Re: Certificate added to the local machine store is implicitly added to the current user one as well?
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 7 Jun 2009 15:09:19 -0500
It may be worth pointing out that generally speaking, regular users have read access to HKLM, just not write access. So, the behavior here is consistent.
It IS possible to ACL a private key associated with a cert in the local machine store such that only specific users can access it. However, if the cert in question was just being used to build a trust chain (installed in intermediates or trusted roots), it will be available to everyone.
You didn't specify whether the cert being installed had a private key and whether it was the key you were interested in protecting.
If you do want a cert to only be available to a certain user, you would need to install it only in their store.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Innokentiy Ivanov" <ivanov@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:u2YTOcu5JHA.3592@xxxxxxxxxxxxxxxxxxxxxxx
Hello Laszlo,
Thanks for your answer.
It was a bit strange to find this stuff work in such a way. First, this behaviour is not documented anywhere. MSDN states that local machine and current user stores are independent and are kept in different registry branches. Second, it is hard to imagine whether the user who has no access to HKLM will be able to access common certificates contained in local machine stores. The third, and worst, is that this rule does not affect the predefined system stores (at least, the Personal, or "MY", one). One can import certificates to the MY store under the local machine account without having them added to the current user MY store.
With best wishes,
Innokentiy Ivanov
"lelteto" <lelteto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:C39B6B54-8C7B-4DA0-A56E-3101F4C6D384@xxxxxxxxxxxxxxxx
Think about it as "what's available for this user". Both the user's stuff and
the "everybody" stuff is available.
This is similar how the Start Menu works: If you add a shortcut to "All
Users" the same shortcut will appear to the current user's Start Menu.
So yes, this is by design.
Laszlo Elteto
SafeNet, Inc.
"Innokentiy Ivanov" wrote:
Hello,
Is it possible to import a certificate into the local machine system store,
having it not implicitly imported to the current user one? I open a local
machine store (my own, not of the predefined ones, such as My or Root) with
CertOpenStore(), specifying the CERT_SYSTEM_STORE_LOCAL_MACHINE flag. Then I
import a certificate to it with CertAddEncodedCertificateToStore() call.
However, the certificate becomes available in both local machine and current
user instances of the store.
MMC exposes the same behaviour when importing certificates to the local
machine instance of the store. Is that by design?
With best wishes,
Innokentiy Ivanov
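The behaviour the thread describes, reproduced with an added PowerShell script that is not part of the original posts: it adds a certificate to a custom LocalMachine store, checks whether the same-named CurrentUser store and CurrentUser\My show it, and then inspects the two places Joe's reply points at, the world-readable HKLM store key and the per-key ACL on the private key file. The store name, subject and service account are made up; the key file location assumes the default Microsoft Software Key Storage Provider (CNG). Run it in an elevated PowerShell on Windows.

```powershell
# Added example (not from the thread). Requires an elevated PowerShell on Windows.
$storeName = 'ThreadDemoStore'    # assumed custom store name, not a predefined one like My or Root
$StoreType = 'System.Security.Cryptography.X509Certificates.X509Store'

# Returns $true when a cert with the given thumbprint is visible through the
# named store opened at the given location (CurrentUser / LocalMachine).
function Test-StoreVisible([string]$Name, [string]$Location, [string]$Thumbprint) {
    $s = New-Object $StoreType -ArgumentList $Name, $Location
    $s.Open('ReadOnly')
    try     { [bool]($s.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }) }
    finally { $s.Close() }
}

# Constructed test certificate. Requesting it in Cert:\LocalMachine\My puts the
# private key into the machine key set.
$cert = New-SelfSignedCertificate -Subject 'CN=ThreadDemo' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy NonExportable

# 1. Add the certificate to the custom store under LocalMachine only.
$lm = New-Object $StoreType -ArgumentList $storeName, 'LocalMachine'
$lm.Open('ReadWrite'); $lm.Add($cert); $lm.Close()

# 2. Look for it through the CurrentUser instance of the same store name, and,
#    for contrast, through CurrentUser\My (the thread reports My is not merged).
"CurrentUser\$storeName sees it: " + (Test-StoreVisible $storeName 'CurrentUser' $cert.Thumbprint)
"CurrentUser\My sees it:         " + (Test-StoreVisible 'My' 'CurrentUser' $cert.Thumbprint)

# 3. Why every user sees the certificate: the store lives under HKLM, and regular
#    users have read access there. Only the private key carries a per-user ACL.
$regPath = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$storeName\Certificates"
(Get-Acl $regPath).Access | Select-Object IdentityReference, RegistryRights

# Private key file of a CNG machine key (assumed: Microsoft Software KSP, the
# default for New-SelfSignedCertificate). Its NTFS ACL decides who may use the key.
$rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
(Get-Acl $keyPath).Access | Select-Object IdentityReference, FileSystemRights

# Grant key usage to one principal (assumed account name). The certificate itself
# stays readable to everyone; only the key is restricted, which is Joe's point.
$acl  = Get-Acl $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\svc-tls', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Clean up the constructed artefacts.
$lm.Open('ReadWrite'); $lm.Remove($cert); $lm.Close()
Remove-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
```

The two Test-StoreVisible lines are the experiment the thread is about: the custom store is expected to show the certificate from both locations while CurrentUser\My does not. If the certificate must be visible to one user only, the store-level answer is Joe's last point: put it in that user's CurrentUser store instead; ACLing the key file only controls who can sign or decrypt with it.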
- References: "Certificate added to the local machine store is implicitly added to the current user one as well?" (Innokentiy Ivanov)