Read certificate store of a server

Question
-
I am trying to read the certificate stores of different servers.
I need to log in to an admin user and access the server to read the certificate store. I can't find any other possibilities than the X509Store class to read a certificate store, but I can't figure out a possibility to log in to a specific user with this class. I'm also not sure if it is possible to connect to a server with this class.
Maybe you can help me to solve my problem. Thank you.
Thursday, August 13, 2020 12:28 PM
Answers
-
The X509Store constructor overload accepting a store name allows for remote machine names, so yes, you can use that type to query certs on another machine. However, remember that certs can be either user or machine level. You naturally would only be able to access the machine certs if you used an arbitrary admin account.
But X509Store doesn't support credentials, so impersonation, as Stefan suggested, would be the first option. Not sure if it would work though. For it to work you'd need to impersonate an account that has the necessary admin privileges on the remote machine. To me this seems like a domain account, otherwise impersonation would fail locally.
I think you're going to have to step outside the X509Store to get what you want. There are a few options available based upon this old TechNet post.
1) Stick with X509Store but switch to the overload accepting the IntPtr to the unmanaged HCERTSTORE structure. HCERTSTORE has an option to use a registry key. To get that registry key, open the remote registry using the alternative credentials.
2) Forget the convenient cert functions and just access the remote registry directly. Not really a future-proof solution, but it is simpler.
3) Use the WMI classes to do basically the same thing.
Michael Taylor http://www.michaeltaylorp3.net
- Proposed as answer by Daniel_Zhang-MSFT (Microsoft contingent staff) Friday, August 14, 2020 7:27 AM
- Marked as answer by LosDichtos Tuesday, August 18, 2020 6:27 AM
Thursday, August 13, 2020 1:31 PM
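An added example, not code from the thread: it opens the remote machine's `LocalMachine\My` store via the X509Store string overload described above and, when alternate credentials are supplied, runs the read under a `LOGON32_LOGON_NEW_CREDENTIALS` token so those credentials are used only for the network hop. It assumes Windows, that the caller's (or supplied) account has admin rights on the remote host, and that the Remote Registry service on the target is reachable; the `RemoteCertInventory` class and its argument layout are my own.

```csharp
// Added example: inventory certificates in \\host\My and flag ones nearing expiry.
// Assumption: the account used has admin rights on the remote host (needed for the
// LocalMachine store); user-level stores on the remote host are not reachable this way.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class RemoteCertInventory
{
    // Network-only logon: local identity unchanged, alternate creds used for remote access.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Opens the remote LocalMachine\My store read-only and reports each certificate.
    static void ListMachineStore(string host, int warnDays)
    {
        using var store = new X509Store($@"\\{host}\My", StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        foreach (X509Certificate2 cert in store.Certificates)
        {
            double daysLeft = (cert.NotAfter - DateTime.Now).TotalDays;
            string flag = daysLeft < warnDays ? "  <-- expiring soon" : "";
            Console.WriteLine($"{cert.Thumbprint}  {cert.Subject}  expires {cert.NotAfter:yyyy-MM-dd}{flag}");
        }
    }

    // Usage: RemoteCertInventory <host> [<domain> <user>]; password is read from stdin,
    // never from the command line, so it does not land in process listings or shell history.
    static void Main(string[] args)
    {
        string host = args[0];
        if (args.Length < 3) { ListMachineStore(host, 30); return; }

        Console.Write("Password: ");
        string password = Console.ReadLine() ?? "";
        if (!LogonUser(args[2], args[1], password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
            WindowsIdentity.RunImpersonated(token, () => ListMachineStore(host, 30));
    }
}
```

With no credentials given the current token is used, which matches the answer's point that X509Store itself carries no credentials; the impersonation path is the approach Stefan proposed and, as the answer notes, still depends on the impersonated account being accepted by the remote host.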
All replies
-
As in any other of such cases: Impersonation should work.
Thursday, August 13, 2020 12:33 PM
-