CertificateStores.findAllAsync returns incomplete installed certificate

    Question

  • I am using this call in my app to install a client certificate.

    var Certs = Windows.Security.Cryptography.Certificates;
    Certs.CertificateEnrollmentManager.importPfxDataAsync(
      pfx,                                 // base64-encoded PFX data
      "xxxxxx",                            // PFX password (redacted)
      Certs.ExportOption.notExportable,
      Certs.KeyProtectionLevel.noConsent,
      Certs.InstallOptions.none,
      "MYCERT"                             // friendly name used to look the certificate up later
    );

    I have had the problem once now that a user managed to close the app before the certificate installation was finished. Then, unexpectedly, when the app was launched again, the call to

    var certQuery = new Windows.Security.Cryptography.Certificates.CertificateQuery();
    certQuery.friendlyName = "MYCERT";
    Windows.Security.Cryptography.Certificates.CertificateStores.findAllAsync(certQuery);

    returned the certificate. However, using it with HttpClient always resulted in an "An Error Occurred in the Secure Channel Support" error. Reinstalling the app solved the problem. I wonder why findAllAsync can return a certificate that is not completely installed?
    Monday, March 16, 2015 1:36 PM
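    One way to guard against the situation described in the question, as an added example that is not code from the thread nor Microsoft sample code: validate what CertificateStores.findAllAsync returns before handing it to HttpClient, delete entries that fail the check, and re-import the PFX when nothing usable is left. The WinRT calls follow the Windows 8.1 JavaScript projection; it assumes CertificateStores.getStoreByName("MY") returns the app's own store and that CertificateStore.delete(cert) removes an entry. FRIENDLY_NAME, the PFX data, the password and the sample store contents are placeholders or constructed values.

```javascript
// Added example (not from the thread, not Microsoft sample code): check what
// CertificateStores.findAllAsync hands back before trusting it, and recover by
// deleting stale entries and re-importing the PFX. The WinRT calls follow the
// Windows 8.1 JavaScript projection; FRIENDLY_NAME, the PFX data and the
// password are placeholders.

var FRIENDLY_NAME = "MYCERT";

// Pure check that runs outside WinRT too: a client certificate is only worth
// handing to HttpClient if it still has its private key and is currently valid.
function isUsableClientCert(cert, now) {
  if (!cert || cert.hasPrivateKey !== true) {
    return false;
  }
  if (!(cert.validFrom instanceof Date) || !(cert.validTo instanceof Date)) {
    return false;
  }
  return cert.validFrom <= now && now <= cert.validTo;
}

// Split a findAllAsync result (array-like; IVectorView projects that way in JS)
// into the certificate to use (the most recently issued usable one) and the
// entries to delete before re-importing.
function triageStoredCerts(certs, now) {
  var usable = [];
  var stale = [];
  for (var i = 0; i < certs.length; i++) {
    (isUsableClientCert(certs[i], now) ? usable : stale).push(certs[i]);
  }
  usable.sort(function (a, b) { return b.validFrom - a.validFrom; });
  return { chosen: usable.length ? usable[0] : null, stale: stale };
}

// Constructed sample of what a query might return after an interrupted
// install: one entry without a private key, one expired, one good.
var SAMPLE_NOW = new Date("2015-03-16T13:36:00Z");
var SAMPLE_STORE = [
  { friendlyName: FRIENDLY_NAME, hasPrivateKey: false,
    validFrom: new Date("2015-01-01T00:00:00Z"), validTo: new Date("2016-01-01T00:00:00Z") },
  { friendlyName: FRIENDLY_NAME, hasPrivateKey: true,
    validFrom: new Date("2013-01-01T00:00:00Z"), validTo: new Date("2014-01-01T00:00:00Z") },
  { friendlyName: FRIENDLY_NAME, hasPrivateKey: true,
    validFrom: new Date("2015-01-01T00:00:00Z"), validTo: new Date("2016-01-01T00:00:00Z") }
];

function demoTriage() {
  return triageStoredCerts(SAMPLE_STORE, SAMPLE_NOW);
}

// WinRT orchestration; only callable inside a Windows app (Windows global present).
// Assumption: CertificateStores.getStoreByName("MY") returns the app's own store
// and CertificateStore.delete(cert) removes an entry (Windows 8.1 API surface).
function recoverClientCert(pfxBase64, pfxPassword) {
  var Certs = Windows.Security.Cryptography.Certificates;
  var query = new Certs.CertificateQuery();
  query.friendlyName = FRIENDLY_NAME;

  function importAndRequery() {
    return Certs.CertificateEnrollmentManager.importPfxDataAsync(
      pfxBase64, pfxPassword,
      Certs.ExportOption.notExportable,
      Certs.KeyProtectionLevel.noConsent,
      Certs.InstallOptions.none,
      FRIENDLY_NAME
    ).then(function () {
      // Re-query instead of trusting the import: the object handed to
      // HttpClient should come from the store as it is now.
      return Certs.CertificateStores.findAllAsync(query);
    }).then(function (found) {
      return triageStoredCerts(found, new Date()).chosen;
    });
  }

  return Certs.CertificateStores.findAllAsync(query).then(function (found) {
    var plan = triageStoredCerts(found, new Date());
    var store = Certs.CertificateStores.getStoreByName("MY");
    plan.stale.forEach(function (c) { store.delete(c); });
    return plan.chosen || importAndRequery();
  });
}
```

    The checks only cover what the Certificate object exposes, so a half-written private key blob may still pass isUsableClientCert. If the HttpClient request then fails with the secure-channel error, delete plan.chosen through the same store call and run recoverClientCert once more; that bounds the damage from an interrupted install to one extra import rather than a reinstall of the app.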

All replies

  • It's a corrupted install of a certificate. These things happen.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Monday, March 16, 2015 7:20 PM
    Moderator
  • Really, this can happen anytime? What is the recommended recovery strategy from MSFT in such a case? How do I even detect a corrupt cert install? Shouldn't such a vital thing be handled as an atomic operation?
    Monday, March 16, 2015 7:37 PM
  • Let me ask you:  what would your ideal answer for this question be? 

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Wednesday, March 18, 2015 2:43 PM
    Moderator
  • Matt, I don't understand your reply. It's not a minor issue, don't you think? It renders the whole app non-working if the certificate store is corrupted. If that is known to happen, then this is a bug. Since there is nothing the app developer can do to prevent this (the user closing the app while the certificate store is being updated), I think MSFT has to step up and consider this a bug to be fixed.
    I can think of two ways, without knowing the internals of how this is implemented:

    1. importPfxDataAsync marks the certificate as "stored" only at the end of the insertion operation, when it has validated that the certificate has been written to the store correctly.

    2. Save the certificate out-of-process like a BackgroundFileTransfer.

    In the current situation, what are the ways to fix/repair a corrupt cert store? Is reinstalling the app the only solution? Why isn't the certificate validated in some way before it's returned from the (corrupt) cert store?

    As for your question: One answer could have been to answer any of my questions or "I'll forward that to the product team" or "please file a bug report".

    Such obstacles will not help to convince programmers to develop (LOB) Windows Apps if "these things just happen". I appreciate the help you guys offer here. I want to develop Windows (LOB) Apps and I know I am pushing the platform to its limits sometimes. But this is basic behaviour that should just work rock-solid.

    Wednesday, March 18, 2015 8:07 PM
  • Phil -  It's a bug, and I do appreciate your feedback.  However, this is just a simple interrupted disk write with a simple workaround/recovery.  I don't have any better answers than "sorry, this happens."  I guess we didn't anticipate that someone would kill the process while doing this, and hopefully, most users won't run into this.  I will file a bug on this issue.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Thursday, March 19, 2015 1:26 PM
    Moderator
  • Matt, appreciate it. What's the "simple workaround/recovery"?
    Thursday, March 19, 2015 1:51 PM
  • Delete the certificate and/or reinstall the app.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Thursday, March 19, 2015 2:07 PM
    Moderator
  • Delete the certificate from within the app? Because the user cannot delete certificates in the app's cert store, IIRC.
    Thursday, March 19, 2015 2:38 PM
  • I meant you could delete the certificate from the certificate manager.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Friday, March 20, 2015 1:31 PM
    Moderator
  • I am sorry, Matt. Does the Cert Manager show per-app certs? I was under the impression they are saved in the app's local store (AC?) and certmgr does not show them. In which store are they visible?

    Friday, March 20, 2015 1:42 PM
  • I didn't think of this, but you could always navigate directly to the folder and delete it there. It's not optimal but it should work.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Friday, March 20, 2015 4:03 PM
    Moderator