CertificateInfo
CertificateInfo is a Total Commander content plugin (WDX) that provides various pieces of information about certificate files like CER, CRT, DER, PEM, P7B, PFX, P12 and SST. It supports binary encoded files as well as Base64 encoded ones. Just like any content plugin it can be used in TC's custom columns, search function, tooltips and so on. See TC Wiki for more information.
It can also be used as a packer plugin (WCX) with which it's possible to extract single certificates from certificate files and to convert between binary and Base64 formats.
1. Features
- Supports binary encoded X.509 certificate files, Base64 encoded X.509 certificate files, PKCS#7 messages, PKCS#12 messages and serialized certificate stores
- Supports multiple certificates in Base64 encoded files (PEM)
- Provides over a dozen information fields for each certificate including Subject, Issuer, Valid from/to, Signature algorithm, Pubkey Length, Serial, Thumbprint, and many more
- Check if a certificate is considered valid by the system the check is run on
- Show number of certificates contained within a certificate file
- Supports PFX files, with and without private key, but only those with an empty password
- Extract certificates from certificate files containing one or multiple certificates (WCX)
- Convert certificates from binary to Base64 or vice versa (WCX)
- Supports Unicode and long paths (> 259 characters)
2. System Requirements
- Windows 2000 or later, both 32 and 64 bit
- Total Commander 7.50 or later, both 32 and 64 bit
3. Registration as a packer plugin (WCX)
Extract the plugin archive to a directory of your choice. The extraction can be skipped if the plugin has been installed as a content plugin already. To use this plugin as a packer plugin it needs to be associated with the extensions of certificate files, one extension per line. This is done in section [PackerPlugins] of wincmd.ini. Here's an example of what it could look like:
[PackerPlugins]
crt=260,%COMMANDER_PATH%\Plugins\CertificateInfo\CertificateInfo.wdx
cer=260,%COMMANDER_PATH%\Plugins\CertificateInfo\CertificateInfo.wdx
der=260,%COMMANDER_PATH%\Plugins\CertificateInfo\CertificateInfo.wdx
pem=260,%COMMANDER_PATH%\Plugins\CertificateInfo\CertificateInfo.wdx
p7b=260,%COMMANDER_PATH%\Plugins\CertificateInfo\CertificateInfo.wdx
p12=260,%COMMANDER_PATH%\Plugins\CertificateInfo\CertificateInfo.wdx
pfx=260,%COMMANDER_PATH%\Plugins\CertificateInfo\CertificateInfo.wdx
sst=260,%COMMANDER_PATH%\Plugins\CertificateInfo\CertificateInfo.wdx
cabundle=260,%COMMANDER_PATH%\Plugins\CertificateInfo\CertificateInfo.wdx
You can copy the content of the box above and paste it into your wincmd.ini and add or remove any extensions/lines as you see fit. Change the path of CertificateInfo.wdx as needed.
The number 260 is the sum of these two flags:
4 - Archive can contain multiple files
256 - Don't show packer icon, don't open archive with Enter but with Ctrl+PgDn
More information about the flags can be found in the TC Wiki for function GetPackerCaps.
If you want to show certificate files as archives and open them with Enter set the number to 4. Note that this plugin does not support any changes to existing archives nor can it create new ones.
4. Plugin settings
4.1. Location of plugin settings files
As a content plugin (WDX) this plugin returns a so-called detect string to TC. This string is saved in wincmd.ini and can be edited and customized if necessary. See next section below.
The plugin has additional settings which are saved in a different file. If you want to change any plugin settings you can do so in either
- CertificateInfo.ini in the plugin's directory, or
- contplug.ini (WDX) or pkplugin.ini (WCX) in the directory where wincmd.ini is located (default).
The first option is good for portable mode, the latter option is useful on systems where Total Commander is installed in a directory where users can't write to (like %ProgramFiles%).
Important: If CertificateInfo.ini exists in the plugin's directory it takes precedence over contplug.ini and pkplugin.ini!
4.2. Detect string (WDX)
A detect string contains all extensions for which TC makes calls to a plugin. Exemplary detect string:
n_detect="SIZE < 1048576 & (EXT = "CRT" | EXT="CER"....)"
where n is the number assigned by TC to the plugin. If you need to add or remove file extensions, you can do so in wincmd.ini. Open wincmd.ini in your favorite editor, look for the plugin number assigned by TC in section [ContentPlugins], then look for the detect string starting with that same number, and make changes to the plugin's detect string as you see fit. Note that opening a new TC instance (or a TC restart) is required for any changes to take effect. The TC Wiki article ContentGetDetectString is a good starting point if you need to make major changes to the detect string.
4.3. The settings in detail
The settings are explained in the CertificateInfo.sample.ini file, but they're also listed here for reference.
Section [CertificateInfo] (WDX only)
Setting and default | Description |
---|---|
CertCount = 3 | Defines the number of certificates to provide in TC's interface. Values smaller than 1 are internally reset to 1. The plugin doesn't enforce an upper limit currently. Setting this to a larger value allows access to more certificates contained in files like PEM and SST, but it may also make the field selection in TC cumbersome and/or confusing since there are more than a dozen content fields for each certificate. |
SerialCase = 0 | 0 - Don't change the case of the certificate's serial, i.e. leave it to the OS or plugin functions (usually uppercase). 1 - Always show the certificate's serial in uppercase characters. -1 - Always show the certificate's serial in lowercase characters. |
ThumbprintCase = 0 | Set Thumbprint case. Same values as for SerialCase setting, see above. |
CacheSize = 4000 | Set the maximum number of items to cache in memory to allow TC fast access to the plugin field values. Values equal to or smaller than 0 are ignored. |
ClearCacheOnRefresh = 1 | 1 - Flush the cache when the cm_RereadSource command is issued in TC, e.g. by pressing Ctrl+R. This forces a refresh on all plugin field values, including the certificate's verification status if this field is present in a custom column. 0 - Don't clear the cache on cm_RereadSource. Note that, even with cache flushing disabled, items will still be removed from the cache once CacheSize is reached. |
VerificationAllUsagesValid = 1 | 1 - Don't perform the default verification of the policy provider, i.e. consider all certificate usages valid for the certificate verification. 0 - Perform the default verification of the policy provider, e.g. code signing for Authenticode. This may cause certificates to be considered not valid for the intended usage. |
CriticalExtensionPrefix = "(!)" | Sets the prefix that is shown for the "Cert Extensions" fields if an extension's critical flag is set. By default the value is an exclamation mark in parentheses, more or less a textual representation of the warning icon shown by Windows in the certificate properties. Set to an empty string to disable the prefix completely. |
CleanUpTempDir = 0 | If set to a value larger than 0, delete files named "tmp*.tmp" from the user's %TEMP% directory that are left there due to a Windows bug (see Known Issues section). This setting is disabled by default for security reasons, and because it's only useful/relevant on older Windows versions. The value defines how many seconds old a file can be at most to be considered for deletion. Example: A value of 5 deletes only files whose last write time is within the last 5 seconds. |
Section [CertificateInfo.Packer] (WCX only)
Setting and default | Description |
---|---|
PrependNumber = 0 | 1 - Prepend a number to the certificate subject. Filenames will be shown as "<nr>. <cert_subject>", i.e. the number is used as the filename and the cert subject as extension. This mode is best used in conjunction with a custom filename extension (see Extension setting). 0 - Append a number to the certificate subject. Filenames will be shown as "<cert_subject>.<nr>", i.e. the certificate subject is used as filename and the number as extension. |
Extension = "" | Extension to append to the filenames. Some users might want to add ".crt" or similar. The value can be given with or without a leading dot. See section Filenames in archives (WCX) below for the pros and cons of appending an extension. |
UnpackLastWriteTime = 1 | Set the last write time (last modified) of extracted files to what is shown within the archive. Set to 0 to leave the last write time untouched, i.e. current time. |
DateTimeValidTo = 0 | When enabled (set to 1) the plugin uses the certificate's "Valid to" value instead of "Valid from". This applies to archive listing as well as extraction of files/certificates (if UnpackLastWriteTime=1). |
CleanUpTempDir = 0 | See setting of the same name in section [CertificateInfo] above for explanation. |
4.4. Filenames in archives (WCX)
The settings PrependNumber and Extension control what filenames in archives look like. Each combination of these settings has its pros and cons.
Settings | Resulting filenames | Pros | Cons |
---|---|---|---|
PrependNumber = 0, Extension = "" | <cert_subject>.<nr> | | |
PrependNumber = 1, Extension = "" | <nr>. <cert_subject> | | |
PrependNumber = 0, Extension = ".crt" | <cert_subject>.<nr>.crt | | |
PrependNumber = 1, Extension = ".crt" | <nr>. <cert_subject>.crt | | |
5. Certificate verification
Certificate verification can take a long time in some cases, especially when that verification requires an internet connection. Thus, the values of the verification fields are returned to TC in a background thread.
The hex error codes given by the plugin are system error codes, and as such, are defined in the Windows API header file winerror.h. This header file isn't particularly user-friendly because it's meant for software developers. Here's an example of this file at GitHub, where you can look up the error codes if you really want to.
Unfortunately, I haven't found a Microsoft source listing the error codes in a user-friendly way. But I have found a third-party source. All error codes related to certificates should be listed on the following two pages:
- FACILITY_SSPI: the Security API layer.
- FACILITY_CERT: a certificate client or server?
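Added example (not part of the plugin; plain Python, nothing Windows-specific): a small decoder for the hex codes the verification fields show. It splits a Windows HRESULT into severity, facility and code using the documented HRESULT bit layout (bit 31 severity, bits 16-26 facility, bits 0-15 code), so that even a code missing from the short name table below is at least assigned to FACILITY_SSPI or FACILITY_CERT, which tells you which of the two pages above to look it up on. The facility numbers and the symbolic names in the table are taken from winerror.h; only a handful of common chain and trust errors are listed, the rest you look up yourself. CERT_E_WRONG_USAGE is the kind of code you get when VerificationAllUsagesValid=0 makes the policy provider reject a certificate for the intended usage.

```python
"""Decode the HRESULT values shown in CertificateInfo's verification fields."""

# Facility numbers from winerror.h (only the ones relevant to certificate errors).
FACILITIES = {
    7: "FACILITY_WIN32",
    9: "FACILITY_SSPI",   # Security API layer: CRYPT_E_* and most TRUST_E_* codes
    11: "FACILITY_CERT",  # certificate client/server: CERT_E_* codes
}

# A few common chain/trust errors from winerror.h. Unknown values still get a
# decoded facility so you know which reference page to consult.
KNOWN_CODES = {
    0x800B0101: ("CERT_E_EXPIRED", "certificate validity period has passed"),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT", "chain ends in a root that is not trusted"),
    0x800B010A: ("CERT_E_CHAINING", "a certificate chain could not be built"),
    0x800B010C: ("CERT_E_REVOKED", "certificate was explicitly revoked"),
    0x800B010F: ("CERT_E_CN_NO_MATCH", "subject name does not match the expected name"),
    0x800B0110: ("CERT_E_WRONG_USAGE", "certificate is not valid for the requested usage"),
    0x80092012: ("CRYPT_E_NO_REVOCATION_CHECK", "revocation check could not be performed"),
    0x80092013: ("CRYPT_E_REVOCATION_OFFLINE", "revocation server was offline"),
    0x80096004: ("TRUST_E_CERT_SIGNATURE", "certificate signature could not be verified"),
}


def parse_code(text):
    """Accept the code the way TC shows it, e.g. '800B0101' or '0x800B0101'."""
    return int(str(text).strip(), 16)


def decode_hresult(value):
    """Split an HRESULT into its documented fields and attach a name if known."""
    value &= 0xFFFFFFFF
    severity = "failure" if value & 0x80000000 else "success"
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name, meaning = KNOWN_CODES.get(value, (None, None))
    return {
        "hresult": f"0x{value:08X}",
        "severity": severity,
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": code,
        "name": name,
        "meaning": meaning,
    }


def describe(value):
    """One-line human readable summary, e.g. for pasting into a bug report."""
    d = decode_hresult(value)
    text = f'{d["hresult"]}: {d["name"] or "unknown code"} ({d["facility"]}, code 0x{d["code"]:04X})'
    if d["meaning"]:
        text += f': {d["meaning"]}'
    return text


if __name__ == "__main__":
    for shown in ("800B0101", "80092013", "0x800B0199"):  # constructed sample values
        print(describe(parse_code(shown)))
```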
6. Known issues and limitations
6.1. Known Issues
- Using the plugin might create several temporary files named "tmp*.tmp" in the user's %TEMP% directory. This is due to a Windows bug affecting Windows 2000, XP, Server 2003/2008, and probably Windows Vista. Since Microsoft already removed the article regarding the bug and the hotfix that is available for Server 2003/2008 (KB931908), the first-party information about this issue is gone. There are a couple of third-party sources quoting the original KB article, e.g. from PKI Solutions and BetaArchive.
Quote from the original KB article: On a Windows Server 2003-based or Windows Server 2008-based client computer, the system does not delete a temporary file that is created when an application calls the "CryptQueryObject" function
To solve this issue, you can install the hotfix, if available. The plugin provides a setting that acts as a workaround for cases where the hotfix isn't available; see CleanUpTempDir in Plugin settings for more information.
6.2. Limitations
- On some Windows systems the field "Pubkey Len2" is empty. Officially, it's supposed to work on Windows 8 and later. In my tests it worked just fine on Windows 7 SP1 (with KB4474419 installed), but not on WinXP or older.
- [WCX] On Windows 2000 the plugin won't provide Base64 (PEM) files via its packer interface due to the CryptBinaryToString API function not being available.
- [WCX] The sizes shown for Base64 encoded (PEM) files are based on a calculation approximating their real size. Showing correct file sizes would require the plugin to convert the binary data to Base64 already when TC requests the directory listing, which would slow things down unnecessarily. According to my tests, the size of an extracted certificate file can be up to two bytes larger compared to what is shown in TC. This is an acceptable deviation (considering the tiny file sizes).
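Added example (not the plugin's code, which only approximates) showing where the exact PEM size comes from: Base64 needs 4 output characters per 3 input bytes, rounded up (that is the padding), and the output is wrapped into lines with a line break after each one, so the true size depends on both remainders. The code assumes the layout that Windows' CryptBinaryToString produces for a certificate by default, i.e. 64-character lines terminated by CRLF between a "-----BEGIN CERTIFICATE-----" and an "-----END CERTIFICATE-----" line; the DER payload is a constructed byte string, since only its length matters here.

```python
"""Exact size of a PEM (Base64) certificate file for a DER blob of a given length."""
import base64
import math

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----\r\n"
PEM_END = b"-----END CERTIFICATE-----\r\n"
LINE_LEN = 64  # assumed line length, the CryptBinaryToString default

# Constructed stand-in for DER bytes: 1000 bytes, content irrelevant for sizing.
SAMPLE_DER = bytes(i % 256 for i in range(1000))


def build_pem(der):
    """Encode DER bytes the way a PEM certificate file is laid out."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)]
    return PEM_BEGIN + b"".join(line + b"\r\n" for line in lines) + PEM_END


def pem_size_exact(der_len):
    """Size in bytes of build_pem(der) for a DER blob of der_len bytes, without encoding it.

    4 * ceil(n / 3) covers the Base64 padding; every line, including a
    shorter last one, costs two extra bytes for CRLF.
    """
    b64_chars = 4 * math.ceil(der_len / 3)
    lines = math.ceil(b64_chars / LINE_LEN)
    return len(PEM_BEGIN) + b64_chars + 2 * lines + len(PEM_END)


def sizes_agree(der):
    """Cross-check the formula against the real encoding."""
    return pem_size_exact(len(der)) == len(build_pem(der))


if __name__ == "__main__":
    print(len(SAMPLE_DER), "DER bytes ->", pem_size_exact(len(SAMPLE_DER)), "PEM bytes")
    print("formula matches encoder:", sizes_agree(SAMPLE_DER))
```

A listing that skips the rounding in either term is what produces the one- or two-byte deviation mentioned above; the formula itself is exact for the assumed line format.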
7. Frequently Asked Questions
Why is the plugin showing a different value for the Public Key Length, e.g. 4208 instead of 4096 or 2160 instead of 2048?
There are some good explanations in the answers of the following thread on StackExchange:
RSA public key and private key lengths.
The gist of it is this: A public key consists of a so-called modulus, an exponent and some other values. What is usually called a "4096 bit key" is a key having a 4096 bit modulus, and some additional bytes. That's why most (if not all) of the keys are longer in reality.
To show the traditional value, the plugin provides an additional field "Pubkey Len2". However, that field has its own set of problems, see Limitations for more information.
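Added example, not the plugin's code: the two figures from the question (4208 for a 4096 bit modulus, 2160 for 2048) are exactly the bit length of the DER-encoded PKCS#1 RSAPublicKey structure, which is what the public key blob of a Windows certificate holds for RSA keys. The structure is SEQUENCE { INTEGER modulus, INTEGER publicExponent }; the modulus gets a leading 0x00 byte because its top bit is set, and each element carries a tag byte and two or three length bytes. The code below builds that encoding by hand from a constructed modulus (a number with the right bit length, not a real key) and the usual exponent 65537, so the two lengths can be compared without any crypto library.

```python
"""Why 'Pubkey Length' shows 4208 for a 4096 bit RSA key: count the DER bytes."""


def der_length(n):
    """DER length octets: one byte below 128, otherwise 0x80|count followed by the count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER (tag 0x02). A leading 0x00 keeps values with the top bit set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_rsa_public_key(modulus, exponent):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = der_integer(modulus) + der_integer(exponent)
    return b"\x30" + der_length(len(content)) + content


def modulus_bits(modulus):
    """The 'traditional' key size, as shown by Pubkey Len2."""
    return modulus.bit_length()


def encoded_key_bits(modulus, exponent=65537):
    """Bit length of the whole encoded public key, as shown by Pubkey Length."""
    return len(der_rsa_public_key(modulus, exponent)) * 8


def constructed_modulus(bits):
    """Constructed value with the requested bit length (top bit set, odd); NOT a real key."""
    return (1 << (bits - 1)) | 1


if __name__ == "__main__":
    for bits in (2048, 4096):
        n = constructed_modulus(bits)
        print(f"modulus {modulus_bits(n)} bits -> encoded RSAPublicKey {encoded_key_bits(n)} bits")
```

For the 4096 bit case the arithmetic is: 513 modulus bytes + 4 bytes of tag and length, 5 bytes for the exponent INTEGER, 4 bytes for the outer SEQUENCE tag and length, 526 bytes in total, i.e. 4208 bits.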
Why is the field "Pubkey Len2" empty, not providing any value?
See Limitations in section "Known issues and limitations" above.
Why doesn't the plugin show any information about larger certificate files?
The plugin returns a detect string to Total Commander which includes a file size specification. Currently only files up to one MiB (roughly 1 MB) are considered. If you need to process larger files, you can change the value after SIZE in the plugin's detect string in wincmd.ini.
Example: If you want to process files up to five MiB and the detect string looks like this
1_detect="SIZE < 1048576 & (EXT = "CRT" | EXT="CER"....)"
change it into this:
1_detect="SIZE < 5242880 & (EXT = "CRT" | EXT="CER"....)"
Keep in mind that larger files take a longer time to process.
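Added example, not part of the plugin: a script that performs the edit described above, so the plugin number does not have to be looked up by hand. It reads the [ContentPlugins] section, finds the number whose path ends in CertificateInfo.wdx (the "n=path" lines are assumed to follow TC's usual layout, alongside the "n_detect=" lines shown above) and rewrites only the SIZE bound of that plugin's detect string. The wincmd.ini content below is a constructed sample; to use the script on a real file, read the file, run the two functions, and write the result back while TC is closed, since TC rewrites wincmd.ini on exit.

```python
"""Raise the SIZE limit in CertificateInfo's detect string in wincmd.ini."""
import re

MIB = 1024 * 1024

# Constructed sample of the relevant wincmd.ini sections (not a real configuration).
SAMPLE_WINCMD_INI = """\
[Configuration]
UseIniInProgramDir=7

[ContentPlugins]
0=%COMMANDER_PATH%\\Plugins\\CertificateInfo\\CertificateInfo.wdx
0_detect="SIZE < 1048576 & (EXT = "CRT" | EXT="CER" | EXT="PEM")"
1=%COMMANDER_PATH%\\Plugins\\Other\\Other.wdx
1_detect="SIZE < 1048576 & EXT = "TXT""
"""


def _section_lines(ini_text, section):
    """Yield (line index, line) for every line inside the given [section]."""
    current = None
    for i, line in enumerate(ini_text.splitlines()):
        m = re.match(r"^\s*\[(.+?)\]\s*$", line)
        if m:
            current = m.group(1).lower()
            continue
        if current == section.lower():
            yield i, line


def find_plugin_number(ini_text, dll_name):
    """Return the number TC assigned to the plugin whose path ends with dll_name."""
    for _, line in _section_lines(ini_text, "ContentPlugins"):
        m = re.match(r"^(\d+)=(.*)$", line)
        if m and m.group(2).strip().lower().endswith(dll_name.lower()):
            return m.group(1)
    return None


def set_detect_size_limit(ini_text, number, max_bytes):
    """Rewrite 'SIZE < old' in <number>_detect; return (new text, whether anything changed)."""
    lines = ini_text.splitlines(keepends=True)
    pattern = re.compile(rf'^({re.escape(number)}_detect=".*?SIZE\s*<\s*)(\d+)')
    changed = False
    for i, _ in _section_lines(ini_text, "ContentPlugins"):
        new_line, count = pattern.subn(rf"\g<1>{max_bytes}", lines[i])
        if count:
            lines[i] = new_line
            changed = True
    return "".join(lines), changed


if __name__ == "__main__":
    number = find_plugin_number(SAMPLE_WINCMD_INI, "CertificateInfo.wdx")
    new_text, changed = set_detect_size_limit(SAMPLE_WINCMD_INI, number, 5 * MIB)
    print("plugin number:", number, "| changed:", changed)
    print(new_text)
```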
Why is the plugin creating lots of temporary files in the %TEMP% directory?
The files are created (and not deleted) by the system because of a Windows bug affecting older Windows versions. See Known Issues section for more details and a solution/workaround.
8. License
This software is provided "as is". No warranty provided. You use this program at your own risk. The author will not be responsible for data loss, damages, etc. while using or misusing this software.
The software must not be modified, you may not decompile or disassemble it.
This plugin is copyrighted freeware.
9. Thanks to
- Christian Ghisler, the author of Total Commander, for developing this great program that I use every day
- The members of the Delphi-PRAXiS forum that helped me understand and fix and optimize some things
- Project JEDI for translating the Windows API header files to Delphi
10. Contact
If you have found a bug, have a suggestion, improvement, criticism, translation, you can contact me, Dalai, in English or German, at:
Mail: dalai82@gmx.net
Please put "CertificateInfo" somewhere in the subject.
There is a discussion thread in the official TC forum which can be used, too: https://ghisler.ch/board/viewtopic.php?t=77340