Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Programmatically install Certificate Revocation List (CRL)

I need to download and install about 50 CRLs once a week and install them on several Windows servers. Downloading is the easy part, is there a way I could script the CRL import process?

like image 641
Goyuix Avatar asked May 18 '09 14:05

Goyuix


People also ask

How can you check the certificate revocation list CRL?

To do this, open the Chrome DevTools, navigate to the security tab and click on View certificate. From here, click on Details, and scroll down to where you'll see "CRL Distribution Points".

How do I publish a new certificate revocation list CRL?

To manually publish the CRL on a separate server On the CA server, load Certification Authority, expand your CA, right-click Revoked Certificates , click All Tasks , and then click Publish . On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK .


1 Answers

Here is my final source (slightly scrubbed for the public) - but should work. I won't change the accepted answer, but I do hope this helps (as does upvoting the question and answers!).

Note: This will import both a CRL or a regular certificate into the LOCAL MACHINE Trusted Root store. Changing the below CERT_SYSTEM_STORE_LOCAL_MACHINE to CERT_SYSTEM_STORE_CURRENT_USER in the call CertOpenStore will change it to work for the Current User store.

using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;

namespace ConsoleApplication2
{
  class Program
  {
    public struct CRYPTUI_WIZ_IMPORT_SRC_INFO
    {
      public Int32 dwSize;
      public Int32 dwSubjectChoice;
      [MarshalAs(UnmanagedType.LPWStr)]public String pwszFileName;
      public Int32 dwFlags;
      [MarshalAs(UnmanagedType.LPWStr)]public String pwszPassword;
    }

    [DllImport("CryptUI.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern Boolean CryptUIWizImport(
      Int32 dwFlags,
      IntPtr hwndParent,
      IntPtr pwszWizardTitle,
      ref CRYPTUI_WIZ_IMPORT_SRC_INFO pImportSrc,
      IntPtr hDestCertStore
    );

    [DllImport("CRYPT32.DLL", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern IntPtr CertOpenStore(
      int storeProvider,
      int encodingType,
      IntPtr hcryptProv,
      int flags,
      String pvPara
    );

    public const Int32 CRYPTUI_WIZ_IMPORT_SUBJECT_FILE = 1;
    public const Int32 CRYPT_EXPORTABLE = 0x00000001;
    public const Int32 CRYPT_USER_PROTECTED = 0x00000002;
    public const Int32 CRYPTUI_WIZ_NO_UI = 0x0001;

    private static int CERT_STORE_PROV_SYSTEM = 10;
    private static int CERT_SYSTEM_STORE_CURRENT_USER = (1 << 16);
    private static int CERT_SYSTEM_STORE_LOCAL_MACHINE = (2 << 16);

    static void Main(string[] args)
    {
      if (args.Length != 1)
      {
        Console.WriteLine("Usage: certimp.exe list.crl");
        Environment.ExitCode = 1;
      }
      else
      {
        IntPtr hLocalCertStore = CertOpenStore(
          CERT_STORE_PROV_SYSTEM,
          0,
          IntPtr.Zero,
          CERT_SYSTEM_STORE_LOCAL_MACHINE,
          "ROOT"
        );

        CRYPTUI_WIZ_IMPORT_SRC_INFO importSrc = new CRYPTUI_WIZ_IMPORT_SRC_INFO();
        importSrc.dwSize = Marshal.SizeOf(importSrc);
        importSrc.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_FILE;
        importSrc.pwszFileName = args[0];
        importSrc.pwszPassword = null;
        importSrc.dwFlags = CRYPT_EXPORTABLE | CRYPT_USER_PROTECTED;

        if (!CryptUIWizImport(
            CRYPTUI_WIZ_NO_UI,
            IntPtr.Zero,
            IntPtr.Zero,
            ref importSrc,
            hLocalCertStore
          ))
        {
          Console.WriteLine("CryptUIWizImport error " + Marshal.GetLastWin32Error());
          Environment.ExitCode = -1;
        }
      }
    }
  }
}
like image 154
Goyuix Avatar answered Oct 08 '22 22:10

Goyuix