Microsoft KB Archive/194889

= Sgcinst.exe is Available for Download =

Article ID: 194889

Article Last Modified on 6/23/2005

-

APPLIES TO


 * Microsoft Internet Information Server 3.0
 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q194889



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
Sgcinst.exe is a command-line tool that is used when installing Server Gated Cryptography certificates into Microsoft Internet Information Server (IIS). Sgcinst.exe converts vendors' Server-Gated Cryptography certificates into a format that can be imported into IIS.

Sgcinst.exe is available at the following Internet location:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/misc/sgcinst/



MORE INFORMATION
Installing an SGC Certificate with current versions of IIS may require a two step process. Verisign and other Certificate Authorities (CAs) currently issuing server identification Certificates return the server Certificate as a base-64 encoded x.509v3 Certificate. The released version of IIS Key Manager is designed to accept these and install them for IIS use.

To more effectively control issuance of the SGC Certificates, Verisign has created an intermediate, or issuing, CA for SGC Certificates. This requires a Certificate chain be returned to the IIS computer. This chain includes both the SGC server Certificate and the intermediate CA Certificate in a base-64 encoded PKCS-7 data structure. With current IIS releases, this must be pre-processed prior to installing the SGC server Certificate using IIS Key Manager.

The program Sgcinst.exe performs the required pre-processing. It accepts a base-64 encoded PKCS-7 data structure, installs the intermediate CA Certificate, and creates a base-64 encoded x.509v3 Certificate file containing only the SGC server Certificate. This output file may then be loaded for IIS using Key Manager.

The process for installing an SGC server Certificate from Verisign, or other CA returning a PKCS-7 Certificate chain, is as follows:

 Retrieve the PKCS-7 Certificate chain from the CA and save it to a temporary folder on the IIS computer. It is recommended this be saved with a .pk7 extension.  Run the Sgcinst.exe program with the PKCS-7 Certificate chain file as the inputfile and a filename to hold the base-64 encoded x.509v3 SGC server Certificate as the outputfile.

To do this, open a Command Prompt window on the Windows NT server computer, go to the folder containing the Certificate files, and then enter the following command:

     sgcinst inputfile -i -o outputfile

where:

     inputfile  = file containing the base-64 encoded PKCS-7 Certificate chain outputfile = file which will hold the base-64 encoded x.509v3 SGC server Certificate

If the CA Certificate chain had been saved to a file named Sgccert.pk7, then the SGCINST command would be:

     sgcinst sgccert.pk7 -i -o sgccert.cer

If the inputfile is not a properly formatted base-64 encoded PKCS-7, the program will return the following error message:

Error in reading input file: inputfile

 Install the base-64 encoded x.509v3 SGC server Certificate using the IIS Key Manager. See your IIS documentation if you need assistance with this operation.

For more information on the Server Gated Cryptography (SGC), please go to the following Microsoft web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnmag00/html/websecureside.asp

Additional query words: schannel.dll crypto

Keywords: kbinfo KB194889

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.