Active Directory, C#, Certificates, Programming

Programmatically Install A Root CA Certificate So Users Don’t Have To (C#)

Jared Meredith

So here’s the backstory: I received the task of improving certificate enrollment so that users can

1) Be verified via username, password, captcha & verification pin

2) Auto Enroll without an external approval

3) Simplify the process

As some of you already know, ADCS via web enrollment is…how can we say…dated. So I wrote an application that sits in front of ADCS to first verify the user. Once they are through then the web enrollment is configured to let them run the wizard through to installing their cert. The issue that came to me is that most end-users will not take the time to ensure the root CA makes it to the trusted store (thus giving the classic CA cert is not installed message). So I received the order from on-high to “do it for them”. At first I struggled, attempting to understand how this could be done. I spoke with Microsoft and as I already was aware they indicated that having the user choose the trusted root store for the CA is by design. So what to do…ah I know, let’s just script it out.

So this is as simple as it gets. Download the cert, store it on the local drive and use the built-in certmgr.exe to perform the root CA to trusted store installation. Here it is (this code is just one a basic console app):

Code:

using System.Security.Cryptography.X509Certificates;

WebClient webClient = new WebClient();
webClient.DownloadFile("https://yourserver.domain.com/CertSrv/certnew.cer?ReqID=CACert&Renewal=0&Mode=inst&Enc=b64", @"C:\Temp\certnew.cer");

X509Store store = new X509Store(StoreName.Root,
StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
X509Certificate2Collection collection = new X509Certificate2Collection();
X509Certificate2 cert = new X509Certificate2(@"C:\Temp\certnew.cer");
byte[] encodedCert = cert.GetRawCertData();
Console.WriteLine("We are now installing the CA certificate into the Trusted Root Certificate store ...");
store.Add(cert);
Console.WriteLine("Done! The CA certificate was successfully. Press any key to close.");
Console.ReadKey();
store.Close();

This finishes the root CA portion so they can fly through the rest of web enrollment. Hope this helps.

Published by Jared Meredith

Principal Architect with 15+ years’ experience with expertise in all things Enterprise Architecture.