I'm writing some SSL code, and I've found that it can only open and use the necessary certificate if the current user has administrative privileges, and our client is adamant that this code must work for ordinary users (and they don't want to move the certificate).
1. The certificate is installed in the personal store of CERT_SYSTEM_STORE_LOCAL_MACHINE. It has a private key.
2. This line of code:
CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY" );
Works fine and dandy for Administrator, but for other users fails, and GetErrorCode returns 5 (ERROR_ACCESS_DENIED).
3. I can get CertOpenStore to work for non-admin users by adding the flag CERT_OPEN_READONLY_FLAG. If I do that I can also apply the context and all that without problems.
However, when I actually try to send an SSL message like this:
OK, well, if anyone's following this thread because they have a similar problem, I haven't solved the problem but it really does seem that ordinary, non-admin users cannot use the CERT_SYSTEM_STORE_LOCAL_MACHINE store.
Regular users only have read access to HKEY_LOCAL_MACHINE, but read-write to HKEY_CURRENT_USER (where the certificate system stores are actually located http://msdn.microsoft.com/en-us/libr...36(VS.85).aspx).
Erm, and it looks like WinHttpSendRequest needs read-write access to the certificate store? That's the only explanation I can come up with for why WinHttpSendRequest fails even when I use the READONLY flag when opening the certificate.
The 'solution' was just to move the certificate to HKEY_CURRENT_USER and change the code accordingly, despite our client's objections that they really, really wanted the cert to be in HKEY_LOCAL_MACHINE, for no given reason.
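As an added diagnostic (not code from the thread or its poster), the script below separates the two things a non-admin user is doing here: reading the certificate from the LocalMachine MY store, and opening its private key. It assumes PowerShell 5 or later on Windows, and the thumbprint value is a placeholder to be replaced with the real certificate's thumbprint.

```powershell
# Added example, not from the original thread. Run it as the ordinary (non-admin) user
# whose SSL code fails, to see which step is actually denied.
param(
    # Assumption: placeholder, replace with the thumbprint of the certificate in LocalMachine\My.
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
)

function Test-MachineCertAccess {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $result = [pscustomobject]@{
        Found         = $false   # certificate present in LocalMachine\My
        HasPrivateKey = $false   # store entry carries a key reference
        KeyReadable   = $false   # current user can actually open that key
        Error         = $null
    }

    # Step 1: read the store. Enumerating LocalMachine\My needs only read access,
    # which ordinary users have, so this is the equivalent of CertOpenStore with
    # CERT_STORE_READONLY_FLAG succeeding.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        $result.Error = 'certificate not found in LocalMachine\My'
        return $result
    }
    $result.Found = $true
    $result.HasPrivateKey = $cert.HasPrivateKey
    if (-not $cert.HasPrivateKey) { return $result }

    # Step 2: open the private key. The machine key container has its own ACL,
    # separate from the store, and by default only Administrators and SYSTEM can
    # read it; this is the step where a non-admin user typically gets
    # "Access is denied" (ERROR_ACCESS_DENIED, 5) even though the store opened.
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -ne $key) {
            # Force a real key operation so a lazily-opened handle cannot mask a denial.
            $null = $key.SignData([byte[]](1,2,3),
                [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            $result.KeyReadable = $true
            $key.Dispose()
        }
    } catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}

Test-MachineCertAccess -Thumbprint $Thumbprint | Format-List
```

If the output shows Found and HasPrivateKey as True but KeyReadable as False with an access-denied error, the store is not what blocks the user; the ACL on the private key is. An administrator can grant that user (or the service account) Read on the key from certlm.msc (All Tasks, Manage Private Keys) without moving the certificate out of the LocalMachine store, which is the least-privilege alternative to either running the code as an administrator or relocating the certificate to HKEY_CURRENT_USER.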