
I understand the question title may be a duplicate but I have not found an answer for my situation yet so here goes;

I have this simple piece of code

using System.Security.Cryptography.X509Certificates;

// Convert the Filename to an X509 Certificate
X509Certificate2 cert = new X509Certificate2(certificateFilePath);

// Get the server certificate store
X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);

store.Open(OpenFlags.MaxAllowed);
store.Add(cert); // x509 certificate created from a user supplied filename
store.Close();

But keep being presented with an "Access Denied" exception.

I have read some information that suggests using StorePermissions would solve my issue but I don't think this is relevant in my code. Having said that, I did test it to be sure and I couldn't get it to work.

I also found suggestions that changing folder permissions within Windows was the way to go and while this may work (not tested), it doesn't seem practical for what will become distributed code.

I also have to add that as the code will be running as a service on a server, adding the certificates to the current user store also seems wrong.

Is there any way to programmatically add a certificate into the local machine store?

David
  • Is this code running elevated, or is UAC getting in the way? – Bob Vale Jun 24 '13 at 15:54
  • Run the code under an admin account. – Oscar Jun 24 '13 at 15:57
  • @Oscar I don't have full control over the server but the user account I am using is in the administrators group. – David Jun 24 '13 at 16:05
  • @Bob could you elaborate? – David Jun 24 '13 at 16:05
  • Ok, so, you're admin. Have you tried with this similar question? http://stackoverflow.com/questions/566570/how-can-i-install-a-certificate-into-the-local-machine-store-programmatically-us – Oscar Jun 24 '13 at 18:06
  • @David when you run this code with UAC turned on, even if you are in the administrators group you are not an administrator, you need to use the run as administrator option. I'm not 100% clear if this applies to a service, normally you run a service as localsystem to bypass that – Bob Vale Jun 24 '13 at 20:08
  • @Oscar I'm not sure where specifically you want me to look in your link. I seem to be using the same code. In fact, I may have used that very post to try and achieve what I'm after and stuck with the code. The only difference I can see is I am using `store.Open(OpenFlags.MaxAllowed);` whereas in your link they are using `store.Open(OpenFlags.ReadWrite);` which I had started with and it didn't work so I moved on. – David Jun 25 '13 at 08:18
  • Are you running this code explicitly as admin? – Oscar Jun 25 '13 at 08:22
  • @Bob I have been researching UAC and elevated permissions and trying different approaches and think you might be onto something but I still haven't managed to get it to work. Yet. Adding elevated permissions to the manifest file seems the right way to go but I haven't yet found how to have the code use this new manifest using vs2012. There are lots of examples for vs2005 but they don't translate. – David Jun 25 '13 at 10:25
  • @Oscar What do you mean? Are you referring to right clicking and "Run as"? If you are, no I haven't. So far, I have been debugging but let's assume your suggestion works. Every future user would have to do the same and I don't think it's practical. I want to have the same effect from within the code. – David Jun 25 '13 at 10:29
  • I'm trying to understand why your code is failing. If it's a permissions problem, you just need to add an application manifest to ask for them. But first let see if it runs ;-) – Oscar Jun 25 '13 at 12:20
  • @David I've not done it recently myself. As a test, have you tried disabling UAC or running the service as local system, if that works then worry about creating the manifest. – Bob Vale Jun 25 '13 at 12:49
  • @David take a look at [this](http://philippsen.wordpress.com/tag/c-and-uac/) – Bob Vale Jun 25 '13 at 12:58
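The following is an added example, not code from the question or from either commenter. It shows the same LocalMachine\TrustedPeople install done the way a practitioner would want it: the process first checks whether its token is actually elevated (being a member of Administrators is not enough once UAC has filtered the token, which is why the "Access Denied" appears), opens the store with ReadWrite rather than MaxAllowed so a missing right fails at Open instead of at Add, skips certificates that are already present, and always closes the store. The command-line argument and the CertInstaller class name are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example (not the question's code). Installs a certificate from a file
// into LocalMachine\TrustedPeople after verifying the process is elevated.
static class CertInstaller
{
    // True only when the current token carries the Administrators SID as an
    // enabled group. Under UAC the filtered token of an admin user has that
    // group marked deny-only, so this returns false until the process is
    // launched elevated (Run as administrator, or a requireAdministrator manifest).
    public static bool IsElevated()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    // Adds the certificate in certificateFilePath to LocalMachine\TrustedPeople.
    // Returns true if it was added, false if the same thumbprint was already there.
    public static bool InstallToTrustedPeople(string certificateFilePath)
    {
        if (!IsElevated())
        {
            // Fail early with a message that names the real cause instead of
            // letting store.Add surface a bare "Access Denied".
            throw new UnauthorizedAccessException(
                "Writing to the LocalMachine store needs an elevated token. " +
                "Run the process elevated or mark the executable requireAdministrator in its manifest.");
        }

        // TrustedPeople only needs the public certificate; no private key flags required.
        X509Certificate2 cert = new X509Certificate2(certificateFilePath);

        X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        try
        {
            // ReadWrite fails at Open when the right is missing. MaxAllowed would
            // instead open read-only and the failure would move to store.Add.
            store.Open(OpenFlags.ReadWrite);

            // Compare by thumbprint so re-running the installer is idempotent.
            X509Certificate2Collection existing =
                store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
            if (existing.Count > 0)
            {
                return false;
            }

            store.Add(cert);
            return true;
        }
        finally
        {
            store.Close();
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: CertInstaller <certificate.cer>");
            return 2;
        }
        try
        {
            bool added = InstallToTrustedPeople(args[0]);
            Console.WriteLine(added ? "Certificate installed." : "Certificate already present.");
            return 0;
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.Error.WriteLine(ex.Message);
            return 1;
        }
        catch (CryptographicException ex)
        {
            // Raised for a bad file, a corrupt store, or an access failure at the CAPI layer.
            Console.Error.WriteLine("Certificate store operation failed: " + ex.Message);
            return 1;
        }
    }
}
```

Note that the elevation check only tells you whether this process can write the store; it cannot elevate the process in place. A class library cannot raise its own privileges, so in a service the account the service runs under (for example LocalSystem) is what grants the right, and in an interactive client it is the manifest or "Run as administrator".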

1 Answer


Thank you to Oscar and Bob for asking the questions and leading me in the right direction +10 to you both :)

My issue, as I think we all knew (even me), was the user running the application had insufficient privileges to add a certificate to the local machine store.

But various attempts to elevate the user permissions were failing for me, let me explain why.

I had 3 separate projects in my solution, the WCF service which requires the X509 certificates, the Windows Forms client and the cryptography class library which, amongst other things, installs the certificates provided via the Windows Forms client.

As most of the code within all 3 projects could run without elevated permissions, I really wanted to only elevate them at the certificate install stage within the class library but I tried to use Process and `Verb = "runas"` in code and this didn't work. Then I tried to add a custom manifest but if you try to alter the properties of a class library to use a custom manifest, you'll find the option is disabled.

So I changed things. My cryptography class is now within my Windows Forms client and I've added the custom manifest to the client. This now means the whole client opens with elevated privileges but I'd rather that than the alternative.

Thank you again

David
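The answer refers to a custom application manifest without showing it; the fragment below is an added example of the manifest that makes an executable request elevation at launch, not a file taken from the answer's project. It is the standard app.manifest shape that Visual Studio generates (Add New Item, Application Manifest File, on the executable project), with the requestedExecutionLevel changed from the default asInvoker to requireAdministrator.

```xml
<?xml version="1.0" encoding="utf-8"?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <!-- asInvoker is the default and runs with the caller's (UAC-filtered) token.
             requireAdministrator makes UAC prompt when the .exe starts, so the whole
             process, including any class library it loads, writes with a full token. -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

Only the manifest of the executable counts, which is why the option is greyed out on a class library and why the answer had to move the install code into the client. The manifest also does nothing for a Windows service: there is no UAC prompt for a service, so the account it runs under has to hold the right to write LocalMachine stores.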