CertFindCertificateInStore() in HKLM cryptstore returns HKCU certificate ?!?!

From: Roelof Berg (rberg_at_berg-solutions.de)
Date: 09/11/03


Date: Thu, 11 Sep 2003 05:50:59 -0700


ooops, sorry, ignore that ... my fault ...

(The described behavior doesn't occur ...)

>-----Original Message-----
>Hello,
>
>Description: CertFindCertificateInStore(HKLM-Store-Handle,....)
>returns certificates that only exist in HKCU !
>
>What I do: I open the default HKLM "My"-systemstore:
>
>h=CertOpenStore(CERT_STORE_PROV_SYSTEM,0,NULL,
>CERT_STORE_OPEN_EXISTING_FLAG |
>CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY");
>
>Then I call:
>
>pCert=CertFindCertificateInStore(h, X509_ASN_ENCODING, 0,
>CERT_FIND_ISSUER_NAME, szIssuersSubject, *pCert);
>
>I (definitely !) have only one Certificate in my
>HKLM "My" store. I call it "Cert A" here. In my HKCU
>store I additionally have several other test-certificates.
>Call it "Cert B" and "Cert C".
>
>The strange thing is: CertFindCertificateInStore()
>returns one of the HKCU certs (e.g. "Cert B"). How can
>that be, when I perform the search in the HKLM
>CertStore ? Is this behavior by design, is it a bug, is
>it known ? What can I do to find only certificates
>in the HKLM CertStore ?
>
>Note: B and C were generated by Non-MS CSPs (Siemens
>Sicrypt and GemPlus IKey 1000 CSPs).
>
>.
>
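
A way to confirm, outside the program under test, which store a certificate actually lives in: the PowerShell script below (an added example, not code from the original post) opens the LocalMachine and CurrentUser "My" stores separately through .NET's X509Store and reports, for each machine-store certificate whose issuer matches, whether the same thumbprint also exists in the user store. `$IssuerFragment`, its default value and `Get-StoreCerts` are hypothetical names chosen for illustration.

```powershell
# Added example; $IssuerFragment and Get-StoreCerts are hypothetical names.
param([string]$IssuerFragment = 'Example Test CA')   # constructed sample value

function Get-StoreCerts {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location,
        [string]$Name = 'My'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $Name, $Location
    # ReadOnly: no write access to the machine store is needed.
    # OpenExistingOnly: fail instead of silently creating a missing store.
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'
    $store.Open($flags)
    try {
        foreach ($cert in $store.Certificates) {
            [pscustomobject]@{
                Location   = $Location
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
            }
        }
    }
    finally {
        $store.Close()
    }
}

# Read each location on its own so the two result sets cannot be mixed up.
$machine = @(Get-StoreCerts -Location LocalMachine)
$user    = @(Get-StoreCerts -Location CurrentUser)

# Issuer match restricted to the machine store; the fragment is taken literally.
$pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($IssuerFragment) + '*'
$hits = @($machine | Where-Object { $_.Issuer -like $pattern })

$hits | ForEach-Object {
    [pscustomobject]@{
        Thumbprint      = $_.Thumbprint
        Subject         = $_.Subject
        InLocalMachine  = $true
        AlsoInCurrentUser = ($user.Thumbprint -contains $_.Thumbprint)
    }
} | Format-Table -AutoSize

"{0} machine-store cert(s), {1} user-store cert(s), {2} issuer match(es) in LocalMachine\My" -f `
    $machine.Count, $user.Count, $hits.Count
```

A certificate that an application reports as found in the machine store but that is absent from the `$machine` list was not read from LocalMachine\My, which points at the store handle or search arguments used by the application.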


