Channel: devtrends.com

Remove DigiNotar Certificate with VB.NET

As I am sure you are aware, at least one fraudulent digital certificate issued by DigiNotar is causing security concerns for domains associated with google.com. On Windows Vista/7/2008, certificates are checked against the Certificate Trust List built into the operating system, which Microsoft updates automatically; Windows XP/2003 users are not as lucky and get no such automatic update. Either way, it may be a good idea to remove the certificate from your stores. Manually this is easy: open mmc with the Certificates snap-in and delete the entries. If you need to do this on many machines, one method is the example below.

Microsoft Security Advisory 2607712: http://www.microsoft.com/technet/security/advisory/2607712.mspx

Before you build your own solution for removing DigiNotar, review Microsoft's recent out-of-band update: http://support.microsoft.com/kb/2607712. Note that the Microsoft update does more than delete: it moves the DigiNotar certificates into the Untrusted Certificates store, so they stay blocked even if something adds them back. If you write your own tool, consider doing the same rather than only removing them.

The code below removes every certificate whose SubjectName contains the string "DigiNotar". This is an ordinal, case-sensitive substring match, so it catches any certificate with that name fragment and nothing else; for a tighter match, compare cert.Thumbprint against the thumbprints of the DigiNotar certificates identified in the Microsoft advisory. The code iterates all certificates in the following stores, in this order, using nearly identical blocks of code:

  1. REMOVES *DigiNotar* in the Intermediate certificate store for Current User
  2. REMOVES *DigiNotar* in the Intermediate certificate store on Local Machine
  3. REMOVES *DigiNotar* in the Trusted "Root" certificate store for Current User
  4. REMOVES *DigiNotar* in the Trusted "Root" certificate store on Local Machine

The code removes certificates from both the current user and local machine stores. The local machine stores require administrative permissions, and the current user stores exist per user, so that part has to run in each user's own context. For deployment, run it once for each user on every system (a logon script, for example) and once per system, elevated, for the local machine stores. If you are only concerned with the root certificate on the local machine, remove the blocks of code that reference current user.
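The same four-store sweep as an added example, written here in PowerShell and not part of the original post: it uses the same .NET X509Store API as the VB.NET code, which is what you would push out through a logon script for the CurrentUser stores and an elevated startup script or scheduled task for LocalMachine. It adds what the VB.NET version lacks: an audit run with -WhatIf that lists matches without deleting anything, matching on thumbprint (the -Thumbprint values are assumed to be supplied by you from the Microsoft advisory; none are hard-coded here), and an optional -Disallow switch that also places each match in the Untrusted store the way the Microsoft update does. The parameter names and the script name are my own; the exit codes follow the post's table.

```powershell
<#
  Added example, not the original post's code. Sweeps the Root and
  Intermediate ("CA") stores of the chosen location(s) and removes every
  certificate that matches a supplied thumbprint or, failing that, the
  subject-name substring the post's VB.NET code uses.
  Exit codes as in the post: 0 = cert removed, 1 = nothing removed, 2 = error.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Preferred: SHA-1 thumbprints of the certificates to remove (assumed to be
    # copied from Microsoft Security Advisory 2607712; none are given here).
    [string[]]$Thumbprint = @(),
    # Fallback when no thumbprints are given: the substring match the post uses.
    [string]$SubjectContains = 'DigiNotar',
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string[]]$Location = @('CurrentUser', 'LocalMachine'),
    # Also add each match to the Untrusted ("Disallowed") store of the same
    # location, as the Microsoft update does, so it is blocked, not just absent.
    [switch]$Disallow
)

$X509          = 'System.Security.Cryptography.X509Certificates'
$StoreName     = "$X509.StoreName"     -as [type]
$StoreLocation = "$X509.StoreLocation" -as [type]
$OpenFlags     = "$X509.OpenFlags"     -as [type]

# Normalise thumbprints the way certutil and the advisory print them.
$wanted = @($Thumbprint | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

function Test-TargetCert ($Cert) {
    if ($wanted.Count -gt 0) {
        return ($wanted -contains $Cert.Thumbprint.ToUpperInvariant())
    }
    # String.Contains is ordinal and case-sensitive, exactly as in the VB.NET code.
    return $Cert.SubjectName.Name.Contains($SubjectContains)
}

$removed = 0
$errors  = 0
foreach ($loc in $Location) {
    $location = [Enum]::Parse($StoreLocation, $loc)
    # Use the StoreName enum, not a string: the string overload takes the raw
    # system store name, and "CertificateAuthority" is not one ("CA" is), so it
    # would silently open a new, empty store and remove nothing.
    foreach ($name in @($StoreName::CertificateAuthority, $StoreName::Root)) {
        $store = New-Object "$X509.X509Store" ($name, $location)
        $hits  = 0
        try {
            # ReadWrite on LocalMachine stores needs an elevated process.
            $store.Open($OpenFlags::ReadWrite)
            # .Certificates returns a copy, so removing while iterating is safe.
            foreach ($cert in $store.Certificates) {
                if (-not (Test-TargetCert $cert)) { continue }
                $label = "$loc\$name $($cert.Thumbprint) $($cert.Subject)"
                # With -WhatIf this prints the intended removal and skips it.
                if (-not $PSCmdlet.ShouldProcess($label, 'Remove certificate')) { continue }
                if ($Disallow) {
                    $untrusted = New-Object "$X509.X509Store" ($StoreName::Disallowed, $location)
                    $untrusted.Open($OpenFlags::ReadWrite)
                    $untrusted.Add($cert)     # already-present entries are left as they are
                    $untrusted.Close()
                }
                $store.Remove($cert)
                Write-Output "Removed: $label"
                $hits++
            }
            if ($hits -eq 0) { Write-Output "$loc\$name : no match, nothing removed." }
            $removed += $hits
        } catch {
            Write-Warning "$loc\$name : $($_.Exception.Message)"
            $errors++
        } finally {
            $store.Close()
        }
    }
}

# An error in any store wins over a removal elsewhere, matching the post's intent.
if ($errors -gt 0)  { exit 2 }
if ($removed -gt 0) { exit 0 }
exit 1
```

Audit first, for example `powershell.exe -ExecutionPolicy Bypass -File Remove-DigiNotar.ps1 -WhatIf` (the file name is a placeholder), then run it for real: as each user with `-Location CurrentUser`, and once per machine from an elevated process with `-Location LocalMachine -Disallow`. The exit code is what your deployment tool should key on.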

As with all of my blog articles, there is no warranty or guarantee for the sample provided below. The security of your environment is your responsibility. If the code does not work or causes other issues in your environment, it is your responsibility. You should test thoroughly prior to release to a production environment.

Removing DigiNotar certificates .NET Framework 2.0 code example:

Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates

Module Module1
    ' set once any store has had a matching certificate removed
    Dim certsRemoved As Boolean = False
    ' set once any store could not be opened or modified
    Dim hadError As Boolean = False
    Dim myExitCode As Integer = 0
    ' exit code table (an error in any store wins over a removal elsewhere)
    ' 0 = cert removed
    ' 1 = nothing removed
    ' 2 = error

    Sub Main()
        Console.WriteLine("devtrends.com — September 2, 2011")
        Console.WriteLine("Removes DigiNotar* from the Root and CertificateAuthority (Intermediate) certificate store.")
        Console.WriteLine("")

        ' 1. REMOVES DigiNotar in the Intermediate certificates store for Current User
        Try
            ' open the X509 intermediate ("CA") store for the current user.
            Dim store As X509Store = New X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser)
            store.Open(OpenFlags.ReadWrite)
            Dim removedHere As Boolean = False

            ' loop through and find the cert we want to work with.
            ' store.Certificates returns a copy of the collection, so removing
            ' from the store while iterating is safe.
            For Each cert As X509Certificate2 In store.Certificates
                'Console.WriteLine(cert.SubjectName.Name)
                ' String.Contains is an ordinal, case-sensitive match
                If cert.SubjectName.Name.Contains("DigiNotar") Then
                    Console.WriteLine("User Intermediate Removed: " & cert.SubjectName.Name)
                    store.Remove(cert)
                    removedHere = True
                    certsRemoved = True
                End If
            Next

            ' close the store object
            store.Close()

            ' did we remove anything from this store?
            If Not removedHere Then
                Console.WriteLine("User Intermediate: DigiNotar not found. Nothing removed.")
            End If
        Catch ex As Exception
            Console.WriteLine("User Intermediate Error: " & ex.Message)
            hadError = True
        End Try

        ' 2. REMOVES DigiNotar in the Intermediate certificates store on Local Machine
        Try
            ' open the X509 intermediate ("CA") store for the local machine (needs admin rights).
            Dim store As X509Store = New X509Store(StoreName.CertificateAuthority, StoreLocation.LocalMachine)
            store.Open(OpenFlags.ReadWrite)
            Dim removedHere As Boolean = False

            ' loop through and find the cert we want to work with
            For Each cert As X509Certificate2 In store.Certificates
                'Console.WriteLine(cert.SubjectName.Name)
                If cert.SubjectName.Name.Contains("DigiNotar") Then
                    Console.WriteLine("Local Machine Intermediate Removed: " & cert.SubjectName.Name)
                    store.Remove(cert)
                    removedHere = True
                    certsRemoved = True
                End If
            Next

            ' close the store object
            store.Close()

            ' did we remove anything from this store?
            If Not removedHere Then
                Console.WriteLine("Local Machine Intermediate: DigiNotar not found. Nothing removed.")
            End If
        Catch ex As Exception
            Console.WriteLine("Local Machine Intermediate Error: " & ex.Message)
            hadError = True
        End Try

        ' 3. REMOVES DigiNotar in the Trusted "Root" certificate store for Current User
        Try
            ' open the X509 trusted root store for the current user.
            Dim store As X509Store = New X509Store(StoreName.Root, StoreLocation.CurrentUser)
            store.Open(OpenFlags.ReadWrite)
            Dim removedHere As Boolean = False

            ' loop through and find the cert we want to work with
            For Each cert As X509Certificate2 In store.Certificates
                If cert.SubjectName.Name.Contains("DigiNotar") Then
                    Console.WriteLine("User Root Removed: " & cert.SubjectName.Name)
                    store.Remove(cert)
                    removedHere = True
                    certsRemoved = True
                End If
            Next

            ' close the store object
            store.Close()

            ' did we remove anything from this store?
            If Not removedHere Then
                Console.WriteLine("User Root: DigiNotar not found. Nothing removed.")
            End If
        Catch ex As Exception
            Console.WriteLine("User Root Error: " & ex.Message)
            hadError = True
        End Try

        ' 4. REMOVES DigiNotar in the Trusted "Root" certificate store on Local Machine
        Try
            ' open the X509 trusted root store for the local machine (needs admin rights).
            Dim store As X509Store = New X509Store(StoreName.Root, StoreLocation.LocalMachine)
            store.Open(OpenFlags.ReadWrite)
            Dim removedHere As Boolean = False

            ' loop through and find the cert we want to work with
            For Each cert As X509Certificate2 In store.Certificates
                If cert.SubjectName.Name.Contains("DigiNotar") Then
                    Console.WriteLine("Local Machine Root Removed: " & cert.SubjectName.Name)
                    store.Remove(cert)
                    removedHere = True
                    certsRemoved = True
                End If
            Next

            ' close the store object
            store.Close()

            ' did we remove anything from this store?
            If Not removedHere Then
                Console.WriteLine("Local Machine Root: DigiNotar not found. Nothing removed.")
            End If
        Catch ex As Exception
            Console.WriteLine("Local Machine Root Error: " & ex.Message)
            hadError = True
        End Try

        ' work out the exit code from all four stores: an error anywhere is
        ' reported as 2 even if another store was cleaned, otherwise 0 if any
        ' certificate was removed, otherwise 1.
        If hadError Then
            myExitCode = 2
        ElseIf certsRemoved Then
            myExitCode = 0
        Else
            myExitCode = 1
        End If

        ' exit with specific exit code
        Console.WriteLine("")
        Console.WriteLine("Exit code: (" & myExitCode & ")")
        Environment.Exit(myExitCode)
    End Sub

End Module
