
I have some C# 4.0 code that attempts to install a CA (.der encoded) certificate into the "Trusted Root Certification Authorities" store for the current (My) user. My little console app runs silently against other stores, but for this store a GUI popup comes up "You are about to install a certificate from a certification authority... Windows cannot validate that the certificate is actually from..... Do you want to install this certificate?"

This messagebox is a problem because the idea is to automatically deploy the app with an MSI and silently get the right certs in the right place. Having a modal box will kill automated deployment.

How can this installation be done without a deployment-breaking messagebox?

David Gardiner
Snowy
    The reason Windows pops that question up is that adding certificates to the root store has security implications, and so should not be done lightly. I'm not sure whether there is a way to avoid the popup, but I would hope not! Installing an application should **not** be allowed to compromise the security of the PC -- especially not silently. – dajames Nov 20 '10 at 14:13
    @dajames Like Oleg wrote in his answer: an administrator is allowed to install certificates in the local machines trusted root store without a popup. And when you install an application you usually give the installer admin rights, so I think your scenario is actually possible. Another reason you should be careful which installer/application you give your precious admin rights. – Stefan Podskubka Sep 28 '11 at 16:53

1 Answer


It may sound illogical, but to get no warning you should add the certificate not to the Root certificate store of the current user, but to the Root store of the local machine instead. You can easily verify that

certmgr.exe -add -c t.cer -s -r currentUser root

produces the security warning, but

certmgr.exe -add -c t.cer -s -r localMachine root

does not.

So if you want to import a certificate in .NET, the corresponding code could be roughly the following:

using System;
using System.Security.Cryptography.X509Certificates;

namespace AddCertToRootStore {
    class Program {
        static void Main (string[] args) {
            // Open the Root store of the local machine (not of the current user):
            // writing to this store does not trigger the security warning.
            // Opening it for ReadWrite requires an elevated (administrator) process.
            X509Store store = new X509Store (StoreName.Root,
                                             StoreLocation.LocalMachine);
            store.Open (OpenFlags.ReadWrite);
            // Load the DER-encoded CA certificate from disk.
            X509Certificate2 cert = new X509Certificate2 (@"C:\Oleg\t.cer");
            Console.WriteLine ("The certificate will be added to the Root...");
            store.Add (cert);
            Console.WriteLine ("Verify that the certificate was added successfully");
            Console.ReadKey ();
            Console.WriteLine ("The certificate will be removed from the Root");
            store.Remove (cert);
            store.Close ();
        }
    }
}
Oleg
  • I just tried this on my Windows 7 Machine. You need admin rights for that to work. I think it makes sense that the administrator can install trusted root certificates for the local machine without a visual prompt. – Stefan Podskubka Sep 28 '11 at 16:45
  • @Stefan: Of course **only administrators** are able to install **root certificates in the *local* machine**, but especially the installation of certificates in this case sometimes needs to be silent. Think about setups, for example. So I see no problem in what you wrote. – Oleg Sep 28 '11 at 17:11
  • I just wanted to point out (for other people stumbling upon this answer) that only the administrator can do that, not just any user. That wasn't clear to me right away after reading your answer. But otherwise +1 for the insight and the useful code sample – Stefan Podskubka Sep 29 '11 at 07:38
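The answer and the comments above make two points a deployment script should enforce rather than assume: only an elevated administrator can write to LocalMachine\Root, and a certificate placed there becomes a trust anchor for every user on the machine. The following is an added example, not code from the original answer, showing a defensive version of the same X509Store call: it checks for an elevated token up front, refuses anything that is not a self-signed CA certificate (Basic Constraints), and searches the store by thumbprint so repeated runs of an installer do not add duplicates. The file path and the exit-code convention are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example (not from the original answer): install a CA certificate into
// LocalMachine\Root only if it really is a CA and is not already present.
namespace AddCertToRootStore
{
    static class RootStoreInstaller
    {
        // True if the current process runs with an elevated administrator token.
        // Without it, opening LocalMachine\Root for ReadWrite throws, so check early.
        static bool IsAdministrator()
        {
            using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            {
                return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
            }
        }

        // A certificate belongs in the Root store only if it is a self-signed CA:
        // issuer equals subject and Basic Constraints marks it as a CA.
        static bool IsSelfSignedCa(X509Certificate2 cert)
        {
            if (cert.Subject != cert.Issuer)
                return false;
            foreach (X509Extension ext in cert.Extensions)
            {
                X509BasicConstraintsExtension bc = ext as X509BasicConstraintsExtension;
                if (bc != null)
                    return bc.CertificateAuthority;
            }
            return false; // no Basic Constraints extension: do not treat it as a CA
        }

        // Adds the certificate to LocalMachine\Root unless it is already there.
        // Returns true if it was added, false if an entry with the same thumbprint existed.
        static bool EnsureInRootStore(X509Certificate2 cert)
        {
            X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
            try
            {
                X509Certificate2Collection existing = store.Certificates.Find(
                    X509FindType.FindByThumbprint, cert.Thumbprint, false);
                if (existing.Count > 0)
                    return false;
                store.Add(cert);
                return true;
            }
            finally
            {
                store.Close();
            }
        }

        static int Main(string[] args)
        {
            // Assumed path; an MSI custom action would pass the real location.
            string path = args.Length > 0 ? args[0] : @"C:\deploy\ca.cer";

            if (!IsAdministrator())
            {
                Console.Error.WriteLine("Adding to LocalMachine\\Root requires an elevated administrator process.");
                return 1;
            }

            X509Certificate2 cert;
            try
            {
                cert = new X509Certificate2(path);
            }
            catch (CryptographicException ex)
            {
                Console.Error.WriteLine("Cannot read certificate: " + ex.Message);
                return 1;
            }

            if (!IsSelfSignedCa(cert))
            {
                Console.Error.WriteLine("Refusing: " + cert.Subject + " is not a self-signed CA certificate.");
                return 1;
            }

            bool added = EnsureInRootStore(cert);
            Console.WriteLine((added ? "Added " : "Already present: ") + cert.Subject
                              + " (thumbprint " + cert.Thumbprint + ")");
            return 0;
        }
    }
}
```

Run it from an elevated prompt as `RootStoreInstaller.exe C:\deploy\ca.cer`; a non-zero exit code makes a failed or refused install visible to the MSI rather than silently leaving the store untouched. Logging the thumbprint on every run gives an auditable record of which trust anchors a deployment introduced.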