
Python/win32crypt, "Access is denied" when trying to save a certificate to "local machine" Windows store, but working with "current user" store


Solved: I just had to select run as administrator for PyCharm and the executable.

I have a Python program that creates a self-signed certificate, and now I am trying to add a feature that saves that same certificate to the Windows "Trusted Root Certification Authorities" folder in the "Certificates - Local Computer" store. I have it working when saving to the "Current User" certificate store, but that's it. When I try to save to the local machine store, I get this access denied message:

(-2147024891, 'PyCERTSTORE::CertAddEncodedCertificateToStore', 'Access is denied.')

Here's the function that takes in a certificate as a string:

import win32crypt  # pywin32

# Constants from wincrypt.h
CERT_STORE_PROV_SYSTEM = 0x0000000A
CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000
CERT_STORE_MAXIMUM_ALLOWED_FLAG = 0x00001000
CRYPT_STRING_BASE64HEADER = 0x00000000
CERT_SYSTEM_STORE_CURRENT_USER_ACCOUNT = 0x00010000
CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000
X509_ASN_ENCODING = 0x00000001
CERT_STORE_ADD_REPLACE_EXISTING = 3
CERT_CLOSE_STORE_FORCE_FLAG = 0x00000001

def save_cert_to_store(cert_to_save: str) -> None:
    # Decode the PEM text (with its -----BEGIN CERTIFICATE----- header) to DER bytes
    cert_byte = win32crypt.CryptStringToBinary(
        cert_to_save,
        CRYPT_STRING_BASE64HEADER
    )[0]

    # Open the LocalMachine "Root" (Trusted Root Certification Authorities) store
    store = win32crypt.CertOpenStore(
        CERT_STORE_PROV_SYSTEM,
        0,
        None,
        CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_MAXIMUM_ALLOWED_FLAG,
        "Root"
    )

    try:
        # Add the DER-encoded certificate, replacing any existing copy
        store.CertAddEncodedCertificateToStore(
            X509_ASN_ENCODING,
            cert_byte,
            CERT_STORE_ADD_REPLACE_EXISTING
        )
    except Exception as e:
        print(e)
    finally:
        store.CertCloseStore(CERT_CLOSE_STORE_FORCE_FLAG)

I suspect the problem is with this line: CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_MAXIMUM_ALLOWED_FLAG, but I've tried different combinations of things here with the same results. I see that CERT_STORE_MAXIMUM_ALLOWED_FLAG starts with write permissions, which I assume I want here, since I am adding to the store, so I'm confused as to why it's giving me access denied. I've also tried CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG.

I'm also not sure what the difference is between using "Root" and "My". I've tried both. edit: Never mind, I found the answer to this.

I've looked at all of the other related posts on SO that are similar to this, but none are actually trying to save a new certificate to this store, only reading from it.

I'm also wondering if this operation may just be blocked by Windows entirely.

I am referencing Microsoft's documentation here: https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore

Note: To run this, you will need to pip install pywin32



Solution

  • My solution was to run the IDE and the executable as administrator
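An added example (my code, not the asker's or the answerer's) that turns the "run as administrator" fix into an explicit check: it refuses to request write access to the LocalMachine store from a non-elevated process, opens the store read-only when only reading is needed, and recognises the E_ACCESSDENIED tuple from the question. The helper names (is_elevated, store_open_flags, is_access_denied, thumbprint) are mine; CERT_STORE_READONLY_FLAG and CERT_SYSTEM_STORE_CURRENT_USER are the standard wincrypt.h values.

```python
import ctypes
import hashlib
import sys

# wincrypt.h constants (same values as in the question, plus the read-only flag)
CERT_STORE_PROV_SYSTEM = 0x0000000A
CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000
CERT_STORE_READONLY_FLAG = 0x00008000
CERT_SYSTEM_STORE_CURRENT_USER = 0x00010000
CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000
CRYPT_STRING_BASE64HEADER = 0x00000000
X509_ASN_ENCODING = 0x00000001
CERT_STORE_ADD_REPLACE_EXISTING = 3
CERT_CLOSE_STORE_FORCE_FLAG = 0x00000001
E_ACCESSDENIED = 0x80070005  # HRESULT behind the -2147024891 seen in the question


def is_elevated() -> bool:
    """True only on Windows and only when the process token is an administrator's."""
    if not sys.platform.startswith("win"):
        return False
    return bool(ctypes.windll.shell32.IsUserAnAdmin())


def store_open_flags(local_machine: bool, write: bool, elevated: bool) -> int:
    """Build CertOpenStore flags; fail early instead of hitting 'Access is denied' on add."""
    if local_machine and write and not elevated:
        raise PermissionError("LocalMachine stores are writable by Administrators only; re-run elevated")
    location = CERT_SYSTEM_STORE_LOCAL_MACHINE if local_machine else CERT_SYSTEM_STORE_CURRENT_USER
    access = CERT_STORE_OPEN_EXISTING_FLAG if write else CERT_STORE_READONLY_FLAG
    return location | access


def is_access_denied(err_args: tuple) -> bool:
    """Recognise pywintypes.error args like (-2147024891, 'PyCERTSTORE::...', 'Access is denied.')."""
    return bool(err_args) and (err_args[0] & 0xFFFFFFFF) == E_ACCESSDENIED


def thumbprint(cert_der: bytes) -> str:
    """SHA-1 of the DER bytes, which is what Windows shows as the certificate thumbprint."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def save_cert_to_store(cert_pem: str, local_machine: bool = True, store_name: str = "Root") -> str:
    """Add a PEM certificate to the chosen system store and return its thumbprint for logging."""
    import win32crypt  # pywin32; imported here so the pure helpers above run on any platform
    cert_der = win32crypt.CryptStringToBinary(cert_pem, CRYPT_STRING_BASE64HEADER)[0]
    flags = store_open_flags(local_machine, write=True, elevated=is_elevated())
    store = win32crypt.CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, None, flags, store_name)
    try:
        store.CertAddEncodedCertificateToStore(X509_ASN_ENCODING, cert_der, CERT_STORE_ADD_REPLACE_EXISTING)
    finally:
        store.CertCloseStore(CERT_CLOSE_STORE_FORCE_FLAG)
    return thumbprint(cert_der)
```

Logging the thumbprint of anything added to LocalMachine\Root gives you a record to reconcile against the store later, since a root added there is trusted by every account on the machine.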