Using CAPICOM on Windows x64

So CAPICOM was one of the project I was responsible for while at Microsoft, its been discontinued but I always find it useful – it is kind of a Swiss Army knife for CryptoAPI certificate stores when paired with its VBS samples.

One of it’s problems is we never shipped with x64 bit version, you can do similar things with PowerShell and the .NET classes (this is why it was discontinued) but I still find this the quickest way to do stuff sometimes so I keep it in my toolbelt.

Here is what you need to know to make it work:

  1. Windows can run 32bit things in 64bit environments.
  2. You cannot have a 64bit thing call a 32bit thing.
  3. Windows ships a 32bit cmd prompt.
  4. Windows ships a 32bit regsrv32.

To use CAPICOM you need to:

  1. Download CAPICOM – http://www.microsoft.com/en-us/download/details.aspx?id=25281
  2. Install CAPICOM
  3. Register CAPICOM
  • Open an administrative command prompt
  • cd to “C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2 SDK\Lib\X86”
  • copy CAPICOM.DLL %windir%\syswow64
  • %windir%\syswow64\regsvr32.exe %windir%\syswow64\capicom.dll
  • “exit” the command prompt

So what can you do? There are lots of things, tonight I used it to enumerate the extensions included in a PFX file, you can do this with OpenSSL too by looking at the ASN.1 but this way you get some of the Microsoft specific stuff expanded out to human readable things.

I should note that its old, its unsupported and it may have vulnerabilities in it — as such I unregister it when its not in use and I recomend you do the same.

Hope this helps someone,

Ryan

20 thoughts on “Using CAPICOM on Windows x64

  1. Pingback: lucadentella.it – VBScript: gestire certificati SSL

  2. John

    Thanks for that rmhrisk. I’ve been using capicom for years and love it. I’ve hit a wall however as it throws the dreaded error 429 ‘ActiveX component can’t create object’ on 64 bit MSAccess even though it runs fine in x86 VB6 on the same machine, same reference. Do you know any more on this or do you think it is likely dead in Access x64?

    Reply
      1. John

        Hi rmhrisk, sorry for the delay in replying.
        Yes I’ve installed the SDK, copied capicom.dll to c:\windows\syswow64 and successfully registered it using regsvr32 in that directory. 32-bit Access runs capicom fine on 64-bit Windows, however it fails on 64-bit Access because, as you say, “you cannot have a 64-bit thing call a 32-bit thing”.
        Regards

        Reply
    1. rmhrisk Post author

      It has been a very long time but I do not believe so, in general CRL and OCSP is abstracted out and not something people should work with directly. With that said these just get stored in the registry and if all you wanted to do was add or delete you should be able to do this with registry calls on your own. If you choose to do this remember that there is also the CryptNet cache which might re-populate the store at a later date if you do not clear it also.

      Reply
  3. RaTT

    And what’s the alternative to using CAPICOM nowadays, if I want the client to be able to sign some piece of text with his private key in some browser and then send the signed text with the public key to the server?

    Reply
      1. RaTT

        And do all of these libraries: PKIjs, forge and so on, require only modern browsers with WebCrypto support, right? And if I’m left with some legacy IE6-7, then I’m out of luck and have to invent a bicycle?

        Reply
  4. rmhrisk Post author

    Forge does not use webcrypto, or more correctly does not require it. It uses JavaScript implementations of crypto and if available gets random numbers from WebCrypto.

    See :https://tonyarcieri.com/whats-wrong-with-webcrypto

    I have also created a polyfill for webcrypto, that when not present, uses JavaScript webcrypto. This helps provide a solution for the transition to modern browsers.

    See: https://github.com/PeculiarVentures/webcrypto-liner

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *