microsoft/Windows-Containers

Allow importing trusted root certificates into the per-user root store as ContainerUser

Opened this issue · 1 comments

fschmied commented

Is your feature request related to a problem? Please describe.
When developing container-based distributed applications (e.g., based on microservices), it's often required to import custom trusted root certificates at container startup time. It's considered best practice to run such containers under the ContainerUser account, not the ContainerAdministrators account. As the ContainerUser account cannot import certificates into the machine store, the certificate must be imported into the user store.

However, this fails with the following error:

The operation was canceled by the user. 0x800704c7 (WIN32: 1223 ERROR_CANCELLED)

This is probably due to Windows trying to present an interactive dialog box (which you can see on a desktop system). Of course, this doesn't work in a container or in any other non-interactive setting.

Describe the solution you'd like
Importing trusted root certificates into the user store should just work. Or at least there should be a switch to make it possible.

Describe alternatives you've considered

  • Importing the certificate into the machine store works when the container entrypoint is running under the ContainerAdministrator account. However, this is considered bad practice from a security point of view.
  • Importing the certificate into the machine store as ContainerAdministrator during the image build phase (from the Dockerfile), then switching to ContainerUser works, but is not an option for us, as the certificates aren't known at image build time. On the one hand, for our own deployments, the lifecycle of those certificates is different from that of our containers/container images. On the other hand, we distribute our container images to external users and we cannot know what certificates they use.
  • Starting the container entrypoint under ContainerAdministrator, then, after importing the certificates into the machine store, switching to ContainerUser somehow might be an option, but we don't know how to implement that.

Additional context
Here's a repro sample with certoc.exe (must be in the current directory):

Host> docker run -it --rm -v .:C:/Certificates mcr.microsoft.com/dotnet/sdk:8.0-nanoserver-ltsc2022

Microsoft Windows [Version 10.0.20348.2461]
(c) Microsoft Corporation. All rights reserved.

C:\>cd certificates

C:\certificates>copy con mycertificate.cer
-----BEGIN CERTIFICATE-----
MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCB
vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W
ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
Fw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJVUzEX
MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0
IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9y
IGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNh
bCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj1mCOkdeQmIN65lgZOIzF
9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGPMiJhgsWH
H26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+H
LL729fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN
/BMReYTtXlT2NJ8IAfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPT
rJ9VAMf2CGqUuV/c4DPxhGD5WycRtPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFsw
WTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgs
exkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud
DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4
sAPmLGd75JR3Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+
seQxIcaBlVZaDrHC1LGmWazxY8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz
4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTxP/jgdFcrGJ2BtMQo2pSXpXDrrB2+
BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR
lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3
7M2CYfE45k+XmCpajQ==
-----END CERTIFICATE-----
^Z
        1 file(s) copied.

C:\certificates>certoc -addstore -User root mycertificate.cer
Store(root) User:
The operation was canceled by the user. 0x800704c7 (WIN32: 1223 ERROR_CANCELLED)

And here is a follow-up trying the same with PowerShell:

C:\certificates>pwsh
PowerShell 7.4.2
PS C:\certificates> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("mycertificate.cer")
PS C:\certificates> $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("root", "CurrentUser")
PS C:\certificates> $rootStore.Open("MaxAllowed")
PS C:\certificates> $rootStore.Add($cert)
MethodInvocationException: Exception calling "Add" with "1" argument(s): "The operation was canceled by the user."
PS C:\certificates> $rootStore.Close()
ntrappe-msft commented

Created internal thread to discuss this feature request: 🔖 51838093.

  • ❤️2