EldoS | Feel safer!

Software components for data protection, secure storage and transfer

How to open Windows Service certificate storage

#14195
Posted: 08/16/2010 00:01:20
by C3 TechSupport (Standard support level)
Joined: 05/28/2008
Posts: 12

I want to store trusted FTPS server certs in the Windows Certificate Store and check that they exist in the store using TElWinCertStorage. I want to store the certs in the current service store (not the current user store) because I want to be able to manage the certs for my service user in MMC, without having to interactively log on as the service user.

I have an FTPS client service called "FTPFetcher".
The FTP server that I trust is called "ftp.foobar.com".
I import client certificate "ftp.foobar.com" into the "FTPFetcher/Trusted Publishers" Certificates store using the MMC Certificates Snap-in running in Service Accounts mode.

My C# code is similar to this:

Code
// SecureBlackbox namespace that defines TElWinCertStorage and its enums
using SBWinCertStorage;

TElWinCertStorage winCertStorage = new TElWinCertStorage();
// Back the storage with the Windows system (CryptoAPI) certificate stores
winCertStorage.StorageType = TSBStorageType.stSystem;
// Replace the default store list with the single store we care about
winCertStorage.SystemStores.BeginUpdate();
winCertStorage.SystemStores.Clear();
winCertStorage.SystemStores.Add("TrustedPublisher");
// Open the store of the service this code runs in, not the current user's store
winCertStorage.AccessType = TSBStorageAccessType.atCurrentService;
// Finish editing the store list
winCertStorage.SystemStores.EndUpdate();


When attempting to open a Windows Certificate Store with AccessType = atCurrentService I get an error "Failed to open storage".

The service user is a member of the Users group.

Any help appreciated.

- Daniel
#14197
Posted: 08/16/2010 00:49:53
by Eugene Mayevski (EldoS Corp.)

Try using "Trust" as the store name - this is the correct name of the store.
Alternatively you can try setting AccessType to atServices and store name to "FTPFetcher\Trust"


Sincerely yours
Eugene Mayevski
#14205
Posted: 08/16/2010 19:41:57
by C3 TechSupport (Standard support level)
Joined: 05/28/2008
Posts: 12

Quote
Eugene Mayevski wrote:
Try using "Trust" as the store name - this is the correct name of the store.
Alternatively you can try setting AccessType to atServices and store name to "FTPFetcher\Trust"


Tried both suggestions, same error.
#14206
Posted: 08/17/2010 01:25:17
by Eugene Mayevski (EldoS Corp.)

Are you trying to execute the above code in the context of the service being started, or from the IDE?


Sincerely yours
Eugene Mayevski
#14212
Posted: 08/17/2010 15:00:12
by C3 TechSupport (Standard support level)
Joined: 05/28/2008
Posts: 12

Quote
Eugene Mayevski wrote:
Are you trying to execute the above code in context of the service being started OR from IDE?


Compiled executable running as a service. In the IDE it works fine, I guess because it is running in the context of my Administrator account.
#14215
Posted: 08/18/2010 02:15:04
by Ken Ivanov (EldoS Corp.)

Please try to set the ReadOnly property to true prior to opening the storage. It is very likely that the system does not allow services to modify their storages, which results in the exception you get.

And, as Eugene said, please use the "Trust" name to specify the Trusted Publishers store.
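Added example (not EldoS/SecureBlackbox code and not from any poster in this thread): the two things suggested above, addressing a service store by the "ServiceName\StoreName" path and opening it read-only, correspond in Win32 CryptoAPI to CertOpenStore with CERT_SYSTEM_STORE_SERVICES and CERT_STORE_READONLY_FLAG; the mapping from the SecureBlackbox AccessType values to those flags is an assumption here, not something the page states. The PowerShell below opens a service's store that way from an administrator session (the same view the MMC Certificates snap-in gives in Service Accounts mode) and checks whether a certificate with a given thumbprint is present, so the store name and contents can be verified independently of the library. The service name "FTPFetcher" and the thumbprint in the usage line are hypothetical. Note that in CryptoAPI's own naming the MMC "Trusted Publishers" folder is the system store "TrustedPublisher", while "Trust" is the "Enterprise Trust" folder; the store name is a parameter so either can be checked. Per-service stores live under HKLM\SOFTWARE\Microsoft\Cryptography\Services\<ServiceName>\SystemCertificates, which a non-administrator service account can typically read but not write, which is why a read-only open can succeed where a read/write open fails.

```powershell
# Added example, not part of the original thread or of SecureBlackbox.
# Opens a Windows *service* certificate store ("ServiceName\StoreName") read-only
# via CryptoAPI and reports whether a certificate with the given thumbprint is in it.
# Run from an elevated PowerShell session on Windows.

Add-Type -Namespace Win32 -Name Crypt32 -MemberDefinition @'
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType,
    IntPtr hCryptProv, uint dwFlags, string pvPara);

[DllImport("crypt32.dll", SetLastError = true)]
public static extern IntPtr CertEnumCertificatesInStore(IntPtr hCertStore, IntPtr pPrevCertContext);

[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);
'@

# CryptoAPI constants (wincrypt.h)
$CERT_STORE_PROV_SYSTEM_W          = [IntPtr]10   # predefined provider id passed as a pseudo-pointer
$CERT_SYSTEM_STORE_SERVICES        = 0x50000      # pvPara is "ServiceName\StoreName"; needs admin
$CERT_SYSTEM_STORE_CURRENT_SERVICE = 0x40000      # pvPara is "StoreName"; used from inside the service itself
$CERT_STORE_READONLY_FLAG          = 0x8000       # do not request write access to the store's registry key
$CERT_STORE_OPEN_EXISTING_FLAG     = 0x4000       # fail instead of silently creating an empty store

function Test-ServiceStoreCertificate {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,   # e.g. the service's short (key) name
        [Parameter(Mandatory)] [string] $StoreName,     # e.g. "TrustedPublisher", "Trust", "Root", "My"
        [Parameter(Mandatory)] [string] $Thumbprint     # SHA-1 thumbprint, hex
    )
    $flags = $CERT_SYSTEM_STORE_SERVICES -bor $CERT_STORE_READONLY_FLAG -bor $CERT_STORE_OPEN_EXISTING_FLAG
    $path  = "$ServiceName\$StoreName"
    $want  = $Thumbprint.Replace(' ', '').ToUpperInvariant()

    $hStore = [Win32.Crypt32]::CertOpenStore($CERT_STORE_PROV_SYSTEM_W, 0, [IntPtr]::Zero, $flags, $path)
    if ($hStore -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw ("CertOpenStore('{0}') failed, Win32 error {1}" -f $path, $err)
    }
    try {
        $found = $false
        # CertEnumCertificatesInStore frees the previous context it is handed,
        # so only the current $ctx is ever live.
        $ctx = [Win32.Crypt32]::CertEnumCertificatesInStore($hStore, [IntPtr]::Zero)
        while ($ctx -ne [IntPtr]::Zero) {
            # X509Certificate2(IntPtr) duplicates the context, so it is safe to keep using it.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ctx)
            Write-Verbose ("{0}  {1}" -f $cert.Thumbprint, $cert.Subject)
            if ($cert.Thumbprint -eq $want) { $found = $true }
            $ctx = [Win32.Crypt32]::CertEnumCertificatesInStore($hStore, $ctx)
        }
        return $found
    } finally {
        [void][Win32.Crypt32]::CertCloseStore($hStore, 0)
    }
}

# Usage (hypothetical service name and thumbprint; run elevated):
# Test-ServiceStoreCertificate -ServiceName 'FTPFetcher' -StoreName 'TrustedPublisher' `
#     -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -Verbose
```

If CertOpenStore fails with error 2 (file not found) the "ServiceName\StoreName" path does not exist for that service; the store names that do exist can be listed under HKLM\SOFTWARE\Microsoft\Cryptography\Services\<ServiceName>\SystemCertificates. If it fails with error 5 (access denied) the caller lacks rights to that key, which is the situation a service account in the Users group is in for a read/write open.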

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.