Solved: I just had to select run as administrator for PyCharm and the executable.
I have a Python program that creates a self-signed certificate, and now I am trying to add a feature that saves that same certificate to the Windows "Trusted Root Certification Authorities" folder in the "Certificates - Local Computer" store. I have it working when saving to the "Current User" certificate store, but that's it. When I try to save to the local machine store, I get this access denied message:
(-2147024891, 'PyCERTSTORE::CertAddEncodedCertificateToStore', 'Access is denied.')
Here's the function that takes in a certificate as a string:
import win32crypt  # pip install pywin32

# CryptoAPI constants from wincrypt.h
CERT_STORE_PROV_SYSTEM = 0x0000000A
CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000
CERT_STORE_MAXIMUM_ALLOWED_FLAG = 0x00001000
CRYPT_STRING_BASE64HEADER = 0x00000000   # base64 with -----BEGIN/END----- header
CERT_SYSTEM_STORE_CURRENT_USER_ACCOUNT = 0x00010000
CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000
X509_ASN_ENCODING = 0x00000001
CERT_STORE_ADD_REPLACE_EXISTING = 3
CERT_CLOSE_STORE_FORCE_FLAG = 0x00000001


def save_cert_to_store(cert_to_save: str) -> None:
    # PEM string -> DER bytes (CryptStringToBinary returns (data, flags))
    cert_byte = win32crypt.CryptStringToBinary(
        cert_to_save,
        CRYPT_STRING_BASE64HEADER
    )[0]
    # Open the LocalMachine "Root" (Trusted Root Certification Authorities) store
    store = win32crypt.CertOpenStore(
        CERT_STORE_PROV_SYSTEM,
        0,
        None,
        CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_MAXIMUM_ALLOWED_FLAG,
        "Root"
    )
    try:
        store.CertAddEncodedCertificateToStore(
            X509_ASN_ENCODING,
            cert_byte,
            CERT_STORE_ADD_REPLACE_EXISTING
        )
    except Exception as e:
        print(e)
    finally:
        store.CertCloseStore(CERT_CLOSE_STORE_FORCE_FLAG)
I suspect the problem is with this line: CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_MAXIMUM_ALLOWED_FLAG, but I've tried different combinations of things here with the same results. I see that CERT_STORE_MAXIMUM_ALLOWED_FLAG starts with write permissions, which I assume I want here, since I am adding to the store, so I'm confused as to why it's giving me access denied. I've also tried CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG.
I'm also not sure what the difference is between using "Root" and "My". I've tried both. edit: Never mind, I found the answer to this.
I've looked at all of the other related posts on SO that are similar to this, but none are actually trying to save a new certificate to this store, only reading from it.
I'm also wondering if this operation may just be blocked by Windows entirely.
I am referencing Microsoft's documentation here: https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore
Note: To run this, you will need to pip install pywin32
My solution was to run the IDE and the executable as administrator.
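The accepted fix is elevation: the HKLM-backed LocalMachine stores are writable only by administrators, so the same CertOpenStore/CertAddEncodedCertificateToStore calls succeed once the process has an elevated token. The following is an added example, not the poster's code or the pywin32 project's: it checks for elevation before touching the store (via shell32!IsUserAnAdmin through ctypes), picks the CurrentUser location instead when asked, and decodes the pywin32 error tuple so that the signed HRESULT -2147024891 is recognised as E_ACCESSDENIED (0x80070005) and reported with an actionable message rather than printed raw. The `machine_wide` parameter and the helper names are my own. It also uses the same "Root" store name as the question; "Root" is Trusted Root Certification Authorities and "My" is the Personal store.

```python
# Added example (not from the original post): elevation pre-check plus
# E_ACCESSDENIED handling around the same pywin32 calls the question uses.
import ctypes
import sys

# CryptoAPI constants from wincrypt.h (same values as in the question)
CERT_STORE_PROV_SYSTEM = 0x0000000A
CERT_STORE_MAXIMUM_ALLOWED_FLAG = 0x00001000
CRYPT_STRING_BASE64HEADER = 0x00000000
CERT_SYSTEM_STORE_CURRENT_USER = 0x00010000
CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000
X509_ASN_ENCODING = 0x00000001
CERT_STORE_ADD_REPLACE_EXISTING = 3
CERT_CLOSE_STORE_FORCE_FLAG = 0x00000001

E_ACCESSDENIED = 0x80070005  # HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED)


def hresult_from_pywin32(code: int) -> int:
    """pywin32 reports HRESULTs as signed 32-bit ints (e.g. -2147024891);
    normalise to the unsigned form used in winerror.h."""
    return code & 0xFFFFFFFF


def is_access_denied(err: BaseException) -> bool:
    """True if a pywin32 error (args = (code, function, message)) is E_ACCESSDENIED."""
    args = getattr(err, "args", ())
    return (bool(args) and isinstance(args[0], int)
            and hresult_from_pywin32(args[0]) == E_ACCESSDENIED)


def is_elevated() -> bool:
    """Does this process hold an elevated (administrator) token?
    Off Windows there is no token to check, so report False."""
    if sys.platform != "win32":
        return False
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except (AttributeError, OSError):
        return False


def save_cert_to_store(cert_pem: str, machine_wide: bool = True) -> None:
    """Add a PEM certificate to the Root store. machine_wide=True targets
    Cert:\\LocalMachine\\Root (needs elevation); False targets CurrentUser."""
    import win32crypt  # Windows only: pip install pywin32

    if machine_wide and not is_elevated():
        raise PermissionError(
            "Writing to the LocalMachine Root store requires an elevated "
            "(administrator) process; re-run elevated, or pass "
            "machine_wide=False to use the CurrentUser store instead."
        )
    location = (CERT_SYSTEM_STORE_LOCAL_MACHINE if machine_wide
                else CERT_SYSTEM_STORE_CURRENT_USER)

    cert_der = win32crypt.CryptStringToBinary(cert_pem, CRYPT_STRING_BASE64HEADER)[0]
    store = win32crypt.CertOpenStore(
        CERT_STORE_PROV_SYSTEM, 0, None,
        location | CERT_STORE_MAXIMUM_ALLOWED_FLAG, "Root")
    try:
        store.CertAddEncodedCertificateToStore(
            X509_ASN_ENCODING, cert_der, CERT_STORE_ADD_REPLACE_EXISTING)
    except Exception as e:  # pywintypes.error carries (code, function, message)
        if is_access_denied(e):
            raise PermissionError(
                "CertAddEncodedCertificateToStore returned E_ACCESSDENIED: the "
                "process is not elevated or the store ACL denies the write.") from e
        raise
    finally:
        store.CertCloseStore(CERT_CLOSE_STORE_FORCE_FLAG)
```

Two practical notes. The store write is checked by the Windows security reference monitor against the store's ACL, so no combination of CertOpenStore flags (CERT_STORE_MAXIMUM_ALLOWED_FLAG included) substitutes for an elevated token; the flags only narrow what is requested. And because a certificate in LocalMachine\Root is trusted by every account and service on the machine, an installer that needs it should prompt for elevation explicitly (UAC) rather than silently fall back, and anything that only needs per-user trust should write to CurrentUser\Root instead.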