
Installing Root CA Cert via code on Win32

We've just set up a new remote access solution using Microsoft's TS Gateway, which requires a couple of somewhat fiddly steps on the end user's behalf in order to get it working (installing our root CA cert, requirement of RDP 6.1 client, etc.).

In order to make this setup process as easy as possible (a lot of these users aren't technically minded), I'm looking to create a program to perform all these tasks automatically. I have most of it working, however I'm not entirely sure how to go about importing the Root CA cert into the Windows certificate store.

Because this can potentially be run on a wide range of computers with varying levels of patches and updates, I'm steering well clear of .NET and anything that isn't native - the tool should 'just run' without the user having to install anything extra (well, I will say Windows XP, no service packs, is the bare minimum required version of Windows). In saying that, I don't mind using something third party if it can be bundled in with the tool, as long as it's not huge, and doesn't introduce any interactive steps. Ideally something in the Windows API would be best, however I can't seem to track down anything relevant.

Currently the tool is a C++ application, so I don't mind if it's quite low level stuff.

CapBBeard asked Mar 18 '09 01:03


2 Answers

First you need to open the root certificate store...

    HCERTSTORE hRootCertStore = CertOpenSystemStore(NULL, "ROOT");

Then add the certificate using one of the CertAdd functions, such as CertAddEncodedCertificateToStore.

    CertAddEncodedCertificateToStore(hRootCertStore,
                                     X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                                     pCertData, cbCertData,
                                     CERT_STORE_ADD_USE_EXISTING, NULL);

pCertData and cbCertData would likely point to the certificate data that you read from a file (not sure if the certificate will be in a file, or how you will include it in your application).

Then close the store with...

    CertCloseStore(hRootCertStore, 0);

NOTE: This code, if run as the user, installs the certificate to the user's root store, not the computer's. It also results in a warning dialog that the user must understand and select "Yes" to authorize the import. If your setup program can run this code in a system account, the import will affect the computer's root store and no warning dialog will be shown.

Murray answered Sep 25 '22 01:09
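
CertAddEncodedCertificateToStore takes the DER-encoded certificate bytes, whereas a root certificate exported as Base-64 (PEM) is text and has to be decoded before it can be passed as pCertData. The following is an added example, not code from either answer: `pem_to_der` and `install_root_cert` are hypothetical helper names, and shipping the certificate as PEM text is an assumption.

```c
/* Added example, not from the answers. Link with crypt32.lib on Windows. */
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif

/* Decode the Base64 body of a PEM certificate into DER bytes.
   Returns the DER length, or 0 if the input is malformed or too large. */
size_t pem_to_der(const char *pem, unsigned char *out, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = strstr(pem, "-----BEGIN CERTIFICATE-----");
    const char *end = p ? strstr(p, "-----END CERTIFICATE-----") : NULL;
    unsigned long acc = 0;
    int bits = 0;
    size_t n = 0;
    if (!end) return 0;
    for (p += 27; p < end && *p != '='; p++) {  /* 27 = length of BEGIN line */
        const char *q;
        if (*p == '\r' || *p == '\n' || *p == ' ') continue;
        if ((q = strchr(tbl, *p)) == NULL) return 0;  /* not Base64 */
        acc = (acc << 6) | (unsigned long)(q - tbl);
        if ((bits += 6) >= 8) {
            if (n == cap) return 0;                   /* output buffer full */
            out[n++] = (unsigned char)(acc >> (bits -= 8));
        }
    }
    /* A DER certificate is an ASN.1 SEQUENCE, so it must start with 0x30. */
    return (n > 0 && out[0] == 0x30) ? n : 0;
}

#ifdef _WIN32
/* The same three calls as in the answer, with error handling.
   Returns 0 on success, otherwise the GetLastError() code. */
DWORD install_root_cert(const BYTE *der, DWORD len)
{
    DWORD err = 0;
    HCERTSTORE store = CertOpenSystemStoreA(0, "ROOT");
    if (!store) return GetLastError();
    if (!CertAddEncodedCertificateToStore(store,
            X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
            der, len, CERT_STORE_ADD_USE_EXISTING, NULL))
        err = GetLastError();
    CertCloseStore(store, 0);
    return err;
}
#endif
```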


Have you looked at CertAddEncodedCertificateToStore?

BobbyShaftoe answered Sep 23 '22 01:09