View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001099 | Main CAcert Website | misc | public | 2012-09-13 16:09 | 2013-07-23 22:00 |
| Reporter | barbado | Assigned To | |||
| Priority | normal | Severity | feature | Reproducibility | sometimes |
| Status | closed | Resolution | fixed | ||
| OS Version | 32-bit Windows 7 | ||||
| Product Version | 2012 Q3 | ||||
| Fixed in Version | 2013 Q2 | ||||
| Summary | 0001099: Automatic CAcert's root certificate install on Windows via Internet Explorer. | ||||
| Description | As planned via IRC with Marcus (INOPIAE) and others during one of the last telco meetings, I'm filling this entry, which is somehow related to bug 964 [1]. This is both a report and a request, concerning the fix of automatic CAcert's root cert install on Windows' most recent versions, via Internet Explorer (being executed through a regular user account). And as you'll see, I try to help with some code I've been working on. Manually installing CAcert's root cert (any root cert actually) on Windows is way too painful for end users. CAcert offers a way to streamline this on [2]. Unfortunately, [2] does not work with Microsoft's most recent OSes, that is, Vista and above, which face error messages like the common "Can't start the CEnroll control: 1AD". As for your reference, [2] uses file "/pages/index/17.php", not "/pages/account/17.php" which is bug 964-related. So, focus here is "/pages/index/17.php". RESULTS In my way to solve referred problem, I have initially worked on these two files: * windows-rootcert-install.vbs * windows-rootcert-install.php whose routines, I guess, may be useful for bug 964, and I hope, for this bug as well. I've started on ".vbs" script, mapping CEnroll-based code present on "/pages/index/17.php" to CertEnroll component, and then embedded it on an HTA, present on the ".php" file. That way, I've managed to install both root cert and class 3 on "Intermediate CAs" store, through a local install with the ".vbs" file, and also through web install via HTA (within ".php"). But I could not reach "Trusted Root CAs" certificate store so far with these two files, and that is a problem. Web install with HTA (file "windows-rootcert-install.php") can be tested here [3]. You need to choose "Open" (and maybe "Allow") when asked. Well, since I was not reaching the "Trusted Root" store, I decided to write another VBScript routine, now based on SendKeys(). And then I have finally gotten to something. See file: * plp-urci.vbs SendKeys solution works fine for 32-bit Windows 7 with IE 9, but I'm not sure if it's good enough yet, so I ask community to collaborate on this bug fixing, both with code and testing if possible. Can we somehow really use the SendKeys code ("plp-urci.vbs") I'm proposing herein? Or, is there a way to make "windows-rootcert-install.vbs" and "windows-rootcert-install.php" get to the Trusted Root store? Or, any other suggestion? | ||||
| Steps To Reproduce | Prerequisite i: use a recent 32-bit Windows OS version, that is, Vista and/or above, and Internet Explorer 9. Prerequisite ii: CAcert's root must not be installed on Trusted Root Certification Authorities store. One can check that with "certmgr.msc". 1- Go to CAcert's certificates page at http://www.cacert.org/index.php?id=3 2- click on "Click here if you want to import the root certificate into Microsoft Internet Explorer 5.x/6.x" (actually, [2]'s URL) as to initiate root cert install. 3- Chances are one may face error messages like "Can't start the CEnroll control: 1AD". 4- Again, using "certmgr.msc", check your Trusted Root Certification Authorities store for CAcert's root certificate. | ||||
| Additional Information | SOME CONCLUSIONS i- This entry is *only* about getting CAcert's root to be installed on Windows' Trusted Root Certification Authorities store in an automated manner. ii- Besides helping on bug 964, I'm not sure whether there is a way to turn files "windows-rootcert-install.vbs" and "windows-rootcert-install.php" into useful ones for this bugtracking entry. So far, it seems that whereas CEnroll used to accomplish "Trusted Root" store installs, CertEnroll cannot do the same in recent Windows versions. iii- Before fixing "/pages/index/17.php" itself, I guess it's sensible to think in wscript terms, and then we'll be able to adapt it to web, port it to JavaScript et al. REMARKS i- Provided sources have some comments, and most of them are already in English. If you have any doubt, don't hesitate to contact me. ii- By the way, I'll mention these things I'm working on, and also CAcert as a FAIF option, during my speak on Brazilian CONISLI 2012, to be held in the city of Sao Paulo, in November. REFERENCES [1] Bug 964: https://bugs.cacert.org/view.php?id=964 [2] Install CAcert Root using CEnroll Active-X component and PKCS-7 (Microsoft Internet Explorer 5.x/6.x): http://www.cacert.org/index.php?id=17 [3] Web install of CAcert's root and class 3 (it installs certs on Intermediate store): http://www.bdslabs.com.br/plp/windows-rootcert-install.php | ||||
| Tags | No tags attached. | ||||
| Reviewed by | NEOatNHNG, BenBE | ||||
| Test Instructions | |||||
| related to | 0000964 | closed | VBscript, Weak Keys script 4.php, 17.php to combine / select box key size and lower limit to 2048 |
|
|
|
|
|
NEO deployed a Root-Certificate-Installer revision Wed 26.09.2012 12:27 CAcert_Root_Certificates.msi SHA256: eacdefdcadc7810a286e13681cd2ac0f18174278dca687c7d701e973b8e9007c |
|
|
Testmatrix: ..............|................................ ----------------------------------------------- xp sp3, ie8 ..|..+ vista, .......| win7-32, ie9 .|..+ win7-64, ie9 .| test report: win7 home, 32bit (German version) ---------------------------------- install for all users source installed to: C:\Program Files\CAcert Root Certificates displayes as: C:\Programme\CAcert Root Certificates browser: ie9 (9.0.8112.16421) (9.0.10) root displays as: CAcert Root Certificate_wixCert_1 fingerprint ok to www.cacert.org sha1 13 5c ec 36 f4 9c b8 e9 3b 1a b2 70 cd 80 88 46 76 ce 8f 33 class3 subroot displays as: CAcert Class 3 Subroot Certificate_wixCert_1 serno: 0a 41 8a valid from/to: 2012-05-23 / 2021-05-20 fingerprint ok to www.cacert.org sha1 ad 7c 3f 64 fc 44 39 fe f4 e9 0b e8 f4 7c 6c fa 8a ad fd ce msi package adds record in installed programs list: CAcert Root Certificates bug report https://bugs.cacert.org/view.php?id=1102 WinXP SP3, ie8 --------------- all default root and subroot certs removed except 3 M$ certs install for all users source installed to: D:\Programme\CAcert Root Certificates\ (sysvol is on drive D:) displays as: D:\Programme\CAcert Root Certificates\ browser: ie8 (8.0.6001.18702) root displays as: CAcert Root Certificate_wixCert_1 fingerprint ok to www.cacert.org sha1 13 5c ec 36 f4 9c b8 e9 3b 1a b2 70 cd 80 88 46 76 ce 8f 33 class3 subroot displays as: CAcert Class 3 Subroot Certificate_wixCert_1 serno: 0a 41 8a valid from/to: 2012-05-23 / 2021-05-20 fingerprint ok to www.cacert.org sha1 ad 7c 3f 64 fc 44 39 fe f4 e9 0b e8 f4 7c 6c fa 8a ad fd ce msi package adds record in installed programs list: CAcert Root Certificates sidenote: before testing, I've installed package 0 (from last Tuesday) and later newer revision in software list 2 entries displayed (0,5 Mb, 0,69 Mb) uninstalling both packages, and restarting xp test Hat irgendjemand 'nen Vista zum Testen bzw. win7-64bit ?!? |
|
|
The installer can be found here: https://cacert.nhng.de/CAcert_Root_Certificates.msi Source code for the installer: https://github.com/CAcertOrg/cacert-root-cert-installer I'll write a patch to add it to the website. |
|
|
I've added the patch to the test server. Please test & review. |
|
|
Source review of the installer and the patch to link the installer on the website are okay. And while the installer part itself has been tested twice there's no test yet for the integration on the website. Just on a sidenote: Any particular reason for why the Package-Tag's Description and Comment attributes aren't translated? Or am I missing something here? |
|
|
Looks not good Class 1 PKI Key *** Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows) *** Root Certificate (PEM Format) Root Certificate (DER Format) Root Certificate (Text Format) CRL Fingerprint SHA1: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33 Fingerprint MD5: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B Better Deployment for Windows Certificate Store Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows) SHA1 Checksum SHA256 Checksum |
|
|
page https://cacert1.it-sls.de/index.php?id=3|Root Certificates displays: "Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows)" click popup open CAcert_Root_Certificates.msi What to do? Save file, Cancel save as .. install msi runs as expected |
|
|
The new design with the line break in front of the brackets looks good. The download works. => ok |
|
|
I have overhauled the root certificate download page. Please re-review and do some tests. |
|
|
page index 3 now looks ok english, FF |
|
|
The web site https://cacert1.it-sls.de/index.php?id=3 looks good in recent Firefox, the download of the Windows installer package worked and with it I could install the root certificates in recent WinXP SP3 IE8 successfully. |
|
|
32-bit Windows 7 Professional with Internet Explorer 10. Testing web page [1] looks ok, and ".msi" installation runs fine on a regular user account as well. BTW, anyone able to test it on some Windows 8 regular user account? REFERENCES [1] Windows Installer "testing" page: https://cacert1.it-sls.de/index.php?id=3 |
|
|
The web page works on IE 8/9, FF 19, Chrome. The .msi works Windows XP, Win 7 and Win 8 => ok |
|
|
please deploy as we have at least 4 positive tests. |
|
|
Mail sent to critical admins |
|
|
The patch has been installed on the production server on April 24, 2013. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2013-04/msg00006.html |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-09-13 16:09 | barbado | New Issue | |
| 2012-09-13 16:09 | barbado | File Added: Windows_auto_install.zip | |
| 2012-09-14 21:36 | NEOatNHNG | Relationship added | related to 0000964 |
| 2012-10-04 15:27 | Uli60 | Note Added: 0003237 | |
| 2012-10-04 15:29 | Uli60 | Note Added: 0003238 | |
| 2012-12-12 09:59 | INOPIAE | Assigned To | => NEOatNHNG |
| 2012-12-12 09:59 | INOPIAE | Status | new => fix available |
| 2013-02-12 20:41 | NEOatNHNG | Note Added: 0003746 | |
| 2013-02-12 21:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable a35ff811 |
| 2013-02-12 21:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable ba938fc0 |
| 2013-02-12 21:32 | NEOatNHNG | Reviewed by | => NEOatNHNG |
| 2013-02-12 21:32 | NEOatNHNG | Note Added: 0003747 | |
| 2013-02-12 21:32 | NEOatNHNG | Status | fix available => needs review & testing |
| 2013-03-26 11:50 | BenBE | Reviewed by | NEOatNHNG => NEOatNHNG, BenBE |
| 2013-03-26 11:50 | BenBE | Note Added: 0003846 | |
| 2013-03-26 11:50 | BenBE | Status | needs review & testing => needs testing |
| 2013-03-26 11:50 | BenBE | Product Version | => 2012 Q2 |
| 2013-03-26 20:51 | MartinGummi | Note Added: 0003847 | |
| 2013-03-26 20:52 | MartinGummi | Note Edited: 0003847 | |
| 2013-03-26 21:11 | Uli60 | Note Added: 0003848 | |
| 2013-03-26 23:00 | INOPIAE | Note Added: 0003849 | |
| 2013-03-26 23:00 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 0e199113 |
| 2013-03-26 23:00 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 42a5187c |
| 2013-03-26 23:00 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 0a7f7c4b |
| 2013-03-26 23:00 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 85f7fc08 |
| 2013-03-26 23:01 | NEOatNHNG | Reviewed by | NEOatNHNG, BenBE => NEOatNHNG |
| 2013-03-26 23:01 | NEOatNHNG | Note Added: 0003850 | |
| 2013-03-26 23:01 | NEOatNHNG | Status | needs testing => needs review & testing |
| 2013-03-26 23:04 | Uli60 | Note Added: 0003851 | |
| 2013-03-29 11:32 | BenBE | Reviewed by | NEOatNHNG => NEOatNHNG, BenBE |
| 2013-03-29 11:32 | BenBE | Status | needs review & testing => needs testing |
| 2013-03-29 11:32 | BenBE | Product Version | 2012 Q2 => 2012 Q3 |
| 2013-03-29 12:00 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 003b8ea0 |
| 2013-03-29 12:00 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable e25254b2 |
| 2013-04-03 19:37 | Werner Dworak | Note Added: 0003858 | |
| 2013-04-12 15:06 | barbado | Note Added: 0003877 | |
| 2013-04-13 06:14 | INOPIAE | Note Added: 0003878 | |
| 2013-04-13 06:15 | INOPIAE | Note Added: 0003879 | |
| 2013-04-13 06:15 | INOPIAE | Assigned To | NEOatNHNG => BenBE |
| 2013-04-13 06:15 | INOPIAE | Status | needs testing => ready to deploy |
| 2013-04-13 06:16 | INOPIAE | Note Edited: 0003879 | |
| 2013-04-16 16:55 | NEOatNHNG | Note Added: 0003885 | |
| 2013-04-16 22:50 | NEOatNHNG | Source_changeset_attached | => cacert-devel release ceb333fa |
| 2013-04-24 13:07 | wytze | Note Added: 0003920 | |
| 2013-04-24 13:07 | wytze | Status | ready to deploy => solved? |
| 2013-04-24 13:07 | wytze | Fixed in Version | => 2013 Q2 |
| 2013-04-24 13:07 | wytze | Resolution | open => fixed |
| 2013-07-23 22:00 | INOPIAE | Status | solved? => closed |
| 2013-07-23 22:00 | INOPIAE | Assigned To | BenBE => |
