Sign in to follow this  
Followers 0
readmedottxt

Obtaining list of local computer personal certificates

4 posts in this topic

#1 ·  Posted (edited)

I can't find anything in the help file and I'm unsure if anything other than the certutil.exe command is available.

Are there any programmatic ways of obtaining the following data: ?

certutil.exe -store my

I can write something to parse the result using StdOutRead however I'd rather a proper way of getting a list.

Can anyone help?

Edited by readmedottxt

Share this post


Link to post
Share on other sites



Method depends on the store you want to see. This should work for IE:

Global Const $wbemFlagReturnImmediately = 0x10
Global Const $wbemFlagForwardOnly = 0x20
Global $wbemFlags = $wbemFlagReturnImmediately + $wbemFlagForwardOnly

Global $oWMI = ObjGet("winmgmts:\\" & @ComputerName & "CIMV2\Applications\MicrosoftIE")
$colCerts = $oWMI.ExecQuery("SELECT * FROM MicrosoftIE_Certificate", "WQL", $wbemFlags)
For $oCert In $colCerts
    ConsoleWrite("Caption: " & $oCert.Caption & @LF)
    ConsoleWrite("Description: " & $oCert.Description & @LF)
    ConsoleWrite("IssuedBy: " & $oCert.IssuedBy & @LF)
    ConsoleWrite("IssuedTo: " & $oCert.IssuedTo & @LF)
    ConsoleWrite("SettingID: " & $oCert.SettingID & @LF)
    ConsoleWrite("SignatureAlgorithm: " & $oCert.SignatureAlgorithm & @LF)
    ConsoleWrite("Type: " & $oCert.Type & @LF)
    ConsoleWrite("Validity: " & $oCert.Validity & @LF)
Next

:mellow:


Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Share this post


Link to post
Share on other sites

#3 ·  Posted (edited)

Googling around, I found some references to the automation interface for MMC and tried this:

; List personal certificates via MMC application object model
; See MSDN:  MMC 2.0 Automation Object Model  (http://msdn.microsoft.com/en-us/library/aa815049%28VS.85%29.aspx)

Global $oMMC_App, $sMMC_Ver, $sMsg
Global $oCerts_Doc, $oCerts_ScopeNS
Global $oCerts_Root, $oCerts_Child
Global $oCurrentUser

; COM Error handler
$oAutoItError = ObjEvent("AutoIt.Error", "_AutoItError")

; MMC Application object
$oMMC_App = ObjCreate("MMC20.Application")
If IsObj($oMMC_App) Then
    $sMMC_Ver = $oMMC_App.VersionMajor & "." & $oMMC_App.VersionMinor
    ConsoleWrite("MMC version = " & $sMMC_Ver & @LF)

    ; Load document (Certificates SnapIn)
    $oMMC_App.Load("certmgr.msc")

    ; MMC document
    $oCerts_Doc = $oMMC_App.Document
    If IsObj($oCerts_Doc) Then
        $sMsg = "$oCerts_Doc.Location = " & $oCerts_Doc.Location & "; $oCerts_Doc.Name = " & $oCerts_Doc.Name
        ConsoleWrite("Certificates document loaded:  " & $sMsg & @LF)

        ; ScopeNamespace object
        $oCerts_ScopeNS = $oCerts_Doc.ScopeNamespace
        If IsObj($oCerts_ScopeNS) Then
            ConsoleWrite("Certificates document scope namespace retrieved." & @LF)

            ; Console root node (the root node is the top scope (tree) node)
            $oCerts_Root = $oCerts_Doc.RootNode
            If IsObj($oCerts_Root) Then
                $sMsg = @TAB & "$oCerts_Root.IsScopeNode() = " & $oCerts_Root.IsScopeNode() & @LF & _
                        @TAB & "$oCerts_Root.Name = " & $oCerts_Root.Name & @LF & _
                        @TAB & "$oCerts_Root.NodeType = " & $oCerts_Root.NodeType
                ConsoleWrite("Certificates console root node retrieved:" & @LF & $sMsg & @LF)

                ; First child of root node
                $oCerts_Child = $oCerts_ScopeNS.GetChild($oCerts_Root)
                If IsObj($oCerts_Child) Then
                    $sMsg = @TAB & "$oCerts_Child.IsScopeNode() = " & $oCerts_Child.IsScopeNode() & @LF & _
                            @TAB & "$oCerts_Child.Name = " & $oCerts_Child.Name & @LF & _
                            @TAB & "$oCerts_Child.NodeType = " & $oCerts_Child.NodeType
                    ConsoleWrite("First child of root node retrieved:" & @LF & $sMsg & @LF)

                    ; First child should be Current User
                    If StringInStr($oCerts_Child.Name, "Current User") Then
                        $oCurrentUser = $oCerts_Child
                        ConsoleWrite("Certificates - Current User node found." & @LF)

                        _MMCRecurseView($oCurrentUser)
                    Else
                        ConsoleWrite("Error retrieving next child of root node." & @LF)
                    EndIf
                Else
                    ConsoleWrite("Error first child of root node." & @LF)
                EndIf
            Else
                ConsoleWrite("Error retrieving Certificates console root node." & @LF)
            EndIf
        Else
            ConsoleWrite("Error retrieving Certificates document scope namespace." & @LF)
        EndIf
    Else
        ConsoleWrite("Error loading Certificates document." & @LF)
    EndIf
Else
    ConsoleWrite("Error creating MMC application object." & @LF)
EndIf


; Clean up objects
$oCurrentUser = ""
$oCerts_Child = ""
$oCerts_Root = ""
$oCerts_ScopeNS = ""
$oCerts_Doc.Close
$oMMC_App.Quit()


; console write a recursive listing of nodes
Func _MMCRecurseView($oNode)
    ; Check first child
    Local $oChild = $oCerts_ScopeNS.GetChild($oNode)
    If IsObj($oChild) Then
        ConsoleWrite(@LF & "Node found: name = " & $oChild.Name & "; Type GUID = " & $oChild.NodeType & @LF)
        If $oChild.IsScopeNode() Then
            ConsoleWrite("This is a scope node." & @LF)
            $oCerts_ScopeNS.Expand($oChild)
            ConsoleWrite("Expanded node." & @LF)
            _MMCRecurseView($oChild)
        EndIf

        ; Check siblings
        While 1
            $oChild = $oCerts_ScopeNS.GetNext($oChild)
            If IsObj($oChild) Then
                ConsoleWrite(@LF & "Node found: name = " & $oChild.Name & "; Type GUID = " & $oChild.NodeType & @LF)
                If $oChild.IsScopeNode() Then
                    ConsoleWrite("This is a scope node." & @LF)
                    $oCerts_ScopeNS.Expand($oChild)
                    ConsoleWrite("Expanded node." & @LF)
                    _MMCRecurseView($oChild)
                EndIf
            Else
                ConsoleWrite("Sibling is not an object." & @LF)
                ExitLoop
            EndIf
        WEnd
    Else
        ConsoleWrite("First child not an object." & @LF)
    EndIf
EndFunc   ;==>_MMCRecurseView

Func _AutoItError()
    Local $HexNumber = Hex($oAutoItError.number, 8)
    ConsoleWrite(@LF & "-------------------------------------------------" & @LF & _
            "AutoIt COM Error (may be expected):" & @LF & _
            "Number is: " & $HexNumber & @LF & _
            "-------------------------------------------------" & @LF & @LF)
EndFunc   ;==>_AutoItError

It doesn't quite work because once you get down to a 'Certificates' node, you have to change APIs from the MMC to the SnapIn's (certmgr.msc in this case). The DOM for MMC and the COM interface for it are well documented, but I haven't been able to find anything documenting an automation interface to the CertMgr objects under the MMC.

I don't know that it is worth the effort to chase that down either, since CertUtil.exe or CAPICOM probably provide more functionality.

:mellow:

Edited by PsaltyDS

Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Share this post


Link to post
Share on other sites

I found it!

I experimented with the code snippets posted but couldn't get what I need. I eventually found some vbs examples, converted them to au3 and presto!

Thanks very much for the assistance

$CertStore = ObjCreate("CAPICOM.Store")
$CertStore.Open (1, "My" , 0) ; local machine store, "my", read only
$Certificates = $CertStore.Certificates

Now I have an array ($Certificates) to parse and perform tasks.

Having never played with CAPICOM before, I didn't know what to do or where to begin. Everything appeared like you couldn't use it by script, I did plenty of reading of CryptoAPI and other stuff but it turned out nice and easy.

Cheers

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0