Getting the Root CA Certificate SHA1 Thumbprint

Question:

(In VB6) One thing we would like to do is to read out the SHA1
fingerprint of the root CA. For example, the program should read the user
certificate. The user certificate has a certification path. Is it possible
to read out the fingerprint of the top-level root certificate?

Answer:

Here is a sample program. The user certificate is loaded from the current-user registry-based certificate store by common name. Once you have the cert object, you can build the chain of authority and step through it. The root cert is the last in the list.

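    ' This fragment is assumed to run inside a Sub (it uses Exit Sub on failure).
    Dim success As Long
    Dim NumCerts As Long
    Dim i As Long

    ' Load the user certificate from the current-user store by common name.
    Dim cert As New ChilkatCert
    success = cert.LoadByCommonName("Chilkat Software, Inc.")
    If success = 0 Then
        MsgBox "Certificate not found."
        Exit Sub
    End If

    Dim certChain As New ChilkatCertChain

    ' Leave the certCollection object empty.
    Dim certCollection As New ChilkatCertColl

    success = certChain.BuildChain(cert, certCollection)
    If success = 0 Then
        MsgBox "Could not build the certificate chain."
        Exit Sub
    End If

    ' Step through the chain, from the user certificate up to the root.
    NumCerts = certChain.NumCerts
    Dim certN As ChilkatCert
    For i = 0 To NumCerts - 1
        Set certN = certChain.GetCert(i)
        MsgBox certN.SubjectDN
    Next

    ' The certificate at index NumCerts - 1 is the root.
    ' Get the fingerprint:
    If NumCerts > 0 Then
        MsgBox "Root Thumbprint: " & certChain.GetCert(NumCerts - 1).Sha1Thumbprint
    End If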
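
The same lookup done from PowerShell with the .NET X509Chain class, as an added example that is not part of the original answer and does not use the Chilkat API. It refuses to report a thumbprint when the chain is incomplete, because the last certificate in the list is a root only if the chain was built all the way up; `Get-RootThumbprint` is a hypothetical helper name.

```powershell
# Added example using the .NET X509Chain class (not the Chilkat API).
function Get-RootThumbprint {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the chain can be built without network access.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Certificate)

    # PartialChain means an issuer could not be found: the last element is then
    # an intermediate (or the leaf itself), not a root.
    $partialFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::PartialChain
    $isPartial = [bool]($chain.ChainStatus | Where-Object { $_.Status.HasFlag($partialFlag) })

    $elements = $chain.ChainElements
    if ($elements.Count -eq 0) { throw 'No chain elements were returned.' }
    $last = $elements[$elements.Count - 1].Certificate

    # A root certificate is self-issued: its subject and issuer are the same name.
    $selfIssued = ($last.Subject -eq $last.Issuer)
    if ($isPartial -or -not $selfIssued) {
        throw "Chain for '$($Certificate.Subject)' stops at '$($last.Subject)', which is not a root."
    }

    [pscustomobject]@{
        RootSubject    = $last.Subject
        Sha1Thumbprint = $last.Thumbprint   # hex SHA-1 of the DER-encoded certificate
        ChainLength    = $elements.Count
    }
}

# Assumption: same common name as the VB6 sample; change it for your certificate.
$commonName = 'Chilkat Software, Inc.'
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $commonName } |
    Select-Object -First 1

if ($null -eq $cert) {
    Write-Warning "No certificate with common name '$commonName' in Cert:\CurrentUser\My."
} else {
    Get-RootThumbprint -Certificate $cert
}
```

The function reports the root's thumbprint whether or not that root is trusted on the machine; trust is a separate check.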

Microsoft Certificate Support PDF

I found this PDF somewhere on Microsoft’s site, but now I cannot find it anymore. Therefore, I uploaded it here: http://cknotes.com/microsoft-certificate-support.pdf

This contains a collection of how-to procedures for certificates:

  • Install certificate after deleting the pending certificate request (IIS 6.0)
  • Installing Server Certificates (IIS 6.0)
  • How to install a certificate for use with IP Security in Windows Server 2003
  • Key Archival and Management in Windows Server 2003
  • Renew a certificate with the same key
  • Renew a certificate with a new key
  • How To Renew or Create New Certificate Signing Request While Another Certificate Is Currently Installed
  • Request a certificate using a PKCS #10 or PKCS #7 file
  • Renew a root certification authority
  • Importing and exporting certificates
  • Trusted root certification authority policy
  • Object IDs Associated with Microsoft Cryptography
  • Certutil tasks for backing up and restoring certificates

Private Key Warning Dialog

If your application is using a pre-installed certificate for creating a digital signature, or for decrypting, then it needs access to the private key. (By pre-installed, we mean a certificate that has been imported from a PFX (or via the browser) into a Windows registry-based certificate store.)

If you chose to enable strong private key protection, then the Windows operating system will display a warning dialog when any application attempts to access the private key. To disable this warning, you’ll need to re-install the certificate without strong private key protection.

This is what the warning dialog looks like:
[Image: Private Key Warning Dialog]

When importing the PFX via the Certificate Management Console (certmgr.msc), do not check the checkbox to enable strong private key protection:
[Image: PFX Import]