Anyone install an X.509 certificate?

wolbrink
Posts: 76
Joined: Wed Nov 17, 2004 3:00 pm

Anyone install an X.509 certificate?

Postby wolbrink » Mon Oct 09, 2006 6:53 pm

As part of my application, I'd like to install a certain X.509 certificate into the machine's certificate store as a trusted root.

Has anyone done this, who might have some pointers?

--Troy

DavidGayler
Posts: 12
Joined: Sun Oct 15, 2006 8:49 pm

x509 cert import

Postby DavidGayler » Sun Oct 15, 2006 9:06 pm

Hi, can you give some more information on requirements? That would be useful. For example, does this cert have a private key associated with it? Also, is this an ISV app or internal app? The reason I ask is that if you want to import a cert, you can use Certmgr.exe. However, this is not a redistributable tool. If you need something you can redist and you can have .NET 2.0 as a prereq, then the new x509certificate classes will get you what you need. If you can't have the .NET 2.0 prereq, then you will need to look at CAPICOM or the CryptoAPI.

wolbrink
Posts: 76
Joined: Wed Nov 17, 2004 3:00 pm

Re: x509 cert import

Postby wolbrink » Mon Oct 16, 2006 10:44 am

Good questions! The cert being distributed would only have the public key. It's an ISV app, and I'm not yet requiring .NET, so I'd probably have to use CAPICOM. I'd be wanting to install it into the root store of the local machine. I can google around and find script for this, no problem. But what I'm looking for is if someone has already done this from the context of InstallAware who would have specific advice (from experience).

--Troy

DavidGayler
Posts: 12
Joined: Sun Oct 15, 2006 8:49 pm

x509 cert import

Postby DavidGayler » Mon Oct 16, 2006 5:49 pm

OK, that is helpful information. My InstallAware setup actually calls an external application that ultimately adds the cert to the local machine root store. I would think you can either...
1) Create a DLL that exports a C func that does what you need with the cert
OR
2) Create a program that does what you need and simply call it from your InstallAware script. The return code and a log file should be enough for you to tell if the operation was successful and have error information if not.
3) Call a script that does what you need.

So, yes, I have created something that does what you are talking about and haven't had any issues with it in InstallAware yet. Hope that helps. Good luck.

wolbrink
Posts: 76
Joined: Wed Nov 17, 2004 3:00 pm

Re: x509 cert import

Postby wolbrink » Mon Oct 16, 2006 7:05 pm

DavidGayler wrote: OK, that is helpful information. My InstallAware setup actually calls an external application that ultimately adds the cert to the local machine root store.


Excellent. I'll probably use CAPICOM. I have a catch-all IA custom plugin that I'm using for my app setup, so I'll just do this from there. Or I may just develop a .NET application if that's more straightforward.

Questions for you:

1. Do you use CAPICOM for this? If not, what technology do you use?

2. Do your users get a Windows security prompt requesting permission for the cert to be installed?

Thanks,
Troy

DavidGayler
Posts: 12
Joined: Sun Oct 15, 2006 8:49 pm

x509 cert import

Postby DavidGayler » Fri Oct 20, 2006 7:47 am

Hi,
I actually use the CryptoAPI in a native C++ DLL. This is called from an assembly using C++/CLI (it is the easiest way for interop calls IMO). I couldn't use the .NET x509Certificate2 classes as I needed more control over the KeyContainer where the private key was stored. Also, I needed to mint certificates, so the CryptoAPI was the only alternative. If you use CAPICOM, make sure that it is installed on the machine as I am not sure if it comes preinstalled. CAPICOM is redistributable I think.

As for telling the user what the install does, I spell this out in the description on one of the install pages, so yes, I let them know what the install is going to do.
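
A sketch of the "external program with a return code and a log file" approach from this thread, using the .NET 2.0 X509 classes. This is an added example, not code from either poster: the class name `InstallRootCert`, the exit codes, the argument order and the `ExpectedSha256` placeholder are all assumptions. It pins the certificate by hash before trusting it, so a swapped file in the install media is rejected instead of becoming a machine-wide root.

```csharp
// Added example; names, exit codes and the hash placeholder are assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class InstallRootCert
{
    // Placeholder: SHA-256 (hex) of the DER-encoded certificate you ship.
    const string ExpectedSha256 = "REPLACE_WITH_SHA256_OF_YOUR_CERT";

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: InstallRootCert <cert.cer> <logfile>");
            return 1;
        }
        string log = args[1];
        try
        {
            X509Certificate2 cert = new X509Certificate2(args[0]);

            // Refuse anything that is not byte-for-byte the expected certificate.
            string actual;
            using (SHA256 sha = SHA256.Create())
                actual = BitConverter.ToString(sha.ComputeHash(cert.RawData)).Replace("-", "");
            if (!string.Equals(actual, ExpectedSha256, StringComparison.OrdinalIgnoreCase))
                return Fail(log, 2, "certificate hash mismatch: " + actual);

            // A root distributed to customers should carry the public key only.
            if (cert.HasPrivateKey)
                return Fail(log, 3, "file unexpectedly contains a private key");

            // Writing to LocalMachine\Root requires administrative rights.
            X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadWrite);
            try
            {
                // Idempotent: skip the add on repair or reinstall.
                if (store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count == 0)
                    store.Add(cert);
            }
            finally { store.Close(); }

            File.AppendAllText(log, "OK " + cert.Subject + " " + actual + Environment.NewLine);
            return 0;
        }
        catch (Exception ex) { return Fail(log, 4, ex.GetType().Name + ": " + ex.Message); }
    }

    static int Fail(string log, int code, string msg)
    {
        File.AppendAllText(log, "ERROR " + code + " " + msg + Environment.NewLine);
        return code;
    }
}
```

The setup script only needs to check for exit code 0 and surface the log file otherwise; an uninstaller should remove the same certificate by the same pinned hash.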

