Adding to Trusted Root Certification Authorities Programmatically

  • Question

  • My WCF client-server application is now working correctly, using wsHttp binding and X509 certificates on the client and server, both signed by my own Self-signed RootCA.

    This level of security is good enough for my purposes - but I've noticed that the application only works correctly if the RootCA is in Trusted Root Certification Authorities within the Certificate Store. This would be fine if I were manually adding the certificates to every client - but as I'd like to distribute the application online, that is not suitable.

    Seemingly I can only get my RootCA into the Intermediate Certification Authorities store programmatically, using the following code.

        ' Needs Imports System.IO and Imports System.Security.Cryptography.X509Certificates at the top of the file
        Private Sub AddRootCA_Click(sender As Object, e As EventArgs) Handles AddRootCA.Click

            Dim UseStoreLoc As StoreLocation
            UseStoreLoc = StoreLocation.CurrentUser

            Dim TempFolderPath As String = Path.GetTempPath & "SBR2015setup\"

            If Directory.Exists(TempFolderPath) Then
                ' Already exists
            Else
                Try
                    Dim di As DirectoryInfo = Directory.CreateDirectory(TempFolderPath)
                Catch ex As Exception
                    ' A creation failure surfaces in the WriteAllBytes calls below
                End Try
            End If

            ' Unpack the embedded root certificate and client PFX into the temp folder
            My.Computer.FileSystem.WriteAllBytes(TempFolderPath & "RootCA.cer", My.Resources.RootCA_cer, False)
            My.Computer.FileSystem.WriteAllBytes(TempFolderPath & "WcfClt.pfx", My.Resources.WcfClt_pfx, False)

            ' Store the Root CA key (StoreName.CertificateAuthority is the Intermediate Certification Authorities store)
            Try
                Dim CAstore As New X509Store(StoreName.CertificateAuthority, UseStoreLoc)
                Dim rootCert As New X509Certificate2(TempFolderPath & "RootCA.cer")
                CAstore.Open(OpenFlags.ReadWrite)
                CAstore.Add(rootCert)
                CAstore.Close()
                RootCAadd.Checked = True
            Catch ex As Exception
                MsgBox("Adding RootCA failed. " & ex.Message.ToString)
                GoTo Failed
            End Try

    Failed:

        End Sub


    I've tried using X509Store(StoreName.AuthRoot... instead - but that does not seem to load the key in anywhere.

    The issue I guess is that because I am using a self-signed certificate, Windows does not trust it enough, so manual intervention is required. Is there another way around this? I only intend to load these keys during setup. I did wonder if I just needed to request elevation to admin rights - but even that does not seem to help.


    Cheers, John

    Thursday, August 13, 2015 11:18 PM

Answers

  • Well here's a curious thing...and I think I can answer my own original query.

    Although it does require elevation to Administrator, storing the self-signed RootCA certificate in the LocalMachine/AuthRoot store works, as opposed to CurrentUser/AuthRoot.

    So the code is:

        ' Needs Imports System.IO and Imports System.Security.Cryptography.X509Certificates at the top of the file
        Private Sub AddRootCA_Click(sender As Object, e As EventArgs) Handles AddRootCA.Click

            Dim TempFolderPath As String = Path.GetTempPath & "SBR2015setup\"

            If Directory.Exists(TempFolderPath) Then
                ' Already exists
            Else
                Try
                    Dim di As DirectoryInfo = Directory.CreateDirectory(TempFolderPath)
                Catch ex As Exception
                    ' A creation failure surfaces in the WriteAllBytes calls below
                End Try
            End If

            ' Unpack the embedded root certificate and client PFX into the temp folder
            My.Computer.FileSystem.WriteAllBytes(TempFolderPath & "RootCA.cer", My.Resources.RootCA_cer, False)
            My.Computer.FileSystem.WriteAllBytes(TempFolderPath & "WcfClt.pfx", My.Resources.WcfClt_pfx, False)

            ' Store the Root CA key (AuthRoot is the Third-Party Root Certification Authorities store;
            ' writing to LocalMachine requires the process to be elevated)
            Try
                Dim CAstore As New X509Store(StoreName.AuthRoot, StoreLocation.LocalMachine)
                Dim rootCert As New X509Certificate2(TempFolderPath & "RootCA.cer")
                CAstore.Open(OpenFlags.ReadWrite)
                CAstore.Add(rootCert)
                CAstore.Close()
                RootCAadd.Checked = True
            Catch ex As Exception
                MsgBox("Adding RootCA failed. " & ex.Message.ToString)
                GoTo Failed
            End Try

            ' Now store the Client key (PFX password redacted in the post)
            Try
                Dim persStore As New X509Store(StoreName.My, StoreLocation.LocalMachine)
                Dim persCert As New X509Certificate2(TempFolderPath & "WcfClt.pfx", "********", X509KeyStorageFlags.PersistKeySet)
                persStore.Open(OpenFlags.ReadWrite)
                persStore.Add(persCert)
                persStore.Close()
                CltKeyAdd.Checked = True
            Catch ex As Exception
                MsgBox("Adding Client key failed. " & ex.Message.ToString)
                GoTo Failed
            End Try

    Failed:

        End Sub

    All I need to do now is work out an elegant way of getting the admin rights during install.


    Cheers, John

    • Marked as answer by j_dublevay Friday, August 14, 2015 3:18 PM
    Friday, August 14, 2015 3:17 PM
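A lower-privilege alternative to the accepted approach, added here as an example that is not from the original thread: instead of making the private RootCA trusted machine-wide (which lets it vouch for any server name to every application on the box), the WCF client can validate the service certificate with a custom X509CertificateValidator that accepts only chains ending in the RootCA.cer shipped with the application. The class name, the constructor argument and the assumption that the makecert root publishes no CRL are mine, not the poster's.

```vbnet
Imports System
Imports System.IdentityModel.Selectors
Imports System.IdentityModel.Tokens
Imports System.Security.Cryptography.X509Certificates
Imports System.ServiceModel
Imports System.ServiceModel.Security

' Accepts a service certificate only if its chain ends in the one self-signed
' RootCA read from a file shipped with the application; no store is modified.
' (Added example: class name and rootCerPath argument are assumptions.)
Public Class PinnedRootValidator
    Inherits X509CertificateValidator

    Private ReadOnly _root As X509Certificate2

    Public Sub New(rootCerPath As String)
        _root = New X509Certificate2(rootCerPath)
    End Sub

    Public Overrides Sub Validate(certificate As X509Certificate2)
        If certificate Is Nothing Then Throw New ArgumentNullException("certificate")
        Using chain As New X509Chain()
            ' Offer the private root to the chain engine without installing it; Windows
            ' still reports UntrustedRoot, the one status tolerated on purpose below.
            chain.ChainPolicy.ExtraStore.Add(_root)
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck ' assumed: no CRL for this root
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority
            If Not chain.Build(certificate) Then
                Throw New SecurityTokenValidationException("Certificate chain could not be built.")
            End If
            ' The top of the chain must be exactly the pinned root, compared by thumbprint.
            Dim top As X509Certificate2 = chain.ChainElements(chain.ChainElements.Count - 1).Certificate
            If Not String.Equals(top.Thumbprint, _root.Thumbprint, StringComparison.OrdinalIgnoreCase) Then
                Throw New SecurityTokenValidationException("Certificate does not chain to the pinned RootCA.")
            End If
            ' Any other chain problem (expired, not yet valid, bad signature) is fatal.
            For Each status As X509ChainStatus In chain.ChainStatus
                If status.Status <> X509ChainStatusFlags.UntrustedRoot Then
                    Throw New SecurityTokenValidationException("Chain error: " & status.StatusInformation)
                End If
            Next
        End Using
    End Sub

    ' Hook the validator into a generated WCF client proxy in place of chain trust.
    Public Shared Sub Apply(Of TChannel As Class)(client As ClientBase(Of TChannel), rootCerPath As String)
        Dim auth As X509ServiceCertificateAuthentication = client.ClientCredentials.ServiceCertificate.Authentication
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom
        auth.CustomCertificateValidator = New PinnedRootValidator(rootCerPath)
    End Sub
End Class
```

Because validation is now scoped to this client, the installer no longer needs elevation to write to LocalMachine stores, and a compromise of the private RootCA key affects only this application rather than every TLS connection on the machine.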

All replies

  • Hi j_dublevay,

    As far as I know, when we generate the certificate with makecert.exe, we need to manually add the certificates to Trusted Root.

    Best Regards,

    Vince Li

    Friday, August 14, 2015 12:27 PM
  • OK - thanks Vince. That's not great - 'proper' certificates are expensive!

    I did discover that PowerShell can do some certificate movements between stores. I wonder whether that might be able to assist me. I guess it would come with all of the same elevation issues though.


    Cheers, John

    Friday, August 14, 2015 1:52 PM