CertificateInfoCertificateInfo is a content plugin that can show various information about certificate files like CER, CRT, DER, PEM, P7B, PFX, P12 and SST. It supports binary encoded files as well as Base64 encoded ones.
- Supports binary encoded X.509 certificate files, Base64 encoded X.509 certificate files, PKCS#7 messages, PKCS#12 messages and serialized certificate stores
- Supports multiple certificates in Base64 encoded files (PEM)
- Provides information fields like Subject, Issuer, Valid from/to, Signature algorithm, Serial, Thumbprint, and many more
- Check if a certificate is considered valid by the system the check is run on
- Show number of certificates contained within a certificate file
- Supports PFX files, with and without private key, but only those with an empty password
- Supports Unicode and long paths
- Windows 2000 or later, both 32 and 64 bit
- Total Commander 7.50 or later, both 32 and 64 bit
Since this plugin is a content plugin, it returns a so-called detect string to TC. This string is saved in wincmd.ini and
can be edited if necessary. See next section below.
The plugin also has additional settings which are saved in a different file. If you want to change any plugin settings you can use either
a) CertificateInfo.ini in the plugin's directory, orb) contplug.ini in the directory where wincmd.ini is located (default).
Option a) is good for portable mode, option b) is useful on systems where Total Commander is installed in a directory where users can't write to (like %ProgramFiles%).
Important: If CertificateInfo.ini exists in the plugin's directory it is preferred over contplug.ini!
A detect string contains all extensions for which TC makes calls to a plugin. Exemplary detect string:
n_detect="SIZE < 1048576 & (EXT = "CRT" | EXT="CER"....)"where n is the number assigned by TC to the plugin. If you need to add or remove file extensions, you can do so in wincmd.ini. Open wincmd.ini in your favorite editor, look for the plugin number assigned by TC in section [ContentPlugins], then look for the detect string starting with that same number, and make changes to the plugin's detect string as you see fit. Note that opening a new TC instance (or a TC restart) is required for any changes to take effect.
The TC Wiki article ContentGetDetectString is a good starting point if you need to make major changes to the detect string.
The settings are explained in the CertificateInfo.sample.ini file, but they're listed here for the sake of completeness.
|Setting and default||Description|
|CertCount = 3||Defines the number of certificates to provide in TC's interface. Values smaller than 1 are internally reset to 1. The plugin doesn't enforce an upper limit currently. Setting this to a larger value will allow access to more certificates contained in files like PEM and SST, but it may also make the field selection in TC cumbersome and/or confusing since each certificate provides more than a dozen content fields.|
|SerialCase = 0||0 - Don't change the case of the certificate's serial,
i.e. leave it to the OS or plugin functions (usually uppercase)
1 - Always show the certificate's serial in uppercase characters
-1 - Always show the certificate's serial in lowercase characters
|ThumbprintCase = 0||Set Thumbprint case. Same values as for SerialCase setting, see above.|
|CacheSize = 4000||Set the maximum number of items to cache in memory to allow TC fast access to the plugin field values. Values equal to or smaller than 0 are ignored.|
|ClearCacheOnRefresh = 1||1 - Flush the cache when the cm_RereadSource command is issued in TC, e.g. by pressing Ctrl+R. This
forces a refresh on all plugin field values, including the certificate's verification status if
this field is present in a custom column.
0 - Don't clear cache on cm_RereadSource.
|VerificationAllUsagesValid = 1||1 - Don't perform the default verification of the policy provider, i.e. consider all certificate
usages valid for the certificate verification.
0 - Perform the default verification of the policy provider, e.g. code signing for Authenticode. This may make certificates to be considered not valid for the intended usage.
|CriticalExtensionPrefix = "(!)"||Sets the prefix that is shown for the "Cert Extensions" fields if such an extension is set to critical in the certificate. By default the value is an exclamation mark in parentheses, more or less a textual representationn of the warning icon shown by Windows in the certificate properties. Set to an empty string to disable the prefix completely.|
|CleanUpTempDir = 0||If set to a value larger than 0, delete files named "tmp*.tmp" from user's %TEMP% directory that are left there due to a
Windows bug (see Known Issues section). This setting is disabled by default for security reasons,
and because it's only useful/relevant on older Windows versions. The value defines how many seconds old a file can be at
most to be considered for deletion.
Example: A value of 5 deletes only files whose last write time is within the last 5 seconds.
Certificate verification can take a long time in some cases, especially when that verification requires an internet connection. Thus, the values of the verification fields are returned to TC in a background thread.
The hex error codes given by the plugin are system error codes, and as such, are defined in the Windows API header file
winerror.h. This header file isn't particularly user-friendly because it's meant for software developers.
Here's an example of this
file at GitHub, where you can look up the error codes if you really want to.
Unfortunately, I haven't found a Microsoft source listing the error codes in a user-friendly way. But I have found a third-party source. All error codes related to certificates should be listed on the following two pages:
FACILITY_SSPI: the Security API layer.
FACILITY_CERT: a certificate client or server?
- Using the plugin might create several temporary files named "tmp*.tmp" in the user's %TEMP% directory. This is due
to a Windows bug affecting Windows 2000, XP, Server 2003/2008, and probably Windows Vista.
Since Microsoft already removed the article regarding the bug and the hotfix that is available for Server 2003/2008 (KB931908), the first-party information about this issue is gone. There are a couple of third-party sources quoting the original KB article, e.g. from PKI Solutions and BetaArchive.
Quote from the original KB article:
On a Windows Server 2003-based or Windows Server 2008-based client computer, the system does not delete a temporary file that is created when an application calls the "CryptQueryObject" functionTo solve this issue, you can install the hotfix, if available. The plugin provides a setting that acts as a workaround for cases where the hotfix isn't available; see CleanUpTempDir in Plugin settings for more information.
- On some Windows systems the field "Pubkey Len2" is empty. Officially, it's supposed to work on Windows 8 and later. In my tests it worked just fine on Windows 7 SP1, but not on WinXP or older.
Why is the plugin showing a different value for the Public Key Length, e.g. 4208 instead of 4096 or 2160 instead of 2048?
There are some good explanations in the answers of the following thread on StackExchange:
RSA public key and private key lengths.
The gist of it is this: A public key consists of a so-called modulus, an exponent and some other values. What is usually called a "4096 bit key" is a key having a 4096 bit modulus, and some additional bytes. That's why most (if not all) of the keys are longer in reality.
To show the traditional value, the plugin provides an additional field "Pubkey Len2". However, that field has its own set of problems, see Limitations for more information.
Why is the field "Pubkey Len2" empty, not providing any value?
See Limitations in section "Known issues and limitations" above.
Why doesn't the plugin show any information about larger certificate files?
The plugin returns a detect string to Total Commander which includes a file size specification. Currently only files up to
one MiB (roughly 1 MB) are considered. If you need to process larger files, you can change the value after SIZE in the
plugin's detect string in wincmd.ini.
Example: If you want to process files up to five MiB and the detect string looks like this
1_detect="SIZE < 1048576 & (EXT = "CRT" | EXT="CER"....)"change it into this:
1_detect="SIZE < 5242880 & (EXT = "CRT" | EXT="CER"....)"
Keep in mind that larger files take a longer time to process.
Why is the plugin creating lots of temporary files in the %TEMP% directory?
The files are created (and not deleted) by the system because of a Windows bug affecting older Windows versions. See Known Issues section for more details and a solution/workaround.
This software is provided "as is". No warranty provided. You use this program at your own risk. The author will not be responsible for data loss, damages, etc. while using or misusing this software.
The software must not be modified, you may not decompile or disassemble it.
This plugin is copyrighted freeware.
- Christian Ghisler, the author of Total Commander, for developing this great program that I use every day
- The members of the Delphi-PRAXiS forum that helped me understand and fix and optimize some things
If you have found a bug, have a suggestion, improvement, criticism, translation, you can contact me, Dalai,
in English or German, at:
Please put "CertificateInfo" somewhere in the subject.
There is a discussion thread in the official TC forum which can be used, too: https://ghisler.ch/board/viewtopic.php?t=77340