View Issue Details

ID: 0001099
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2013-07-23 22:00
Reporter: barbado
Assigned To:
Priority: normal
Severity: feature
Reproducibility: sometimes
Status: closed
Resolution: fixed
OS Version: 32-bit Windows 7
Product Version: 2012 Q3
Fixed in Version: 2013 Q2
Summary: 0001099: Automatic CAcert's root certificate install on Windows via Internet Explorer.
Description

As planned via IRC with Marcus (INOPIAE) and others during one of the last telco meetings, I'm filing this entry, which is somehow related to bug 964 [1].

This is both a report and a request, concerning the fix of automatic CAcert's root cert install on Windows' most recent versions, via Internet Explorer (being executed through a regular user account).

And as you'll see, I try to help with some code I've been working on.

Manually installing CAcert's root cert (any root cert actually) on Windows is way too painful for end users. CAcert offers a way to streamline this on [2].

Unfortunately, [2] does not work with Microsoft's most recent OSes, that is, Vista and above, which face error messages like the common "Can't start the CEnroll control: 1AD".

As for your reference, [2] uses file "/pages/index/17.php", not "/pages/account/17.php" which is bug 964-related.

So, focus here is "/pages/index/17.php".

RESULTS
In my way to solve referred problem, I have initially worked on these two files:

  * windows-rootcert-install.vbs
  * windows-rootcert-install.php

whose routines, I guess, may be useful for bug 964, and I hope, for this bug as well.

I've started on ".vbs" script, mapping CEnroll-based code present on "/pages/index/17.php" to CertEnroll component, and then embedded it on an HTA, present on the ".php" file.

That way, I've managed to install both root cert and class 3 on "Intermediate CAs" store, through a local install with the ".vbs" file, and also through web install via HTA (within ".php").

But I could not reach "Trusted Root CAs" certificate store so far with these two files, and that is a problem.

Web install with HTA (file "windows-rootcert-install.php") can be tested here [3]. You need to choose "Open" (and maybe "Allow") when asked.

Well, since I was not reaching the "Trusted Root" store, I decided to write another VBScript routine, now based on SendKeys(). And then I have finally gotten to something. See file:

  * plp-urci.vbs

SendKeys solution works fine for 32-bit Windows 7 with IE 9, but I'm not sure if it's good enough yet, so I ask community to collaborate on this bug fixing, both with code and testing if possible.

Can we somehow really use the SendKeys code ("plp-urci.vbs") I'm proposing herein?

Or, is there a way to make "windows-rootcert-install.vbs" and "windows-rootcert-install.php" get to the Trusted Root store?

Or, any other suggestion?
Steps To Reproduce

Prerequisite i: use a recent 32-bit Windows OS version, that is, Vista and/or above, and Internet Explorer 9.

Prerequisite ii: CAcert's root must not be installed on Trusted Root Certification Authorities store. One can check that with "certmgr.msc".

1- Go to CAcert's certificates page at http://www.cacert.org/index.php?id=3

2- click on "Click here if you want to import the root certificate into Microsoft Internet Explorer 5.x/6.x" (actually, [2]'s URL) as to initiate root cert install.

3- Chances are one may face error messages like "Can't start the CEnroll control: 1AD".

4- Again, using "certmgr.msc", check your Trusted Root Certification Authorities store for CAcert's root certificate.
Additional Information

SOME CONCLUSIONS
i- This entry is *only* about getting CAcert's root to be installed on Windows' Trusted Root Certification Authorities store in an automated manner.

ii- Besides helping on bug 964, I'm not sure whether there is a way to turn files "windows-rootcert-install.vbs" and "windows-rootcert-install.php" into useful ones for this bugtracking entry.
        So far, it seems that whereas CEnroll used to accomplish "Trusted Root" store installs, CertEnroll cannot do the same in recent Windows versions.

iii- Before fixing "/pages/index/17.php" itself, I guess it's sensible to think in wscript terms, and then we'll be able to adapt it to web, port it to JavaScript et al.


REMARKS
i- Provided sources have some comments, and most of them are already in English. If you have any doubt, don't hesitate to contact me.

ii- By the way, I'll mention these things I'm working on, and also CAcert as a FAIF option, during my talk at Brazilian CONISLI 2012, to be held in the city of Sao Paulo, in November.


REFERENCES

[1] Bug 964:
https://bugs.cacert.org/view.php?id=964

[2] Install CAcert Root using CEnroll Active-X component and PKCS-7 (Microsoft Internet Explorer 5.x/6.x):
http://www.cacert.org/index.php?id=17

[3] Web install of CAcert's root and class 3 (it installs certs on Intermediate store):
http://www.bdslabs.com.br/plp/windows-rootcert-install.php
Tags: No tags attached.
Attached Files
Windows_auto_install.zip (15,906 bytes)
Reviewed by: NEOatNHNG, BenBE
Test Instructions

Relationships

related to 0000964 closed VBscript, Weak Keys script 4.php, 17.php to combine / select box key size and lower limit to 2048 

Activities

Uli60

2012-10-04 15:27

updater   ~0003237

NEO deployed a Root-Certificate-Installer
revision
Wed 26.09.2012 12:27

CAcert_Root_Certificates.msi
SHA256: eacdefdcadc7810a286e13681cd2ac0f18174278dca687c7d701e973b8e9007c

Uli60

2012-10-04 15:29

updater   ~0003238

Testmatrix:
..............|................................
-----------------------------------------------
xp sp3, ie8 ..|..+
vista, .......|
win7-32, ie9 .|..+
win7-64, ie9 .|


test report:

win7 home, 32bit (German version)
----------------------------------
install for all users

source installed to: C:\Program Files\CAcert Root Certificates
displays as: C:\Programme\CAcert Root Certificates

browser: ie9 (9.0.8112.16421) (9.0.10)

root displays as:
CAcert Root Certificate_wixCert_1
fingerprint ok to www.cacert.org
sha1 13 5c ec 36 f4 9c b8 e9 3b 1a b2 70 cd 80 88 46 76 ce 8f 33

class3 subroot displays as:
CAcert Class 3 Subroot Certificate_wixCert_1

serno: 0a 41 8a
valid from/to: 2012-05-23 / 2021-05-20
fingerprint ok to www.cacert.org
sha1 ad 7c 3f 64 fc 44 39 fe f4 e9 0b e8 f4 7c 6c fa 8a ad fd ce


msi package adds record in installed programs list:
CAcert Root Certificates

bug report
https://bugs.cacert.org/view.php?id=1102



WinXP SP3, ie8
---------------
all default root and subroot certs removed
except 3 M$ certs

install for all users

source installed to: D:\Programme\CAcert Root Certificates\
   (sysvol is on drive D:)
displays as: D:\Programme\CAcert Root Certificates\

browser: ie8 (8.0.6001.18702)

root displays as:
CAcert Root Certificate_wixCert_1
fingerprint ok to www.cacert.org
sha1 13 5c ec 36 f4 9c b8 e9 3b 1a b2 70 cd 80 88 46 76 ce 8f 33

class3 subroot displays as:
CAcert Class 3 Subroot Certificate_wixCert_1

serno: 0a 41 8a
valid from/to: 2012-05-23 / 2021-05-20
fingerprint ok to www.cacert.org
sha1 ad 7c 3f 64 fc 44 39 fe f4 e9 0b e8 f4 7c 6c fa 8a ad fd ce

msi package adds record in installed programs list:
CAcert Root Certificates

sidenote:
before testing, I've installed package 0 (from last Tuesday)
 and later newer revision
 in software list 2 entries displayed (0,5 Mb, 0,69 Mb)
 uninstalling both packages, and restarting xp test


Does anyone have a Vista for testing,
or win7-64bit ?!?
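
As an added example (not part of the tracker thread or of the CAcert installer): a PowerShell check that does what the "certmgr.msc" step in the report does by hand, looking up the two SHA-1 fingerprints quoted in the test report above in the Trusted Root and Intermediate stores of both the current user and the machine. The function names are made up for this example.

```powershell
# Added example. The fingerprints are the SHA-1 values quoted in the test
# report above; ConvertTo-Thumbprint and Find-CertInStores are hypothetical
# helper names, not part of any CAcert tooling.
$expected = [ordered]@{
    'CAcert root'           = '13 5c ec 36 f4 9c b8 e9 3b 1a b2 70 cd 80 88 46 76 ce 8f 33'
    'CAcert class 3 subroot' = 'ad 7c 3f 64 fc 44 39 fe f4 e9 0b e8 f4 7c 6c fa 8a ad fd ce'
}

function ConvertTo-Thumbprint([string]$Fingerprint) {
    # Accepts "13 5c ..", "13:5C:.." or plain hex and returns upper-case hex,
    # which is the form the Cert: provider uses for item names.
    $hex = ($Fingerprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) { throw "Not a SHA-1 fingerprint: $Fingerprint" }
    $hex
}

function Find-CertInStores([string]$Thumbprint) {
    # Root = "Trusted Root Certification Authorities",
    # CA   = "Intermediate Certification Authorities".
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        foreach ($store in 'Root', 'CA') {
            $path = "Cert:\$location\$store\$Thumbprint"
            if (Test-Path -LiteralPath $path) { "$location\$store" }
        }
    }
}

foreach ($name in $expected.Keys) {
    $thumbprint = ConvertTo-Thumbprint $expected[$name]
    $found = @(Find-CertInStores $thumbprint)
    [pscustomobject]@{
        Certificate   = $name
        Thumbprint    = $thumbprint
        FoundIn       = $found -join ', '
        # False with a non-empty FoundIn means the certificate only reached
        # the Intermediate store, the situation described in the report.
        InTrustedRoot = @($found -like '*\Root').Count -gt 0
    }
}
```

Matching on the thumbprint rather than on the display name avoids depending on labels such as "CAcert Root Certificate_wixCert_1", which are set by the installer.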

NEOatNHNG

2013-02-12 20:41

administrator   ~0003746

The installer can be found here: https://cacert.nhng.de/CAcert_Root_Certificates.msi
Source code for the installer: https://github.com/CAcertOrg/cacert-root-cert-installer

I'll write a patch to add it to the website.

NEOatNHNG

2013-02-12 21:32

administrator   ~0003747

I've added the patch to the test server. Please test & review.

BenBE

2013-03-26 11:50

updater   ~0003846

Source review of the installer and the patch to link the installer on the website are okay.

And while the installer part itself has been tested twice there's no test yet for the integration on the website.

Just on a sidenote: Any particular reason for why the Package-Tag's Description and Comment attributes aren't translated? Or am I missing something here?

MartinGummi

2013-03-26 20:51

updater   ~0003847

Last edited: 2013-03-26 20:52

Looks not good

Class 1 PKI Key
*** Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows) ***
Root Certificate (PEM Format)
Root Certificate (DER Format)
Root Certificate (Text Format)
CRL
Fingerprint SHA1: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
Fingerprint MD5: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B

Better

Deployment for Windows Certificate Store
    Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows)

SHA1 Checksum
SHA256 Checksum

Uli60

2013-03-26 21:11

updater   ~0003848

page https://cacert1.it-sls.de/index.php?id=3|Root Certificates
displays: "Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows)"
click
popup
open CAcert_Root_Certificates.msi
What to do? Save file, Cancel
save as ..
install msi
runs as expected

INOPIAE

2013-03-26 23:00

updater   ~0003849

The new design with the line break in front of the brackets looks good.
The download works.
=> ok

NEOatNHNG

2013-03-26 23:01

administrator   ~0003850

I have overhauled the root certificate download page. Please re-review and do some tests.

Uli60

2013-03-26 23:04

updater   ~0003851

page index 3 now looks ok
english, FF

Werner Dworak

2013-04-03 19:37

updater   ~0003858

The web site https://cacert1.it-sls.de/index.php?id=3 looks good in recent Firefox, the download of the Windows installer package worked and with it I could install the root certificates in recent WinXP SP3 IE8 successfully.

barbado

2013-04-12 15:06

reporter   ~0003877

32-bit Windows 7 Professional with Internet Explorer 10.

Testing web page [1] looks ok, and ".msi" installation runs fine on a regular user account as well.

BTW, anyone able to test it on some Windows 8 regular user account?


REFERENCES

[1] Windows Installer "testing" page:
https://cacert1.it-sls.de/index.php?id=3

INOPIAE

2013-04-13 06:14

updater   ~0003878

The web page works on IE 8/9, FF 19, Chrome.
The .msi works on Windows XP, Win 7 and Win 8
=> ok

INOPIAE

2013-04-13 06:15

updater   ~0003879

Last edited: 2013-04-13 06:16

please deploy as we have at least 4 positive tests.

NEOatNHNG

2013-04-16 16:55

administrator   ~0003885

Mail sent to critical admins

wytze

2013-04-24 13:07

developer   ~0003920

The patch has been installed on the production server on April 24, 2013. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2013-04/msg00006.html

Issue History

Date Modified Username Field Change
2012-09-13 16:09 barbado New Issue
2012-09-13 16:09 barbado File Added: Windows_auto_install.zip
2012-09-14 21:36 NEOatNHNG Relationship added related to 0000964
2012-10-04 15:27 Uli60 Note Added: 0003237
2012-10-04 15:29 Uli60 Note Added: 0003238
2012-12-12 09:59 INOPIAE Assigned To => NEOatNHNG
2012-12-12 09:59 INOPIAE Status new => fix available
2013-02-12 20:41 NEOatNHNG Note Added: 0003746
2013-02-12 21:30 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable a35ff811
2013-02-12 21:30 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable ba938fc0
2013-02-12 21:32 NEOatNHNG Reviewed by => NEOatNHNG
2013-02-12 21:32 NEOatNHNG Note Added: 0003747
2013-02-12 21:32 NEOatNHNG Status fix available => needs review & testing
2013-03-26 11:50 BenBE Reviewed by NEOatNHNG => NEOatNHNG, BenBE
2013-03-26 11:50 BenBE Note Added: 0003846
2013-03-26 11:50 BenBE Status needs review & testing => needs testing
2013-03-26 11:50 BenBE Product Version => 2012 Q2
2013-03-26 20:51 MartinGummi Note Added: 0003847
2013-03-26 20:52 MartinGummi Note Edited: 0003847
2013-03-26 21:11 Uli60 Note Added: 0003848
2013-03-26 23:00 INOPIAE Note Added: 0003849
2013-03-26 23:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 0e199113
2013-03-26 23:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 42a5187c
2013-03-26 23:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 0a7f7c4b
2013-03-26 23:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 85f7fc08
2013-03-26 23:01 NEOatNHNG Reviewed by NEOatNHNG, BenBE => NEOatNHNG
2013-03-26 23:01 NEOatNHNG Note Added: 0003850
2013-03-26 23:01 NEOatNHNG Status needs testing => needs review & testing
2013-03-26 23:04 Uli60 Note Added: 0003851
2013-03-29 11:32 BenBE Reviewed by NEOatNHNG => NEOatNHNG, BenBE
2013-03-29 11:32 BenBE Status needs review & testing => needs testing
2013-03-29 11:32 BenBE Product Version 2012 Q2 => 2012 Q3
2013-03-29 12:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 003b8ea0
2013-03-29 12:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable e25254b2
2013-04-03 19:37 Werner Dworak Note Added: 0003858
2013-04-12 15:06 barbado Note Added: 0003877
2013-04-13 06:14 INOPIAE Note Added: 0003878
2013-04-13 06:15 INOPIAE Note Added: 0003879
2013-04-13 06:15 INOPIAE Assigned To NEOatNHNG => BenBE
2013-04-13 06:15 INOPIAE Status needs testing => ready to deploy
2013-04-13 06:16 INOPIAE Note Edited: 0003879
2013-04-16 16:55 NEOatNHNG Note Added: 0003885
2013-04-16 22:50 NEOatNHNG Source_changeset_attached => cacert-devel release ceb333fa
2013-04-24 13:07 wytze Note Added: 0003920
2013-04-24 13:07 wytze Status ready to deploy => solved?
2013-04-24 13:07 wytze Fixed in Version => 2013 Q2
2013-04-24 13:07 wytze Resolution open => fixed
2013-07-23 22:00 INOPIAE Status solved? => closed
2013-07-23 22:00 INOPIAE Assigned To BenBE =>