Important: |
---|
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
A system store is a collection consisting of one or more physical sibling stores. For each system store, there are predefined physical sibling stores. After opening a system store such as MY at CERT_SYSTEM_STORE_CURRENT_USER, the store provider calls CertOpenStoreto open each of the physical stores in the system store collection. For each system store location, the predefined systems stores are:
- MY
- Root
- Trust
- CA
In CERT_SYSTEM_STORE_CURRENT_USER, there is also a predefined UserDS store. A smart card store is planned for this location.
CERT_SYSTEM_STORE_CURRENT_USER system stores are at registry location HKEY_CURRENT_USER\Comm\Security\SystemCertificates.
The predefined physical stores associated with those system stores are as follows.
System store | Physical store |
---|---|
MY |
.Default |
Root |
.Default .LocalMachine |
Trust |
.Default .LocalMachine |
CA |
.Default .LocalMachine |
CERT_SYSTEM_LOCAL_MACHINE system stores are at registry location HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates.
The predefined physical stores are associated with those system stores are as follows.
System store | Physical store |
---|---|
MY |
.Default |
Root |
.Default |
Trust |
.Default |
CA |
.Default |
For Windows CE .NET 4.2 and later, the system root store is initialized with the most common public certificate authority in sysroots.p7b file. The following registry key example shows the default registry value:
Copy Code | |
---|---|
[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root] "InitFile"="\windows\sysroots.p7b" |
Adding Certificates to System Stores
For Windows CE .NET 4.2 and later, the addition of PKCS #7 format allows an easier way to add certificates to system stores. Only OEMs can add certificates to system stores using the registry. Application developers cannot use this procedure.
-
Create a list of authority certificates as a PKCS#7 formatted file.
-
Add the file to the Windows Embedded CE-based OS design by editing the project.bib file.
-
Add the registry value to the project.reg file.
The registry value is InitFilein HKEY_CURRENT_USER\Comm\Security\SystemCertificates\Rootregistry subkey. The InitFilespecifies the local path and the name of the PCKS#7 formatted file.
For example, to initialize the current user root store with the file userroots.p7b, add the following code to the project.reg file:
Copy Code [HKEY_CURRENT_USER\Comm\Security\SystemCertificates\Root] "InitFile"="\windows\userroots.p7b"
To initialize the local machine store, with the same file, add the following code to the project.reg file:
Copy Code [HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root] "InitFile"="\windows\userroots.p7b"
To initialize other system stores, replace the last path of the subkey with the name of the store. For example, to initialize the local machine CA store with certs.p7b, add the following code to the project.reg file:
Copy Code [HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\CA] "InitFile"="\windows\certs.p7b"
On first use of a CryptoAPI to access the system certificate store by an application, the CryptoAPI initializes the store using the specified file in the registry. After initialization, the registry value is deleted so that initialization does not repeat.