CA certificate directory on Windows

I am writing a network client in C. Normally I work with Linux, and I don't know how CA certificates work on Windows; the Windows documentation is not very good.
Does a CA certificate directory (root) exist by default on Windows?
Something like the directory /etc/ssl/certs/ under Linux, which is a list of CA certificates.
I need this to adapt a program which works with OpenSSL.
Can you help me? Thank you in advance.

I don't believe Windows stores your Certificates in a default file location, but rather in a registry entry. Check out this link - it's for Windows Server 2003, but I believe most of the information is still relevant.
The basic tools typically used to manage certificates are Certreq.exe and Certutil.exe.
Here is a basic C++ program example for how to insert/create a certificate for Windows. It does not address the network portion of your question, but I think you might find it useful.
Good luck.

Does a CA certificate directory (root) exist by default on Windows? Like the directory /etc/ssl/certs/ under Linux, which is a list of CA certificates.
No. You must ship a file with the root and intermediate certificates along with your app on Windows. It can come from Linux, or you can export the necessary certificates from the Windows store manually through certmgr. Or you can build a list of trusted root and intermediate certificates programmatically with the help of the WinAPI, as Qt does, for example.

You can access the Windows certificate store (which contains the CA certificates) and manipulate certificates with these functions:
CertOpenSystemStore()
CertEnumCertificatesInStore()
CertCloseStore()
and convert a DER certificate into an OpenSSL X509 structure with:
d2i_X509()
For an example, see the TLS client in this link.
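The two answers above describe the same job from two sides: exporting the trusted roots by hand through certmgr, or enumerating them through CryptoAPI and feeding the DER blobs to d2i_X509(). Both can be scripted from PowerShell, whose Cert: drive wraps the same system stores that CertOpenSystemStore() and CertEnumCertificatesInStore() expose. The script below is an added example, not code from either answer: it walks the machine Root and CA stores, keeps only unexpired CA certificates, and writes them as a PEM bundle that an OpenSSL client can hand to SSL_CTX_load_verify_locations(). Each certificate's RawData property is exactly the DER encoding that d2i_X509() parses; PEM is that DER base64-encoded between BEGIN/END lines. The output path and the choice of stores are assumptions.

```powershell
# Export-WindowsRoots.ps1 (added example; not from the original answers).
# Assumptions: Cert:\LocalMachine\Root and Cert:\LocalMachine\CA are the stores
# of interest (readable by any local user); the output file is arbitrary.
[CmdletBinding()]
param(
    [string]   $OutFile = (Join-Path $PWD 'windows-roots.pem'),
    [string[]] $Stores  = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA')
)

function ConvertTo-Pem {
    # Wrap one certificate's DER bytes as a PEM block, 64 columns per line
    # (OpenSSL's PEM reader rejects base64 lines longer than 80 characters).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $b64   = [Convert]::ToBase64String($Cert.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    return @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
}

function Test-IsCaCert {
    # Keep certificates whose Basic Constraints say CA=TRUE. Entries without the
    # extension (some legacy roots) are kept; anything explicitly non-CA is dropped.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $bc = $Cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    return (-not $bc) -or $bc.CertificateAuthority
}

$now   = Get-Date
$out   = New-Object System.Collections.Generic.List[string]
$count = 0

foreach ($store in $Stores) {
    foreach ($cert in (Get-ChildItem -Path $store)) {
        if ($cert.NotAfter -lt $now)    { continue }   # expired: cannot validate anything
        if (-not (Test-IsCaCert $cert)) { continue }   # e.g. stray end-entity certs in the CA store

        # Text outside BEGIN/END lines is ignored by OpenSSL's PEM parser,
        # so the bundle can carry a human-readable index.
        $out.Add("# Subject:    $($cert.Subject)")
        $out.Add("# Thumbprint: $($cert.Thumbprint)")
        $out.Add("# NotAfter:   $($cert.NotAfter.ToString('u'))")
        foreach ($line in (ConvertTo-Pem $cert)) { $out.Add($line) }
        $count++
    }
}

# Plain ASCII with no BOM: a UTF-8 BOM in front of the first '-----BEGIN' line
# makes some PEM parsers skip the first certificate.
[System.IO.File]::WriteAllLines($OutFile, $out.ToArray(), [System.Text.Encoding]::ASCII)
Write-Host "Wrote $count certificates to $OutFile"
```

Run it as `.\Export-WindowsRoots.ps1 -OutFile C:\app\roots.pem`, then in the C client call `SSL_CTX_load_verify_locations(ctx, "roots.pem", NULL)` together with `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)`; loading a bundle without enabling peer verification changes nothing. Two caveats are specific to Windows. The Root store is populated on demand by Automatic Root Update, so a freshly installed machine may hold only a few dozen roots until Windows has fetched the others, and the extra restrictions Windows attaches to roots (per-root EKU limits, the Disallowed store) do not survive a plain export. Treat the bundle as a snapshot to refresh with each release, not as a permanent trust list.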

Related

Self-signed root certificate doesn't work on Windows

I've created a self-signed CA certificate and added it to "Trusted Root Certification Authorities".
Then I've created another certificate that was signed by the CA certificate created earlier.
Then I've signed my exe with the first certificate, downloaded this file onto the computer and tried to launch it. But Windows thinks that it is an untrusted file. In the file properties I can see the digital signature with my certificates' hierarchy.
So, the question is: what am I doing wrong?
Thanks.

How to create a self-signed certificate using the command prompt?

Is there a way to create a self-signed certificate in IIS on Windows 2012 R2 using the command prompt?
I went through many documents; everywhere there is a tutorial using Windows PowerShell but not the command prompt.
I do not have the makecert utility installed on my system. Is there any other command or utility?
I saw a selfssl utility but I am not sure whether it will work on a Windows 2012 R2 server.
Try the certreq tool. The data is given in the form of an inf file. The link mentioned before contains information about the file structure. This link contains an example inf file for an SSL certificate (it could be of more help).
Then run
certreq -new your_inf_file.inf generated_req.req
As a side effect it will generate a self-signed certificate in Certificate Enrollment Requests in the store you specified in the inf file. Just move the certificate to the My store and also (because it is self-signed) to Trusted Root Certification Authorities.
You can also use xca. It is a nice utility built on OpenSSL which lets you create any certificate (self-signed or any chain of CAs) and it is easy to use.
I wouldn't bother with makecert as it is deprecated. Instead, I would suggest you use PowerShell as it is the mainstream administration tool in Windows Server. Windows Server 2012 has a built-in cmdlet to generate self-signed certificates: https://technet.microsoft.com/en-us/library/hh848633(v=wps.630).aspx
When Microsoft deprecated the makecert tool, they enhanced the certreq command-line tool with the ability to generate self-signed certificates, though with some overhead: http://blogs.technet.com/b/askds/archive/2012/08/14/rsa-key-blocking-is-here.aspx
The article rsa-key-blocking-is-here.aspx moved here.
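The certreq answer and the PowerShell answer above are the two supported command-line routes on 2012 R2, and both leave the same follow-up work: the certificate must be trusted locally (self-signed means nobody else vouches for it) and bound to the IIS site. The script below is an added example, not code from either answer, and shows both routes ending in the same install step. In the INF, `RequestType = Cert` is what makes certreq emit a self-signed certificate rather than a CSR; `KeyUsage = 0xA0` is digitalSignature plus keyEncipherment, and the EKU OID is Server Authentication. The hostname, site name and file paths are placeholders, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the answers above): a self-signed IIS certificate on
# Windows Server 2012 R2 via either certreq or New-SelfSignedCertificate, then
# trusted locally and bound to port 443. Placeholders: hostname, site, paths.
$Hostname = 'www.example.com'
$SiteName = 'Default Web Site'
$WorkDir  = $env:TEMP

function New-SelfSignedViaCertreq {
    # Route 1: certreq with an INF. RequestType = Cert yields a self-signed
    # certificate in LocalMachine\My; the CSR route (RequestType = PKCS10) would
    # instead leave a placeholder in Certificate Enrollment Requests.
    $inf = @"
[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
RequestType = Cert
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ValidityPeriod = Years
ValidityPeriodUnits = 2

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
"@
    $infPath = Join-Path $WorkDir 'selfsigned.inf'
    $cerPath = Join-Path $WorkDir 'selfsigned.cer'
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    & certreq.exe -new $infPath $cerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    # certreq installed certificate and key in LocalMachine\My; pick the newest by subject.
    return Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Hostname" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

function New-SelfSignedViaCmdlet {
    # Route 2: the 2012 R2 cmdlet. On that OS it accepts little beyond -DnsName and
    # -CertStoreLocation; the SAN is filled in from -DnsName.
    return New-SelfSignedCertificate -DnsName $Hostname -CertStoreLocation Cert:\LocalMachine\My
}

function Install-IisCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # Self-signed: the issuer is the certificate itself, so trust has to be granted
    # explicitly by placing the public part in Trusted Root (lab/test machines only).
    $cerPath = Join-Path $WorkDir 'selfsigned-public.cer'
    Export-Certificate -Cert $Cert -FilePath $cerPath -Type CERT | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443
    }
    # IIS:\SslBindings maps ip!port to a certificate living in LocalMachine\My.
    $binding = 'IIS:\SslBindings\0.0.0.0!443'
    if (Test-Path $binding) { Remove-Item $binding }
    Get-Item "Cert:\LocalMachine\My\$($Cert.Thumbprint)" | New-Item -Path $binding | Out-Null
}

# Pick one route; both end with the same install step.
$cert = New-SelfSignedViaCertreq      # or: New-SelfSignedViaCmdlet
Install-IisCertificate -Cert $cert
Write-Host "Bound $($cert.Subject) ($($cert.Thumbprint)) to https://${Hostname}:443"
```

The Trusted Root import only silences the warning on this server; every client still has to be told to trust the certificate, which is why a self-signed certificate is a test-bench tool and an internal CA or public CA is what production needs. If the INF is edited, keep `RequestType = Cert`; with the default PKCS10 request type certreq produces a CSR and the placeholder certificate the earlier answer describes, which is not usable as a server certificate.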

Create my own Authenticode root certificate and submit it to Microsoft

Scenario: I create my own root certificate for Authenticode (used to sign executables only). Easy. Unfortunately, it will only work on computers where I have installed the certificate!
So, I want to become an official CA (the root certificate will be present on every Windows installation in the world). As a bonus, I can sell this service to others :)
TL;DR: I want to become an official CA recognized by Microsoft for signing executables only (Authenticode, not SSL/TLS).
Questions: is it possible to submit my root certificate to Microsoft so they integrate it into Windows? What are the costs? Is it possible for an individual and/or a small business?
Thank you in advance!

How to install certificates on other's machine?

On my machine, I'm using a signed application with an installed certificate to get a trusted publisher dialog from Windows. I've created a certificate with makecert.exe and installed it into the certificate store in Windows. From there, I've exported the PFX and signed my application with signtool.exe. In order to get the same trusted publisher dialog on another machine, the certificate is necessary there too. Instead of installing the certificate by hand, an installer should take care of importing it. Unfortunately, Windows Installer doesn't support this feature. Because of that, I'm looking for a solution like a classical API call in Windows. Is there something built into Windows to make it easier, or something comparable?
To install a certificate as part of an MSI setup you have to use custom actions. If you are not familiar with custom actions, I recommend you use the simplest custom action, which allows you to start an exe. It can be an existing utility like CertUtil.exe (see here for some examples, and try certutil -importPFX -? to see the help for importing PFX files).
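What the installer actually has to put on the other machine is the public certificate, not the PFX: the PFX holds the signing key and has no business on end-user systems, while the trusted-publisher state comes from the Root and TrustedPublisher stores. The script below is an added example, not code from the answer. Export-PublisherCert runs once on the build machine; Install-PublisherTrust is what the custom action would run elevated on the target, using the same certutil the answer points to; and Test-PublisherTrust separates "signed" from "trusted", which is the gap the earlier "Self-signed root certificate doesn't work on Windows" question ran into. Thumbprint, file names and the exe path are placeholders.

```powershell
# Added example (not from the answer): ship the public signing certificate and
# trust it on the target machine. Placeholders: thumbprint, paths, exe name.

function Export-PublisherCert {
    # Build machine: write the public certificate only (DER .cer). The PFX with the
    # private key stays here and is never part of the installer payload.
    param(
        [string] $Thumbprint,
        [string] $OutFile = (Join-Path $PWD 'publisher.cer')
    )
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    return $OutFile
}

function Install-PublisherTrust {
    # Target machine, elevated (what the MSI custom action runs). -f makes
    # -addstore idempotent, so re-running the installer is harmless.
    # With a single self-signed makecert certificate the same file goes into both
    # stores; if a separate makecert root issued the signing certificate, the root
    # belongs in Root and the signing certificate in TrustedPublisher.
    param([string] $CerFile)
    foreach ($store in 'Root', 'TrustedPublisher') {
        # Root: a self-made issuer is trusted only once it is present here.
        # TrustedPublisher: the store the "Always trust software from ..." checkbox
        # writes to; once populated, the publisher prompt is skipped.
        & certutil.exe -addstore -f $store $CerFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -addstore $store failed ($LASTEXITCODE)" }
    }
}

function Test-PublisherTrust {
    # Separates "signature present and intact" from "chain ends in a trusted root".
    param([string] $ExePath)
    $sig = Get-AuthenticodeSignature -FilePath $ExePath
    [pscustomobject]@{
        File       = $ExePath
        Status     = $sig.Status          # Valid | NotSigned | HashMismatch | UnknownError ...
        Message    = $sig.StatusMessage   # e.g. "... terminated in a root certificate which is not trusted"
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

# Build machine:
#   Export-PublisherCert -Thumbprint 'ABCDEF0123...' -OutFile .\publisher.cer
# Target machine (from the custom action, after the files are installed):
#   Install-PublisherTrust -CerFile "$env:ProgramFiles\MyApp\publisher.cer"
#   Test-PublisherTrust -ExePath "$env:ProgramFiles\MyApp\MyApp.exe"
```

Install-PublisherTrust needs administrative rights, so it belongs in a deferred custom action running without impersonation, sequenced after InstallFiles so the .cer is on disk. Be clear about what you are asking the customer to accept: a certificate in Root can validate any chain, TLS included, so a root minted with makecert should exist only on the build machine with its key kept offline, and a code-signing certificate from a CA already in Microsoft's root program removes the store-population step entirely.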

Does Mercurial access the Windows certificate store?

I'm working to upgrade our source control from hg 1.6.0 to 1.8.2 and I'm looking to set up and use SSL certs. This is on a Windows Server 2008 Enterprise system running IIS 6.0; it's not my server, so I need to use those versions of the software right now. All my users are running Windows too.
To ease installation/configuration for my users I'd prefer to modify the Windows Cert Store instead of the cacert.pem file. Does Mercurial have access to the Windows Certificate Store? It doesn't seem to. I am using internally created certificates, and I can get things to work without SSL warnings by adding my root cert to the cacert.pem file in Mercurial, but I can't seem to get it to work by adding the certs to the Windows Cert Store. Am I missing something?
Thanks,
Scott
No, Mercurial does not access the Windows certificate store.
It includes a cacert.pem in its distribution (as you know, even though before 1.7.3 the story was a bit different).
The article "X.509 certificates and Mercurial" has more information.
A principal thing to remember here is that Mercurial will not work as a complete server out of the box: it does not request authentication information, in the form of basic, digest, or certificates, at all.
This means that in order to use X.509 certificates with Mercurial, one needs to place a web server that knows these authentication mechanisms in front of it.
That article uses makecert.exe, which actually knows about the Windows certificate store (contrary to Mercurial itself):
makecert.exe is a bit of a different beast from openssl as it interfaces directly with the machine’s or user’s certificate store (the special place where certificates live a happy life in Windows).
