Save CA & Client certificate to 1 file in pkcs12?

#4079
Posted: 10/19/2007 09:43:02
by Ken Ivanov (EldoS Corp.)

SBB does not control the way in which certificates are installed by Windows. A PFX file does not contain any meta information specifying where to put each of the certificates. The only thing I could suggest is to change the order of the certificates in the storage. It may help.
#4080
Posted: 10/19/2007 10:26:17
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

How do I change the store location to, e.g., "Trusted Root Certificate Authorities"?

I did an experiment with the root CA Certificate (server.crt). It installs automatically with IE into the "Trusted Root Certificate Authorities". When I did the following with the code as attached in file

Code
  abc := TElMemoryCertStorage.Create(nil);
  // abc.Add(Cert);
  abc.Add(CAPemCert); // server.crt
  SaveToFile(abc);


The certificate installed under "Personal" store. How do I change the store location?



#4082
Posted: 10/19/2007 10:54:19
by Ken Ivanov (EldoS Corp.)

By default, a certificate contained in a PFX file is installed to the Personal certificate store. There's no way to tell IE to install it to a different store.
#4103
Posted: 10/22/2007 03:03:34
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

This still does not explain why the server.crt installs under the "Trusted Root Certificate Authorities" when installed directly, but when added to TElMemoryCertStorage it gets placed in personal.

Is there a technical reason for this? Does TElMemoryCertStorage alter the ROOT certificate?
#4104
Posted: 10/22/2007 03:19:25
by Ken Ivanov (EldoS Corp.)

Quote
This still does not explain why the server.crt installs under the "Trusted Root Certificate Authorities" when installed directly

Self-signed certificates without a private key are always installed to the ROOT store (and the certificates containing the private key are always installed to the MY store).

Quote
Does TElMemoryCertStorage alter the ROOT certificate?

TElMemoryCertStorage never alters the certificates it stores. Did you try my above suggestion to change the order of the certificates in the PFX? If it does not help, then nothing will.
#4107
Posted: 10/22/2007 08:25:57
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

What is the difference in using

SB_ALGORITHM_PBE_SHA1_RC2_40

vs

SB_ALGORITHM_PBE_SHA1_3DES?

I have also changed the order of adding the certificates, but it made no difference in the way it adds the certificates in the Windows storage.

It's really bad that we cannot add the CA Root Certificate to the "Trusted Root Authorities".

Have you tried taking a Root CA and installing it directly and it automatically sets itself to "Trusted Root Authorities"? Then try and add it to the TElMemoryCertStorage and save it and then try and installing it again, but then ends up in PERSONAL storage?

I am really determined to get this right. I'm sure something is wrong in the code or I'm not setting the chain correctly.
#4108
Posted: 10/22/2007 08:41:59
by Ken Ivanov (EldoS Corp.)

Quote
What is the difference in using SB_ALGORITHM_PBE_SHA1_RC2_40 vs SB_ALGORITHM_PBE_SHA1_3DES?

These are different algorithms. AFAIR, there were problems on earlier versions of Windows with certificates encrypted with algorithms other than RC2/40.

Quote
I have also changed the order of adding the certificates, but it made no difference in the way it adds the certificates in the Windows storage.

Then there's no way to install the CA certificate from a PFX to the Trusted Root store. I've asked the corresponding question in the Microsoft newsgroup but did not get an answer yet.

Quote
Have you tried taking a Root CA and installing it directly and it automatically sets itself to "Trusted Root Authorities"? Then try and add it to the TElMemoryCertStorage and save it and then try and installing it again, but then ends up in PERSONAL storage?

It is likely that certificates imported from a PFX file are always installed to the Personal store. If you wish to install a certificate to the Trusted Root store, you should use another format (.CSR, .SPC, .P7B).
#4109
Posted: 10/22/2007 08:49:08
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

Hi,

Just made an interesting discovery: I added a sub certificate which was signed by the RootCA and added this between the RootCA and Client. This went automatically to the "Intermediate Certifications Authorities". This tells me that there is still hope for the ROOT to go to the correct folder and that not all files installed by pfx go to personal.

I will try a different file format. Let me know if you get feedback from the Microsoft newsgroup. Thanks
#4110
Posted: 10/22/2007 09:26:22
by Farrel Coetzee (Basic support level)
Joined: 10/18/2007
Posts: 11

Could it be the way I load my certificates (LoadCertificate) into the TElX509Certificate object? I load my client and CA Root and Sub Certificate in via this call.
#4111
Posted: 10/22/2007 09:29:48
by Ken Ivanov (EldoS Corp.)

Thank you for the information. We will also perform a deeper investigation of the issue and answer you as soon as we find something.
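
An added example, not part of the thread and not SecureBlackbox code: a PowerShell script that does not depend on where the import wizard places things, but adds each certificate from a PFX to an explicitly chosen store, following the placement the posts describe (private key to Personal, self-signed to Trusted Root, anything else to Intermediate). The parameter names, the `Get-TargetStore` helper and the subject-equals-issuer test for "self-signed" are assumptions of this example.

```powershell
param(
    [Parameter(Mandatory)] [string] $PfxPath,        # PFX file to inspect (caller-supplied)
    [Parameter(Mandatory)] [securestring] $Password, # PFX password
    [switch] $Install                                # without this, only report the plan
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# X509Certificate2Collection.Import takes a plain string password.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password

# Persist the private key only when we really install; a report-only run
# should not leave key material behind in the user's key container.
$flags = if ($Install) { 'PersistKeySet' } else { 'DefaultKeySet' }
$flags = [Enum]::Parse(("$X509.X509KeyStorageFlags" -as [type]), $flags)

$bundle = New-Object "$X509.X509Certificate2Collection"
$bundle.Import((Resolve-Path $PfxPath).Path, $plain, $flags)

# Hypothetical helper: pick the store by the rules discussed in the thread.
function Get-TargetStore($cert) {
    $names = "$X509.StoreName" -as [type]
    if ($cert.HasPrivateKey)            { return $names::My }    # Personal
    if ($cert.Subject -eq $cert.Issuer) { return $names::Root }  # Trusted Root
    return $names::CertificateAuthority                          # Intermediate
}

foreach ($cert in $bundle) {
    $target = Get-TargetStore $cert

    # Emit the plan; compare the root's thumbprint with the value published
    # by the CA owner before running again with -Install.
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        HasKey     = $cert.HasPrivateKey
        Store      = $target
    }

    if ($Install) {
        $location = ("$X509.StoreLocation" -as [type])::CurrentUser
        $store = New-Object "$X509.X509Store" -ArgumentList $target, $location
        $store.Open(("$X509.OpenFlags" -as [type])::ReadWrite)
        try { $store.Add($cert) } finally { $store.Close() }
    }
}
```

The store name is passed as a `StoreName` enum value rather than a string because the Intermediate store's system name is `CA`, not `CertificateAuthority`.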
