Brendan Burns

Importing a X.509 certificates into a Windows Certificate Store and granting a user access to it can be a real pain. Especially if you have to do it on multiple machines!

Fear not, my friend: it can be automated, for both local and remote machines. I thought I might document how to do it because it took some time to get working.

The below script will:

1. Check whether the certificate (.pfx file) is already in the certificate store
2. If not already there, import the certificate
3. Find the key via its thumbprint, using Microsoft’s FindPrivateKey tool
4. Grant a user access to the key

NOTE: the below script is strictly illustrative – error handling and commenting are left as exercises for the reader ;)

@echo off
SETLOCAL ENABLEEXTENSIONS

:grantaccess
icacls.exe "%certpath%" /grant %user%:R

And that’s it.

If you cut and paste the above into a .bat file and name it something like install.bat, you can invoke it like this:
install.bat user_name footprint certificate_filename certificate_password
For example:
install.bat "IIS App Pool\AppPool1" bc4da1aa2b7116abe33277a44eaab2135210e23b certificate.pfx password

Some pre-requisites/gotchas:

1. You will need Microsoft’s FindPrivateKey tool which will locate the certificate in the store. You can obtain FindPrivateKey in the WCF samples: download
2. The script will locate the certificate by its footprint, which you will need to determine in advance by importing the certificate manually
3. You can also use FindPrivateKey to locate the certificate by subject name, but I found that locating it by footprint was more reliable for multi-line subjects
4. To grant access an IIS app pool access to the certificate, you need to specify the app pool name in the format
   "IIS App Pool\app_pool_name"

Installing the certificate on a remote machine

I used the SysInternals tool PSExec to run the script on remote machines, using the below parameters:
PSExec.exe /accepteula \\hostname -i -s -w remote_working_folder cmd /c "script_with_parameters"
Where:

• hostname: the hostname on which the script will run
• remote_working_folder: folder on the host which contains the certificate to import and the FindPrivateKey tool exe
• script_with_parameters: the batch file to run with all parameters specified

For example:
PSExec.exe /accepteula \\myhost -i -s -w c:\temp cmd /c install.bat "IIS App Pool\AppPool1" bc4da1aa2b7116abe33277a44eaab2135210e23b certificate.pfx password"

This week I had a great question from a reader, Kevin Parisot:

“I am a team leader of a small app dev team and I came across your blog articles on the use of wikis. I am very interested in setting up a wiki for my team for many of the reasons you have noted. Hoping you could give me a little advice.

I’m hoping to find something that’s very easy to use and …free!

What wiki engine do you use and how did you choose it.”

My preferred wiki is MediaWiki – it’s fast, easy to use & install… and free! It’s the same software used by Wikipedia and is well supported with extensions. I’ve used it at two workplaces before with great success.

Where I work now we use TWiki, which is also very good and has plenty of extensions available, but I find it a little slower and clunkier to use than MediaWiki. On the other hand, it has access control (which we currently don’t use).

If you can get budget for it (because it’s not free) I would also recommend Confluence, by Atlassian. A wonderful feature it is has is cutting and pasting of images into the WYSIWYG editor; otherwise, uploading images can be a little tedious with wikis.

But for something free, and depending on your specific requirements and whether you need access control, I’d recommend MediaWiki or TWiki.

– if anybody else has any questions, please feel free to email them to me!

What’s the biggest waste in software development?

It’s pretty easy to come up with many different answers to this question – defects, technical debt, project overruns, projects cancellations – even company failures. There is so much waste in software development it’s hard to know where to start!

According to Mary Poppendieck, thought leader in Lean Software Development, the answer is simple: the biggest waste in software development is building the wrong thing!

Similarly, when Steve Jobs returned to Apple in 1997, he famously said, “focusing is about saying no”. By ruthlessly cutting the product range, Apple’s talent was then free to work on products like the iPod, a device with a brilliantly simple user interface, with no wasted features.

I’d like to combine Mary and Steve’s ideas and say that we can help build the right thing by saying no. By cutting wasted time, effort, energy, and money, we can channel our resources to produce the best we are capable of.

Here are 5 ways it can be done:

1. Say No to New Feature Waste

New feature waste includes new features that don’t give enough value to justify their cost.

The Agile methodology helps us here. By breaking work down into stories, and by engaging product owners and prioritising stories, our team should be working on the most valuable thing possible at any point in time.

Every time we de-prioritise or de-scope a story, or a whole project for that matter, we make a conscious decision not to do something right now. This allows us to focus our immediate efforts on the work that add the most value.

2. Say No to Legacy Feature Waste

It’s not enough just to look at new features – we should also review products and features we already have.

According to Mary Poppendieck, 64% of software features are never or rarely used. Unused features add overhead to new development work via increased system complexity and additional testing.

I have a rule that if I haven’t used a piece of clothing in over a year, I donate it to charity; perhaps if a feature also hasn’t been used for a similar length of time, it too can be shown the door.

3. Say No to Frilled Waste

Frilled waste is waste due to developing more than was required, by adding bells and whistles, or over-engineering the solution.

We should only implement the minimum to satisfy the requirement.

This can be counter-intuitive. Naturally, we should aim to product quality solutions, and minimise technical debt. But if we go over-the-top in what we deliver, we are probably diverting our resources from higher priority stories, whilst possibly adding complexity.

4. Say No to Automated Test Waste

Automated tests can add huge value to the team and greatly enhance quality. But every test comes at a development and maintenance cost, so we need to be careful to ensure that each test adds value relative to its cost.

We should review our test suite continually to ensure the tests still add value, they are correct, and are free of duplication. Keeping redundant automated test code adds complexity, maintenance and execution time.

5. Say No to Fluffy Waste

The “just say no” concept can be extended to almost any part of the software development process. Think about your daily work, such as emails and meetings. Is that meeting or email completely necessary? What are the alternatives, or how could it be rationalised to provide the most “bang for buck”?

Our work should be a continual process of asking ourselves why are we doing this? Because it’s what we choose not to do that cuts through, simplifies and allows us to focus on what makes us and our software successful.

Installing a Microsoft .NET assembly into the GAC used to be fairly trivial. Unfortunately, I just spent some frustrating time learning that things have changed quite a bit with .NET 4.

I began with my .NET 4 assembly and tried to install it via the usual approach, dragging and dropping it into the %windir%\assembly folder via the Explorer shell extension. Strange; nothing happened.

A quick search revealed that for .NET 4, Microsoft, for reasons which do not seem to be well documented, have created a new GAC location, in the %windir%\Microsoft.NET folder.

Well, that was annoying, I thought: but I could deal with it. I tried dropping the file into the new GAC folder… but there is no nice Explorer shell extension for the new GAC. Doh! (for the second time)

Ok, time to drop to the command line and fire up good ol’ gacutil.exe.

FAIL

I received this error message:
“Failure adding assembly to the cache: This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.”

Sigh. Ok, I thought, I’ll just use the .NET 4 version of gacutil.exe. After a quick search of my PC I learned that it’s not installed with Version 4 of framework, nor with Visual Studio 10.

Yet another brick wall! But no worries – I would just download it. I found out via Matt Whetton’s Blog that I needed to download Microsoft Windows SDK for Windows 7 and .NET Framework 4 to get it, so I did (while wondering why I need to download that whole SDK to get gacutil??)

So then I found gacutil in the bin folder of the SDK and I ran it. Arrgh, it returned the same error message again!

Eventually I found the .NET 4 version of GACUtil in the SDK – it’s nestled in
C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\NETFX 4.0 Tools.

Sigh. Could Microsoft really make things any more difficult? I just wanted to install an assembly into the GAC!

By the way, if you need to copy gacutil onto a server, you will need to copy the following files to it: gacutil.exe, gacutil.exe.config and gacutlrc.dll (the last one located in the 1033 sub folder containing gacutil).