I have a C++ application that makes an HTTPS connection to one of our servers. In my ideal world, I would like the following to happen:
- Application starts
- The application makes Windows trust a root CA (no GUI, just system calls)
- The application talks to the server, does its job, etc.
- The application makes Windows forget the root CA
- Done
I do NOT want other applications to trust this root CA. Therefore, I do not want to install the certificate system-wide. I would also like the user to not need administrator rights.
My initial plan was to create an in-memory store (CERT_STORE_PROV_MEMORY), add my certificate to it, and then add that in-memory store to the system store using CertAddStoreToCollection.
While all the CryptoAPI calls succeed, WinHttp still doesn't like it.
Here's the skeleton of what I'm doing. Maybe someone knows a trick? Or perhaps this approach is fundamentally wrong?
```cpp
// Create an in-memory store and add the root certificate to it
hMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY, ...);
pCert = CertCreateCertificateContext(..., pCertBytes, ...);
CertAddCertificateContextToStore(hMemStore, pCert, ...);
// Open the system ROOT store and attach the memory store to its collection
hRootStore = CertOpenSystemStore(NULL, "ROOT");
CertAddStoreToCollection(hRootStore, hMemStore, ...);
// Then later on...
WinHttpSendRequest(...)
```
A few notes:
- Everything works when I use WinHttp's SECURITY_FLAG_IGNORE_UNKNOWN_CA, so I'm sure this is really the problem.
- I already saw this SO question; it is close, but it does not address how to make a certificate trusted only temporarily, while the application is running.
Thanks!
jw