
#1173 DeleteMachineCertificate action fails

v3.0
closed
2012-09-15
2008-04-20
No

Installing a certificate via the <iis:certificate> CA works well, but uninstalling fails.

The first attempt at uninstall seems to actually remove the certificate, but the uninstall is rolled back. The second attempt at uninstall succeeds.

Discussion

  • Andrew Sampson

    Andrew Sampson - 2008-04-20

    Uninstall Logs for Certificate issue

     
  • Rob Mensching

    Rob Mensching - 2008-05-02

    Logged In: YES
    user_id=991639
    Originator: NO

    I believe this was caused by incorrect usage of CompareStringW(). I've fixed all the incorrect usages and hopefully this bug goes away. If not, please do re-open it, and if you can add a few details that would be great since I'm not reproing the issue.

     
  • Andrew Sampson

    Andrew Sampson - 2008-09-01

    Logged In: YES
    user_id=1939857
    Originator: YES

    Cracked open the source for this CA and did a bit of investigating. The PCCERT_CONTEXT is being doubly-freed, which means it fails after the first cert - so if it finds the cert on the first go around the loop, it successfully deletes it; if not, it blows up at the end of the loop.

    Here is the offending code (in UnInstallCertificate() in src\ca\serverca\scaexec\scacertexec.cpp):

    // Loop through all certificates in the store, deleting the ones that match our friendly name.
    pCertContext = ::CertFindCertificateInStore(hStore, PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, NULL);
    while (pCertContext)
    {
        // REMOVED CODE

        // Next certificate in the store.
        PCCERT_CONTEXT pNext = ::CertFindCertificateInStore(hStore, PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, pCertContext);
        ::CertFreeCertificateContext(pCertContext);
        pCertContext = pNext;
    }

    The call to CertFreeCertificateContext() is doubly-freeing pCertContext. See http://msdn.microsoft.com/en-us/library/aa376064(VS.85).aspx where it says:
    "A non-NULL CERT_CONTEXT that CertFindCertificateInStore returns must be freed by CertFreeCertificateContext or by being passed as the pPrevCertContext parameter on a subsequent call to CertFindCertificateInStore."

    Remove that extra call to CertFreeCertificateContext, and it works fine.

    Thanks!
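
The ownership rule quoted in the comment above, as an added example that is not part of the original thread or of the WiX source: a portable C model of the enumeration contract that counts references, so the double release in the posted loop shows up as a number instead of heap corruption. It goes one step beyond the ticket by also covering an early exit from the loop, where the caller still owns the context and must free it. The names `ctx_t`, `store_t`, `find_next`, `ctx_free`, `walk_as_posted`, `walk_fixed` and the sample friendly names are hypothetical stand-ins, not CryptoAPI.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model, not CryptoAPI: refs/held count references the caller owns,
   over counts releases of a reference the caller did not own. */
enum { NCERTS = 3 };
typedef struct { const char *friendly; int refs; } ctx_t;
typedef struct { ctx_t certs[NCERTS]; int held, over; } store_t;
#define SAMPLE_STORE {{{"web", 0}, {"mail", 0}, {"vpn", 0}}, 0, 0}  /* constructed */

/* Stand-in for CertFreeCertificateContext (store passed only for counting). */
static void ctx_free(store_t *s, ctx_t *c) {
    if (!c) return;
    if (c->refs > 0) { c->refs--; s->held--; } else s->over++;
}

/* Stand-in for CertFindCertificateInStore(..., CERT_FIND_ANY, NULL, prev):
   releases prev, then returns the next context with one new reference. */
static ctx_t *find_next(store_t *s, ctx_t *prev) {
    int i = prev ? (int)(prev - s->certs) + 1 : 0;
    ctx_free(s, prev);
    if (i >= NCERTS) return NULL;
    s->certs[i].refs++; s->held++;
    return &s->certs[i];
}

/* Loop shaped like the one quoted in the ticket; returns over-release count. */
static int walk_as_posted(store_t *s) {
    ctx_t *c = find_next(s, NULL);
    while (c) {
        ctx_t *next = find_next(s, c);  /* already releases c */
        ctx_free(s, c);                 /* second release of c */
        c = next;
    }
    return s->over;
}

/* Corrected loop; stops early on a friendly-name match, returns 1 if found. */
static int walk_fixed(store_t *s, const char *name) {
    ctx_t *c = find_next(s, NULL);
    while (c && strcmp(c->friendly, name) != 0) c = find_next(s, c);
    int found = (c != NULL);
    ctx_free(s, c);  /* early exit: caller still owns c; no-op when c is NULL */
    return found;
}

int main(void) {
    store_t a = SAMPLE_STORE, b = SAMPLE_STORE;
    int over = walk_as_posted(&a), found = walk_fixed(&b, "mail");
    printf("as posted: over=%d | fixed: found=%d over=%d held=%d\n", over, found, b.over, b.held);
    return 0;
}
```

In the model the posted loop over-releases once per certificate visited, while the corrected loop ends with nothing over-released and nothing still held, whether it runs to the end of the store or stops at a match.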

     
  • Andrew Sampson

    Andrew Sampson - 2008-09-01

    Logged In: YES
    user_id=1939857
    Originator: YES

    As a quick followup to this, wouldn't it be better to delete the Certificate using the IssuerName & SerialNo? The friendly name is just an unverified string, and if I manually import a cert into the store (via mmc) it doesn't get set at all.

    From my point of view, this CA now works with this fix, so I don't strongly care one way or another, I just thought I'd mention it.

    Thanks for the good work!

     
  • Rob Mensching

    Rob Mensching - 2008-09-05

    Logged In: YES
    user_id=991639
    Originator: NO

    Good catch. Simplified the logic even more. I swear the documentation has gotten much better since I last tried to fix the cert custom actions.

     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 15 days (the time period specified by
    the administrator of this Tracker).

     