hMyCertStore = CertOpenSystemStore(0, "MY");
In the stand alone exe it works as expected.
When the same code is used in an ATL DLL through a web application it
fails. The error number is 5 and description is "Access is denied".
Since all web access occurs through the security context of
IUSR_MACHINENAME, adding this user to the administrators group confirms
this is related to permissions. The question:
How does one make this work? MS indicates that wininet should not be
used in server applications and points to the SDK sample which,
disappointingly enough, does not demonstrate usage in a web server
environment.
Thanks for any assistance you can offer,
Dave

The way to get around this is to use CertOpenStore and pass the
(CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags. It's
essentially the same, except for the permissions being asked for.
Mind you, I don't think you'll find any certificates in the default profile
unless you already have certificates in there. Another thing you might
try is adding the certificates to the local machine (requires administrative
access) and having the application look in that store.
thanks
Carlos

Thanks for the information. What store would contain the certificate
required to initiate an SSL connection to a remote web server? How
would the following line look in such a case assuming the security
context of IUSR_MACHINENAME is being used?
hMyCertStore = CertOpenSystemStore(0, "MY");
Thanks,
Dave

How you place the certificate in the store depends on how you are getting
the certificate. If you have a pfx file you can use mmc.exe and select the
certificate snap-in to store the certificate in the Personal store. You have
to select the "Computer Account" option in the first dialog when you load
the snap-in.
CertOpenStore would look like:
hMyCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A,
                             X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                             0,   /* no provider handle needed for a system store */
                             CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG,
                             "MY");
if (hMyCertStore == NULL) {
    /* GetLastError() gives the reason, e.g. ERROR_ACCESS_DENIED (5) */
}
thanks
Carlos
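
The two steps Carlos describes in this thread, scripted as an added example (this is not code from the thread or from Microsoft): an administrator imports the pfx into the Local Machine Personal store once, and the application account then opens that store read-only to find the certificate. The .NET X509Store.Open(ReadOnly) call on StoreLocation.LocalMachine is a wrapper over the same CertOpenStore call shown above, with CERT_SYSTEM_STORE_LOCAL_MACHINE and CERT_STORE_READONLY_FLAG. The pfx path and the certificate subject are placeholders, and Import-PfxCertificate assumes a Windows host with the PKI module available.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original thread. Placeholders: the pfx path and
# the subject name; substitute your own values.
param(
    [string]$PfxPath = 'C:\certs\client.pfx',      # placeholder
    [string]$Subject = 'CN=client.example.test'    # placeholder, exact DN match
)

# Step 1 (run elevated, once): import the pfx into LocalMachine\My. This is the
# scripted form of the mmc "Computer Account" -> Personal import described above.
function Import-ClientCertificate {
    param([string]$Path)
    $password = Read-Host -AsSecureString 'PFX password'
    Import-PfxCertificate -FilePath $Path `
                          -CertStoreLocation 'Cert:\LocalMachine\My' `
                          -Password $password
}

# Step 2 (run as the application's identity, no admin rights): open the store
# read-only and look the certificate up. OpenFlags.ReadOnly on LocalMachine is
# CertOpenStore(..., CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG, "MY").
function Find-ClientCertificate {
    param([string]$SubjectName)
    $store = [X509Store]::new([StoreName]::My, [StoreLocation]::LocalMachine)
    try {
        $store.Open([OpenFlags]::ReadOnly)
        $found = $store.Certificates.Find(
            [X509FindType]::FindBySubjectDistinguishedName, $SubjectName, $false)
        if ($found.Count -eq 0) {
            throw "No certificate with subject '$SubjectName' in LocalMachine\My"
        }
        $cert = $found[0]
        # A client certificate cannot authenticate an SSL session without its
        # private key, so report whether one is attached in this store.
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
    finally {
        $store.Close()
    }
}

# Usage: the first call once from an elevated prompt, the second as the
# account the web application runs under.
# Import-ClientCertificate -Path $PfxPath
# Find-ClientCertificate -SubjectName $Subject
```

Being able to read the store is separate from being able to use the key: if HasPrivateKey is true but the SSL handshake still fails under the application account, check the access control list on the private key itself, since the store open succeeds for any local account while the key remains restricted to the accounts granted read on it.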