We are working on creating an installation package for a WCF-based web service. The service uses message-level encryption via an installed certificate. I am trying to come up with an automated way to both install the certificate and set its permissions.
Currently, we are manually installing the certificate via the MMC snap-in. After it is installed, we need to find the file containing the installed certificate and modify the permissions so that the Network Service account can access it. The only way I know to find the file is to open the "...\Microsoft\Crypto\RSA\MachineKeys" folder (exact path differs based on platform) and identify the file with the most recent modified date.
I'm thinking we'll use WIX to create the installation package. WIX has a specific feature for installing a certificate, but I assume permissions will still be an issue. Is there some utility or API or other means to get the physical path for an installed certificate identified by the subject name (or similar).
Of course, maybe there's a more direct solution to this problem.
Thanks for any help with this issue.
Source: Least Privilege
There is no clean way to do that in managed code. The general procedure is:
- Select a certificate
- Create an RSACryptoServiceProvider object from the certificate's PrivateKey property
- Retrieve the UniqueKeyContainerName property.
- Search for this file name in the various locations where keys are stored. Thats under ApplicationData for user keys and CommonApplicationData for machine keys
If you want to do this in a custom action, I recommend you do this in C++. (Managed Custom Actions are most of the time not a good idea.)
If you only want to set ACLs, there are two tools that can do that for you:
- WinHttpCertCfg.exe
- The certificates tool included in WSE3
See the link for the details, hope this helps!
Does the certificate need to be installed? Could you reference it from a PFX file or similar instead, negating any need for installation?
A certificate itself doesn't have permissions. It can be in either a user's certificate store, such as the MY, CA or ROOT stores. Or it can be in the computer's version of those stores. It sounds like you are also installing a private key along with the certificate. To make a private key accessible to a service, it should be installed to the computer's key store. If you doing the import manually via something like CryptImportKey, you should specify CRYPT_MACHINE_KEYSET when the key container is acquired with CryptAcquireContext.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 我欲成王,谁敢阻挡 的文章《Modifying security on installed certificates》','https://www.manongdao.com/article-915679.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}