/// <summary>
/// When Windows native certificate store features are in use, walk every known certificate
/// authority and disable "CA" usage on each intermediate the authority lists as disabled.
/// Nothing happens when native features are off. Every failure is logged rather than thrown,
/// and a failure on one intermediate does not stop processing of the remaining ones.
/// </summary>
private void PerformCAMaintenance()
{
    // Only meaningful where the Windows certificate stores are being managed by this service.
    if (!_useWindowsNativeFeatures)
    {
        return;
    }

    try
    {
        foreach (var authority in _certificateAuthorities.Values)
        {
            var flagged = authority.DisabledIntermediates;
            if (flagged?.Any() != true)
            {
                continue;
            }

            // Ensure CA usage has been disabled for every intermediate flagged by this authority.
            foreach (var thumbprint in flagged)
            {
                try
                {
                    var nowDisabled = CertificateManager.DisableCertificateUsage(thumbprint, "CA");
                    if (nowDisabled)
                    {
                        _serviceLog?.Information("CA Maintenance: Intermediate CA certificate usage disabled. {thumb}", thumbprint);
                    }
                    else
                    {
                        // A false result is treated as "probably already disabled", not as an error.
                        _serviceLog?.Warning("CA Maintenance: Could not disable CA certificate usage, may already be disabled. {thumb}", thumbprint);
                    }
                }
                catch (Exception ex)
                {
                    _serviceLog?.Error(ex, "CA Maintenance: Failed to disable CA certificate usage. {thumb}", thumbprint);
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Catch-all so a broken CA definition never takes the service down.
        _serviceLog?.Error(ex, "Failed to perform CA maintenance");
    }
}
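/// <summary>
/// If applicable, perform CA trust store maintenance relevant to our supported set of certificate authorities:
/// disable and quarantine (move to the Disallowed store) any intermediates flagged as disabled, then make sure
/// each authority's trusted roots and intermediates are present in the local machine stores.
/// Only runs when Windows native certificate store features are enabled. Failures are logged, never thrown,
/// and a failure for one certificate does not stop maintenance of the remaining certificates or authorities.
/// Before a root or intermediate is written to a trust store, its PEM is parsed and its thumbprint checked
/// against the thumbprint declared in the CA definition, so a mismatched or tampered PEM is never installed.
/// </summary>
private void PerformCAMaintenance()
{
    if (!_useWindowsNativeFeatures)
    {
        return;
    }

    try
    {
        foreach (var ca in _certificateAuthorities.Values)
        {
            // check for any intermediate to disable (by thumbprint)
            if (ca.DisabledIntermediates?.Any() == true)
            {
                foreach (var i in ca.DisabledIntermediates)
                {
                    DisableIntermediate(i);
                }
            }

            // check for any trusted roots to add (thumbprint -> PEM)
            if (ca.TrustedRoots?.Any() == true)
            {
                foreach (var root in ca.TrustedRoots)
                {
                    EnsureCertificateInstalled(root.Key, root.Value, CertificateManager.ROOT_STORE_NAME);
                }
            }

            // check for any intermediates to add (thumbprint -> PEM)
            if (ca.Intermediates?.Any() == true)
            {
                foreach (var intermediate in ca.Intermediates)
                {
                    EnsureCertificateInstalled(intermediate.Key, intermediate.Value, CertificateManager.CA_STORE_NAME);
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Catch-all so a broken CA definition never takes the service down.
        _serviceLog?.Error(ex, "Failed to perform CA maintenance");
    }
}

/// <summary>
/// Disable CA usage for one intermediate (by thumbprint) in both the machine and the service user's
/// CA store, then move it out of the CA store into the Disallowed store so it can no longer be used
/// to build a chain. Each step is logged; failures are logged and do not propagate.
/// </summary>
private void DisableIntermediate(string thumbprint)
{
    try
    {
        // local machine store
        CertificateManager.DisableCertificateUsage(thumbprint, CertificateManager.CA_STORE_NAME, useMachineStore: true);
        // local user store (service user)
        CertificateManager.DisableCertificateUsage(thumbprint, CertificateManager.CA_STORE_NAME, useMachineStore: false);
    }
    catch (Exception ex)
    {
        _serviceLog?.Error(ex, "CA Maintenance: Failed to disable CA certificate usage. {thumb}", thumbprint);
    }

    try
    {
        // local machine store
        if (CertificateManager.MoveCertificate(thumbprint, CertificateManager.CA_STORE_NAME, CertificateManager.DISALLOWED_STORE_NAME, useMachineStore: true))
        {
            _serviceLog?.Information("CA Maintenance: Intermediate CA certificate moved to Disallowed (machine) store. {thumb}", thumbprint);
        }
        // local user store (service user)
        if (CertificateManager.MoveCertificate(thumbprint, CertificateManager.CA_STORE_NAME, CertificateManager.DISALLOWED_STORE_NAME, useMachineStore: false))
        {
            _serviceLog?.Information("CA Maintenance: Intermediate CA certificate moved to Disallowed (user) store. {thumb}", thumbprint);
        }
    }
    catch (Exception ex)
    {
        _serviceLog?.Error(ex, "CA Maintenance: Failed to move intermediate to Disallowed store. {thumb}", thumbprint);
    }
}

/// <summary>
/// Install the PEM-encoded certificate into the local machine store <paramref name="storeName"/> unless a
/// certificate with <paramref name="thumbprint"/> is already present there.
/// The PEM is parsed and its thumbprint compared with <paramref name="thumbprint"/> first: a CA definition
/// whose PEM does not carry the declared thumbprint is refused and logged instead of being written to a
/// trust store (this also avoids re-installing it on every run because the thumbprint lookup never matches).
/// Failures are logged and do not propagate to the caller.
/// </summary>
private void EnsureCertificateInstalled(string thumbprint, string pem, string storeName)
{
    try
    {
        if (CertificateManager.GetCertificateByThumbprint(thumbprint, storeName, useMachineStore: true) != null)
        {
            return; // already present, nothing to do
        }

        if (!PemMatchesThumbprint(thumbprint, pem))
        {
            _serviceLog?.Error("CA Maintenance: Certificate PEM does not match the expected thumbprint, not adding it to the {store} store. {thumb}", storeName, thumbprint);
            return;
        }

        CertificateManager.StoreCertificateFromPem(pem, storeName, useMachineStore: true);
        _serviceLog?.Information("CA Maintenance: Certificate added to the {store} (machine) store. {thumb}", storeName, thumbprint);
    }
    catch (Exception ex)
    {
        _serviceLog?.Error(ex, "CA Maintenance: Failed to add certificate to the {store} store. {thumb}", storeName, thumbprint);
    }
}

/// <summary>
/// True when the certificate encoded in <paramref name="pem"/> has the SHA-1 thumbprint
/// <paramref name="expectedThumbprint"/>. Thumbprints are compared case-insensitively with any
/// non-hex separators (spaces, colons) removed. Returns false for empty input or an unparseable PEM.
/// </summary>
private static bool PemMatchesThumbprint(string expectedThumbprint, string pem)
{
    if (string.IsNullOrWhiteSpace(expectedThumbprint) || string.IsNullOrWhiteSpace(pem))
    {
        return false;
    }

    try
    {
        // The byte[] constructor accepts a base64/PEM encoded certificate as well as DER.
        using (var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(System.Text.Encoding.ASCII.GetBytes(pem)))
        {
            return string.Equals(NormalizeThumbprint(cert.Thumbprint), NormalizeThumbprint(expectedThumbprint), StringComparison.OrdinalIgnoreCase);
        }
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        // Not a certificate we can parse: treat as a mismatch so nothing gets installed.
        return false;
    }
}

/// <summary>
/// Strip everything that is not a hex digit so "ab:cd" / "AB CD" / "abcd" compare equal.
/// </summary>
private static string NormalizeThumbprint(string thumbprint)
{
    return new string((thumbprint ?? string.Empty).Where(System.Uri.IsHexDigit).ToArray());
}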