Installing certificates chain using SBB

#24427
Posted: 04/03/2013 08:54:06
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Hi

I have an automated routine to install chain certificates (*.cer, *.p7b, *.crt) but it depends on CAPICOM.DLL.

Question: Is there a way to install these certificates "silently" using SBB?

If so, how can I do this (example)?

Thanks

BTW, I am very happy with SBB because I have used it to sign XML and to communicate with web services using SSL, and everything is working so well. And I am finishing my changes to use the SBB Mail package. In the tests it is already working. Congratulations to the EldoS team.
#24428
Posted: 04/03/2013 08:58:41
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

We have a complex sample that shows how to work with certificates and install them into Windows stores. It's located in the \EldoS\SecureBlackbox.VCL\Samples\Delphi\PKIBlackbox\Certificates folder.

Not sure I've understood what you mean by "install these certificates "silently"". Could you clarify this?
#24430
Posted: 04/03/2013 09:05:02
by Eugene Mayevski (EldoS Corp.)

You need to call TCustomCertStorage.Add method for each certificate in chain.

Note that different certificates by default go to different stores (the end-entity certificate often goes to MY, intermediates go to CA, and the root can go to ROOT or to CA or to some other store). So your import procedure will be quite sophisticated.


Sincerely yours
Eugene Mayevski
#24436
Posted: 04/03/2013 09:53:31
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

I think Eugene has answered my question.

TCustomCertStorage.Add or TElWinCertStorage.Add (in my case) is what I need. The main challenge is discovering which StoreName I should use for each certificate. The only thing I know is that (*.pfx) should be installed in the MY store and the others should be installed in ROOT. I will make some tests and check what the correct way to install them is.

Vsevolod, when I say "silently" I mean without any additional warnings or confirmations from the user. If I call, for example:
"rundll32 cryptext.dll,CryptExtAddSPC cert.p7b" it will require the user to confirm some operations.

Thanks for quick answers
#24440
Posted: 04/03/2013 11:15:26
by Eugene Mayevski (EldoS Corp.)

PFX is just a container format for one or several certificates. Certificates are usually imported as I described. The procedure doesn't depend on where those certificates were taken from (PFX or other container).


Sincerely yours
Eugene Mayevski
#24441
Posted: 04/03/2013 11:36:29
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Eugene

I understand your point. Let me try to rewrite the question: If I have a PFX file that can contain one or more certificates, how do I know where (which store name) each one needs to be installed?

My common situation is that one of these certificates (inside the PFX) should be installed in the MY container, and the others are CA or intermediate CA certificates.

I am sorry if I am not clear; let me know if you have any doubts about my question.
#24442
Posted: 04/03/2013 11:59:41
by Eugene Mayevski (EldoS Corp.)

Quote
Eduardo Helminsky wrote:
If I have a PFX file that can contain one or more certificates, how do I know where (which store name) each one needs to be installed?


There's no strict rule. You can use the rule I've described, but this is based on guessing.

- The certificate with a private key goes to MY
- Self-signed root can go to ROOT (if the user wants) or to CA
- intermediate certificates (or any CA certificates) go to CA


Sincerely yours
Eugene Mayevski
#24443
Posted: 04/03/2013 12:46:25
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Ok. I got the main idea.

I have checked the example code in the Certificates folder but I could not compile it. It complains about some missing units.

The steps:
1) I have a PFX file with some certificates
2) How can I count the number of certificates it has?
3) After I know how many certificates there are, I will install them one by one according to the tips you gave in the last thread.
4) Could you post a piece of code?
#24444
Posted: 04/03/2013 12:50:45
by Eugene Mayevski (EldoS Corp.)

Quote
Eduardo Helminsky wrote:
1) I have a PFX file with some certificates
2) How can I count the number of certificates it has?


Load all certificates into the instance of TElMemoryCertStorage using its LoadFromStreamPFX method. Then work with this instance.


Sincerely yours
Eugene Mayevski
#24445
Posted: 04/03/2013 13:50:15
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Eugene

Almost there, but with the code below the main certificate is not installed in the My store. What am I doing wrong? I already tried with MY and My and checked using GetAvailableStores.
Code
procedure TForm1.Button1Click(Sender: TObject);
var xMem: TElMemoryCertStorage;
    xCer: TElX509Certificate;
    xWin: TElWinCertStorage;
    F: TFileStream;
    nI: Integer;
    nT: Integer;
begin
     F := TFileStream.Create('c:\mycertificate.pfx',fmOpenRead);
     try
        xMem := TElMemoryCertStorage.Create(self);
        xWin := TElWinCertStorage.Create(self);
        try
           // Load every certificate from the PFX into the in-memory storage
           xMem.LoadFromStreamPFX(F,'thepassword');
           nT := xMem.CertificateList.Count;
           for nI := 0 to nT-1 do begin
              xCer := xMem.Certificates[nI];
              Memo1.Lines.Add(xCer.SubjectName.CommonName);
              // Certificate with a private key -> MY; anything else -> CA
              if xCer.PrivateKeyExists then begin
                 xWin.Add(xCer,'My');
              end else begin
                 xWin.Add(xCer,'CA');
              end;
           end;
        finally
           xWin.Free;   // was missing: the Windows storage object leaked
           xMem.Free;
        end;
     finally
        F.Free;
     end;
end;
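As an added example that is not part of the thread, the routine below takes Eugene's rule of thumb (private key -> MY, self-signed root -> ROOT, everything else -> CA) together with the PFX loading procedure and turns it into a reusable function. It assumes the SecureBlackbox VCL unit names SBX509, SBCustomCertStorage and SBWinCertStorage, and the TElX509Certificate.SelfSigned and TElCustomCertStorage.Count members; everything else is taken from the thread.

```delphi
uses
  Classes, SysUtils,
  SBX509, SBCustomCertStorage, SBWinCertStorage; // assumed SBB VCL unit names

// Pick the Windows store for one certificate using the rule given in the thread.
function StoreNameFor(Cert: TElX509Certificate): string;
begin
  if Cert.PrivateKeyExists then
    Result := 'My'     // end-entity certificate that carries its private key
  else if Cert.SelfSigned then  // assumed SBB property
    Result := 'Root'   // self-signed root: the thread allows 'CA' here as well
  else
    Result := 'CA';    // intermediate (or any other CA) certificate
end;

// Load every certificate from a PFX and install each into the store chosen above.
// Log receives one "CommonName -> Store" line per certificate.
procedure InstallPfxChain(const FileName, Password: string; Log: TStrings);
var
  F: TFileStream;
  Mem: TElMemoryCertStorage;
  Win: TElWinCertStorage;
  I: Integer;
  Cert: TElX509Certificate;
  Store: string;
begin
  Mem := nil;
  Win := nil;
  F := TFileStream.Create(FileName, fmOpenRead or fmShareDenyWrite);
  try
    Mem := TElMemoryCertStorage.Create(nil);
    Win := TElWinCertStorage.Create(nil);
    Mem.LoadFromStreamPFX(F, Password);
    for I := 0 to Mem.Count - 1 do  // Count assumed; the thread used CertificateList.Count
    begin
      Cert := Mem.Certificates[I];
      Store := StoreNameFor(Cert);
      // Adding to 'Root' makes this machine trust that CA for everything it signs,
      // so the caller should only pass PFX files whose root it intends to trust.
      Win.Add(Cert, Store);
      Log.Add(Format('%s -> %s', [Cert.SubjectName.CommonName, Store]));
    end;
  finally
    Win.Free;
    Mem.Free;
    F.Free;
  end;
end;
```

Writing to the Root store normally needs administrative rights, so a "silent" import of a self-signed root can still fail with an access error when the process runs as a standard user.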