This is not an article, just a note prompted by the upcoming expiry of Sberbank's TLS certificates and the commotion around that event. In the comments to another article on the same topic I suggested a possible solution and was asked to describe it in detail, so here it is.
I did not like the workarounds proposed there: spinning up a virtual machine just for a browser with Sberbank in it, or installing a second browser with its own certificate store. Either way it takes a while to set up and burns extra resources. The option of creating your own CA and re-signing the certificates of the NCA (the National Certification Authority of the Ministry of Digital Development) with it is probably the most professional, but I was too lazy to work it out and do it.
It seems to me that it is quite simple to set the system up so that the browser used for Sberbank runs on behalf of a separate, dedicated user, and to install the Ministry of Digital Development's NCA certificates only in that user's environment.
Everything takes four and a half steps:
Create a user account.
Launch your favourite browser in the new account, download the certificates from Gosuslugi (the State Services portal) and install them into the user store (CurrentUser).
In your main working account, create a shortcut to the same browser that launches it on behalf of the new user.
Check the result. At the time of writing Sberbank still works on a Western-issued certificate, so egisz.rosminzdrav.ru can serve as the test site. In the working account, where the NCA certificates are not installed, opening it should produce a TLS error; in the browser opened as the new user it should load normally.
All of this can be done the traditional Windows way, with the mouse, following the instructions on the Sberbank and Gosuslugi sites, but it can also be done from PowerShell (run as administrator):
# Copy-paste and run the commands one at a time:
#
# Create the user with a strong password (MyStrongPassword is a placeholder; this command line, password included, ends up in the shell history)
net user sber MyStrongPassword /add
# Download the root certificate as the new user, so it lands in that user's profile
# (wget here is the Windows PowerShell alias for Invoke-WebRequest; the first runas with /savecred prompts for the password once and saves it)
runas /user:sber /savecred "powershell.exe wget -UseBasicParsing https://gu-st.ru/content/Other/doc/russian_trusted_root_ca.cer -OutFile ~\Downloads\russian_trusted_root_ca.cer"
# and install it into that user's store (Windows asks for confirmation when a root is added to CurrentUser\Root)
runas /user:sber /savecred "powershell.exe Import-Certificate -FilePath ~\Downloads\russian_trusted_root_ca.cer -CertStoreLocation cert:\CurrentUser\Root"
# Download the sub (intermediate) certificate
runas /user:sber /savecred "powershell.exe wget -UseBasicParsing https://gu-st.ru/content/Other/doc/russian_trusted_sub_ca.cer -OutFile ~\Downloads\russian_trusted_sub_ca.cer"
# and install it the same way, into the intermediate store
runas /user:sber /savecred "powershell.exe Import-Certificate -FilePath ~\Downloads\russian_trusted_sub_ca.cer -CertStoreLocation cert:\CurrentUser\CA"
What goes into the shortcut's Target field depends, of course, on the browser; in my case it is Microsoft Edge, so the target is:
C:\Windows\System32\runas.exe /user:sber /savecred "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe https://sberbank.ru"
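To check the result of the fourth step without clicking through browser error pages, here is an added PowerShell script (not part of the original note). It reports whether the NCA root is present in the CurrentUser and LocalMachine Root stores of whichever account runs it, and then performs a real TLS handshake using the standard Windows chain validation, which is the same trust decision a browser relying on the Windows certificate verifier makes. Assumptions, not taken from the note: the subject of the downloaded root contains "Russian Trusted Root CA" (adjust the pattern if yours differs; `Get-ChildItem Cert:\CurrentUser\Root` shows what you actually imported), and egisz.rosminzdrav.ru is reachable on port 443.

```powershell
# Added example (not from the original note): verify certificate trust in the
# account you are currently running as. Run it once in the main account and
# once as sber, e.g.
#   runas /user:sber /savecred "powershell.exe -File C:\path\Test-SberTrust.ps1"
# and compare the two outputs.

function Get-RussianRootPresence {
    # Assumed subject pattern; check your imported root with Get-ChildItem Cert:\CurrentUser\Root
    param([string]$SubjectPattern = '*Russian Trusted Root CA*')
    $stores = [ordered]@{
        'CurrentUser\Root'  = 'Cert:\CurrentUser\Root'
        'LocalMachine\Root' = 'Cert:\LocalMachine\Root'
    }
    foreach ($name in $stores.Keys) {
        $hits = Get-ChildItem $stores[$name] | Where-Object { $_.Subject -like $SubjectPattern }
        [pscustomobject]@{
            Store      = $name
            Present    = [bool]$hits
            Thumbprint = ($hits | Select-Object -First 1).Thumbprint
        }
    }
}

function Test-TlsTrust {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: the default validates the server chain
        # against this user's stores (CurrentUser + LocalMachine), exactly what
        # we want to compare between the two accounts.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [pscustomobject]@{ Host = $HostName; Trusted = $true;  Issuer = $ssl.RemoteCertificate.Issuer; Error = $null }
        } catch [System.Security.Authentication.AuthenticationException] {
            # Chain validation failed: untrusted root, name mismatch, expiry, ...
            [pscustomobject]@{ Host = $HostName; Trusted = $false; Issuer = $null; Error = $_.Exception.Message }
        } catch {
            # Anything else (connection reset, protocol failure) is reported, not swallowed
            [pscustomobject]@{ Host = $HostName; Trusted = $false; Issuer = $null; Error = "Handshake failed: $($_.Exception.Message)" }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Dispose()
    }
}

# Expected: as sber, CurrentUser\Root Present = True and egisz.rosminzdrav.ru Trusted = True;
# in the main account, both stores Present = False and Trusted = False for that host.
Get-RussianRootPresence | Format-Table -AutoSize
Test-TlsTrust -HostName 'egisz.rosminzdrav.ru' | Format-List
Test-TlsTrust -HostName 'sberbank.ru' | Format-List
```

If LocalMachine\Root ever reports Present = True, the isolation has been defeated: something installed the root machine-wide, and every account on the box now trusts it, not just sber.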
Of course, the solution has its downsides. For example, files downloaded from the site will by default land in the new user's home directory, which is probably not very convenient. Also, /savecred stores the sber password in the main account's Credential Manager, so anything launched from the main account can run as sber without being asked for it; keep sber a standard (non-administrator) user. Note too that /savecred is not available on Home editions of Windows.
What else can be done? You can stop the new user's browser from opening anything other than the Sber sites, so that you don't accidentally open Gmail there and become the victim of a man-in-the-middle attack: a root trusted in that account can vouch for any site that account visits, not only for Sberbank.
I am sure there are proper, by-the-book ways to do this. I like the quick&dirty way: log in as the new user, open the (old) Control Panel, Internet Options, configure a non-existent SOCKS proxy server, and add the domains *.sberbank.ru; *.sber.ru to the exception list.
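The same quick&dirty lockdown done from PowerShell instead of the Control Panel, as an added example that is not from the original note. Edge, like Internet Explorer before it, reads the per-user WinINET proxy settings under HKCU, so pointing the proxy at a port where nothing listens makes every host not on the bypass list fail, while the bypass list goes out directly. Assumptions, not from the note: the registry key and value names are the standard WinINET ones, 127.0.0.1:9 is unused on your machine (port 9 is the "discard" service, nothing normally listens there), and the domain list is the one the note gives. The script must run in the sber account, e.g. via `runas /user:sber /savecred "powershell.exe -File C:\path\Set-SberProxyLock.ps1"`; restart the browser afterwards so it picks up the new settings.

```powershell
# Added example (not from the original note): restrict the sber account's
# browser to the Sber domains by sending everything else to a dead proxy.
# Run this AS the sber user; it edits that user's HKCU hive only.

$ProxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-BrowserAllowList {
    $p = Get-ItemProperty -Path $ProxyKey
    [pscustomobject]@{
        Enabled  = ($p.ProxyEnable -eq 1)
        Proxy    = $p.ProxyServer
        Bypassed = @($p.ProxyOverride -split ';' | Where-Object { $_ })
    }
}

function Set-BrowserAllowList {
    param(
        [string[]]$AllowedDomains = @('*.sberbank.ru', '*.sber.ru'),
        # Plain host:port applies to all protocols; 'socks=127.0.0.1:9' would
        # reproduce the SOCKS-only setting from the Control Panel dialog.
        [string]$BlackHole = '127.0.0.1:9'
    )
    # ProxyOverride is a ';'-separated list of WinINET patterns; '<local>' keeps
    # plain (dotless) hostnames off the proxy as well.
    $override = ($AllowedDomains + '<local>') -join ';'
    Set-ItemProperty -Path $ProxyKey -Name ProxyEnable   -Value 1          -Type DWord
    Set-ItemProperty -Path $ProxyKey -Name ProxyServer   -Value $BlackHole -Type String
    Set-ItemProperty -Path $ProxyKey -Name ProxyOverride -Value $override  -Type String
    Get-BrowserAllowList
}

function Remove-BrowserAllowList {
    # Undo: disable the proxy and drop the two values again.
    Set-ItemProperty -Path $ProxyKey -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $ProxyKey -Name ProxyServer, ProxyOverride -ErrorAction SilentlyContinue
    Get-BrowserAllowList
}

Set-BrowserAllowList | Format-List
```

Keep in mind this only steers a browser that honours the system proxy; a program that ignores WinINET settings (or a user who edits them back) is not restricted, which is why the note calls it quick&dirty rather than a security boundary.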