I'm working to upgrade our source control from hg 1.6.0 to 1.8.2 and I'm looking to set up and use SSL certs. This is on a Windows Server 2008 Enterprise system running IIS 6.0, not my server so I need to use those versions of software right now. All my users are running Windows too.
To ease installation/configuration for my users I'd prefer to modify the Windows Cert Store instead of the cacert.pem file. Does Mercurial have access to the Windows Certificate Store? It doesn't seem to. I am using internally created certificates and I can get things to work without SSL warnings by adding my root cert to the cacert.pem file in Mercurial but I can't seem to get it to work by adding the certs to the Windows Cert Store. Am I missing something?
Thanks,
Scott
No, Mercurial does not access the Windows certificate store.
It includes in its distribution a cacert.pm (as you know, even though before 1.7.3, the story was a bit different)
The article "X.509 certificates and Mercurial" has more information.
A principal thing to remember here is that Mercurial will not work as a complete server out of the box, requesting authentication information, in the form of basic, digest, or certificates, at all.
This means that in order to use X.509 certificates with Mercurial, one needs to place a web server that knows of these authentication mechanisms in front of it.
This article includes makecert.exe, which actually knows about the Windows certificates store (contrary to Mercurial itself)
makecert.exe is a bit of a different beast from openssl as it interfaces directly with the machine’s or user’s certificate store (the special place where certificates live a happy life in Windows).
Related
I need to install a cert to allow a browser to talk to localhost via our app. The .pfx file created for this purpose works great when imported with the Windows 10 MMC tool. But that's a lot of steps to make our users do manually.
By following the steps in this answer (Install a pfx certificate in a users store in Windows using WiX), I can build an MSI and it runs on the target machine without errors.
However, the cert does not exist in the usual "Certificates - Local Computer" MMC tool, nor can the cert be bound to the app with netsh. After a bit of searching, it turns out the cert is installed "somewhere in IIS", and is only visible in the IIS tool (?!).
Using openssl, I converted the .pfx to a .pem file. When running the MSI, this DOES seem to install the cert to the proper place (?!). However, the cert is missing the private key, so it also can't be bound with netsh ('SSL Certificate add failed, Error 1312').
What on earth is going on, and how can I make Wix install the certificate properly?
Well, I guess I figured it out. I tried running the MSI on a virgin Windows 10 installation, and the .pfx file installed correctly and can be bound ok.
So, my guess is that "something" is checking the local computer to see if IIS is installed, and makes the decision to install the cert in a place that only IIS can see or use it. There's probably a lot more going on behind the scenes, but that's the gist of it.
In summary, use a .pfx file to get the private key, and remember that the installation will only work on computers without IIS installed.
I understand how SSL works, but my question is more regarding the storage of certs on client side. To understand the exact context you can assume that I am sort of writing my own browser.
My Rendering part will be done by WebKit and http request handling part will be done by libCurl. libCurl has an option called CURLOPT_CAPATH using which i can tell one folder location to libCurl and that's what libCurl will refer to for perhaps trusted certificates authorities. But I do not know which location is that? IS it operating system specific, my browser sort of app is suppose to work on multiple plateforms.
Where OSx and Windows keep their certificates?
Is it one unified directory ? or its splitted in multiple locations?
Windows keep them in registry not in directory?
multiple browsers on same operating system use the same certificate store or all of them have their on certificate store?
Do i need to worry about nss?
Where OSx and Windows keep their certificates?
OS X stores certificates in the Keychain. Windows stores certificates in the Certificate Store.
Is it one unified directory ?
No.
or its splitted in multiple locations?
Yes.
Windows keep them in registry not in directory?
Windows stores certificates in the Certificate Store. Its backed by a file(s), but you don't operate on the file directly.
multiple browsers on same operating system use the same certificate store or all of them have their on certificate store?
It depends.
Firefox and Opera carry around their own collection of trust anchors (CA Certifcates).
Chrome uses the operating system provided store.
Safari uses the certificates in the Keychain.
IE uses uses the certificates in the Certificate Store.
I'm not sure what other browsers do. For example, I don't know from where Iceweasel and Dillo fetch the list of trust anchors.
Do i need to worry about nss?
It depends. What do you have in mind?
... CURLOPT_CAPATH ...
When using cURL, you often use a "ca-certs" file. See Automatically converted CA Certs from mozilla.org.
I'm using CAPICOM to load a certificate needed by a WebService client.
I need to have the certificate installed in Windows, and then open it from the certificate file itself, which I think is "kinda stupid".
Is there any way to either (in order of preference):
Save the PFX File contents to a memo field in the database, and load it from there, without installing it on Windows?
Load the PFX File from the file itself, without installing it on Windows
I'm using Delphi XE3, LibEay32 and Capicom 2.0
If you want to install the certificate in Windows you will ALWAYS get a popup asking the user for permission, unless the certificate comes from a root that is already trusted. If you don't want that the only option is to use the PFX contents from a memo field each time you need the certificate.
I have no experience with Capicom, but from what I read it is a Microsoft DLL that you use?
If you are having problems with Capicom and LibEay32 you might want to check out the Eldos Secure BlackBox components. I have very good experiences with those and their support is great.
I distribute a Windows desktop app which has all executable files digitally signed by a Verisign Class 3 Code Signing certificate. For the vast majority of users, this seems to work fine.
However a small number of users report the certificate is invalid. They say it comes up with the message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider". This corresponds to error code CERT_E_UNTRUSTEDROOT (0x800B0109). This has also been reported on a fully-updated Windows 7 machine. So presumably my certificate is OK, but Windows sometimes doesn't trust VeriSign certificates.
Why does Windows sometimes not trust VeriSign? Is there anything I can add to my installer (also signed) which will tell Windows to trust the certificate?
There are frequent updates of the Root Certificates which Microsoft rolls out via Windows Update, but which are tagged as "optional update". Hence not all users may have them installed and may need to install them manually. This also holds for "fully updated" machines, as the automatic installation is often set to only install "important updates", which the Root Certificate updates are not.
Depending on the type of desktop application, you may have to follow certain rules when signing, too. For example applications interacting with the Windows Security Center require essentially the same signing method as drivers. That is, the certificate chain gets embedded along with the signature (/ac switch to signtool). You can get the MSCV-VSClass3.cer applicable to VeriSign certificates here.
The process is often called cross-signing, which seems to be a misnomer. While this is one step in getting your driver binary or catalog cross-signed, the vital step is that Microsoft signs the driver (or more usually the catalog file these days), which is the actual cross-signing.
On my machine, I’m using a signed application with an installed certificate to get a trusted publisher dialog from Windows. I’ve created a certificate with makecert.exe and installed it to the certification store in windows. From there, I’ve exported the PFX and signed with signtool.exe my application. In order to get the same trusted publisher dialog on another machine, a certificate is necessary. Instead of installing the certificate by hand, an installer should accomplish the importation of the certificate. Unfortunately, the windows installer doesn’t support this feature. Because of that, I’m looking for a solution like a classical API command in windows. Is there something built-in in windows to make it easier or something comparable?
To install certificate with respect of MSI setup you have to use custom actions. If you not familiar with custom actions I recommend you to use the simplest custom action which allows you to start an exe. It can be an existing utility like CertUtil.exe (see here some examples and try certutil -importPFX -? to see help about the import of PFX files).