How to add an X509Certificate2 to an X509Store

  • Question

  • The following code throws no exceptions, but it does not add the certificate.

    StorePermission sp = new StorePermission(PermissionState.Unrestricted);
    sp.Flags = StorePermissionFlags.OpenStore;
    sp.Assert(); // This should not be necessary, run with full trust. As Admin even.

    var store = new X509Store(StoreName.TrustedPublisher, StoreLocation.CurrentUser); //.LocalMachine);
    store.Open(OpenFlags.ReadWrite);
    foreach (var cert in store.Certificates)
    {
        ConsoleLine("\nCERT " + cert.Subject + "##" + cert.GetIssuerName() + "##" + cert.GetSerialNumberString());
    }

    var scsq = new X509Certificate2(Path.Combine(SDetPath, "SCSQ.cer"),
        (string)null, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.UserKeySet); // Added flags later for good luck.
    ConsoleLine(" Cert " + scsq.Subject); // Good

    store.Certificates.Add(scsq);
    foreach (var cert in store.Certificates)
        ConsoleLine("\nCERTNEW " + cert.Subject + "##" + cert.GetIssuerName() + "##" + cert.GetSerialNumberString());

    // Not added.

    The context is that this is running in an installer of an Excel Add-In, and so I want Excel to trust it.  It is run as a command line .exe.  For testing I also run as Admin without success.

    I suspect that the problem is (meaningless) security reasons (given that my code is already running).  If so, then how does one use certUtil to see and add to the trusted publisher store?  

       certutil -addstore trustedpublisher scsq.cer

    says that it works but does not add the cert.  It also does not seem to be able to list the trustedpublisher store.

    certmgr can add to the store (no Admin rights required).  And then Excel trusts the cert.  But do I really need to resort to poking characters to a GUI to get this done?!

    I might add that I also happen to have the private key in a p12 cert.  It appears in certmgr under "personal".  (the scsq.cer file does not and should not have a private key.)  But I do not think that is the issue as the certmgr seems to keep them nicely distinct even if the easy-to-use UI terminology is confusing.

    (Generally this is (relatively) so easy with Java or OpenSSL.  There is a keystore and a truststore.  They are just files.  In a place you know where to find them.  You access them by explicit file name.  Simple utilities add and remove entries.  You can see easily what is in them.  The systems do not try to second guess what you want, secretly split things up, hide things in ApplicationData or the Registry etc.   No pretty GUIs, just scriptable command lines or APIs that (mostly) work.)

    Thanks,

    Anthony

    Tuesday, November 5, 2013 7:08 AM

Answers

  • Hi Anthony,

    I made some changes to your code, tested it, and it works fine. I could find the cert in my MMC Certificates. I did not run the application as Administrator and it succeeded. Here is the code, please try it again and let me know the result.

    static void Main(string[] args)
    {
        var store = new X509Store(StoreName.TrustedPublisher, StoreLocation.CurrentUser); //.LocalMachine);
        store.Open(OpenFlags.ReadWrite);

        // X509Store.Add writes the certificate into the physical store.
        store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile("e:\\TestCert.cer")));
        store.Close();

        Console.WriteLine("success");
        Console.Read();
    }

    Best Regards,


    Wednesday, November 6, 2013 2:51 AM
    Moderator

All replies

  • Thank you very much, I have wasted hours on this.  Had given up on .net and was calling certutil, which is awful.

    Going through it, the key line is 

      Store.Add

    vs 

      Store.Certificates.Add

    I had used the latter, following several examples on the net.  Wrong.  Store.Certificates is a temporary cache, not the actual store.   And the Store.Certificates property refreshes the store every time it is queried, which is why it was not even added to the list of certificates that I had displayed after the Add.

    A big warning should be added to the docs about this unusual behaviour (but won't be).  Buried in all my other theories as to what might be wrong (permissions, flush required, flags and attributes etc.) this was hard to find.

    Regards,

    Anthony


    Wednesday, November 6, 2013 5:25 AM
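The following console program is an added example (it is not code from the thread or from Microsoft) that puts the answer and the follow-up side by side: it adds a certificate to the detached `store.Certificates` collection and shows that the store is unchanged, then adds it with `X509Store.Add` and shows that it is persisted, and finally removes it again. It assumes a public-key-only `.cer` file path is passed as the only command-line argument and that the certificate is a throwaway one, since the demo deletes it at the end. `IsInStore` is a helper written for this example; it re-reads the store on every call, which is exactly the behaviour the follow-up describes.

```csharp
// Added example, not from the original thread. Demonstrates why
// store.Certificates.Add does not persist while store.Add does.
// Assumes: args[0] is a path to a DER or PEM .cer without a private key.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

static class TrustedPublisherDemo
{
    // Helper for this example: true if a certificate with this thumbprint is
    // in the store right now. Each read of store.Certificates rebuilds the
    // collection from the physical store, so this is always a fresh view.
    static bool IsInStore(X509Store store, string thumbprint)
    {
        var found = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return found.Count > 0;
    }

    static void Main(string[] args)
    {
        if (args.Length != 1 || !File.Exists(args[0]))
        {
            Console.Error.WriteLine("usage: TrustedPublisherDemo <path-to-cer>");
            Environment.Exit(2);
        }

        // No key storage flags: a .cer carries only the public certificate.
        var cert = new X509Certificate2(args[0]);
        Console.WriteLine("Subject:    {0}", cert.Subject);
        Console.WriteLine("Thumbprint: {0}", cert.Thumbprint);

        // CurrentUser is the store a per-user installer can write without
        // elevation and the one Office consults for the current user.
        var store = new X509Store(StoreName.TrustedPublisher, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            // 1. The mistake from the question: Certificates is a detached
            //    copy, so adding to it never touches the store.
            X509Certificate2Collection snapshot = store.Certificates;
            snapshot.Add(cert);
            Console.WriteLine("After snapshot.Add:  in store = {0}",
                IsInStore(store, cert.Thumbprint));

            // 2. The fix from the answer: X509Store.Add writes through to
            //    the underlying system store.
            store.Add(cert);
            Console.WriteLine("After store.Add:     in store = {0}",
                IsInStore(store, cert.Thumbprint));

            // 3. Cleanup so the demo leaves no trust decision behind.
            store.Remove(cert);
            Console.WriteLine("After store.Remove:  in store = {0}",
                IsInStore(store, cert.Thumbprint));
        }
        finally
        {
            store.Close();
        }
    }
}
```

Run it as `TrustedPublisherDemo.exe scsq.cer`; the first check reports the certificate absent, the second present, and the third absent again, which matches the thread's finding that only `X509Store.Add` persists. For the certutil side of the question: certutil operates on the LocalMachine stores unless told otherwise, so `certutil -user -store TrustedPublisher` lists the CurrentUser store that this program writes to, and `certutil -user -addstore TrustedPublisher scsq.cer` adds to it without elevation.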