X509Certificate2 question

  • Question

  • Hi Guys,
    I am developing a WPF (xbap) application which is of the full trusted app type. I have created a certificate using makecert.exe, provided by the SDK, that has to be installed on the client machine (into the certificate store - StoreName.Root, StoreName.My, StoreName.TrustedPublisher). For the purposes of the installation I have created a console application (.exe) that will help the user to download the certificate file and to install it on the client machine. The whole program runs without any problems under Windows XP, but under Vista the certificate is not installed into the StoreName.Root. After a lot of research I have found out that Vista has a requirement that the user insert the physical path of the StoreName.Root.
    My question is if there is any possibility to make a program or anything that will do the whole described process above automatically and prevent the user from doing the whole installation himself.
    I will appreciate any help on this.

    Down below I am listing the program I have created.

    Thank you in advance!

    using System;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    namespace CertficateInstaller
    {
        class CertficateInstaller
        {
            static void Main(string[] args)
            {
                WebClient webClient = new WebClient();
                // Credentials are hard-coded and sent over plain HTTP, so anyone on the
                // network path can read them along with the downloaded file.
                webClient.Credentials = new System.Net.NetworkCredential("koko", "qazawax");

                // This fetches the .pfx, which carries the private signing key and not
                // only the public certificate.
                byte[] certBytes = webClient.DownloadData("http://servername/WebIndesignEditor.pfx");

                if (certBytes.Length > 0)
                {
                    Console.WriteLine("Start....");
                    createCert(StoreName.TrustedPublisher, certBytes);
                    createCert(StoreName.Root, certBytes);
                    createCert(StoreName.My, certBytes);
                    Console.WriteLine("Success....");
                }
                else
                {
                    Console.WriteLine("Problem downloading certificate");
                    Console.ReadLine();
                }
            }

            // Adds the downloaded certificate to the given store of the current user.
            private static void createCert(StoreName storageName, byte[] certBytes)
            {
                X509Store store = new X509Store(storageName, StoreLocation.CurrentUser);
                store.Open(OpenFlags.MaxAllowed);
                store.Add(new X509Certificate2(certBytes));
                store.Close();
            }
        }
    }


    Wednesday, April 23, 2008 6:30 PM

Answers

  • Ah there we go.  Your test certificate does exactly what you describe on Vista RTM for me... so the problem is something specific about your cert.  A quick internet search reveals others having Vista-specific .p12 issues.

    UPDATED:

    I have since learned why this is happening, although the root cause of the problem you're seeing may still be a bug.  To get this code to work correctly on Vista, you need to NOT use a .pfx / .p12 / .pwhatever file.  This actually contains the private signing key that you originally used to sign your apps.

    Instead, you should use purely the certificate file that can be derived from your .p12 file.  The easiest way I've found to handle this extraction is directly from the Windows certificate manager itself (certmgr.msc).  Simply right-click on your certificate in a store, select "All Tasks / Export", and make sure not to export the private key.  Choose the default .cer option.

    With the .cer file derived from your .p12, I was able to programmatically add your certificate to my Vista machine without any code changes (other than the file to be loaded).

    Hope this helps,

    -Matt

    Thursday, April 24, 2008 6:33 PM
  • Yes, the whole reason to only distribute the .cer to your customers is BECAUSE it doesn't contain that private key.

    So, you should keep both the .p12/.pfx file around, AND the .cer.  Keep the .p12/.pfx tightly guarded, and/or set a strong password on it.  DO NOT send it to your customers.

    Sign your apps with your .p12 file.  Tell your customers to install the .cer if they need to run your app elevated.

    Let me know if this is still unclear...

    -Matt

    Friday, May 2, 2008 6:07 PM

All replies

  • I tried your code snippet on XP, Vista RTM, and Vista SP1, and had no problem getting the certificates installed correctly (with my own certificate).  Make sure that you're running the console app as administrator (as it may not automatically elevate).  The dialog that comes up for adding to the Root store is unavoidable.  One other possibility is you might have a malformed .pfx file, so you might also try generating a test certificate with Visual Studio to see if the issue is your certificate.

    HTH,

    Matt

    Wednesday, April 23, 2008 8:08 PM
  • Thanks for your quick answer Matt,

    I am listing the way we made the certificate:

    1. makecert -r -n "CN=SomeName" -b 20/12/2004 -e 01/01/2099   -sv SomeName.pvk SomeName.cer
    2. cert2spc SomeName.cer SomeName.spc
    3. pvkimprt -pfx SomeName.spc SomeName.pvk

    or you can directly download: Certificate-download,

    so would you please make a test with it? I tried to use a certificate generated by Visual Studio 2008 but the result is the same. Did I miss something?

    Thursday, April 24, 2008 6:11 AM
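    The .cer derivation Matt describes in his answer (see the Answers section above), applied to the kind of .pfx that the makecert / cert2spc / pvkimprt steps produce, as an added C# example. It is not code from the original poster, from Matt, or from this thread: it loads a .pfx, exports only the certificate part (what certmgr.msc's "export without the private key" gives you), checks that the result carries no private key, and only then adds it to the CurrentUser stores. Assumptions: .NET Framework 4.7.2 or later (or .NET Core 2.0+) for CertificateRequest and RSA.Create(int), which are used only to build a throwaway self-signed certificate so the sample runs offline in place of the real publisher .pfx; the "--install" switch, the sample password, the subject name and the store list are this example's own choices.

```csharp
// Added example, not code from the thread: derive a public-only .cer from a .pfx and
// install that, never the .pfx itself. Needs .NET Framework 4.7.2+ or .NET Core 2.0+.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CerFromPfx
{
    // Returns only the certificate (DER, public material), the same thing certmgr.msc
    // produces when exporting without the private key; the key never leaves this process.
    public static byte[] ExtractPublicCertificate(byte[] pfxBytes, string pfxPassword)
    {
        using (var withKey = new X509Certificate2(pfxBytes, pfxPassword, X509KeyStorageFlags.Exportable))
        {
            return withKey.Export(X509ContentType.Cert);
        }
    }

    // Adds the certificate to a CurrentUser store, skipping it when already present.
    // ReadWrite (instead of MaxAllowed) throws if the store cannot be written to,
    // rather than silently opening read-only and then failing on Add.
    public static bool InstallIfMissing(byte[] cerBytes, StoreName storeName)
    {
        using (var cert = new X509Certificate2(cerBytes))
        using (var store = new X509Store(storeName, StoreLocation.CurrentUser))
        {
            if (cert.HasPrivateKey)
                throw new InvalidOperationException("Refusing to install a certificate that carries a private key.");

            store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
            var existing = store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
            if (existing.Count > 0)
                return false;        // already installed, nothing to do
            store.Add(cert);         // for Root, Windows still shows its consent prompt here
            return true;
        }
    }

    static void Main(string[] args)
    {
        // Constructed input (assumption): a throwaway self-signed certificate standing in
        // for the publisher's real makecert-generated .pfx. The password is a sample value.
        const string pfxPassword = "example-only";
        byte[] pfxBytes;
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=ExamplePublisher", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var selfSigned = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1)))
            {
                pfxBytes = selfSigned.Export(X509ContentType.Pfx, pfxPassword);
            }
        }

        byte[] cerBytes = ExtractPublicCertificate(pfxBytes, pfxPassword);
        using (var check = new X509Certificate2(cerBytes))
        {
            // HasPrivateKey is false here: the .cer is safe to hand to customers.
            Console.WriteLine($"Derived .cer: {check.Subject}, HasPrivateKey={check.HasPrivateKey}, thumbprint {check.Thumbprint}");
        }

        // Only touch the certificate stores when explicitly asked to.
        if (args.Contains("--install"))
        {
            foreach (var name in new[] { StoreName.TrustedPublisher, StoreName.Root })
                Console.WriteLine($"{name}: {(InstallIfMissing(cerBytes, name) ? "added" : "already present")}");
        }
        else
        {
            Console.WriteLine("Run with --install to add the .cer to the CurrentUser TrustedPublisher and Root stores.");
        }
    }
}
```

    Without "--install" the program only derives and describes the .cer; with it, the certificate is added to the two CurrentUser stores named in the code, and, as Matt notes, the Root store addition still raises the Windows consent prompt that the program cannot suppress. The HasPrivateKey guard in InstallIfMissing is the check that would have caught the original mistake of shipping the .pfx to clients.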
  • Thanks again Matt,

    I tried your suggestion but the problem now is that I can not assign this new certificate (.cer) to my WPF project because it does not contain any private key. Is it possible to create a .cer certificate with a private key?

    Thanks in advance :)
    Friday, April 25, 2008 9:42 AM
  • Yes Vista makes me crazy too .. I have the exact same problem installing the certificate... what luck I found that thread....
    Friday, April 25, 2008 10:57 AM
  • So any ideas and suggestions about this issue? :)
    Tuesday, April 29, 2008 10:22 AM
  • Matt... I ♥ you
    I hope I won't have more problems with this anymore
    10x buddy
    Wednesday, May 7, 2008 1:37 PM
  • Hi Matt,
    I thought that I fixed the problem because everything was working fine on Vista Home Premium, but when I tried to install the cert on Vista Business edition the initial problem is still there - the certificate (SomeName.cer that we created on step 1 with makecert.exe) that is sent to the client is not installed in the Trusted Root Certification Authorities store. What do you think about this kind of behaviour?
    Thursday, May 8, 2008 1:11 PM
  • No idea.  Are you adding the cer to the store manually or with code?  And if with code, can you try manually?  (there may be some security differences between Business / Home, but none I can think of affecting this scenario...)

    -Matt

    Friday, May 9, 2008 5:14 PM
  • Both with code and manually - the problem still occurs

    Saturday, May 10, 2008 12:59 PM
  • Thanks for the info, I'll try setting up a Vista Business box some time this week to see if I can repro the problem myself and file a bug if so...

    Tuesday, May 13, 2008 7:22 PM
  • Man, did I tell you that I love you? Matt, you're a luxurious man... Thanks in advance... I really hope that I got some virus or something on my Vista and that's causing the problem.... And don't forget to tell me what happened
    Wednesday, May 14, 2008 12:14 PM
  • Hey Matt :) I hope I'm not too irritating, but is there any progress on the crazy Vista problem? :) Sorry about asking again, but I'm really dispirited :)
    Friday, May 30, 2008 7:02 AM