Creating a package to install certificates in the Windows Store

Questions about WAPT Packaging / Requests and help regarding Wapt packages.
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Locked
megs
Messages: 8
Registration: December 7, 2018 - 1:59 PM

June 18, 2021 - 5:06 PM

Good morning,

I am trying to create a package to install certificates across the entire fleet.
In the install section I do this:

Code: Select all

CPath=r'C:\CERTIFMAAF'
ROOTlist=['IGCAACracineEtatfrancais.crt']
CINTList=['ACAGENTSAGRIALIMAUTONOME.crt',
          'ACAGENTSAVANCEE.crt',
          'ACAGENTSDDIAVANCEE.crt',
          'ACAGENTSDDISTANDARD.crt',
          'ACAGENTSSTANDARD.crt',
          'ACDISPOSITIFTECHNIQUE.crt',
          'ACDISPOSITIFTECHNIQUEDDI.crt',
          'ACPARTENAIRESAGRIALIMAUTONOME.crt',
          'ACPARTENAIRESAVANCEE.crt',
          'ACPARTENAIRESSTANDARD.crt',
          'ACRACINEAGRIALIMAUTONOME.crt',
          'ACRACINEMINISTEREENCHARGEDELAGRICULTURE.crt',
          'ACSERVEURSAGRIALIMAUTONOME.crt',
          'ACSERVEURSAVANCEE.crt',
          'ACSERVEURSDDISTANDARD.crt',
          'ACSERVEURSPARTENAIRESAGRIALIMAUTONOME.crt',
          'ACSERVEURSSTANDARD.crt',
          'ACUSAGERS.crt']

def install():
    if isdir(CPath):
        print('-- Déjà en place, on passe...')
    else:
        mkdirs (CPath)
        copytree2(r'.\CERTIFMAAF',CPath ,onreplace=default_overwrite)
        for cert in (ROOTlist):
            print (" Installing " + cert + " in Trusted Root CA Store.")
            cmd=r'certutil.exe -silent -addstore root {}\{}.crt'.format(CPath,cert)
            run_notfatal(cmd)
        for cert in (CINTList):
            print (" Installing " + cert + " in Trusted Intermediaries CA.")
            cmd=r'certutil.exe -silent -addstore ca {}\{}.crt'.format(CPath,cert)
            run_notfatal(cmd)
I have no errors (normal, it's in silent mode), except that the certificates are not installing.
Is this a rights issue? Can't the computer/system account integrate certificates?
How can I make it work?
High
User avatar
dcardon
WAPT Expert
Messages: 1932
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire
Contact :
Contact dcardon

June 21, 2021 - 3:45 PM

Hello Megs,

In the code, the substitution seems to add a .crt file to the filename of the file that already contains a .crt file:

Code: Select all

{}\{}.crt
The WAPT agent executes the contents of the `def install()` function as a Local System account, so it has the rights to add certificates to the local store. However, care must be taken when creating directories at the root (C:\CERTIFMAAF) with inherited permissions to prevent anything other than the Local System account from writing to them. In fact, it's not necessary to make an intermediate copy in C:\CERTIFMAAF (if there are no other applications that need access to the .crt files themselves), and you can use `certutil` directly from the WAPT package installation directory.

Sincerely,

Denis
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
High
megs
Messages: 8
Registration: December 7, 2018 - 1:59 PM

June 21, 2021 - 4:21 PM

Yes indeed, it was Friday night so... :roll: .
Also, the paths are unclear to me, so there's no way to retrieve the correct certificate path unless I copy it to a place where I know for sure where it is. I tried the path .\CERTIFMAAF but poof... not found. :lol:

But it doesn't change anything anyway. Certutils doesn't work via command prompt. It works with PowerShell, however, since it doesn't call an external executable.

I've compiled a simpler, more user-friendly version for everyone (Win 7 not tested). Feel free to use it as a guide if you wish. Tested and working on Win10. WAPT 1.8.2. Linux core version.

Code: Select all

from setuphelpers import *
import os

uninstallkey = []
CRootPath=r'C:\CERTIFMAAF\ROOT'
CCaPath=r'C:\CERTIFMAAF\CA'
Certlist=[]

def install():
    global CRootPath
    global CCaPath
    global Certlist

    if isdir(CRootPath):
        print("-- Déjà en place, on passe...")
    else:
        copytree2(r'.\CERTIFMAAF',r'C:\CERTIFMAAF' ,onreplace=default_overwrite)

        for cert in os.listdir(CRootPath):
            cmd=r'import-certificate {}\{} -CertStoreLocation "Cert:\LocalMachine\Root"'.format(CRootPath,cert)
            print (cmd)
            run_powershell(cmd)
        for cert in os.listdir(CCaPath):
            cmd=r'import-certificate {}\{} -CertStoreLocation "Cert:\LocalMachine\CA"'.format(CCaPath,cert)
            print (cmd)
            run_powershell(cmd)

def uninstall():
    if isdir(CRootPath):
        print ("Removing... ")
        remove_tree (CPath)
        for cert in (RemoveList):
            print (" Removing ALL IGC and AC in Trusted Root & CA Store.")
            cmd=r'get-childitem cert:"LocalMachine\Root" | Where-object {$_.subject -like "CN=IGC/A AC*"} | ForEach-Object {Remove-Item -Path "Cert:\LocalMachine\CA\$($_.Thumbprint)"}'
            run_powershell(cmd)
            cmd=r'get-childitem cert:"LocalMachine\CA" | Where-object {$_.subject -like "CN=AC *"} | ForEach-Object {Remove-Item -Path "Cert:\LocalMachine\CA\$($_.Thumbprint)"}'
            run_powershell(cmd)
Finally, all that remains is to figure out how to find the identifier of each certificate from the folder and its stored contents, and then delete them in a targeted manner to create a generalized package. But I don't have the time.
High
Locked

Return to “WAPT Packages”


  • To go further with WAPT