colombeen Posted February 27, 2017 (edited)

Hi guys, I have a pretty advanced question... This is the issue I'm facing: on a regular basis we need to install PFX certificates (with password protection) on devices from external companies. To install the certificate we always have to contact the user and set up a really dull and long process to get an RDP session to that device, then install the certificate.

I'm looking for: a way to generate exe files on the fly that will include the PFX file and password, and automatically install them without any interaction from the user, with the user not being able to retrieve the password to install the certificate.

Question: Is this possible with AutoIt? And if so, does anyone have a working example for the certificate installation part or the auto-generate with file include?

Thx in advance,
colombeen

Edited February 27, 2017 by colombeen
JohnOne Posted February 27, 2017

You want a way to access users' devices without their knowledge or consent?

AutoIt Absolute Beginners Require a serial Pause Script Video Tutorials by Morthawt ipify Monkey's are, like, natures humans.
colombeen Posted February 27, 2017 (edited)

NOOOO!!! Not at all. We regularly need to grant external users access to our domain. To do so we need to install a certificate that allows them to connect. I want to automate the install process of the cert so that we don't need to make the RDP session etc. I want to send them the "certificate installer" generated with AutoIt via e-mail or something else so that they can install the certificate without us needing remote control (because they can't know the password for the cert, that's why we need RDP => security reasons). If I can automate this into an AutoIt compiled executable (has to be encrypted) I can speed up the process.

This is what I'm aiming for:
- generate certificate + password via PowerShell
- call the AutoIt compiler from PowerShell, telling it where the certificate is placed and what the password is (and maybe something else to verify the device)
- the compiler needs to create an exe that holds both items
- it checks the hostname (or something else) of the device it will be run on
- if everything checks out, install the certificate
- the certificate installer shouldn't work for more than a few hours and then it should just stop working (to make sure it will only be installed on 1 device)
- the user gets a message that the installation was a success or a failure

Edited February 27, 2017 by colombeen
JohnOne Posted February 27, 2017

Thanks for the clarification. I'm sorry, I don't know of a solution, but I do know it is never safe or secure to have a password embedded in a script, AutoIt or anything else; it can, without exception, be retrieved.
colombeen Posted February 27, 2017

I know it's not a good way to include a password in a script, but it's just so time consuming. I was just hoping that it would be possible with encryption on the exe file.
orbs Posted February 27, 2017

@colombeen, yes, this is possible, and I dare say rather easy. The "embedded password" catch can be easily avoided: do not embed the password. Instead, equip your "installer" with an input box for the password, and when you guide the end user through the installation process (by phone, I assume), read out the password to the user when the time comes to type it in.

Now, here's how you proceed:
1) report your topic and have a moderator move it to the General Help and Support forum, where it truly belongs and will get more assistive attention.
2) learn the following AutoIt functions:
   FileInstall() - to embed and extract an external file (the pfx) in the compiled script
   InputBox() - to ask the user for the password
   Run() - to launch certutil.exe to install the certificate
   MsgBox() - to inform the user of failure or success
3) make a decent attempt at it and come back if you need further assistance.

Signature - my forum contributions: Spoiler UDF: LFN - support for long file names (over 260 characters) InputImpose - impose valid characters in an input control TimeConvert - convert UTC to/from local time and/or reformat the string representation AMF - accept multiple files from Windows Explorer context menu DateDuration - literal description of the difference between given dates WinPose - simultaneous fluent move and resize Apps: Touch - set the "modified" timestamp of a file to current time Show For Files - tray menu to show/hide files extensions, hidden & system files, and selection checkboxes SPDiff - Single-Pane Text Diff Magic Math - a math puzzle Demos: Title Bar Menu - click the window title to pop-up a menu
JohnOne Posted February 27, 2017

Before you read a password over the phone, make sure your client is unable to operate a pen or use a keyboard, in case they copy it down. That way it will remain secret.
colombeen Posted February 28, 2017 (edited)

17 hours ago, orbs said:
    The "embedded password" catch can be easily avoided: do not embed the password. Instead, equip your "installer" with an input box for the password, and when you guide the end user through the installation process (by phone, I assume), read out the password to the user when the time comes to type it in.

This is not an option... the user may never hear/read/touch/... the password for the certificate file. Otherwise I could just send the certificate with the password and I would be done with it...

Also, the FileInstall etc... I need to be able to add the file on the fly from a command like

    AutoITCompiler.exe -compile -au3file "certinstaller.au3" -outputfile "certinstaller.exe" -includefile "cert6546548979821.pfx" -addvariable "Th1sIsN0tAR34lP4ssw0rd!" -encrypted -somethingsomething

so that I can run the function that creates the certificate with the required params, generates the executable, creates an e-mail and sends it with the steps the user should take. Creating a script that can install a certificate will prob not be such a big hassle for me... it's the auto-generate part that I don't know / have no experience with.

Edited February 28, 2017 by colombeen
JLogan3o13 (Moderator) Posted February 28, 2017

@colombeen As we discussed via PM, I think the suggestion given to you to move this to General Help and Support was incorrect, as this thread is still about the mechanics of accomplishing what you're after rather than a specific issue with an AutoIt script. For that reason I think the DEV forum is the perfect place to discuss the how's and why's of what you are trying to accomplish. If you get to the point of creating the script to install your certificate, as you mention above, and run into issues, then I think it would make sense to create a thread in General Help and Support for specifically that subject. You can even link it back here for someone who wants all the history on it.

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball How to get your question answered on this forum!
orbs Posted February 28, 2017 (edited)

3 hours ago, colombeen said:
    This is not an option... the user may never hear/read/touch/... the password for the certificate file.

OK, then this is a case of a production / security trade-off. Consider the following:
1) the certificate is bound to a hostname
2) the certificate has a limited time before expiration
3) the certificate alone is not sufficient for a connection; a username/password combination is required as well
4) a script that simple can be safely made with an older version of AutoIt, which supports obfuscating the code

Given the above, I'd say the risk of a compromised certificate password is low. If your CISSO agrees, then embed the password. The rest is technicality:

3 hours ago, colombeen said:
    Also, the FileInstall etc... I need to be able to add the file on the fly from a command like

This is actually a lot easier than you think. Off-hand I'd follow this logic: the parameters which vary from one certificate to another are the certificate file name and the password. Put in your main script a line like this:

    #include <CurrentCertificateInfo.au3>

In your PowerShell script (or batch file), right after you create the certificate (and you know its file name and password), create a new file named CurrentCertificateInfo.au3 and have it contain these two lines:

    FileInstall("cert6546548979821.pfx", @TempDir & '\CurrCert.pfx', 1)
    Global $sPassword = "Th1sIsN0tAR34lP4ssw0rd!"

The main script then uses CurrCert.pfx and $sPassword in due time. Now study the correct syntax of compiling from the command line in the AutoIt help file: AutoIt > Using AutoIt > Compiling Scripts > Method 3 - The Command Line. You'll find all your requirements are met by the available command line switches (except for the "-encrypted -somethingsomething" part, which I don't understand the meaning of).
Edited February 28, 2017 by orbs
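The PowerShell half of the pipeline orbs describes, as an added example that is not code from the thread or from AutoIt: it writes CurrentCertificateInfo.au3 next to the main script, compiles with Aut2exe, and removes the generated include again. Assumed values are the Aut2exe path, the main-script name certinstaller.au3, and that the caller already generated the PFX and its password; /in and /out are Aut2exe's documented command-line switches.

```powershell
<#
Added example; not code from the thread or from AutoIt. Generates the include file
orbs proposed and compiles the main script with Aut2exe.
Assumptions (hypothetical): Aut2exe lives under Program Files (x86)\AutoIt3, the
main script is certinstaller.au3, and the PFX and its password already exist.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [string] $PfxPassword,   # ends up inside the EXE; see the finally block
    [string] $ScriptDir  = (Get-Location).Path,
    [string] $MainScript = 'certinstaller.au3',
    [string] $Aut2exe    = "${env:ProgramFiles(x86)}\AutoIt3\Aut2Exe\Aut2exe.exe"
)
$ErrorActionPreference = 'Stop'

$mainPath    = Join-Path $ScriptDir $MainScript
$includePath = Join-Path $ScriptDir 'CurrentCertificateInfo.au3'
$outputExe   = Join-Path $ScriptDir ([IO.Path]::ChangeExtension($MainScript, '.exe'))

# AutoIt string literals escape an embedded double quote by doubling it; without this a
# password containing '"' would break the generated include (or change its meaning).
$escapedPassword = $PfxPassword -replace '"', '""'
$escapedPfxPath  = (Resolve-Path $PfxPath).Path -replace '"', '""'

# The two lines orbs proposed, generated per certificate. FileInstall() needs a literal
# source path at compile time, which is why the PFX cannot be passed as a runtime argument.
$include = @"
FileInstall("$escapedPfxPath", @TempDir & '\CurrCert.pfx', 1)
Global `$sPassword = "$escapedPassword"
"@
Set-Content -Path $includePath -Value $include -Encoding UTF8

try {
    # Aut2exe is a GUI-subsystem program, so a plain '&' call would return immediately;
    # Start-Process -Wait blocks until the compile has finished.
    Remove-Item $outputExe -Force -ErrorAction SilentlyContinue
    $proc = Start-Process -FilePath $Aut2exe `
                          -ArgumentList @('/in', "`"$mainPath`"", '/out', "`"$outputExe`"") `
                          -Wait -PassThru
    if (-not (Test-Path $outputExe)) {
        throw "Aut2exe did not produce $outputExe (exit code $($proc.ExitCode))."
    }
    Get-Item $outputExe
}
finally {
    # The include holds the password in clear text, so remove it as soon as the build is
    # over. The compiled EXE still contains it in recoverable form, as JohnOne notes above,
    # so the EXE itself has to be handled as a secret (one device, short lifetime).
    Remove-Item $includePath -Force -ErrorAction SilentlyContinue
}
```

Run it once per certificate right after the PFX is created, e.g. `.\Build-CertInstaller.ps1 -PfxPath .\cert6546548979821.pfx -PfxPassword $pw`; the hostname and expiry checks from colombeen's wish list belong in certinstaller.au3 itself, since the include only carries the two values that change per build.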
mLipok Posted March 1, 2017

If you want to install certs in the Windows store (not on a crypto card) you could try to use certutil. For this case you could check my Certutil UDF.

Signature beginning:* Please remember: "AutoIt"..... * Wondering who uses AutoIt and what it can be used for ? * Forum Rules ** ADO.au3 UDF * POP3.au3 UDF * XML.au3 UDF * IE on Windows 11 * How to ask ChatGPT for AutoIt Code * for other useful stuff click the following button: Spoiler Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind. My contribution (my own projects): * Debenu Quick PDF Library - UDF * Debenu PDF Viewer SDK - UDF * Acrobat Reader - ActiveX Viewer * UDF for PDFCreator v1.x.x * XZip - UDF * AppCompatFlags UDF * CrowdinAPI UDF * _WinMergeCompare2Files() * _JavaExceptionAdd() * _IsBeta() * Writing DPI Awareness App - workaround * _AutoIt_RequiredVersion() * Chilkatsoft.au3 UDF * TeamViewer.au3 UDF * JavaManagement UDF * VIES over SOAP * WinSCP UDF * GHAPI UDF - modest begining - comunication with GitHub REST API * ErrorLog.au3 UDF - A logging Library * Include Dependency Tree (Tool for analyzing script relations) * Show_Macro_Values.au3 * My contribution to others projects or UDF based on others projects: * _sql.au3 UDF * POP3.au3 UDF * RTF Printer - UDF * XML.au3 UDF * ADO.au3 UDF * SMTP Mailer UDF * Dual Monitor resolution detection * * 2GUI on Dual Monitor System * _SciLexer.au3 UDF * SciTE - Lexer for console pane * Useful links: * Forum Rules * Forum etiquette * Forum Information and FAQs * How to post code on the forum * AutoIt Online Documentation * AutoIt Online Beta Documentation * SciTE4AutoIt3 getting started * Convert text blocks to AutoIt code * Games made in Autoit * Programming related sites * Polish AutoIt Tutorial * DllCall Code Generator * Wiki: * Expand your knowledge - AutoIt Wiki * Collection of User Defined Functions * How to use HelpFile * Good coding practices in AutoIt * 
OpenOffice/LibreOffice/XLS Related: WriterDemo.au3 * XLS/MDB from scratch with ADOX IE Related: * How to use IE.au3 UDF with AutoIt v3.3.14.x * Why isn't Autoit able to click a Javascript Dialog? * Clicking javascript button with no ID * IE document >> save as MHT file * IETab Switcher (by LarsJ ) * HTML Entities * _IEquerySelectorAll() (by uncommon) * IE in TaskScheduler * IE Embedded Control Versioning (use IE9+ and HTML5 in a GUI) * PDF Related: * How to get reference to PDF object embeded in IE * IE on Windows 11 * I encourage you to read: * Global Vars * Best Coding Practices * Please explain code used in Help file for several File functions * OOP-like approach in AutoIt * UDF-Spec Questions * EXAMPLE: How To Catch ConsoleWrite() output to a file or to CMD *I also encourage you to check awesome @trancexx code: * Create COM objects from modules without any demand on user to register anything. * Another COM object registering stuff * OnHungApp handler * Avoid "AutoIt Error" message box in unknown errors * HTML editor * winhttp.au3 related : * https://www.autoitscript.com/forum/topic/206771-winhttpau3-download-problem-youre-speaking-plain-http-to-an-ssl-enabled-server-port/ "Homo sum; humani nil a me alienum puto" - Publius Terentius Afer"Program are meant to be read by humans and only incidentally for computers and execute" - Donald Knuth, "The Art of Computer Programming" , be and \\//_. Anticipating Errors : "Any program that accepts data from a user must include code to validate that data before sending it to the data store. You cannot rely on the data store, ...., or even your programming language to notify you of problems. You must check every byte entered by your users, making sure that data is the correct type for its field and that required fields are not empty." Signature last update: 2023-04-24
colombeen Posted March 2, 2017

17 hours ago, mLipok said:
    If you want to install certs in the Windows store (not on a crypto card) you could try to use certutil. For this case you could check my Certutil UDF.

I wish that I could use the UDF, but it doesn't support passwords for PFX certificates, and that is the most important part of this automation. I'll see how far I can get with my project and maybe I'll try to add some features to the UDF.
colombeen Posted March 2, 2017

I'm changing the way I'll be handling the passwords for the certificates. I'll be using a little web service that will retrieve the password, and if the certificate is installed correctly, the web service will be returned an OK to remove the password.

This is the command I'll be using to install the PFX files:

    certutil -f -user -p "Th1sIsN0tAR34lP4ssw0rd!" -importpfx "C:\Full\Path\To\Certificate.pfx" NoRoot

The biggest issue is that I can't be sure if the install was a success because certutil always returns 0 as an exit code, and I'm not sure how to retrieve the errorlevel environment variable from a cmd window.
mLipok Posted March 2, 2017

I will look at this late tonight.
orbs Posted March 2, 2017

2 hours ago, colombeen said:
    I'm changing the way I'll be handling the passwords for the certificates. I'll be using a little web service that will retrieve the password, and if the certificate is installed correctly, the web service will be returned an OK to remove the password.

That's still no guarantee against a compromised password, but if that's OK with your CISSO, it's fine by me...

2 hours ago, colombeen said:
    ... I can't be sure if the install was a success ...

After you call certutil.exe to import the certificate, call it again with the parameter -store only. This will generate a list of the installed certificates, which you can check for the presence of your certificate.
colombeen Posted March 2, 2017

I'd rather check the errorlevel code if at all possible... it's a lot more code for a verification... the info from the PFX can't be read by the AutoIt GUI, so I'd have to provide it some other way (reading out the certutil install info or something, but that would take a lot more time to code). The issue for me is that if you do the command for the cert install and you add " & echo %errorlevel%", it always shows the errorlevel from before the certutil command... it has to be executed on its own line and not in a one-liner.
mLipok Posted March 3, 2017

Try to use this:

    Func _CertUtil_ImportPFX()
        ; Import the PFX into the current user's store via certutil and check its report.
        ; certutil reports success with: CertUtil: -importPFX command completed successfully.
        Local $sResult = __CertUtil_RunWrapper('-f -user -p "Th1sIsN0tAR34lP4ssw0rd!" -importpfx "C:\Full\Path\To\Certificate.pfx" NoRoot', '', '')
        If Not StringInStr($sResult, 'CertUtil: -importPFX command completed successfully.') Then
            Return SetError($CUTIL_ERR_GENERAL, $CUTIL_EXT_DEFAULT, 0)
        EndIf
        Return SetError($CUTIL_ERR_SUCCESS, $CUTIL_EXT_DEFAULT, $CUTIL_RET_SUCCESS)
    EndFunc   ;==>_CertUtil_ImportPFX

Here are my results:

    ====================================================================
    Command: certutil.exe -f -user -p "Th1sIsN0tAR34lP4ssw0rd!" -importpfx "C:\Full\Path\To\Certificate.pfx" NoRoot
    Stdout Read:
    CertUtil: -importPFX command FAILED: 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)
    CertUtil: System nie może odnaleźć określonej ścieżki.
    ====================================================================
    >>>>>> Please close the "Report Log Window" to exit <<<<<<<

As you can see, "System nie może odnaleźć określonej ścieżki." means "The system cannot find the path specified." I think this should be all you need.

Regards
mLipok
colombeen Posted March 3, 2017

5 hours ago, mLipok said:
    Try to use this:

        Func _CertUtil_ImportPFX()
            ; Import the PFX into the current user's store via certutil and check its report.
            ; certutil reports success with: CertUtil: -importPFX command completed successfully.
            Local $sResult = __CertUtil_RunWrapper('-f -user -p "Th1sIsN0tAR34lP4ssw0rd!" -importpfx "C:\Full\Path\To\Certificate.pfx" NoRoot', '', '')
            If Not StringInStr($sResult, 'CertUtil: -importPFX command completed successfully.') Then
                Return SetError($CUTIL_ERR_GENERAL, $CUTIL_EXT_DEFAULT, 0)
            EndIf
            Return SetError($CUTIL_ERR_SUCCESS, $CUTIL_EXT_DEFAULT, $CUTIL_RET_SUCCESS)
        EndFunc   ;==>_CertUtil_ImportPFX

The issue with this check is that

    If Not StringInStr($sResult, 'CertUtil: -importPFX command completed successfully.') Then

will not work on my system because the return information from the error is in Dutch on my device. As we need to send out this installer to people all over Europe, I can't be checking on every language... Also, it seems that when I run it without COMSPEC I do get the exit code correctly.
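The install step from colombeen's certutil command, together with the exit-code and localisation problems raised in the two follow-ups, as an added example that is not code from the thread, from the Certutil UDF or from AutoIt. It installs the PFX in-process and verifies success by thumbprint, so the check is the same on a Dutch, Polish or English Windows and never depends on certutil's text. Assumed: Windows PowerShell 5.1 or later with the PKI module (Get-PfxData, Import-PfxCertificate); the hostname and expiry parameters are hypothetical stand-ins for the checks in colombeen's wish list.

```powershell
<#
Added example; not code from the thread, from the Certutil UDF or from AutoIt.
Installs a password-protected PFX into the current user's personal store and verifies
the result language-independently: the thumbprint is read from the PFX first, then
looked up in the store after import.
Assumptions (hypothetical): PKI module available; $ExpectedHost / $ValidUntil stand in
for the device binding and short lifetime colombeen asked for.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]       $PfxPath,
    [Parameter(Mandatory)] [securestring] $Password,
    [string]   $ExpectedHost = $env:COMPUTERNAME,        # device binding (assumption)
    [datetime] $ValidUntil   = (Get-Date).AddHours(4)    # installer lifetime (assumption)
)
$ErrorActionPreference = 'Stop'

# Guard rails from the wish list: wrong machine or expired window means no install.
if ($env:COMPUTERNAME -ne $ExpectedHost) {
    throw "This installer is bound to host '$ExpectedHost', not '$env:COMPUTERNAME'."
}
if ((Get-Date) -gt $ValidUntil) {
    throw "This installer expired at $ValidUntil."
}

# Step 1: learn what we are about to install. Get-PfxData decrypts the PFX in-process,
# so the password never appears on a command line or in process-creation logs.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in '$PfxPath'." }
$thumbprint = $leaf.Thumbprint
$storePath  = "Cert:\CurrentUser\My\$thumbprint"

# Step 2: import. Same effect as 'certutil -f -user -p ... -importpfx ... NoRoot',
# but the password stays a SecureString inside this process.
$null = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\CurrentUser\My' `
                              -Password $Password

# Step 3: verify by thumbprint and private-key presence. This never parses certutil's
# output, so the localized error text colombeen ran into does not matter.
$installed = Get-Item $storePath -ErrorAction SilentlyContinue
if (-not ($installed -and $installed.HasPrivateKey)) {
    throw "Import of $thumbprint did not succeed."
}
Write-Host "Installed $($installed.Subject) [$thumbprint], valid until $($installed.NotAfter)."
```

In colombeen's final design the password comes from the web service rather than from the user; `ConvertTo-SecureString -AsPlainText -Force` turns the fetched string into the parameter type. If certutil has to be used instead, call it directly (`& certutil.exe ...`) and read `$LASTEXITCODE` on the next line: in cmd.exe, `%errorlevel%` on the same line as the command is expanded before the command runs, which is why the one-liner always shows the previous value. Note also that `-p` on the command line exposes the password to anything that records process command lines, such as Sysmon process-creation events or `Get-CimInstance Win32_Process`.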