Silent installation of root certificate in WiX

How can I easily install root certificates from WiX? I install some root and intermediate certificates, and for root certificates the system displays a confirmation dialog showing the basic properties of the certificate and its fingerprint. This is the corresponding code that I use, with WixIIsExtension mapped to the iis namespace:

    <Binary Id="RootCa" SourceFile="Certificates\RootCa.cer" />

    <DirectoryRef Id="TARGETDIR">
      <Component Id="RootCa" Guid="...">
        <iis:Certificate Id="RootCa" BinaryKey="RootCa" Name="RootCa" StoreLocation="currentUser" StoreName="root"/>
      </Component>
    </DirectoryRef>

    <Feature ...>
      <ComponentRef Id="RootCa" />
    </Feature>
+6
source
4 answers

The custom action provided by Sunil is equivalent to the Certificate component with the StoreLocation="localMachine" attribute. In my case, installing in the machine store still makes sense, so I'll go with that. The original question still remains: how to silently install the root certificate in the user store. If anyone has an answer to this question, I will mark it as the correct answer.

+1
source

I use a custom action for the same:

    <CustomAction Id="InstallCertificates"
                  Directory="TARGETDIR"
                  ExeCommand="[SystemFolder]Certutil -addstore -f &quot;root&quot; &quot;[INSTALLLOCATION]Certificates\CertificateName.cer&quot;"
                  Execute="immediate"
                  Return="ignore" />
+4
source
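
The `Certutil -addstore -f` command above trusts whatever file sits at that path, without the fingerprint confirmation the question mentions. As an added example (not code from this thread), the PowerShell script below performs the same machine-store install but first compares the certificate's SHA-256 thumbprint with a pinned value; the file path and the pinned value are placeholders, and the script must run elevated.

```powershell
# Added example, not from the thread. $CertPath and $ExpectedSha256 are
# placeholders: pin the thumbprint you obtained out of band from the CA owner.
param(
    [string]$CertPath       = 'C:\Example\Certificates\CertificateName.cer',
    [string]$ExpectedSha256 = '<64 hex digits of the expected SHA-256 thumbprint>',
    [string]$StoreName      = 'Root',
    [string]$StoreLocation  = 'LocalMachine'   # writing here requires elevation
)
$ErrorActionPreference = 'Stop'

# Load once and hash the DER bytes (RawData): the result does not depend on
# whether the .cer file is binary DER or Base64 encoded.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$sha  = [System.Security.Cryptography.SHA256]::Create()
try {
    $actual = -join ($sha.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })
} finally {
    $sha.Dispose()
}

$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 64 -or $actual -ne $expected) {
    throw "Thumbprint mismatch for '$($cert.Subject)': got $actual. Nothing was installed."
}

# Sanity checks before granting root trust: self-issued and inside its validity period.
$now = Get-Date
if ($cert.Subject -ne $cert.Issuer) { throw "Certificate is not self-issued; it does not belong in '$StoreName'." }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is outside its validity period.' }

# Add the object that was just verified instead of re-reading the file, so the
# file cannot be swapped between the check and the import.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, $StoreLocation
$store.Open('ReadWrite')
try {
    $store.Add($cert)
    $present = @($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
} finally {
    $store.Close()
}

if (-not $present) { throw "Certificate was not found in $StoreLocation\$StoreName after the add." }
"Installed $($cert.Subject) [$actual] into $StoreLocation\$StoreName"
```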

I have been looking for an answer for a long time. So here is what I have:

WiX Code:

    <CustomAction Id="ImportCer.Props" Property="ImportCer" Value="[INSTALLDIR]ca\root.cer" />
    <CustomAction Id="ImportCer" Execute="deferred" FileKey="hsminst.dll" DllEntry="ImportCer" />

    <CustomAction Id="ImportPfx.Props" Property="ImportPfx" Value="[INSTALLDIR]ca\super.pfx" />
    <CustomAction Id="ImportPfx" Execute="deferred" FileKey="hsminst.dll" DllEntry="ImportPfx" />

C++ Code:

    #include <windows.h>
    #include <string.h>
    #include <msi.h>
    #include <msiquery.h>
    #include <wincrypt.h>
    #include <cryptuiapi.h>

    #pragma comment(lib, "msi.lib")
    #pragma comment(lib, "crypt32.lib")
    #pragma comment(lib, "cryptui.lib")

    // Deferred custom action: reads the certificate path from CustomActionData
    // and adds the certificate to the LocalMachine "root" store.
    extern "C" __declspec(dllexport) UINT __stdcall ImportCer(MSIHANDLE hInstall)
    {
        char certFilePath[MAX_PATH] = {0};
        DWORD certFilePathLen = MAX_PATH;
        // ANSI variant, because the buffer is a char array.
        MsiGetPropertyA(hInstall, "CustomActionData", certFilePath, &certFilePathLen);

        wchar_t certFilePathW[MAX_PATH];
        MultiByteToWideChar(CP_ACP, 0, certFilePath, -1, certFilePathW, MAX_PATH);

        PCCERT_CONTEXT pCertCtx = NULL;
        if (CryptQueryObject(CERT_QUERY_OBJECT_FILE, certFilePathW,
                             CERT_QUERY_CONTENT_FLAG_ALL, CERT_QUERY_FORMAT_FLAG_ALL,
                             0, NULL, NULL, NULL, NULL, NULL,
                             (const void **)&pCertCtx) != 0)
        {
            UINT result = 0;
            HCERTSTORE hCertStore = CertOpenStore(
                CERT_STORE_PROV_SYSTEM, 0, 0,
                CERT_STORE_OPEN_EXISTING_FLAG | CERT_SYSTEM_STORE_LOCAL_MACHINE,
                L"root");
            if (hCertStore != NULL)
            {
                if (!CertAddCertificateContextToStore(hCertStore, pCertCtx,
                                                      CERT_STORE_ADD_ALWAYS, NULL))
                    result = (UINT)-2;
                // Close the store on every path, including a failed add.
                if (!CertCloseStore(hCertStore, 0) && result == 0)
                    result = (UINT)-3;
            }
            else
            {
                result = (UINT)-1;
            }
            // Release the certificate context on every path.
            if (pCertCtx)
                CertFreeCertificateContext(pCertCtx);
            return result;
        }
        return 0;
    }

    // Deferred custom action: imports the PFX named in CustomActionData
    // into the CurrentUser "my" store without showing the import wizard.
    extern "C" __declspec(dllexport) UINT __stdcall ImportPfx(MSIHANDLE hInstall)
    {
        char certFilePath[MAX_PATH] = {0};
        DWORD certFilePathLen = MAX_PATH;
        MsiGetPropertyA(hInstall, "CustomActionData", certFilePath, &certFilePathLen);

        wchar_t certFilePathW[MAX_PATH];
        MultiByteToWideChar(CP_ACP, 0, certFilePath, -1, certFilePathW, MAX_PATH);

        CRYPTUI_WIZ_IMPORT_SRC_INFO importSrc;
        memset(&importSrc, 0, sizeof(CRYPTUI_WIZ_IMPORT_SRC_INFO));
        importSrc.dwSize = sizeof(CRYPTUI_WIZ_IMPORT_SRC_INFO);
        importSrc.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_FILE;
        importSrc.pwszFileName = certFilePathW;
        importSrc.pwszPassword = L"111111";   // PFX password, hard-coded in this answer
        importSrc.dwFlags = CRYPT_EXPORTABLE; // imported private key stays exportable

        HCERTSTORE serviceStore = CertOpenStore(
            CERT_STORE_PROV_SYSTEM, 0, 0,
            CERT_STORE_OPEN_EXISTING_FLAG | CERT_SYSTEM_STORE_CURRENT_USER,
            L"my");

        BOOL imported = CryptUIWizImport(CRYPTUI_WIZ_NO_UI, NULL, NULL,
                                         &importSrc, serviceStore);
        // Close the destination store whether or not the import succeeded.
        if (serviceStore != NULL)
            CertCloseStore(serviceStore, 0);

        return imported ? 0 : (UINT)-1;
    }

Hope this helps.

+3
source

I am having problems installing certificates with WiX. I ran into two problems:

1. If you tell WiX to install into the Trusted Root certificates on the local computer, it does not work; the certificate is installed in the Personal store instead.
2. Permissions for certificates installed by WiX (if they have a private key) are not set for the Everyone user. [You can change permissions using MMC -> Certificate Manager -> Local Machine → (find a certificate with a private key). Right-click -> All Tasks -> Manage Private Keys, which displays a file permission dialog box.]

You can avoid both of these problems using the Microsoft winhttpcertcfg.exe tool. I use it in a batch file (see below) and use a silent WiX custom action to invoke the batch file. I have WiX install the tool, certificates, and batch files before executing the batch file. The batch file can be configured to remove the tool and certificates after installation. It can also be used to start a service installed by WiX that depends on the certificates. Using the batch file significantly reduces the number of custom actions in your WiX file.

The result of incorrect installation of certificates was an intermittent error (some machines worked, and some did not) with the .NET client, "Failed to create a secure SSL/TLS channel", when executing an HTTP request.

    REM Batch file to install certificates using WinHttpCertCfg.exe
    "[path to installed]winhttpcertcfg.exe" -i "[path to installed]ca.pfx" -a Everyone -c LOCAL_MACHINE\Root > c:\temp\installcc.log
    "[path to installed]winhttpcertcfg.exe" -i "[path to installed]server.pfx" -a Everyone -c LOCAL_MACHINE\My >> c:\temp\installcc.log

I install the install and uninstall batch files as part of the product. Then, in WiX, note the deferred and impersonated custom action.

    <CustomAction Id="InstallCustomAction_Cmd"
                  Property="InstallCustomActionQt"
                  Value="&quot;cmd.exe&quot; /c &quot;[#InstallCustomAction.cmd]&quot;"
                  Execute="immediate" />
    <CustomAction Id="InstallCustomActionQt"
                  BinaryKey="WixCA"
                  DllEntry="CAQuietExec"
                  Execute="deferred"
                  Return="ignore"
                  Impersonate="yes"/>

    <InstallExecuteSequence>
      <Custom Action="InstallCustomAction_Cmd" Before="InstallFinalize">NOT REMOVE</Custom>
      <Custom Action="InstallCustomActionQt" After="InstallCustomAction_Cmd" >NOT REMOVE</Custom>
      ...
    </InstallExecuteSequence>
    ...
    <Component Id="InstallCustomAction" Guid="{your-GUID}">
      <File Id="InstallCustomAction.cmd" KeyPath="yes" Source="tools\InstallCloudConnectCustomAction.cmd" />
    </Component>
+1
source
