DoctorDeploy.com - The independent forum for installation and software distribution
Certificates

Sébastien TROiANi
Posted: Tue, 28.Sep.2004, 16:33

Hello all,

I hope it is not mandatory to speak German here, because if so, I could no longer post here.

My question: is there a way with NetInstall 5.7SP2 to add an X509 certificate to the user's containers?
[The certificate concerned is used internally for a secure intranet web server and has been self-signed by us]

Regards

Stefan Brutscher
Posted: Wed, 29.Sep.2004, 09:30

No, not mandatory.

Didn't have experience with deploying certificates. Have you tested the spy functionality?

Stefan

Sébastien TROiANi
Posted: Thu, 30.Sep.2004, 15:16

I thought that certificate management was a very cryptic and hardened part of Windows - that's why I didn't use this way until now.

So I followed your suggestion and got some good results.

First of all, installing a new certificate will affect only the registry.
The concerned branch is:
Code:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates]

where a new key is created. The key's name is equal to the SHA1 fingerprint of the certificate.
Inside it, a value "blob" (REG_BINARY) containing encrypted information regarding the certificate itself is created.

Elsewhere, the key:
Code:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots]

is also affected by the process.
The REG_BINARY value "Certificates" is extended with data concerning the new certificate.
But it's not so simple: the ACL on this last key doesn't give the user the right to change the value ...
We need to change the ACL via the script "ChangeRegSecurity" by adding change rights for the current user.
After that, we can change the value of the key then roll back to the initial permissions.

We can make some remarks at this point:
- I didn't find a way to add only the current user (no % variables available in ChangeRegSecurity)
- adding a group of which the current user is a member can introduce a temporary security hole. Don't forget to roll back to the previous state
- changing the value "Certificates" on multiple PCs can probably destroy other certificates previously added ...
- the certificate itself does not appear in the user's certs container until the user goes to the secure Web server concerned by the added certificate.

Finally, the way I used is not so clean and can show several side effects ...
Thanks for your help.

torry
Posted: Mon, 04.Oct.2004, 11:21

Hi,

Take a look at "certmgr.exe" (Google.com)
I hope this is the tool you are looking for.

Torsten

Sébastien TROiANi
Posted: Wed, 06.Oct.2004, 13:44

Hello Torsten,

Many thanks for your help!

I found the mentioned tool in the .NET SDK and tested it.
After some time and research, I finally found the correct syntax.
Code:
certmgr.exe -add -c certfile.cer -s -r localMachine root

where:
-add adds the certificate to a store.
-c provides the input file containing the certificate.
-s tells it to use a system store.
-r localMachine is the target store (per machine or per user (-r currentUser)).
root is the name of the store ("root" for root certificates, "ca" for intermediate CA and "my" for personal certificates).

Of course, this is not a NetInstall feature but we can now use the execute() function in NI for running this script.

My question is now closed. Thanks.
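
Added example (not part of the thread and not NetInstall or certmgr code): after a deployment like the one above, this Python script computes the SHA-1 thumbprint that names the registry key described earlier in the thread, then checks the Root store branch for the deployed certificate and for entries outside a known baseline. The function names, the baseline list and the sample values are assumptions made for illustration; for a `-r localMachine` install, pass `HKEY_LOCAL_MACHINE` as the hive (assumed to hold the same branch).

```python
import base64
import hashlib
import re
import sys

# Branch named in the thread; each subkey under it is named after a SHA-1 thumbprint.
ROOT_CERTS_KEY = r"SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def thumbprint(cert_bytes):
    """SHA-1 of the DER encoding in upper-case hex; accepts DER or PEM input."""
    pem = _PEM.search(cert_bytes)
    if pem:  # Base64 (PEM) export: hash the decoded DER, not the text
        cert_bytes = base64.b64decode(pem.group(1))
    return hashlib.sha1(cert_bytes).hexdigest().upper()


def store_key_names(hive="HKEY_CURRENT_USER"):
    """Subkey names of the Root store branch (Windows only, read-only access)."""
    import winreg
    with winreg.OpenKey(getattr(winreg, hive), ROOT_CERTS_KEY) as key:
        return [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]


def audit(found, expected, baseline=()):
    """Report whether the deployed root is present and which roots are unknown."""
    found = {name.upper() for name in found}
    known = {name.upper() for name in baseline} | {expected.upper()}
    return {"deployed": expected.upper() in found,
            "unexpected": sorted(found - known)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to the deployed file, e.g. certfile.cer
        with open(sys.argv[1], "rb") as fh:
            expected = thumbprint(fh.read())
    else:  # constructed stand-in bytes, not a real certificate
        expected = thumbprint(b"constructed stand-in for certfile.cer")
    if sys.platform == "win32":
        found = store_key_names()
    else:  # constructed key names standing in for a registry export
        found = [expected, "AB" * 20]
    print(expected, audit(found, expected))
```

Any thumbprint reported under "unexpected" is a trusted root that neither the deployment nor the baseline accounts for and is worth reviewing.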
All times are GMT + 1 Hour