Install Certificate (.cer) to target machine's trustedpublisher Failed

  • Question

  • I am attempting to use the following command to install a certificate on a client machine. This is the certificate I am signing a Silverlight XAP file with (exported as .cer without the private key).

    certmgr.exe -add .\DigiCert.cer -s -r localMachine trustedpublisher

    When I run this command, I get:

    Error: Failed to open the distantion Store
    CertMgr Failed

    The cert can be opened and installed using the wizard just fine; however, I'm trying to reduce the number of steps the end user has to take to use the Silverlight application, and the 5 or so steps the wizard has just add to their frustration.

    Wednesday, December 31, 2014 10:44 PM

Answers

  • Hello,

    With your provided .cer file, I created a VM to use the command to install it, and it also works, as my .cer file does, as expected:

    I am wondering if it is caused by the computer environment. If possible, please try installing the .cer file on other machines to see whether it works, since your .cer file installed successfully on my side.

    Regards.



    Tuesday, January 6, 2015 10:08 AM
    Moderator

All replies

  • Hello Jothay,

    As far as I know, CertMgr.exe can fail for localMachine because of User Account Control. Please try running this .exe again in an administrator role, or right-click the executable and select Properties. On the Compatibility tab, at the bottom, check "Run this program as an administrator". From then on, running CertMgr.exe for localMachine should bring up the UAC prompt. When you select "Continue" it should complete successfully.

    Regards.



    Friday, January 2, 2015 2:04 AM
    Moderator
  • I've been testing from an Admin cmd prompt and I have the run as admin checkbox set in properties.
    Friday, January 2, 2015 4:58 PM
  • bump
    Monday, January 5, 2015 5:36 AM
  • Hello,

    This is strange, because after running as administrator, on my side, the .cer file is successfully installed into Trusted Publisher as below:

    certmgr.exe -add D:\Makecert\Test20140605.cer -s -r localMachine trustedpublisher

    Not sure if this is related to the .cer file. Did you try replacing localMachine with currentUser to see if it works?

    Regards.



    Monday, January 5, 2015 9:35 AM
    Moderator
  • I've tried:

    localMachine trustedpublisher
    currentUser trustedpusher
    my trustedpusher
    my
    <blank>

    You are welcome to try the certificate install yourself:
    http://srocalendar.us/ClientBin/DigiCert.cer

    Monday, January 5, 2015 6:05 PM
  • As I wasn't making any headway with this, I just decided to make my own cert installer. For those who need it, you can use the following code to install a certificate. I hard-coded the name of the cert file and which store to put it in, which could easily be converted to parameters.

    namespace MyCompany.Cert
    {
        using System;
        using System.Diagnostics;
        using System.IO;
        using System.Security.Cryptography.X509Certificates;
        using System.Security.Principal;
    
        public class Program
        {
            enum ExitCode
            {
                Success = 0,
                UnauthorizedAccess = 1,
                FileNotFound = 2,
                UnknownError = 10,
            }
    
            static int Main(string[] args)
            {
                try
                {
                    // File.CreateText throws if C:\Temp does not exist, so make sure it does first
                    Directory.CreateDirectory(@"C:\Temp");
                    var tr1 = new TextWriterTraceListener(File.CreateText(@"C:\Temp\CertificateInstallLog.txt"));
                    Trace.Listeners.Add(tr1);
                    Trace.WriteLine("Checking for admin rights");
                    if (!IsUserAdministrator())
                    {
                        Trace.WriteLine("Failed to install certificate: Requires Administrator rights");
                        return (int)ExitCode.UnauthorizedAccess;
                    }
                    Trace.WriteLine("Have Admin rights, installing certificate");
                    // Load the certificate before touching the store so a missing file never
                    // leaves the machine store open
                    Trace.WriteLine("Adding Certificate from file");
                    var cert = GetCertificate();
                    Trace.WriteLine("Got certificate from file");
                    Trace.WriteLine("Create Store Reference: localMachine trustedPublisher");
                    var store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
                    try
                    {
                        // Opening the LocalMachine store read/write is the step that needs an elevated token
                        Trace.WriteLine("Opening Store: Read/Write");
                        store.Open(OpenFlags.ReadWrite);
                        store.Add(cert);
                    }
                    finally
                    {
                        // Close the store even if Open or Add throws
                        Trace.WriteLine("closing store");
                        store.Close();
                    }
                    Trace.WriteLine("Exiting");
                    Trace.Flush();
                    return (int)ExitCode.Success;
                }
                catch (FileNotFoundException)
                {
                    Trace.WriteLine("Failed to install certificate. File not found");
                    Trace.Flush();
                    return (int)ExitCode.FileNotFound;
                }
                catch (Exception ex)
                {
                    Trace.WriteLine("Failed to install certificate. " + ex.Message);
                    Trace.Flush();
                    return (int)ExitCode.UnknownError;
                }
            }
    
            public static X509Certificate2 GetCertificate()
            {
                // Try next to the executable first, then the install folder
                // (<someprogramfolder> is a placeholder for your own program folder)
                var candidates = new[]
                {
                    "DigiCert.cer",
                    @"C:\Program Files" +
                        (Directory.Exists(@"C:\Program Files (x86)") ? @" (x86)" : string.Empty) +
                        @"\<someprogramfolder>\DigiCert.cer"
                };
                foreach (var path in candidates)
                {
                    Trace.WriteLine("trying path '" + path + "'");
                    // The X509Certificate2(string) constructor reports a missing file as a
                    // CryptographicException, so check for the file explicitly; that is what
                    // makes the FileNotFound exit code in Main reachable
                    if (!File.Exists(path))
                    {
                        Trace.WriteLine("Path '" + path + "' not found");
                        continue;
                    }
                    return new X509Certificate2(path);
                }
                throw new FileNotFoundException("DigiCert.cer was not found in any of the expected locations");
            }
    
            /// <summary>Checks whether the current process runs with an administrator token.</summary>
            /// <returns>true if the (elevated) token is in the Administrators role, false if not.</returns>
            public static bool IsUserAdministrator()
            {
                var user = WindowsIdentity.GetCurrent();
                if (user == null)
                {
                    throw new InvalidOperationException("Could not determine windows identity");
                }
                // Under UAC an administrator running unelevated still gets false here:
                // the role check looks at the process token, not group membership
                var myPrincipal = new WindowsPrincipal(user);
                if (myPrincipal.IsInRole(WindowsBuiltInRole.Administrator)) { return true; }
                Trace.WriteLine("You need to run the application using the 'Run as Administrator' option");
                return false;
            }
        }
    }

    Don't forget to include an app.manifest that tells the program to always request admin rights:

    <?xml version="1.0" encoding="utf-8"?>
    <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <assemblyIdentity version="1.0.0.0" name="MyApplication.app" />
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
          <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
            <!-- UAC Manifest Options
                If you want to change the Windows User Account Control level replace the
                requestedExecutionLevel node with one of the following.
    
            <requestedExecutionLevel  level="asInvoker" uiAccess="false" />
            <requestedExecutionLevel  level="requireAdministrator" uiAccess="false" />
            <requestedExecutionLevel  level="highestAvailable" uiAccess="false" />
    
                Specifying requestedExecutionLevel node will disable file and registry virtualization.
                If you want to utilize File and Registry Virtualization for backward
                compatibility then delete the requestedExecutionLevel node.
            -->
            <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
          </requestedPrivileges>
          <applicationRequestMinimum>
            <defaultAssemblyRequest permissionSetReference="Custom" />
            <PermissionSet class="System.Security.PermissionSet" version="1" ID="Custom" SameSite="site" Unrestricted="true" />
          </applicationRequestMinimum>
        </security>
      </trustInfo>
      <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
        <application>
        </application>
      </compatibility>
    </asmv1:assembly>



    • Edited by Jothay Tuesday, January 6, 2015 1:13 AM
    Tuesday, January 6, 2015 1:12 AM
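    The same install done from Windows PowerShell, as an added example that is not part of this thread and not the installer posted above. It covers both the moderator's UAC point (the LocalMachine store only opens read/write from an elevated process, which is what certmgr's "Failed to open the destination Store" looks like) and the C# installer's job, and adds the checks a deployment script should make before widening what the machine trusts: the file must contain no private key, its thumbprint must match a value you pin (the mandatory parameter is yours to supply), the add is skipped when the certificate is already present, and the store is listed afterwards for the deployment log. It assumes only the built-in .NET X509Store classes and the Cert: drive that ship with Windows PowerShell; the default path .\DigiCert.cer is taken from the thread.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session:
#   .\Install-TrustedPublisher.ps1 -CerPath .\DigiCert.cer -ExpectedThumbprint <thumbprint you pinned>
param(
    [string]$CerPath = '.\DigiCert.cer',
    # Pin the SHA-1 thumbprint of the certificate you actually exported; supplied by you, no default
    [Parameter(Mandatory = $true)]
    [string]$ExpectedThumbprint
)

$ErrorActionPreference = 'Stop'

function Test-IsElevated {
    # Same check as WindowsPrincipal.IsInRole(Administrator) in C#: it looks at the process token,
    # so an administrator in an unelevated prompt gets $false here
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 1. The machine-wide store can only be opened read/write from an elevated process.
if (-not (Test-IsElevated)) {
    Write-Error 'LocalMachine\TrustedPublisher requires an elevated (Run as administrator) session.'
}

# 2. Load the file (Resolve-Path fails loudly if it is missing) and refuse anything unexpected.
$fullPath = (Resolve-Path $CerPath).Path
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $fullPath
if ($cert.HasPrivateKey) {
    Write-Error 'Refusing to import: the file carries a private key; export the public certificate only.'
}
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    Write-Error "Refusing to import: thumbprint $($cert.Thumbprint) does not match the pinned value."
}

# 3. Open the store the way the C# installer does, add only if absent, and always close it.
$store = New-Object Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', 'LocalMachine'
try {
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $existing = $store.Certificates.Find(
        [Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $cert.Thumbprint, $false)
    if ($existing.Count -gt 0) {
        Write-Output "Already present in LocalMachine\TrustedPublisher: $($cert.Subject)"
    } else {
        $store.Add($cert)
        Write-Output "Installed into LocalMachine\TrustedPublisher: $($cert.Subject) ($($cert.Thumbprint))"
    }
} finally {
    $store.Close()
}

# 4. Everything in TrustedPublisher is a signer the machine will trust without prompting,
#    so record the store's contents after the change.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object Thumbprint, Subject, NotAfter |
    Format-Table -AutoSize
```

    Pinning the thumbprint is the part worth keeping even if you drop the rest: it means a swapped or re-exported .cer in the install folder cannot silently become a trusted publisher on every client.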
  • Hello Jothay,

    Any update? I have marked my last reply as answer since I think it is helpful, if you think it provides no help, please unmark it.

    Thank you for your understanding and support.



    Friday, January 16, 2015 9:58 AM
    Moderator