Enumeration of values for CertOpenStore() pvPara parameter

I need to programmatically add some CA certificates and CRLs to two different local computer certificate stores.

Adding certificates is simple:

If the certificate is self-signed, then we add it to Third-party Root Certification Authorities.  Otherwise, add it to Intermediate Certification Authorities.

This is easily done with .NET because the certificate stores are enumerated:

// Try/catch blocks removed for readability
// Requires: using System.Security.Cryptography.X509Certificates;
// x509Certificate2 is the certificate being added (loaded elsewhere).

string storeType = string.Empty;
string subject = string.Empty;
string issuer = string.Empty;

X509Store rootStore = new X509Store(StoreName.AuthRoot, StoreLocation.LocalMachine);
rootStore.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);
X509Certificate2Collection rootCollection = new X509Certificate2Collection();

X509Store intermediateStore = new X509Store(StoreName.CertificateAuthority, StoreLocation.LocalMachine);
intermediateStore.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);
X509Certificate2Collection intermediateCollection = new X509Certificate2Collection();

issuer = x509Certificate2.Issuer;
subject = x509Certificate2.Subject;

// Try to put self-signed certs in the Third Party Root Certification 
// Authorities store and all others in the Intermediate Certification Authorities
// store.
if (issuer == subject)
    storeType = "Third Party Root Certification Authorities";
else
    storeType = "Intermediate Certification Authorities";


Adding CRLs is not as easy, as there is no .NET class for X.509 CRLs.  We must revert to the Win32 CertOpenStore() function via PInvoke.

IntPtr hLocalCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, IntPtr.Zero, CERT_SYSTEM_STORE_LOCAL_MACHINE, storeName);

In scouring the Internet for the last parameter of CertOpenStore, there appears to be only one clue to the enumeration of certificate store names in Win32:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa376559%28v=vs.85%29.aspx says:

 // Other common system stores include "Root", "Trust", and "Ca".

"Root" maps to "Trusted Root Certification Authorities".  "CA" seems to map to "Intermediate Certification Authorities".  The question is, what is the correct system Win32 store name for "Third-Party Root Certification Authorities"?
1 Solution
I'd have a look at this example (in C) which enumerates stores:


There are other samples around there which might be helpful.

cgi-bin (Author) Commented:
That's exactly what I needed.  Thanks very much!
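
As an added example (not part of the original thread, and not the C sample the answer refers to), the same enumeration can be done from C# by P/Invoking CertEnumSystemStore(), which lists the names accepted as pvPara when the provider is CERT_STORE_PROV_SYSTEM. On Windows the store displayed as "Third-Party Root Certification Authorities" has the system name "AuthRoot"; the class and method names below are illustrative, and the code runs only on Windows.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

static class SystemStoreNames
{
    // CERT_SYSTEM_STORE_LOCAL_MACHINE_ID (2) << CERT_SYSTEM_STORE_LOCATION_SHIFT (16), from wincrypt.h
    const uint CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000;

    // PFN_CERT_ENUM_SYSTEM_STORE: invoked once per system store at the chosen location.
    // Without CERT_SYSTEM_STORE_RELOCATE_FLAG, pvSystemStore is a Unicode string.
    [UnmanagedFunctionPointer(CallingConvention.Winapi)]
    delegate bool EnumStoreCallback(
        [MarshalAs(UnmanagedType.LPWStr)] string storeName, uint flags,
        IntPtr storeInfo, IntPtr reserved, IntPtr arg);

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertEnumSystemStore(
        uint flags, IntPtr locationPara, IntPtr arg, EnumStoreCallback callback);

    // Returns the Win32 names of all local-machine system stores.
    static List<string> LocalMachineStores()
    {
        var names = new List<string>();
        // Returning true from the callback continues the enumeration.
        EnumStoreCallback cb = (name, f, info, r, a) => { names.Add(name); return true; };
        if (!CertEnumSystemStore(CERT_SYSTEM_STORE_LOCAL_MACHINE, IntPtr.Zero, IntPtr.Zero, cb))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return names;
    }

    static void Main()
    {
        Console.WriteLine("Local machine system stores:");
        foreach (string name in LocalMachineStores())
            Console.WriteLine("  " + name);

        // Cross-check: X509Store.Name exposes the Win32 name behind each StoreName value
        // used in the question, so the same string can be passed to CertOpenStore().
        foreach (StoreName sn in new[] { StoreName.Root, StoreName.AuthRoot, StoreName.CertificateAuthority })
            Console.WriteLine("{0} -> {1}", sn, new X509Store(sn, StoreLocation.LocalMachine).Name);
    }
}
```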
