends not changing the status of an application from signed to unsigned.

If the end user downloads an application configuration file that is unsigned (indicating that the current version of the application is defined as unsigned) and the previous version of the application is defined as signed, WebClient asks the end user to confirm that it is OK for the application to be changing from signed to unsigned.

NOTE: Unless the end user has been informed of this change by a trusted source, PSC recommends that you instruct your end user to reject the change and contact you.

Creating Test Public-key Certificates

WebClient includes a batch file, MakeTestCert.bat, that makes it easier for you to create fake public-key certificates for testing. For more information, see the comments in the file, which resides at $DLC/bin, where $DLC represents the Progress installation directory.

NOTE: You cannot generate test certificates using MakeTestCert.bat on a machine running Windows 98. Also, you cannot generate a test certificate on one machine (say, one not running Windows 98) and use it on another machine (say, one running Windows 98).


Copyright © 2004 Progress Software Corporation
www.progress.com
Voice: (781) 280-4000
Fax: (781) 280-4095