I just stumbled upon this old question. I wish I had seen this before.
Many years ago, I wrote a sample that shows how to do this with CAPICOM. Unfortunately, CAPICOM is being phased out by Microsoft, although it still works.
I found an old isapiCertPolicy sample on Koders:
http://www.koders.com/cpp/fid977D79B2C51AD2423E4F57B6B36C3806F167CF79.aspx
Here are the relevant code snippets:
#import "capicom.dll" char CertificateBuf[8192]; CERT_CONTEXT_EX ccex; ccex.cbAllocated = sizeof(CertificateBuf); ccex.CertContext.pbCertEncoded = (BYTE*)CertificateBuf; ccex.dwCertificateFlags = 0; DWORD dwSize = sizeof(ccex); fOk = pCtxt->ServerSupportFunction( (enum SF_REQ_TYPE)HSE_REQ_GET_CERT_INFO_EX, (LPVOID)&ccex, &dwSize, NULL); _bstr_t bstrCert( SysAllocStringLen( (OLECHAR * )ccex.CertContext.pbCertEncoded, (ccex.CertContext.cbCertEncoded+1)/2), FALSE); CAPICOM::ICertificate2Ptr Cert(__uuidof(CAPICOM::Certificate)); Cert->Import(bstrCert); CAPICOM::IChainPtr Chain(__uuidof(CAPICOM::Chain)); BOOL fOk = Chain->Build(Cert); CAPICOM::ICertificatesPtr Certs(NULL); Certs = Chain->Certificates; CAPICOM::ICertificate2Ptr ParentCert(Certs->Item[2])
The Chain object creates a certificate chain. If you cannot use CAPICOM, you can get a certificate chain using the Crypto API CertGetCertificateChain function, but it works more.