tags:

views:

409

answers:

3
+1  Q: 

Modifying security on installed certificates

We are working on creating an installation package for a WCF-based web service. The service uses message-level encryption via an installed certificate. I am trying to come up with an automated way to both install the certificate and set its permissions.

Currently, we are manually installing the certificate via the MMC snap-in. After it is installed, we need to find the file containing the installed certificate and modify the permissions so that the Network Service account can access it. The only way I know to find the file is to open the "...\Microsoft\Crypto\RSA\MachineKeys" folder (exact path differs based on platform) and identify the file with the most recent modified date.

I'm thinking we'll use WIX to create the installation package. WIX has a specific feature for installing a certificate, but I assume permissions will still be an issue. Is there some utility or API or other means to get the physical path for an installed certificate identified by the subject name (or similar).

Of course, maybe there's a more direct solution to this problem.

Thanks for any help with this issue.

A: 

Does the certificate need to be installed? Could you reference it from a PFX file or similar instead, negating any need for installation?

sascha  2009-03-10 21:42:27
Thanks for replying, Sacha. No, it doesn't need to be installed.
Daniel Pratt  2009-03-10 23:54:22
+1  A: 

Source: Least Privilege

There is no clean way to do that in managed code. The general procedure is:

  1. Select a certificate
  2. Create an RSACryptoServiceProvider object from the certificate's PrivateKey property
  3. Retrieve the UniqueKeyContainerName property.
  4. Search for this file name in the various locations where keys are stored. Thats under ApplicationData for user keys and CommonApplicationData for machine keys

If you want to do this in a custom action, I recommend you do this in C++. (Managed Custom Actions are most of the time not a good idea.)

If you only want to set ACLs, there are two tools that can do that for you:

  • WinHttpCertCfg.exe
  • The certificates tool included in WSE3

See the link for the details, hope this helps!

Jeroen Landheer  2009-03-11 03:33:58
For managed custom actions I would say it depends. If you are installing a .net app that already has a launch condition requiring the .net framework you'll be ok. We have been using managed C++ custom actions in WiX for 2 years and are moving to their new DTF C# custom actions, never had problems.
Rob McCready  2009-03-11 17:36:21
@Rob: I know that managed custom actions actually can work... but they are not supported. Rob Mensching (a leading member of the WiX team) has made a blog post explaining why this is unsupported: http://robmensching.com/blog/posts/2007/4/19/Managed-Code-CustomActions-no-support-on-the-way-and-heres
Jeroen Landheer  2009-03-11 17:58:13
@Jeroen: DTF custom actions are not subject to the technical limitations noted in Rob's post mostly because they are run in a separate process. Recent builds of WIX include DTF project types.
Daniel Pratt  2009-03-11 20:11:36
@Jeroen, the post you reference is older than the DTF post I made later. @Daniel Pratt is correct.
Rob Mensching  2009-03-12 22:38:27
@Daniel Pratt and Rob Mensching: Thank you for clarifying that to me, I seemed to have missed that. Apologies for the confusion...
Jeroen Landheer  2009-03-13 07:24:39
A: 

A certificate itself doesn't have permissions. It can be in either a user's certificate store, such as the MY, CA or ROOT stores. Or it can be in the computer's version of those stores. It sounds like you are also installing a private key along with the certificate. To make a private key accessible to a service, it should be installed to the computer's key store. If you doing the import manually via something like CryptImportKey, you should specify CRYPT_MACHINE_KEYSET when the key container is acquired with CryptAcquireContext.

Murray  2009-03-11 18:43:32

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?