Posted (edited)

Hi guys,

I have a pretty advanced question...

 

This is the issue I'm facing:

On a regular basis we need to install pfx certificates (with password protection) on devices from external companies.

To install the certificate we always have to contact the user, set up a really dull and long process to get an RDP session to that device, and install the certificate.

I'm looking for:

a way to generate exe files on the fly that will include the pfx file and password, and automatically install them without any interaction from the user, and without the user being able to retrieve the password used to install the certificate.

Question:

Is this possible with AutoIt? And if so, does anyone have a working example for the certificate installation part or for the auto-generation with file include?

 

Thx in advance

colombeen

Edited by colombeen
Posted (edited)

NOOOO!!!

Not at all. We regularly need to grant access for external users to access our domain. To do so we need to install a certificate that allows them to connect.

I want to automate the install process of the cert so that we don't need to make the RDP session etc.

I want to send them the "certificate installer" generated with AutoIt via email or something else so that they can install the certificate without us needing remote control (because they can't know the password for the cert, that's why we need RDP => security reasons).

If I can automate this into an AutoIt compiled executable (has to be encrypted) I can speed up the process.

This is what I'm aiming for =>

- generate certificate + password via PowerShell
- call the AutoIt compiler from PowerShell, telling it where the certificate is placed and what the password is (and maybe something else to verify the device)
- the compiler needs to create an exe that holds both items
- it checks for the hostname (or something else) of the device it will be run on
- if everything checks out, install the certificate
- the certificate installer shouldn't work for more than a few hours and then it should just stop working (to make sure it will only be installed on 1 device)
- the user gets a message that the installation was a success or a failure

Edited by colombeen
Posted

I know it's not a good way to include a pass in a script, but it's just so time consuming. I was just hoping that it would be possible with encryption on the exe file.

Posted

@colombeen,

Yes, this is possible, and I dare say rather easy.

The "embedded password" catch can be easily avoided - do not embed the password. Instead, equip your "installer" with an input box for the password, and when you guide the end user through the installation process (by phone, I assume), read out the password to the user when the time comes to type it in.

Now, here's how you proceed:

1) report your topic and have a moderator move it to the General Help and Support forum, where it truly belongs and will get more assistive attention.

2) learn the following AutoIt functions:

FileInstall() - to embed and extract an external file (the pfx) in the compiled script

InputBox() - to ask the user for the password

Run() - to launch certutil.exe to install the certificate

MsgBox() - to inform the user of failure or success

3) make a decent attempt at it and come back if you need further assistance.


Posted (edited)
  On 2/27/2017 at 7:28 PM, orbs said:

The "embedded password" catch can be easily avoided - do not embed the password. Instead, equip your "installer" with an input box for the password, and when you guide the end user through the installation process (by phone, I assume), read out the password to the user when the time comes to type it in.

This is not an option... the user may never hear/read/touch/... the password for the certificate file. Otherwise I could just send the certificate with the password and I would be done with it...

Also... the FileInstall etc... I need to be able to add the file on the fly from a command like

AutoITCompiler.exe -compile -au3file "certinstaller.au3" -outputfile "certinstaller.exe" -includefile "cert6546548979821.pfx" -addvariable "Th1sIsN0tAR34lP4ssw0rd!" -encrypted -somethingsomething

so that I can run the function that creates the certificate with the required params, generates the executable, creates an e-mail and sends it with the steps the user should take.

Creating a script that can install a certificate will probably not be such a big hassle for me... it's the auto-generate part that I don't know / have no experience with.

Edited by colombeen
Posted (Moderators)

@colombeen As we discussed via PM, I think the suggestion given to you to move this to General Help and Support was incorrect, as this thread is still about the mechanics of accomplishing what you're after rather than a specific issue with an AutoIt script. For that reason I think the DEV forum is the perfect place to discuss the hows and whys of what you are trying to accomplish.

If you get to the point of creating the script to install your certificate, as you mention above, and run into issues, then I think it would make sense to create a thread in General Help and Support for specifically that subject. You can even link it back here for someone who wants all the history on it.

Posted (edited)
  On 2/28/2017 at 12:44 PM, colombeen said:

This is not an option... the user may never hear/read/touch/... the password for the certificate file.

OK, then this is a case of a production / security trade-off. Consider the following:

1) the certificate is bound to a hostname

2) the certificate has a limited time before expiration

3) the certificate alone is not sufficient for connection; a username/password combination is required as well

4) a script that simple can be safely made with an older version of AutoIt, which supports obfuscating the code

Given the above, I'd say the risk of a compromised certificate password is low. If your CISSO agrees, then embed the password. The rest is technicality:

  On 2/28/2017 at 12:44 PM, colombeen said:

Also... the fileinstall etc... I need to be able to add the file on the fly from a command like


This is actually a lot easier than you think. Off-hand I'd follow this logic:

The parameters which vary from one certificate to another are the certificate file name and the password. Put in your main script a line like this:

#include <CurrentCertificateInfo.au3>

In your PowerShell script (or batch file), right after you create the certificate (and you know its file name and password), create a new file named CurrentCertificateInfo.au3 and have it contain these two lines:

; embed the pfx in the compiled exe and extract it to the temp folder at run time (overwrite if present)
FileInstall("cert6546548979821.pfx", @TempDir & '\CurrCert.pfx', 1)
Global $sPassword = "Th1sIsN0tAR34lP4ssw0rd!"

The main script then uses CurrCert.pfx and $sPassword in due time.

Now study the correct syntax of compiling from the command line in the AutoIt help file: AutoIt > Using AutoIt > Compiling Scripts > Method 3 - The Command Line

You'll find all your requirements are met by the available command line switches (except for the "-encrypted -somethingsomething" part, which I don't understand what it means).

Edited by orbs


Posted

If you want to install certs in the Windows store (not on a crypto card) you could try to use certutil. For this case you could check my Certutil UDF.


Posted
  On 3/1/2017 at 4:12 PM, mLipok said:

If you want to install certs in the Windows store (not on a crypto card) you could try to use certutil. For this case you could check my Certutil UDF.

I wish that I could use the UDF, but it doesn't support passwords for pfx certificates, and that is the most important part of this automation. I'll see how far I can get with my project and maybe I'll try to add some features to the UDF.

Posted

I'm changing the way I'll be handling the passwords for the certificates.

I'll be using a little webservice that will retrieve the password, and if the certificate is installed correctly, an OK will be returned to the webservice to remove the password.

This is the command I'll be using to install the PFX files:

certutil -f -user -p "Th1sIsN0tAR34lP4ssw0rd!" -importpfx "C:\Full\Path\To\Certificate.pfx" NoRoot

The biggest issue is that I can't be sure if the install was a success, because certutil always returns 0 as an exit code, and I'm not sure how to retrieve the errorlevel environment variable from a cmd window.

Posted

I will look at this, late night.


Posted
  On 3/2/2017 at 1:24 PM, colombeen said:

 

I'm changing the way I'll be handling the passwords for the certificates.

I'll be using a little webservice that will retrieve the password, and if the certificate is installed correctly, an OK will be returned to the webservice to remove the password.

That's still no guarantee against a compromised password, but if that's OK with your CISSO, it's fine by me... ;)

  On 3/2/2017 at 1:24 PM, colombeen said:

... I can't be sure if the install was a success ...

After you call certutil.exe to import the certificate, call it again with the parameter -store only. This will generate a list of the installed certificates, which you can check for the presence of your certificate.


Posted

I'd rather check the errorlevel code if at all possible... it's a lot more code for a verification... the info from the pfx can't be read by the AutoIt GUI, so I'd have to provide it some other way (reading out the certutil install info or something, but that would take a lot more time to code).

The issue for me is that if you run the command for the cert install and you add " & echo %errorlevel%", it always shows the errorlevel from before the certutil command... it has to be executed on its own line and not in a one-liner.

Posted

Try to use this:

; Requires mLipok's Certutil UDF for __CertUtil_RunWrapper() and the $CUTIL_* constants.
Func _CertUtil_ImportPFX()
    ; Run certutil.exe through the UDF wrapper and capture its console output.
    Local $sResult = __CertUtil_RunWrapper('-f -user -p "Th1sIsN0tAR34lP4ssw0rd!" -importpfx "C:\Full\Path\To\Certificate.pfx" NoRoot', '', '')

    ; On success certutil prints:
    ; CertUtil: -importPFX command completed successfully.
    If Not StringInStr($sResult, 'CertUtil: -importPFX command completed successfully.') Then
        Return SetError($CUTIL_ERR_GENERAL, $CUTIL_EXT_DEFAULT, 0)
    EndIf

    Return SetError($CUTIL_ERR_SUCCESS, $CUTIL_EXT_DEFAULT, $CUTIL_RET_SUCCESS)
EndFunc   ;==>_CertUtil_ImportPFX

Here are my results:

====================================================================
Command: certutil.exe -f -user -p "Th1sIsN0tAR34lP4ssw0rd!" -importpfx "C:\Full\Path\To\Certificate.pfx" NoRoot
Stdout Read:
CertUtil: -importPFX command FAILED: 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)
CertUtil: System nie może odnaleźć określonej ścieżki.
====================================================================

>>>>>> Please close the "Report Log Window" to exit <<<<<<<

As you can see:
"System nie może odnaleźć określonej ścieżki."
"System can't find the specified path."

I think this should be all that you need.

Regards
mLipok


Posted
  On 3/3/2017 at 1:57 AM, mLipok said:

Try to use this:

; Requires mLipok's Certutil UDF for __CertUtil_RunWrapper() and the $CUTIL_* constants.
Func _CertUtil_ImportPFX()
    ; Run certutil.exe through the UDF wrapper and capture its console output.
    Local $sResult = __CertUtil_RunWrapper('-f -user -p "Th1sIsN0tAR34lP4ssw0rd!" -importpfx "C:\Full\Path\To\Certificate.pfx" NoRoot', '', '')

    ; On success certutil prints:
    ; CertUtil: -importPFX command completed successfully.
    If Not StringInStr($sResult, 'CertUtil: -importPFX command completed successfully.') Then
        Return SetError($CUTIL_ERR_GENERAL, $CUTIL_EXT_DEFAULT, 0)
    EndIf

    Return SetError($CUTIL_ERR_SUCCESS, $CUTIL_EXT_DEFAULT, $CUTIL_RET_SUCCESS)
EndFunc   ;==>_CertUtil_ImportPFX

The issue with this check is that

If Not StringInStr($sResult, 'CertUtil: -importPFX command completed successfully.') Then

will not work on my system, because the return information from the error is in Dutch on my device. As we need to send out this installer to people all over Europe, I can't be checking on every language...

Also, it seems that when I run it without comspec I do get the exit code correctly.
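Putting orbs's generated-include idea together with the last finding (the exit code is reliable when certutil is launched directly), here is an added example of the main installer script; it is not code from the thread or from any UDF. It assumes the PowerShell step also writes $sThumbprint (SHA1 of the cert), $sTargetHost and $sNotAfter (as "YYYY/MM/DD HH:MM:SS") into CurrentCertificateInfo.au3, and that certutil.exe lives in @SystemDir.

```autoit
#include <MsgBoxConstants.au3>
#include <Date.au3>
; Written by the PowerShell step (as in the thread): FileInstall() of the pfx and $sPassword.
; Assumed extra lines in that file: Global $sThumbprint, $sTargetHost, $sNotAfter.
#include <CurrentCertificateInfo.au3>

Global Const $g_sPfxPath = @TempDir & '\CurrCert.pfx'

Func _RunCertUtil($sArgs)
    ; Launch certutil.exe directly, not via @ComSpec, so RunWait() returns certutil's own
    ; exit code. The code is the same in every Windows display language, unlike the text.
    Return RunWait('"' & @SystemDir & '\certutil.exe" ' & $sArgs, @TempDir, @SW_HIDE)
EndFunc   ;==>_RunCertUtil

Func _InstallCert()
    ; 1) Bind the installer to one device and a short validity window.
    If $sTargetHost <> @ComputerName Then Return SetError(1, 0, False)
    If _DateDiff('h', $sNotAfter, _NowCalc()) > 0 Then Return SetError(2, 0, False)
    ; 2) Import. The password is on the command line here, exactly as in the thread's
    ;    certutil call, so it is visible to anyone listing processes while certutil runs.
    Local $iExit = _RunCertUtil('-f -user -p "' & $sPassword & '" -importpfx "' & $g_sPfxPath & '" NoRoot')
    If $iExit <> 0 Then Return SetError(3, $iExit, False)
    ; 3) Verify by thumbprint instead of parsing localized text: with a CertId argument,
    ;    -store exits non-zero when no matching certificate is in the user's My store.
    $iExit = _RunCertUtil('-user -store My ' & $sThumbprint)
    If $iExit <> 0 Then Return SetError(4, $iExit, False)
    Return True
EndFunc   ;==>_InstallCert

Func _Main()
    Local $bOk = _InstallCert()
    Local $iStep = @error, $iExit = @extended
    FileDelete($g_sPfxPath) ; never leave the extracted pfx behind, whatever the outcome
    If $bOk Then
        MsgBox($MB_ICONINFORMATION, "Certificate installer", "The certificate was installed successfully.")
        Return 0
    EndIf
    Switch $iStep
        Case 1, 2
            MsgBox($MB_ICONERROR, "Certificate installer", "This installer is not valid for this device or has expired.")
        Case Else
            MsgBox($MB_ICONERROR, "Certificate installer", "Installation failed at step " & $iStep & " (certutil exit code " & $iExit & ").")
    EndSwitch
    Return 1
EndFunc   ;==>_Main

Exit _Main()
```

The host and expiry checks only gate a careless run; anyone who can extract the embedded pfx and password from the exe is not stopped by them, which is the trade-off orbs describes above.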
