Creating a package to install certificates in the Windows Store

Published: June 18, 2021 - 5:06 PM
by megs
Good morning,

I am trying to create a package to install certificates across the entire fleet.
In the install section I do this:

Code:

from setuphelpers import *

CPath=r'C:\CERTIFMAAF'
ROOTlist=['IGCAACracineEtatfrancais.crt']
CINTList=['ACAGENTSAGRIALIMAUTONOME.crt',
          'ACAGENTSAVANCEE.crt',
          'ACAGENTSDDIAVANCEE.crt',
          'ACAGENTSDDISTANDARD.crt',
          'ACAGENTSSTANDARD.crt',
          'ACDISPOSITIFTECHNIQUE.crt',
          'ACDISPOSITIFTECHNIQUEDDI.crt',
          'ACPARTENAIRESAGRIALIMAUTONOME.crt',
          'ACPARTENAIRESAVANCEE.crt',
          'ACPARTENAIRESSTANDARD.crt',
          'ACRACINEAGRIALIMAUTONOME.crt',
          'ACRACINEMINISTEREENCHARGEDELAGRICULTURE.crt',
          'ACSERVEURSAGRIALIMAUTONOME.crt',
          'ACSERVEURSAVANCEE.crt',
          'ACSERVEURSDDISTANDARD.crt',
          'ACSERVEURSPARTENAIRESAGRIALIMAUTONOME.crt',
          'ACSERVEURSSTANDARD.crt',
          'ACUSAGERS.crt']

def install():
    if isdir(CPath):
        print('-- Déjà en place, on passe...')
    else:
        mkdirs(CPath)
        # Copy the CERTIFMAAF folder shipped next to setup.py into CPath
        copytree2(r'.\CERTIFMAAF', CPath, onreplace=default_overwrite)
        for cert in ROOTlist:
            print(" Installing " + cert + " in Trusted Root CA Store.")
            cmd=r'certutil.exe -silent -addstore root {}\{}.crt'.format(CPath,cert)
            run_notfatal(cmd)
        for cert in CINTList:
            print(" Installing " + cert + " in Trusted Intermediaries CA.")
            cmd=r'certutil.exe -silent -addstore ca {}\{}.crt'.format(CPath,cert)
            run_notfatal(cmd)
I have no errors (normal, it's in silent mode), except that the certificates are not installing.
Is this a rights issue? Can't the computer/system account integrate certificates?
How can I make it work?

Re: Creating a package to install certificates in the Windows Store

Published: June 21, 2021 - 3:45 PM
by dcardon
Hello Megs,

In the code, the substitution seems to add a .crt file to the filename of the file that already contains a .crt file:

Code:

{}\{}.crt
The WAPT agent executes the contents of the `def install()` function as a Local System account, so it has the rights to add certificates to the local store. However, care must be taken when creating directories at the root (C:\CERTIFMAAF) with inherited permissions to prevent anything other than the Local System account from writing to them. In fact, it's not necessary to make an intermediate copy in C:\CERTIFMAAF (if there are no other applications that need access to the .crt files themselves), and you can use `certutil` directly from the WAPT package installation directory.

Sincerely,

Denis

Re: Creating a package to install certificates in the Windows Store

Published: June 21, 2021 - 4:21 PM
by megs
Yes indeed, it was Friday night so... :roll: .
Also, the paths are unclear to me, so there's no way to retrieve the correct certificate path unless I copy it to a place where I know for sure where it is. I tried the path .\CERTIFMAAF but poof... not found. :lol:

But it doesn't change anything anyway. Certutils doesn't work via command prompt. It works with PowerShell, however, since it doesn't call an external executable.

I've compiled a simpler, more user-friendly version for everyone (Win 7 not tested). Feel free to use it as a guide if you wish. Tested and working on Win10. WAPT 1.8.2. Linux core version.

Code:

from setuphelpers import *
import os

uninstallkey = []
CPath=r'C:\CERTIFMAAF'
CRootPath=r'C:\CERTIFMAAF\ROOT'
CCaPath=r'C:\CERTIFMAAF\CA'

def install():
    if isdir(CRootPath):
        print("-- Déjà en place, on passe...")
    else:
        # Copy the ROOT and CA sub-folders shipped next to setup.py
        copytree2(r'.\CERTIFMAAF', CPath, onreplace=default_overwrite)

        for cert in os.listdir(CRootPath):
            cmd=r'Import-Certificate -FilePath "{}\{}" -CertStoreLocation "Cert:\LocalMachine\Root"'.format(CRootPath,cert)
            print(cmd)
            run_powershell(cmd)
        for cert in os.listdir(CCaPath):
            cmd=r'Import-Certificate -FilePath "{}\{}" -CertStoreLocation "Cert:\LocalMachine\CA"'.format(CCaPath,cert)
            print(cmd)
            run_powershell(cmd)

def uninstall():
    if isdir(CRootPath):
        print("Removing... ")
        remove_tree(CPath)
        print(" Removing ALL IGC and AC in Trusted Root & CA Store.")
        # Entries found in the Root store are removed from the Root path,
        # entries found in the CA store from the CA path
        cmd=r'Get-ChildItem "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -like "CN=IGC/A AC*"} | ForEach-Object {Remove-Item -Path "Cert:\LocalMachine\Root\$($_.Thumbprint)"}'
        run_powershell(cmd)
        cmd=r'Get-ChildItem "Cert:\LocalMachine\CA" | Where-Object {$_.Subject -like "CN=AC *"} | ForEach-Object {Remove-Item -Path "Cert:\LocalMachine\CA\$($_.Thumbprint)"}'
        run_powershell(cmd)
Finally, all that remains is to figure out how to find the identifier of each certificate from the folder and its stored contents, and then delete them in a targeted manner to create a generalized package. But I don't have the time.
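As an added example (not code from the thread or from WAPT), this Python helper does what the last paragraph asks for and what the earlier reply suggests: it reads the .crt files straight from the package's ROOT and CA folders, derives each certificate's thumbprint (Windows uses the SHA-1 of the DER encoding, so PEM files are decoded first), and builds the matching Import-Certificate and Remove-Item commands for the right store, so the uninstall removes exactly the certificates the package installed rather than everything matching a subject pattern. The sample bytes are a constructed placeholder, not a real certificate; executing the generated commands with setuphelpers' run_powershell is assumed and left to the caller.

```python
import base64
import hashlib
import os
import re

# Package sub-folder -> LocalMachine store it is imported into (as in the thread)
STORE_FOR_FOLDER = {"ROOT": "Root", "CA": "CA"}
_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_bytes(data):
    """Return the DER encoding of a .crt file's content, accepting PEM or raw DER."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if not data.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data


def thumbprint(data):
    """Windows certificate thumbprint: uppercase hex SHA-1 over the DER bytes."""
    return hashlib.sha1(der_bytes(data)).hexdigest().upper()


def plan_from_mapping(tree):
    """tree = {"ROOT": {path: bytes}, "CA": {path: bytes}} ->
    list of (store, path, thumbprint, import_cmd, remove_cmd)."""
    plan = []
    for folder, files in tree.items():
        store = STORE_FOR_FOLDER[folder]
        for path, data in sorted(files.items()):
            tp = thumbprint(data)
            imp = 'Import-Certificate -FilePath "{}" -CertStoreLocation "Cert:\\LocalMachine\\{}"'.format(path, store)
            rem = 'Remove-Item -Path "Cert:\\LocalMachine\\{}\\{}"'.format(store, tp)
            plan.append((store, path, tp, imp, rem))
    return plan


def plan_from_dir(cert_dir):
    """Same plan, read from <cert_dir>\\ROOT and <cert_dir>\\CA on disk (e.g. the package dir)."""
    tree = {}
    for folder in STORE_FOR_FOLDER:
        d = os.path.join(cert_dir, folder)
        if os.path.isdir(d):
            tree[folder] = {os.path.join(d, n): open(os.path.join(d, n), "rb").read()
                            for n in os.listdir(d) if n.lower().endswith(".crt")}
    return plan_from_mapping(tree)


# Constructed sample: a 5-byte DER SEQUENCE, NOT a real certificate; it only shows that
# the PEM and DER forms of one file yield the same thumbprint.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n"
```

At uninstall time, running plan_from_dir on the package directory and executing each remove_cmd deletes only those thumbprints, which is what makes the package reusable for any set of .crt files.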