Re: Certificate added to the local machine store is implicitly added t



Hello Laszlo,

Thanks for your answer.

It was a bit strange to find that this stuff works in such a way. First, this
behaviour is not documented anywhere. MSDN states that local machine and
current user stores are independent and are kept in different registry
branches. Second, it is hard to imagine whether the user who has no access
to HKLM will be able to access common certificates contained in local
machine stores. Third, and worst, this rule does not affect the predefined
system stores (at least the Personal, or "MY", one). One can import
certificates into the MY store under the local machine account without having
them added to the current user MY store.

With best wishes,
Innokentiy Ivanov


"lelteto" <lelteto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C39B6B54-8C7B-4DA0-A56E-3101F4C6D384@xxxxxxxxxxxxxxxx
Think about it as "what's available for this user". Both the user's stuff
and the "everybody" stuff are available.
This is similar to how the Start Menu works: if you add a shortcut to "All
Users", the same shortcut will appear in the current user's Start Menu.
So yes, this is by design.

Laszlo Elteto
SafeNet, Inc.

"Innokentiy Ivanov" wrote:

Hello,

Is it possible to import a certificate into the local machine system store
without having it implicitly imported into the current user one? I open a
local machine store (my own, not one of the predefined ones, such as My or
Root) with CertOpenStore(), specifying the CERT_SYSTEM_STORE_LOCAL_MACHINE
flag. Then I import a certificate into it with a
CertAddEncodedCertificateToStore() call. However, the certificate becomes
available in both the local machine and current user instances of the store.

MMC exhibits the same behaviour when importing certificates into the local
machine instance of the store. Is that by design?

With best wishes,
Innokentiy Ivanov
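The check below is an added example for this thread, not code from either poster. It reproduces the experiment in the original question from PowerShell: it adds a certificate to a LocalMachine store opened the way the poster opened it (X509Store wraps CertOpenStore with CERT_SYSTEM_STORE_LOCAL_MACHINE / CERT_SYSTEM_STORE_CURRENT_USER), then reports which logical view exposes the certificate and which registry hive actually holds its entry, so you can tell a merged view apart from a second copy. It assumes Windows, an elevated session (writing to a LocalMachine store needs it), and .NET Framework 4.7.2+ or PowerShell 7 for CertificateRequest. The store name StoreMergeDemo, the function names and the throw-away self-signed certificate are constructed for the example and do not come from the thread.

```powershell
# Added example (not from the original posts). See the lead-in for assumptions.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-PublicOnlyTestCertificate {
    # Constructed throw-away certificate; only the public part is returned so
    # no private key is ever written into the machine store.
    $rsa = [RSA]::Create(2048)
    try {
        $req = [CertificateRequest]::new('CN=store-merge-test', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        $full = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddMinutes(-5),
                                      [DateTimeOffset]::UtcNow.AddHours(1))
        try { [X509Certificate2]::new($full.Export([X509ContentType]::Cert)) }
        finally { $full.Dispose() }
    } finally { $rsa.Dispose() }
}

function Edit-LocalMachineStore {
    # Same operation as the poster's CertOpenStore(CERT_SYSTEM_STORE_LOCAL_MACHINE)
    # followed by adding the certificate; -Remove undoes it. Needs admin rights.
    param(
        [Parameter(Mandatory)][string]$StoreName,
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [switch]$Remove
    )
    $store = [X509Store]::new($StoreName, [StoreLocation]::LocalMachine)
    try {
        $store.Open([OpenFlags]::ReadWrite)
        if ($Remove) { $store.Remove($Certificate) } else { $store.Add($Certificate) }
    } finally { $store.Close() }
}

function Find-CertificateViews {
    # Which logical view (LocalMachine / CurrentUser) lists the thumbprint?
    param(
        [Parameter(Mandatory)][string]$StoreName,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    foreach ($location in [StoreLocation]::LocalMachine, [StoreLocation]::CurrentUser) {
        $store = [X509Store]::new($StoreName, $location)
        try {
            $store.Open([OpenFlags]::ReadOnly)
            $hit = $store.Certificates.Find([X509FindType]::FindByThumbprint, $Thumbprint, $false)
            [pscustomobject]@{ View = $location; Visible = ($hit.Count -gt 0) }
        } finally { $store.Close() }
    }
}

function Find-CertificateRegistryEntries {
    # Each system store is backed by a registry key; the certificate's
    # thumbprint is the subkey name. This shows where the bytes really are.
    param(
        [Parameter(Mandatory)][string]$StoreName,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\SOFTWARE\Microsoft\SystemCertificates\$StoreName\Certificates\$Thumbprint"
        [pscustomobject]@{ Hive = $hive; Path = $path; Present = (Test-Path -Path $path) }
    }
}

# Hypothetical custom (non-predefined) store name, as in the original question.
$storeName = 'StoreMergeDemo'
$cert = New-PublicOnlyTestCertificate
Edit-LocalMachineStore -StoreName $storeName -Certificate $cert
try {
    Find-CertificateViews -StoreName $storeName -Thumbprint $cert.Thumbprint |
        Format-Table -AutoSize
    Find-CertificateRegistryEntries -StoreName $storeName -Thumbprint $cert.Thumbprint |
        Format-Table -AutoSize
} finally {
    # Leave the machine store as it was found.
    Edit-LocalMachineStore -StoreName $storeName -Certificate $cert -Remove
}
```

Read the two tables together: if the CurrentUser view lists the certificate while only the HKLM registry entry is present, the current-user view is merging in the machine location rather than holding its own copy, which is the distinction the thread is arguing about. Run the same two functions against a predefined name such as My or Root to compare. Note that opening a system store through X509Store (CertOpenStore without CERT_STORE_OPEN_EXISTING_FLAG) creates the store's registry key if it does not exist yet, so an empty HKCU key for the demo store may be left behind; pass OpenExistingOnly in Find-CertificateViews if you want the open to fail instead.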


