So CAPICOM was one of the projects I was responsible for while at Microsoft. It's been discontinued, but I still find it useful: it is kind of a Swiss Army knife for CryptoAPI certificate stores when paired with its VBS samples.
One of its problems is that we never shipped a 64-bit version. You can do similar things with PowerShell and the .NET classes (this is why it was discontinued), but I still find this the quickest way to do stuff sometimes, so I keep it in my toolbelt.
Here is what you need to know to make it work:
- Windows can run 32-bit things in 64-bit environments.
- You cannot have a 64-bit thing call a 32-bit thing.
- Windows ships a 32-bit cmd prompt.
- Windows ships a 32-bit regsvr32.
To use CAPICOM you need to:
- Download CAPICOM: http://www.microsoft.com/en-us/download/details.aspx?id=25281
- Install CAPICOM
- Register CAPICOM
- Open an administrative command prompt
- cd to "C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2 SDK\Lib\X86"
- copy CAPICOM.DLL %windir%\syswow64
- %windir%\syswow64\regsvr32.exe %windir%\syswow64\capicom.dll
- "exit" the command prompt
So what can you do? Lots of things. Tonight I used it to enumerate the extensions included in a PFX file; you can do this with OpenSSL too by looking at the ASN.1, but this way you get some of the Microsoft-specific stuff expanded out into human-readable form.
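As an added example (not from the original post or the CAPICOM SDK samples), here is a VBScript that prints every extension in a PFX, decoded with CAPICOM's EncodedData.Format, which is what produces the human-readable output described above. It assumes CAPICOM is registered as described and is run under the 32-bit script host; the file path and password are command-line arguments, and the script name pfxext.vbs is just a placeholder.

```vbscript
' Added example (not from the original post): dump the extensions in a PFX
' with CAPICOM 2.1, decoded to readable text via EncodedData.Format.
' Run under the 32-bit script host so the 32-bit COM server can be created:
'   %windir%\SysWOW64\cscript.exe //nologo pfxext.vbs "C:\path\cert.pfx" "password"
Option Explicit

' CAPICOM enumeration values used by Certificate.Load for PFX files
Const CAPICOM_KEY_STORAGE_DEFAULT = 0   ' key is not marked exportable
Const CAPICOM_CURRENT_USER_KEY    = 1   ' import into the current user's key store

Dim args, cert, ext, critical
Set args = WScript.Arguments
If args.Count < 1 Then
    WScript.Echo "Usage: cscript pfxext.vbs <file.pfx> [password]"
    WScript.Quit 1
End If

' Error 429 here means the 64-bit cscript.exe was used or CAPICOM is not registered
Set cert = CreateObject("CAPICOM.Certificate")

' Caveat: loading a PFX imports its private key into a key container on this
' machine, unlike a read-only OpenSSL dump; remove it afterwards if unwanted.
If args.Count >= 2 Then
    cert.Load args(0), args(1), CAPICOM_KEY_STORAGE_DEFAULT, CAPICOM_CURRENT_USER_KEY
Else
    cert.Load args(0)
End If

WScript.Echo "Subject    : " & cert.SubjectName
WScript.Echo "Issuer     : " & cert.IssuerName
WScript.Echo "Thumbprint : " & cert.Thumbprint
WScript.Echo "Has key    : " & cert.HasPrivateKey
WScript.Echo ""

' Each Extension carries its OID, criticality and the DER value; Format(True)
' goes through CryptFormatObject, so Microsoft-specific extensions such as
' certificate template or application policies come out as text, not raw hex.
For Each ext In cert.Extensions
    critical = ""
    If ext.IsCritical Then critical = "  [critical]"
    WScript.Echo ext.OID.FriendlyName & " (" & ext.OID.Value & ")" & critical
    WScript.Echo ext.EncodedData.Format(True)
Next
```

Unknown OIDs print with an empty friendly name and a hex dump of the value, which is the same fallback CryptoAPI uses in the certificate viewer.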
I should note that it's old, it's unsupported and it may have vulnerabilities in it — as such I unregister it when it's not in use and I recommend you do the same.
Hope this helps someone,
Ryan
So is there a cmdlet for signing an EXE? What classes would you use in .NET?
Thanks a lot, it was very useful!
Does this work in Windows 8 64 bit?
Should
Yes, it is working, thanks a lot.
How would I know when it is needed? How would I un/re-register it?
You know when a script you're using says it requires it. You can unregister it using the /u switch.
Thanks for that, rmhrisk. I've been using CAPICOM for years and love it. I've hit a wall, however, as it throws the dreaded error 429 'ActiveX component can't create object' on 64-bit MS Access even though it runs fine in x86 VB6 on the same machine, same reference. Do you know any more on this, or do you think it is likely dead in Access x64?
Have you followed the steps in this post?
Hi rmhrisk, sorry for the delay in replying.
Yes I’ve installed the SDK, copied capicom.dll to c:\windows\syswow64 and successfully registered it using regsvr32 in that directory. 32-bit Access runs capicom fine on 64-bit Windows, however it fails on 64-bit Access because, as you say, “you cannot have a 64-bit thing call a 32-bit thing”.
Regards
You can have a 64-bit thing call a 32-bit thing, especially CAPICOM. It involves loading CAPICOM into a COM+ application.
Here are 2 references:
https://support.microsoft.com/en-us/kb/281335
http://stackoverflow.com/questions/768336/wrap-32-bit-dll-for-64-bit-operating-system-to-work-with-regsvr32-exe
It is true that by abstracting the 32-bit component into a COM+ application you abstract the problem away.
Is there a way to manage locally stored CRLs with CAPICOM, like importing and deleting?
It has been a very long time, but I do not believe so; in general CRL and OCSP are abstracted out and not something people should work with directly. With that said, these just get stored in the registry, and if all you wanted to do was add or delete you should be able to do this with registry calls on your own. If you choose to do this, remember that there is also the CryptNet cache, which might re-populate the store at a later date if you do not clear it also.
And what’s the alternative to using CAPICOM nowadays, if I want the client to be able to sign some piece of text with his private key in some browser and then send the signed text with the public key to the server?
I have created this: https://pkijs.org
Today this is what I would use.
And do all of these libraries: PKIjs, forge and so on, require only modern browsers with WebCrypto support, right? And if I’m left with some legacy IE6-7, then I’m out of luck and have to invent a bicycle?
Forge does not use WebCrypto, or more correctly does not require it. It uses JavaScript implementations of crypto and, if available, gets random numbers from WebCrypto.
See: https://tonyarcieri.com/whats-wrong-with-webcrypto
I have also created a polyfill for WebCrypto that, when it is not present, uses JavaScript WebCrypto. This helps provide a solution for the transition to modern browsers.
See: https://github.com/PeculiarVentures/webcrypto-liner
Works fine for me, very useful. Thanks!
Thanks for the information! I've been searching for months for why a certain site (Dubai Customs) that uses CAPICOM doesn't work. Now everything is OK.