PrimalScript 2009 and Private Key Usage

johnvi
Posts: 3
Joined: Tue Nov 30, 2010 10:01 pm

Post by johnvi » Tue Nov 30, 2010 10:01 pm

Greetings,

Did a quick search, so hopefully I'm not bringing up an old topic.

I have seen when using PrimalScript 09 with Entrust (Entrust is a technology used for PKI) some odd things happen. The short version is that PrimalScript does not look at MSCAPI, the KeyStore, but rather only looks for a *.PFX file, the PRIVATE key portion of a person's keypair. The problem is that this is causing a lot of problems among script writers here.

My question is: will PrimalScript ever get more developed in terms of the security portion of the product? Instead of only allowing the use of a PFX file, why not have it interface with the key store? The result is that a person can use a more secure method to sign scripts, i.e. CAC/RSA token, etc.

Alexander Riedel
Posts: 6837
Joined: Tue May 29, 2007 4:43 pm

Post by Alexander Riedel » Wed Dec 01, 2010 12:57 am

We have changed PrimalScript a few years back to use PFX files exclusively because the KeyStore interface broke with every other service update from Microsoft and was generally too unreliable. There are also severe limitations because of Microsoft's redistribution policies.

Until today we have never received any reports on problems with PFX files, so if you could elaborate on what the oddities are, we can certainly visit the topic in more detail.
Alexander Riedel
SAPIEN Technologies, Inc.

Post by johnvi » Fri Feb 18, 2011 12:16 am

Well,

When a system has Entrust Security Provider on it, ESP (Entrust) controls the Keystore. With this, any calls being made to the cert (in this scenario the Entrust CSP cert) go through ESP. When this happens, the Entrust client prompts for the creation of a profile, since it sees a PFX file it is there to control. Every time, the EPF file ends up being deleted (behavior of ESP), and with it the cert (as the EPF file in Entrust populates MS CAPI). So we get into a redundant circle of the file being deleted, and not being able to sign code.

What Entrust suggested is that the program have a way to interface with CAPI instead of just looking at a certificate. More of an integration with the keystore than being restricted to looking for only a certificate.

Hope this makes sense, sorry if I got too into the weeds with Entrust.

Post by Alexander Riedel » Fri Feb 18, 2011 4:12 am

Many of our customers need to use multiple certificates for different clients that cannot and MUST NOT be added to their local certificate store. My suggestion would be to tell Entrust they need a way to tell them there are certificates they should leave alone.
Alternatively you can always add a specific signing command to the tools pane and sign your scripts using an external signing tool that works with this additional layer.

Alexander Riedel
SAPIEN Technologies, Inc.
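
One way to do the external signing step suggested in the reply above, as an added example that is not part of the original thread and is not SAPIEN's or Entrust's code: a PowerShell script that signs with a certificate taken from the Windows certificate store, so the private-key operation goes through the certificate's CSP rather than a PFX file. The parameter names are hypothetical, and it assumes the code-signing certificate is visible in the current user's Personal store.

```powershell
# Added example: sign a script with a certificate from the Windows certificate
# store instead of a PFX file. Parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$ScriptPath,
    # Thumbprint of the certificate to use. If omitted, the valid code-signing
    # certificate that expires last is chosen.
    [string]$Thumbprint,
    # Optional timestamp service URL (site-specific, no default assumed).
    [string]$TimestampServer
)

$ErrorActionPreference = 'Stop'
$now = Get-Date

# -CodeSigningCert limits the listing to certificates valid for code signing.
# Also require a linked private key and a current validity period.
$candidates = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now }

if ($Thumbprint) {
    # Thumbprints copied from the certificate dialog often contain spaces.
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $candidates = $candidates | Where-Object { $_.Thumbprint -eq $wanted }
}

$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No valid code-signing certificate with a private key in Cert:\CurrentUser\My."
}

$signArgs = @{ FilePath = $ScriptPath; Certificate = $cert; HashAlgorithm = 'SHA256' }
if ($TimestampServer) { $signArgs.TimestampServer = $TimestampServer }

# The CSP performs the private-key operation here; a smart card or token
# may prompt for its PIN at this point.
Set-AuthenticodeSignature @signArgs | Out-Null

# Re-read the signature from disk rather than trusting the signing call alone.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -ne 'Valid') {
    throw "Signature status is '$($check.Status)': $($check.StatusMessage)"
}
"Signed $ScriptPath with $($cert.Subject) [$($cert.Thumbprint)]"
```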

Post by johnvi » Sun Feb 27, 2011 11:02 pm

Okay then.

I think what we will end up doing is to create a cert within Entrust and use Microsoft Strong as the CSP type. This should eliminate Entrust from touching the cert.