Cannot add Root Certificate with CAPICOM

From: "Johannes Verelst" <usenet@filter.verelst.net>
Date: Fri, 28 Jun 2002 21:07:22 +0200


Hi,

According to the MSDN, I can do the following:

===
Minding the Store
Windows stores certificates in Certificate Stores. User certificates are
stored in the "MY" store. Root certificates are stored in the "Root" store.
Intermediate CA certificates are stored in the "CA" store. A developer can
enumerate, add, or remove certificates from a certificate store or examine
certificates in the Active Directory. With CAPICOM it is easy to add your
root certificate to a machine in your enterprise using a simple Visual Basic
Script.
According to this text, I should be able to add a certificate.
Unfortunately, I get an 'Access is Denied' error every time I try to add a
new certificate to the 'Root' store.
===

My code is:

Dim newCert as new Certificate
Dim certStore as new Store
Dim encodedCert as String
encodedCert = "MIIDI ..." ' base64 encoded certificate, it's quite long :-)
Call newCert.Import(encodedCert)
Call certStore.Open(CAPICOM_CURRENT_USER_STORE, CAPICOM_ROOT_STORE)
Call certStore.Add(newCert)

The error number I get is '80070005', "Access is denied."
I get that there are security risks concerning the possibility for programs
to add new certificates, but is there any (other) way to do this? According
to the documentation it should be possible, but it apparently isn't.

My environment:
- tested CAPICOM 1.0.0.1 & 2.0
- OS: Windows XP (could this be the problem? Better security than previous
Windows OS-es?)
- Visual Basic 6.0

Kind regards,

Johannes Verelst
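
Store.Open accepts an optional third OpenMode argument, which defaults to CAPICOM_STORE_OPEN_READ_ONLY. The following is an added example, not part of the original post: it opens the store read/write, checks the certificate's thumbprint before trusting it, and confirms the certificate is in the store afterwards. The function name and the expectedThumbprint parameter are hypothetical, and that read/write mode resolves the error reported above is an assumption.

```vb
' Added example, not the poster's code. Needs a project reference to the
' CAPICOM type library. expectedThumbprint is a hypothetical parameter: the
' SHA-1 thumbprint of the root certificate, obtained out of band.
Public Function AddRootCertificate(ByVal encodedCert As String, _
                                   ByVal expectedThumbprint As String) As Boolean
    Dim newCert As New Certificate
    Dim certStore As New Store
    Dim existing As Certificate

    On Error GoTo Failed

    newCert.Import encodedCert

    ' Refuse to trust a certificate other than the one we expect.
    If StrComp(newCert.Thumbprint, expectedThumbprint, vbTextCompare) <> 0 Then
        Exit Function
    End If

    ' Third argument is the OpenMode. When it is omitted the store is
    ' opened with CAPICOM_STORE_OPEN_READ_ONLY.
    certStore.Open CAPICOM_CURRENT_USER_STORE, CAPICOM_ROOT_STORE, _
                   CAPICOM_STORE_OPEN_READ_WRITE
    certStore.Add newCert

    ' Confirm the certificate is now present in the store.
    For Each existing In certStore.Certificates
        If StrComp(existing.Thumbprint, newCert.Thumbprint, vbTextCompare) = 0 Then
            AddRootCertificate = True
            Exit For
        End If
    Next
    Exit Function

Failed:
    ' Report the HRESULT, e.g. 80070005 for "Access is denied."
    Debug.Print "CAPICOM error " & Hex$(Err.Number) & ": " & Err.Description
    AddRootCertificate = False
End Function
```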


