how to automaticaly export windows root certificates to a file?

Question

On a windows machine, I want to create a c++ code that exports windows root certificates to .pem \ .crt file (just like certmgr.msc tool allows me to do manually). currently digging in windows' cryptoAPI docs but didn't find something.

Edit: after using the soltuion below the PEM certificates are created in the following format (unnecary newline between lines and an extra character at the end) : -----BEGIN CERTIFICATE-----

MIICvDCCAiUCEEoZ0jiMglkcpV1zXxVd3KMwDQYJKoZIhvcNAQEEBQAwgZ4xHzAd

BgNVBAoTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxFzAVBgNVBAsTDlZlcmlTaWdu

....

Rj1QNAufcFb2jip/F87lY795aQdzLrCVKIr17aqp0l3NCsoQCY/Os68olsR5KYSS

3P+6Z0JIppAQ5L9h+JxT5ZPRcz/4/Z1PhKxV0f0RY2M=

-----END CERTIFICATE-----

i don't believe it will be accepted by openSSL, what is the cause for this?

plstryagain · Answer 1 · 2017-08-10T09:13:02.077

What you're looking for is CertEnumCertificatesInStore function. Also if you want to save certificate in PEM you will need CryptBinaryToString.

#include <Windows.h>
#include <wincrypt.h>
#include <string>
#include <fstream>
#include <vector>

#pragma comment(lib, "crypt32.lib")

int _tmain(int argc, _TCHAR* argv[])
{
    DWORD num = 1;
    /* open root certificate store */
    HCERTSTORE hCertStore = CertOpenSystemStore(NULL, L"ROOT");

    PCCERT_CONTEXT pCert = nullptr;
    while (pCert = CertEnumCertificatesInStore(hCertStore, pCert))
    {
        /* if you need save certificate in PEM */
        DWORD size = 0;
        CryptBinaryToString(pCert->pbCertEncoded, pCert->cbCertEncoded, CRYPT_STRING_BASE64HEADER, nullptr, &size);
        std::vector<wchar_t> pem(size);
        CryptBinaryToString(pCert->pbCertEncoded, pCert->cbCertEncoded, CRYPT_STRING_BASE64HEADER,
            pem.data(), &size);

        std::wstring pem_cert = std::to_wstring(num) + L".pem";
        std::wofstream pem_cert_file(pem_cert, std::ios::binary | std::ios::out);
        pem_cert_file.write(pem.data(), pem.size() - 1);


        /* or if you need save certificate in binary form (DER encoding)*/
        std::string der_cert = std::to_string(num) + ".cer";
        std::ofstream der_cert_file(der_cert, std::ios::binary | std::ios::out);
        der_cert_file.write(reinterpret_cast<char*>(pCert->pbCertEncoded), pCert->cbCertEncoded);
        ++num;
    }

    CertCloseStore(hCertStore, 0);
    return 0;
}

thanks a lot! editied my question for certificate format issue that i saw after using the code — uriBaba, Aug 10 '17 at 08:44
@uriBaba sorry, forgot add std::ios::binary and remove null-character — plstryagain, Aug 10 '17 at 09:12
first to obtain required buffer size, then to do actually conversion — plstryagain, Aug 10 '17 at 14:29
thx, another question - this method obtains only current user certifcates.(accodring to MSDN). Is it possible to get also the local nachine certificates? — uriBaba, Aug 13 '17 at 11:52
yes, use CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"ROOT") instead of CertOpenSystemStore — plstryagain, Aug 13 '17 at 18:05

how to automaticaly export windows root certificates to a file?

1 Answers1

Linked

Related