Regarding Certificate store in Geneva CardSpace.

  • Question

  • Hi All,
        On Windows Server 2008 I have created two different applications, one for the RP and the other for the STS. Now I want to access this from another machine which is in the network. I am using a VPN client at the end user side.
        I have three machines connected through the intranet: one having Windows Server 2008, a second having Windows Vista for the end user, and a third having the Certificate Server.
        Now what I want to do is, whenever any new certificate is created on the Certificate Server, I will update the certificate details inside the DB of my server, which is Windows Server 2008 (this does not have a Certificate Authority). I can do that. Now with these details I can create a managed card for the user.
        Now when I want to log in with this card, as it is not in the Certificate Store of the current user of my Windows Server 2008, it is showing me the message "This card cannot be used right now."

        As I am not having a Certificate Authority on Windows Server 2008, where my application resides, I can't have the client certificate here. I am just having the details in the DB.

        I want to ask you how to cope with this, and is it necessary to have that certificate in the Current User store on Windows Server 2008?

        I will be very, very thankful to you if you will help me in this.

    Thank you,
    Sanjay.
    Wednesday, February 11, 2009 8:37 PM

Answers

  • I believe that if you create the certificate request from the client machine, you will get the certificate with the private key.
    If not requesting from the client machine, when creating a certificate request you can enable the option to "mark keys as exportable".
    Install such a certificate. Then export the certificate with the private key via the MMC (certmgr.msc) in PFX format. You will choose the "export private key" option and also provide a password.
    Later you can copy the PFX file to the client machine and install it into the user's certificate store (just double-click it and follow the prompts).

    Friday, February 13, 2009 2:45 AM
    Moderator
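The check and export described in this answer, as an added example (not posted by anyone in the thread): it lists the certificates in the CurrentUser\My store, flags those that carry only a public key (the state that produces "This card cannot be used right now"), and exports the chosen one as a password-protected PFX. It assumes PowerShell 2.0 with the Cert: drive; the thumbprint and output path are operator-supplied assumptions.

```powershell
# Added example; not from the original thread.
# Assumes PowerShell 2.0 (Vista / Server 2008) and the Cert: provider.
param(
    [string] $Thumbprint,   # assumption: thumbprint of the certificate to export
    [string] $PfxPath = "$env:USERPROFILE\Desktop\client-cert.pfx"  # constructed path
)

# Step 1: inventory. A managed card backed by a certificate only works when the
# certificate in CurrentUser\My has its private key; a cert copied over as .cer
# carries the public key only and shows HasPrivateKey = False.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $state = if ($_.HasPrivateKey) { 'private key present' } else { 'PUBLIC KEY ONLY' }
    '{0}  {1}  {2}' -f $_.Thumbprint, $_.Subject, $state
}

if (-not $Thumbprint) { return }   # inventory only

# Step 2: export the selected certificate together with its private key.
$cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key here; request it again on the client, or with 'mark keys as exportable'."
}

# The PFX is protected with a password, as the answer describes.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
try {
    $pfxType = [Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $cert.Export($pfxType, $password)   # fails if the key was not marked exportable
} catch [Security.Cryptography.CryptographicException] {
    throw "Private key of $Thumbprint is not exportable; re-issue the certificate with exportable keys."
}
[IO.File]::WriteAllBytes($PfxPath, $bytes)
"Exported $Thumbprint to $PfxPath; import it into CurrentUser\My on the client machine."
```

After copying the PFX to the client, importing it into the current user's Personal store (double-click, or certutil -user -importpfx) gives the card the private key it needs; the file and its password should be deleted from the server once the import is confirmed.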

All replies

  • For a managed card backed by a certificate, the client certificate must be present in the CurrentUser store on the client machine (the end user's machine).
    Since you are trying to act as the client on the WS08 machine by testing card submit on that machine, you will need the cert there for your test purposes.
    Wednesday, February 11, 2009 9:31 PM
    Moderator
  • Hi Rakesh,

        I have two queries...

    1. You said:
        For a managed card backed by a certificate, the client certificate must be present in the CurrentUser store on the client machine (the end user's machine).

    So if there are two separate machines, one as server and the other as client, does that mean I have to send the client certificate to the client machine so that he/she can install it there?

    2. And here in my case the Certificate Server is another machine, so I thought that, as it is for test purposes, I would bring that certificate from there and add it to the CurrentUser store of the client machine from where the user is accessing that site. But here it's not coming with the private key.
        Now I have added it to the Current User store and the Local Computer store of the client machine. But I am still getting the message

    "This card cannot be used right now."

       Now how can I add the private key to the certificate if it's not bringing it along during the transfer?

    Please suggest.

    Thanks,
    Sanjay.
    Thursday, February 12, 2009 9:21 AM