RE: How to enable certificate purpose programmatically?



Hi Vlad,

Sorry for keeping you waiting.

I have found a sample code snippet (a script). I have not tested it, but I am
posting it below for your information:

'******************************************************************************
'
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' Copyright (C) 1999- 2002. Microsoft Corporation. All rights reserved.
'
'******************************************************************************
'
' SetMetaEKU.vbs
'
' This script removes or sets the "meta EKU" property on particular certificates.
'
'
' Note: For simplicity, this script does not handle exceptions.
'
'******************************************************************************

Option Explicit
' CAPICOM Constants
' VBScript cannot import the enumerations from the CAPICOM type library, so the
' values this script needs are restated here as named constants.
' Only a subset is actually referenced below: CAPICOM_LOCAL_MACHINE_STORE,
' CAPICOM_THIRD_PARTY_STORE, CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED,
' CAPICOM_STORE_OPEN_EXISTING_ONLY and CAPICOM_PROPID_ENHKEY_USAGE.
' CAPICOM_ROOT_STORE appears only in a commented-out Store.Open call; the
' remaining constants are unused by this sample.
'
' Store location passed as the first argument of Store.Open.
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CURRENT_USER_STORE = 2
' Open-mode flags passed (OR-ed together) as the third argument of Store.Open.
Const CAPICOM_STORE_OPEN_READ_WRITE = 1
Const CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED = 2
Const CAPICOM_STORE_OPEN_EXISTING_ONLY = 128
' System store names: "ROOT" (trusted roots) and "AUTHROOT" (third-party roots).
Const CAPICOM_ROOT_STORE = "ROOT"
Const CAPICOM_THIRD_PARTY_STORE = "AUTHROOT"
Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME = 0
Const CAPICOM_CERTIFICATE_FIND_SHA1_HASH = 0
' Property id of the enhanced-key-usage extended property that the script
' adds to or removes from each selected certificate.
Const CAPICOM_PROPID_ENHKEY_USAGE = 9


' The sample insists on the console host: refuse to run unless the host
' executable is CScript.exe, and tell the user how to switch hosts.
Dim HostIsConsole
' InStr with vbTextCompare is already case-insensitive, so no UCase is needed.
HostIsConsole = InStr(1, Wscript.FullName, "cscript.exe", vbTextCompare) > 0
If Not HostIsConsole Then
    Wscript.Echo "This script can only be executed by CScript.exe." & vbCRLF & vbCRLF & _
                 "You can either:" & vbCRLF & vbCRLF & _
                 "1. Set CScript.exe as the default (Run CScript //h:cscript), or" & vbCRLF & _
                 "2. Run CScript.exe directly as in, CScript " & Wscript.ScriptName & "."
    Wscript.Quit(-1)
End If


' Modifying the LocalMachine store requires administrative rights; stop early
' with a clear message.  IsAdmin (defined below) is a group-membership
' heuristic, not an authoritative privilege check.
If Not IsAdmin Then
    Wscript.Echo "Error: You must be an administrator to run this script"
    Wscript.Quit(-1)
End If


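' Open the store.
'
' The script edits the LocalMachine "AUTHROOT" (third-party root) store, so the
' extended property it adds or removes changes how every account on this
' machine evaluates the selected root certificates.  The ROOT store variant
' from the original sample is kept below, commented out.
Dim Store
Set Store = CreateObject("CAPICOM.Store")

'Store.Open CAPICOM_LOCAL_MACHINE_STORE, CAPICOM_ROOT_STORE, CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED Or CAPICOM_STORE_OPEN_EXISTING_ONLY

' Opening the machine store is where access is actually checked by the system,
' so report that failure explicitly instead of relying only on the IsAdmin
' heuristic above (which would otherwise surface as an unhandled runtime error).
On Error Resume Next
Store.Open CAPICOM_LOCAL_MACHINE_STORE, CAPICOM_THIRD_PARTY_STORE, CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED Or CAPICOM_STORE_OPEN_EXISTING_ONLY
If Err.Number <> 0 Then
    Wscript.Echo "Error: cannot open the " & CAPICOM_THIRD_PARTY_STORE & " store (0x" & Hex(Err.Number) & "): " & Err.Description
    Wscript.Quit(-1)
End If
On Error GoTo 0

' MY_DESIRED_EKUS includes: Server Authentication, Client Authentication,
' Code Signing, Secure Email, Encrypting File System, Smart Card Login.
' This is an ASN.1 encoded blob (base64).  To obtain this value, configure a
' certificate the way you want, print the property out and paste its base64
' encoded value below.  It is loop-invariant, so it is declared once here
' rather than inside the loop.
Const MY_DESIRED_EKUS = "MEAGCisGAQQBgjcUAgIGCisGAQQBgjcKAwQGCCsGAQUFBwMEBggrBgEFBQcDAwYIKwYBBQUHAwIGCCsGAQUFBwMB"

' Now enumerate the certificates selected for modification.
Dim Certificate, Certificates, ExtendedProperty

Set Certificates = ToBeModified(Store.Certificates)

For Each Certificate in Certificates
    If HasEKU(Certificate) Then
        ' If the certificate already has an EKU property, show it and remove
        ' the property (Display is kept from the sample; it is only called on
        ' this branch).
        Certificate.Display
        Certificate.ExtendedProperties.Remove(CAPICOM_PROPID_ENHKEY_USAGE)
    Else
        ' If it does not have an EKU property, add one holding MY_DESIRED_EKUS.
        Set ExtendedProperty = CreateObject("CAPICOM.ExtendedProperty")
        ExtendedProperty.PropID = CAPICOM_PROPID_ENHKEY_USAGE
        ExtendedProperty.Value = MY_DESIRED_EKUS
        Certificate.ExtendedProperties.Add(ExtendedProperty)
    End If
Next

' Free resources.
Set ExtendedProperty = Nothing
Set Store = Nothing
Set Certificate = Nothing
Set Certificates = Nothing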


'******************************************************************************
'
' Function: ToBeModified
'
' Synopsis : Because Find gives us a snapshot, we must implement our own find.
' This function searches a collection for the certificates that should be
' modified.
'
' Parameter : Certificates - The certificate collection to be checked
'
'******************************************************************************
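Function ToBeModified(Certificates)
    ' Select, from the supplied collection, the certificates whose SHA-1
    ' thumbprint is in the hard-coded list below.
    '
    ' Parameter : Certificates - the CAPICOM certificate collection to scan
    ' Returns   : a new CAPICOM.Certificates collection (possibly empty)
    Dim CAsToModify, Thumbprint, Certificate, CertificatesToModify

    ' Hex SHA-1 thumbprints of the roots this script modifies, in order:
    ' CyberTrust 2004, CyberTrust 2006, CyberTrust Global Root.
    ' Array() sizes the list by its contents; the previous fixed-size
    ' declaration left an unused trailing Empty slot that was compared as "".
    CAsToModify = Array( _
        "dbac3c7aa4254da1aa5caad68468cb88eeddeea8", _
        "90dede9e4c4e9f6fd88617579dd391bc65a68964", _
        "97817950d81c9670cc34d809cf794431367ef474")

    Set CertificatesToModify = CreateObject("CAPICOM.Certificates")

    For Each Certificate In Certificates
        For Each Thumbprint In CAsToModify
            ' Thumbprints are hex strings; compare case-insensitively.
            If StrComp(Certificate.Thumbprint, Thumbprint, vbTextCompare) = 0 Then
                CertificatesToModify.Add Certificate
                ' A certificate has exactly one thumbprint, so stop scanning the list.
                Exit For
            End If
        Next
    Next

    Set ToBeModified = CertificatesToModify
End Function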


'******************************************************************************
'
' Function: IsAdmin
'
' Synopsis : Check to see if the current user is an Administrator
'
' Parameter : None
'
'******************************************************************************
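Function IsAdmin()
    ' Heuristic check that the current user is a direct member of the local
    ' Administrators group: runs "net localgroup administrators", captures its
    ' output in a temp file and looks for the user name among the listed members.
    '
    ' Returns : True when the user name appears as a member, False otherwise
    '           (including when the command or the temp file cannot be read).
    '
    ' Limitations: membership through a nested group (e.g. a domain group) is
    ' not detected, and group membership is not the same as running elevated;
    ' the authoritative check is whether opening the LocalMachine store succeeds.
    Dim Temp, UserName, Line, TempFile
    Dim FSO, FO, WshShell, WshNetwork
    Const ForReading = 1

    ' Best effort: any failure below leaves IsAdmin = False.
    On Error Resume Next
    IsAdmin = False

    Set WshShell = WScript.CreateObject("WScript.Shell")
    Temp = WshShell.ExpandEnvironmentStrings("%TEMP%")
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    UserName = LCase(WshNetwork.UserName)
    TempFile = Temp & "\isadmin.tmp"

    WshShell.Run "cmd.exe /c %windir%\system32\net localgroup administrators > %temp%\isadmin.tmp 2>&1", 0, True

    Set FSO = Wscript.CreateObject("Scripting.FileSystemObject")
    ' Clear any earlier swallowed error so the check below reflects the open.
    Err.Clear
    Set FO = FSO.OpenTextFile(TempFile, ForReading)

    ' Only walk the output if the file was opened and we have a non-empty name
    ' to look for; an empty name would otherwise match every line.
    If Err.Number = 0 And Len(UserName) > 0 Then
        Do While FO.AtEndOfStream <> True
            Line = LCase(Trim(FO.ReadLine))
            ' Match the whole member name, optionally prefixed by DOMAIN\, rather
            ' than a substring, so that e.g. "bob" does not match "bobby" or a
            ' group name that merely contains the user name.
            If Line = UserName Or Right(Line, Len(UserName) + 1) = "\" & UserName Then
                IsAdmin = True
                Exit Do
            End If
        Loop
        FO.Close
    End If

    ' Clean up the temp file if it was created.
    If FSO.FileExists(TempFile) Then FSO.DeleteFile TempFile

    ' Free resources.
    Set FSO = Nothing
    Set FO = Nothing
    Set WshShell = Nothing
    Set WshNetwork = Nothing
End Function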

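Function HasEKU(Certificate)
    ' Report whether the certificate carries the enhanced-key-usage extended
    ' property (PropID = CAPICOM_PROPID_ENHKEY_USAGE).
    '
    ' Parameter : Certificate - a CAPICOM certificate object
    ' Returns   : True if the property is present, False otherwise.  The result
    '             is initialised explicitly so callers never receive Empty.
    Dim ExtendedProperty

    HasEKU = False
    For Each ExtendedProperty In Certificate.ExtendedProperties
        If ExtendedProperty.PropID = CAPICOM_PROPID_ENHKEY_USAGE Then
            HasEKU = True
            ' One match is enough; no need to scan the remaining properties.
            Exit For
        End If
    Next
End Function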

Hope this helps!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.


