Install time certificate validation#1782
Pull request overview
This PR enhances the Windows managed installer’s certificate handling by adding deeper certificate validation (leaf/chain/usage checks), improving localized user-facing messages, and ensuring the Gateway service account can read the selected certificate’s private key when using a system-store certificate.
Changes:
- Added certificate validation helpers (certificate issues + chain status) and updated the certificate dialog to surface validation results to the user.
- Added a new elevated custom action to grant NETWORK SERVICE read access to the selected system certificate’s private key, and sequenced it into the install flow.
- Expanded/updated localized installer strings (EN/FR/DE) for certificate validation and remediation guidance.
Reviewed changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package/WindowsManaged/Resources/Strings.g.cs | Adds new resource IDs/constants for certificate issue and chain validation messaging. |
| package/WindowsManaged/Resources/Strings_en-US.json | Adds/updates EN strings for certificate validation warnings and remediation. |
| package/WindowsManaged/Resources/Strings_fr-FR.json | Adds/updates FR strings for certificate validation warnings and remediation. |
| package/WindowsManaged/Resources/Strings_de-DE.json | Adds/updates DE strings for certificate validation warnings and remediation. |
| package/WindowsManaged/Resources/DevolutionsGateway_en-us.wxl | Adds/updates WiX EN strings corresponding to the new validation messages. |
| package/WindowsManaged/Resources/DevolutionsGateway_fr-fr.wxl | Adds/updates WiX FR strings corresponding to the new validation messages. |
| package/WindowsManaged/Resources/DevolutionsGateway_de-de.wxl | Adds/updates WiX DE strings corresponding to the new validation messages. |
| package/WindowsManaged/Helpers/PrivateKeyPermissions.cs | New helper to detect/grant NETWORK SERVICE read access to a cert private key file. |
| package/WindowsManaged/Helpers/CertificateChain.cs | New helper to load certs from PFX/PEM/DER and evaluate leaf issues + chain status. |
| package/WindowsManaged/Helpers/CertificateChain.usage.md | New usage reference documenting intended validation flow and severity. |
| package/WindowsManaged/Dialogs/CertificateDialog.Designer.cs | UI changes: removes warning icon usage, adjusts control state defaults, and enables “View” only when a cert is selected. |
| package/WindowsManaged/Dialogs/CertificateDialog.cs | Implements validation/warning aggregation for external and system certificates and prompts on validation failures. |
| package/WindowsManaged/Actions/GatewayActions.cs | Adds and sequences the deferred elevated action to set private-key permissions before public-key configuration. |
| package/WindowsManaged/Actions/CustomActions.cs | Implements the custom action that locates the selected system-store cert and grants key-file ACL access. |
Files not reviewed (1)
- package/WindowsManaged/Dialogs/CertificateDialog.Designer.cs: Language not supported
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
First, system certificate selection in the installer now matches runtime behaviour. Previously the user would search for and choose a specific certificate by subject or thumbprint. Now we match the runtime behaviour of Gateway: the user chooses the location, store and subject (which can be a fuzzy match) and a matching certificate is shown to the user based on their criteria. There is a "results" label that communicates if multiple certificates were found.
The missing SAN or Server Auth EKU is enforced because this will only occur on a new install, where strict verification is the default. So install time experience matches runtime expectation.
If certificates were matched but no suitable candidate is found, the user is informed of the reason(s) for that.
Second, the only exception to matching is the read permission for the private key for NETWORK SERVICE. The installer will now attempt to correct that scenario at install time.
Thirdly, we now perform a more comprehensive validation of the chosen certificate. Previously when using the "System" certificate option, we would ask .NET to validate the certificate and, if it could not, a "warning" triangle was displayed with a tooltip explaining that the certificate "may not be valid".
Now, instead, we perform validation of the chosen (System or External) certificate to the best of our ability:
For external (file) certificates:
BasicConstraints says CA=true)
For system certificates:
Quality checks for both External (file) and System certificates:
Note that the quality checks in general won't be shown for the System certificates, as they're largely caught and filtered during certificate selection.
Permission checks (System certificates):
When clicking "Next" on the dialog, the user is prompted with the validation reasons. Importantly this is a soft-validation, the user is never blocked and can proceed with the installation.
In general, when choosing a system certificate, the installer will call out the permission prompt but acknowledge we will try to fix it:
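As an added example, not the PR's own CertificateChain.cs, here is the shape of the leaf and chain checks the description lists (validity period, SAN, Server Authentication EKU, BasicConstraints CA flag, private key presence, chain status) written against the .NET X509 API; the class name, method name and message texts are assumptions, and treating an absent EKU extension as a missing Server Auth EKU is this example's choice.

```csharp
// Example only (assumed names); not the installer's CertificateChain.cs.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

public static class CertificateQualityCheck
{
    private const string SubjectAltNameOid = "2.5.29.17";      // id-ce-subjectAltName
    private const string ServerAuthEkuOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth

    // Returns human-readable reasons why the certificate is unsuitable as a TLS
    // server certificate. An empty list means no issue was found. Chain problems
    // are appended after the leaf checks so the caller can show them together.
    public static List<string> FindIssues(X509Certificate2 cert, bool requirePrivateKey)
    {
        var issues = new List<string>();
        var now = DateTime.Now;
        if (now < cert.NotBefore) issues.Add("Certificate is not yet valid");
        if (now > cert.NotAfter) issues.Add("Certificate has expired");

        bool hasSan = false, hasServerAuth = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid?.Value == SubjectAltNameOid) hasSan = true;
            if (ext is X509EnhancedKeyUsageExtension eku)
                foreach (var oid in eku.EnhancedKeyUsages)
                    if (oid.Value == ServerAuthEkuOid) hasServerAuth = true;
            if (ext is X509BasicConstraintsExtension bc && bc.CertificateAuthority)
                issues.Add("Certificate is a CA certificate (BasicConstraints says CA=true)");
        }
        if (!hasSan) issues.Add("Certificate has no Subject Alternative Name");
        // Assumption: a certificate with no EKU extension is reported as missing Server Auth.
        if (!hasServerAuth) issues.Add("Certificate lacks the Server Authentication EKU");
        if (requirePrivateKey && !cert.HasPrivateKey) issues.Add("Certificate has no private key");

        // Chain build: revocation is skipped so the check works on an offline host;
        // each X509ChainStatus carries the reason the chain could not be built.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            if (!chain.Build(cert))
                foreach (X509ChainStatus status in chain.ChainStatus)
                    issues.Add("Chain: " + status.StatusInformation.Trim());
        }
        return issues;
    }
}
```

A dialog would call FindIssues with requirePrivateKey set for the "System" option and show the returned reasons as the soft-validation prompt rather than blocking the install.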