Retrieve the (untrusted) CA certificate

  • Question

  • Use case

    Upon first installing a device, I want the user to insert a smart card and use that card to configure this device. I got quite far with that, even to the point of finding and contacting the LDAP server and authenticating the user. The smart card can be used to log on to a domain, though the device isn't a domain member.

    What I want to do next is to get the CA that signed the card, and add it to the trusted root CAs. This is not a security flaw - this only happens the first time, and I trust that the first user is really "my owner", so I trust what he trusts.

    Opening the certificate on the card with Internet Explorer also displays the (untrusted) CA certificate, and I can even install it into the trusted CA's from there.

    Software running on Windows XP pro, and I use a 2003 server for the CA and other services.

    What I tried

    I have handles/pointers to the card's certificate store, and key pairs (user typed PIN so I can also access the private key, which is not really needed yet).

    Using CertNameToStr on the CERT_CONTEXT->pCertInfo->Issuer reveals the DN of the issuer, which is correct.

    Calling CertGetCertificateChain on the context only returns a 1-sized chain (the certificate itself), and sets the CERT_TRUST_IS_UNTRUSTED_ROOT flag in the TrustStatus result flags. The latter is correct and expected, but where is the rest of the chain? It did retrieve the CA certificate, otherwise it couldn't have concluded that it wasn't trusted. But it's not in the chain, where it should be.

    Also tried calling CertGetIssuerCertificateFromStore instead, with exactly the same results - no CA certificate, but it does retrieve the trust status.

    Concluding that this must be some kind of security "feature" that filters the untrusted things away, I tried adding the CA to my trusted roots. IE now shows it as trusted. Calling CertGetCertificateChain or CertGetIssuerCertificateFromStore now both clear the CERT_TRUST_IS_UNTRUSTED_ROOT flag, so they DO trust the CA now, but they still return no chain elements other than the card's itself.

    I want to get the CA certificate (so I can put it into the ROOT store). What do I need to call to get it?

    Tuesday, March 23, 2010 2:47 PM

Answers

  • Found the solution.

    There is one chain (is there ever a situation where cChain >1 ?) which has elements.

    handle->rgpChain[iChain]->rgpElement[iElement]

    The elements form the chain, and the last element in the chain is the root CA certificate.

    • Marked as answer by MiLoSoftware Thursday, April 8, 2010 9:38 AM
    Thursday, April 8, 2010 9:37 AM
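    The same chain walk, as an added example that is not the poster's CryptoAPI code: .NET's X509Chain wraps CertGetCertificateChain, so ChainElements corresponds to rgpChain[0]->rgpElement[] and the last element is the root. The function name Import-CardRootCA and the Cert:\CurrentUser\My lookup are assumptions; the card's certificate can come from any store handle.

```powershell
function Import-CardRootCA {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$CardCert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Build the chain locally only; no CRL/OCSP fetch for an offline first-boot device.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Lets Build() succeed for an untrusted root; UntrustedRoot is still reported in ChainStatus.
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority

    # ChainElements is populated even when the root is not trusted, just as
    # CertGetCertificateChain fills rgpElement[] while setting CERT_TRUST_IS_UNTRUSTED_ROOT.
    $null = $chain.Build($CardCert)
    $elements = $chain.ChainElements
    Write-Host ("Chain has {0} element(s):" -f $elements.Count)
    for ($i = 0; $i -lt $elements.Count; $i++) {
        Write-Host ("  [{0}] {1}" -f $i, $elements[$i].Certificate.Subject)
    }

    # Last element = root CA certificate (the asker's rgpElement[cElement-1]).
    $root = $elements[$elements.Count - 1].Certificate
    # A real root is self-signed; anything else means the chain stopped at an intermediate.
    if ($root.Subject -ne $root.Issuer) {
        throw "Last chain element is not self-signed; the issuer certificate was not found."
    }

    $untrustedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::UntrustedRoot
    $untrusted = $chain.ChainStatus | Where-Object { ($_.Status -band $untrustedFlag) -ne 0 }
    if ($untrusted) {
        Write-Host ("Root '{0}' (thumbprint {1}) is not trusted yet; adding to CurrentUser\Root" -f
                    $root.Subject, $root.Thumbprint)
        # From here on every certificate this CA issues is trusted by this user,
        # which is exactly the first-owner trust decision the question describes.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "CurrentUser")
        $store.Open("ReadWrite")
        $store.Add($root)
        $store.Close()
    }
    return $root
}

# Assumed lookup: the card's certificate as propagated into the user's My store.
$cardCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
Import-CardRootCA -CardCert $cardCert
```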

All replies

  • Hello

    It would be necessary to look at the chain. Please try using certutil -verify on the leaf cert. Save the leaf cert to a file, run the following and please send to me (jialge@microsoft.com) the output file. 

    certutil -verify -urlfetch leafcert.cer > verify.txt


    Regards,
    Jialiang Ge
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Thursday, March 25, 2010 3:41 AM