cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AaronM
Level 6

Installing an X.509 Certificate

Summary
Need to install an X.509 Certificate into the Windows Certificate Store for a Windows Communication Foundation (WCF) service. This is not the same as signing the install.

Details

  • Client computers will get the certificate with public key (.cer file)
  • Server computer will get the certificate with public and private keys (.pfx file)
  • The private key in .pfx is password protected.
  • Installing requires System context (may be able to get by with just administrator).

Options

  • Create a .NET executable and use X509Store via System.Security.Cryptography.X509Certificates namespace. Launch this executable via custom action (deferred in system context).
  • Create a VBScript deferred custom action to call into CapiCom.dll.
  • Does InstallShield 2008 / Windows Installer natively support adding certificates to the certificate store??? Ideally, it would be no different than adding installing a file during install and automatically removed during uninstall instead of creating custom actions to add/remove.

Any feedback from others on the possible options would be greatly appreciated.

I found a couple of old threads on this topic, but may or may not apply to InstallShield 2008:
http://community.installshield.com/showthread.php?t=142469
http://community.installshield.com/showthread.php?t=129503
Labels (1)
0 Kudos

(3) Replies
Christopher_Pai
Level 16

There is no native support in MSI ( standard actions ) or InstallShield ( standard custom actions ). There is support in WiX via the Certificates element. It should be possible to create a WiX merge module that implements your certificates story and then consume it in an InstallShield project.


However, I recently deployed a VSTO application that had to publish various certificates to the store. I went with the Custom Action route and didn't bother making it data driven since it was only a handful of CA's that will never change and I doubt I'll need to do this again anytime soon.

I used a CLR 2.0 ComVisible C# Class and called it via InstallScript DotNetCoCreateObject(). With IS2009 and I would skip the installscript and go straight for the Managed CA type. I explored the Win32 and COM interfaces and didn't like what I saw. http://blog.deploymentengineering.com/2008/01/capicom-ugh.html

If you would like some sample code, I can provide it tonight.
0 Kudos
mohit_raghav
Level 4

Hey ya,

How did you solve this issue?

thanks

AaronM wrote:
Summary
Need to install an X.509 Certificate into the Windows Certificate Store for a Windows Communication Foundation (WCF) service. This is not the same as signing the install.

Details

  • Client computers will get the certificate with public key (.cer file)
  • Server computer will get the certificate with public and private keys (.pfx file)
  • The private key in .pfx is password protected.
  • Installing requires System context (may be able to get by with just administrator).

Options

  • Create a .NET executable and use X509Store via System.Security.Cryptography.X509Certificates namespace. Launch this executable via custom action (deferred in system context).
  • Create a VBScript deferred custom action to call into CapiCom.dll.
  • Does InstallShield 2008 / Windows Installer natively support adding certificates to the certificate store??? Ideally, it would be no different than adding installing a file during install and automatically removed during uninstall instead of creating custom actions to add/remove.

Any feedback from others on the possible options would be greatly appreciated.

I found a couple of old threads on this topic, but may or may not apply to InstallShield 2008:
http://community.installshield.com/showthread.php?t=142469
http://community.installshield.com/showthread.php?t=129503
0 Kudos
AaronM
Level 6

I create a .NET executable and use X509Store via System.Security.Cryptography.X509Certificates namespace. Launch this executable via custom action (deferred in system context).

C# code...

[CODE]// Open the certificate store
X509Store store = new X509Store( ... );
store.Open( OpenFlags.ReadWrite );

// Add the certificate
string password; // assign accordingly
byte[] buffer; // assign accordingly
X509Certificate2 cert = new X509Certificate2( buffer, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet );
store.Add( cert );[/CODE]
0 Kudos