I'm writing some SSL code, and I've found that it can only open and use the necessary certificate if the current user has administrative privileges, and our client is adamant that this code must work for ordinary users (and they don't want to move the certificate).

So,

1. The certificate is installed in the personal store of CERT_SYSTEM_STORE_LOCAL_MACHINE. It has a private key.

2. This line of code:
CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY" );

Works fine and dandy for Administrator, but for other users fails, and GetErrorCode returns 5 (ERROR_ACCESS_DENIED).

3. I can get CertOpenStore to work for non-admin users by adding the flag CERT_OPEN_READONLY_FLAG. If I do that I can also apply the context and all that without problems.

However, when I actually try to send an SSL message like this:

WinHttpSendRequest( hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, NULL, 0, dwPostSize, NULL);

It fails, and I get the generic error 12175 (ERROR_WINHTTP_SECURE_FAILURE).
Note though, as Administrator, it makes no difference whether I use CERT_OPEN_READONLY_FLAG -- it always works fine.

-------------------------

Any help massively appreciated.

As well as solutions, something that proves it is not possible for a non-admin to use this kind of certificate is equally helpful for me.
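One check worth running before concluding it is impossible: a read-only CertOpenStore only covers the certificate itself, while the TLS handshake also needs to read the private key file on disk, which has its own ACL. The PowerShell below is an added diagnostic (not code from the original post): run it elevated, passing the certificate thumbprint (assumed parameter) and the identity you expect to use the key (assumed default of BUILTIN\Users), to see whether that identity has Read on the key file.

```powershell
# Added diagnostic: locate the private key file behind a LocalMachine\My
# certificate and show who can read it. Assumes: thumbprint passed by caller,
# CAPI or CNG software key (not smart card / TPM), run as an administrator.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$Principal = 'BUILTIN\Users'   # identity to check; adjust to the real account
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# CAPI keys live under RSA\MachineKeys, CNG machine keys under Keys.
$keyFile = $null
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
} catch {
    throw "Could not open the private key as the current user: $($_.Exception.Message)"
}
if (-not $keyFile -or -not (Test-Path $keyFile)) { throw "Key file not found for $Thumbprint" }

"Private key file: $keyFile"
$acl = Get-Acl $keyFile
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Direct ACE check only: group membership of $Principal is not expanded here.
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Principal -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readMask) -eq $readMask)
}
if ($hasRead) {
    "$Principal has Read on the key file"
} else {
    "$Principal has no direct Read ACE on the key file; the handshake cannot use the key under that account"
}
```

If the principal lacks Read, granting it Read on that one key file (via the certificate MMC's "Manage Private Keys" or an ACL change on the file) lets a non-admin use the certificate without moving it or making the store writable.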