win-ca icon indicating copy to clipboard operation
win-ca copied to clipboard
verified publisher icon ukoloff

Instead of roots.exe which now has volnerability fetch certs with powershell and node.js?

Open OZZlE opened this issue 1 year ago • 3 comments

This is Work in Progress, my enterprise computer decided that roots.exe is dangerous and just removes it so I started looking into an alternative way of getting the root certificates for doing a proper node fetch on windows with ssl.

const fetchAllRootCertificates = async (): Promise<string> => {
  const cliPSCommand = `
    $env:PSModulePath = [Environment]::GetEnvironmentVariable('PSModulePath', 'Machine');
    Get-ChildItem -Path Cert:\\LocalMachine\\Root | ForEach-Object {
      "-----BEGIN CERTIFICATE-----"
      [System.Convert]::ToBase64String($_.RawData, "InsertLineBreaks")
      "-----END CERTIFICATE-----"
    }
  `;

  const util = require("util");
  const exec = util.promisify(require("child_process").exec);
  const { stdout } = await exec(`powershell -Command "${cliPSCommand}"`);
  return stdout;
};

I know to little about Certificates however to finish this, maybe it's not possible? Using the above it still says "unable to get local issuer certificate" .. but maybe the names of the certs needs to be included?? or some other

OZZlE avatar Oct 30 '24 08:10 OZZlE

Well, this is PowerShell one-liner, drop-in replacement for roots.exe:

Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { -join $_.RawData.Foreach({ $_.ToString('x2') }) }

ukoloff avatar Oct 30 '24 09:10 ukoloff

This is Work in Progress, my enterprise computer decided that roots.exe is dangerous and just removes it so I started looking into an alternative way of getting the root certificates for doing a proper node fetch on windows with ssl.

const fetchAllRootCertificates = async (): Promise<string> => {
  const cliPSCommand = `
    $env:PSModulePath = [Environment]::GetEnvironmentVariable('PSModulePath', 'Machine');
    Get-ChildItem -Path Cert:\\LocalMachine\\Root | ForEach-Object {
      "-----BEGIN CERTIFICATE-----"
      [System.Convert]::ToBase64String($_.RawData, "InsertLineBreaks")
      "-----END CERTIFICATE-----"
    }
  `;

  const util = require("util");
  const exec = util.promisify(require("child_process").exec);
  const { stdout } = await exec(`powershell -Command "${cliPSCommand}"`);
  return stdout;
};

I know to little about Certificates however to finish this, maybe it's not possible? Using the above it still says "unable to get local issuer certificate" .. but maybe the names of the certs needs to be included?? or some other

cobra377 avatar Dec 04 '24 21:12 cobra377

And what is your purpose? Do you need a list of all root certificates? Or just connect to some Web server? Or what?

As for me, I cannot run PowerShell from Node.js due to our Enterprise policies :-(

ukoloff avatar Dec 05 '24 06:12 ukoloff