CertEnroll and untrusted root certificates

  • Question

  • Hi guys,

    I need to install a certificate chain in the Windows Certificate Store using CertEnroll running from the web browser. This chain has intermediate and root certificates, where the root certificate is possibly untrusted.

    When I call the InstallResponse method (from the IX509Enrollment interface) with the AllowUntrustedRoot parameter, the root certificate is installed in the Intermediate Certification Authorities store and not in the Trusted Root Certification Authorities store, which would be correct.

    Why is this happening?

    Thanks in advance.

    • Moved by Bob_Bao Friday, February 10, 2012 2:09 AM (From:Application Compatibility for Windows Desktop Development)
    Thursday, February 9, 2012 6:13 PM

Answers

  • Carlos,

    The online documentation for InstallResponse is a bit confusing. It says:

    AllowUntrustedRoot

    Perform the same action as the AllowUntrustedCertificate flag but also installs the certificate even if the certificate chain cannot be built because the root is not trusted.

    Note: On Windows Vista, the behavior of this flag is the same as that defined for the AllowUntrustedCertificate flag. You can install an untrusted root beginning with Windows Vista with SP1.

    I italicized the confusing part. What it should really say is: You can install a certificate that chains up to an untrusted root beginning with Vista SP1.

    I have sent an email to the appropriate documentation folks to correct this. There is no way to install a certificate into the root store using InstallResponse. The behavior you are seeing is expected where the root cert in the chain that you are installing goes to the intermediate store. It was deemed to be a security risk to allow web callers to install certificates into the root store.

    Andrew

    • Marked as answer by Celso Ferreira Monday, February 13, 2012 10:01 PM
    Monday, February 13, 2012 6:18 PM
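Since InstallResponse never writes to the root store, a practitioner will want to verify where each certificate of the chain actually landed and spot a self-signed root that ended up in the Intermediate Certification Authorities store. This is an added PowerShell example, not code from the thread; it assumes the root's subject matches "CN=AdminCA1" (what the posted base64 appears to decode to), so adjust the pattern for your own chain.

```powershell
# Added example (not from the thread). Assumed root subject; change for your own chain.
$RootSubjectPattern = 'CN=AdminCA1'

# Lists where certificates matching the pattern live in the current user's
# Root (Trusted Root CAs) and CA (Intermediate CAs) stores.
function Get-ChainPlacement {
    param([string]$SubjectPattern)
    foreach ($store in 'Root', 'CA') {
        Get-ChildItem -Path "Cert:\CurrentUser\$store" |
            Where-Object { $_.Subject -match $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    # Subject equal to Issuer means self-signed, i.e. a root certificate.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

$placement = Get-ChainPlacement -SubjectPattern $RootSubjectPattern
$placement | Format-Table -AutoSize

# A self-signed certificate in the CA store is exactly the outcome the thread describes:
# InstallResponse(AllowUntrustedRoot) placed the root there, so it is NOT trusted and
# chain building for the leaf will still fail.
$misplacedRoots = $placement | Where-Object { $_.SelfSigned -and $_.Store -eq 'CA' }
if ($misplacedRoots) {
    Write-Warning 'Self-signed certificate(s) found in the Intermediate CA store; the chain will not validate:'
    $misplacedRoots | Format-Table Subject, Thumbprint -AutoSize
    # Trusting a root is a deliberate, out-of-band decision by the user or an administrator,
    # not something a web page can do. Current-user trust can be granted with either of:
    #   Import-Certificate -FilePath .\root.cer -CertStoreLocation Cert:\CurrentUser\Root
    #   certutil -user -addstore Root root.cer
    # Use Cert:\LocalMachine\Root from an elevated shell for machine-wide trust.
}
```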

All replies

  • Perhaps this hotfix may help you: http://support.microsoft.com/kb/2078942/

    Could you please elaborate on the scenario with some code or steps? I will help to move it to the Application Security for Windows Desktop forum:

    http://social.msdn.microsoft.com/Forums/en/windowssecurity/threads

    Thanks.


    Bob Bao [MSFT]
    MSDN Community Support | Feedback to us

    Friday, February 10, 2012 2:09 AM
  • Hi Bob, thanks for the reply.

    I already have the hotfix KB2078942 (my system is Windows 7 with SP1).

    Here is the code in JavaScript.

    <html>
        <head>
            <title>Certificate import test</title>
        </head>
        <body>
            <object id='CertEnroll' name='CertEnroll'></object>
            <object id='XEnroll' name='XEnroll'></object>

            <script language="javascript">

                // CLSID of the CertEnroll web class factory control
                var CERT_ENROLL_CLASSID = "clsid:884e2049-217d-11da-b2a4-000e7bbb2b09";

                // Installs every PEM certificate in pkcs7 through IX509Enrollment.InstallResponse.
                function InstallCertChainCEnroll(pkcs7){
                    CertEnroll.classid = CERT_ENROLL_CLASSID;
                    var enrollObj = CertEnroll.CreateObject("X509Enrollment.CX509Enrollment");
                    // 1 = ContextUser: operate on the current user's certificate stores
                    enrollObj.Initialize(1);
                    for (var i=0;i<pkcs7.length;i++){
                        // 4 = AllowUntrustedRoot, 6 = XCN_CRYPT_STRING_BASE64_ANY, "" = no password
                        enrollObj.InstallResponse(4, pkcs7[i], 6, "");
                    }
                    return true;
                }

                document.write("<br>Installing certificate...");
                try{
                    var pkcs7Chain = new Array();

                    // Self-signed root certificate of the chain (base64 body shortened in the post)
                    pkcs7Chain[0] =
                    "-----BEGIN CERTIFICATE-----" +
                    "MIIDUzCCAjugAwIBAgIIMPQ+41XDpAAwDQYJKoZIhvcNAQEFBQAwNzERMA8GA1UE" +
                    "AwwIQWRtaW5DQTExFTATBgNVBAoMDEVKQkNBIFNhbXBsZTELMAkGA1UEBhMCU0Uw" +
                    // ....
                    "QCU+xDRP4/o/HHR5T0MEYI+bmuWfF6hbGai6r4VlLmnQHb0Rs5mGDN3eHj0lyMhT" +
                    "NiNSvPMvQviVxEsjwBjpYhe53cI4bxIVOpqW8GvxUot/Yakdy5xC" +
                    "-----END CERTIFICATE-----";

                    InstallCertChainCEnroll(pkcs7Chain);
                } catch (ex){
                    document.write("<br>" + ex);
                    document.write("<br>" + ex.message);
                }
            </script>
        </body>
    </html>

    What's happening is that the certificate in the pkcs7Chain variable is a root certificate and the InstallResponse method should install it in Trusted Root Certification Authorities, but it is installed in the Intermediate Certification Authorities area.

    Friday, February 10, 2012 1:19 PM