
I'm communicating by https with a server that needs client authentication.

To make it work I had to import the server root certificate into the Windows global certificate store using the Microsoft Management Console (mmc).

But I'm trying to make it run silently.

So my question is:

How to tell WinInet that a given certificate is the root one, so it can use it to check the whole certificate chain?

(without user handling, nor administrator privilege, nor system level registration)

More details:

I have (a) the certificate + (b) private key of my client.

I have (c) the root certificate of the server.

I built a pfx file containing (a) and (b):

openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -certfile root.pem -out test.pfx

Now I can use test.pfx to build a certificate store CS (using PFXImportCertStore).

During the building of my request, I set all the certificates from the CS (using InternetSetOption(INTERNET_OPTION_CLIENT_CERT_CONTEXT))

Here is a very minimalist extract of my code:

#include <windows.h>
#include <wincrypt.h>
#include <wininet.h>
// link with crypt32.lib and wininet.lib

CRYPT_INTEGER_BLOB blob ;
blob.pbData = ...pointer to a buffer containing test.pfx
blob.cbData = ...size of this buffer
// in-memory store holding (a), (b) and (c); the private key is not written to a key container
HCERTSTORE cs = PFXImportCertStore( &blob, L"pw", PKCS12_NO_PERSIST_KEY ) ;
HINTERNET ses = InternetOpen( "test", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0 ) ;
HINTERNET con = InternetConnect( ses, "server", 4444, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0 ) ;
HINTERNET req = HttpOpenRequest( con, "POST", NULL, NULL, NULL, NULL, INTERNET_FLAG_SECURE, 0 ) ;
// the request keeps a single client certificate context, so the last one set here wins
PCCERT_CONTEXT pc = CertEnumCertificatesInStore( cs, NULL ) ;
for ( ; pc ; pc = CertEnumCertificatesInStore( cs, pc ) )
    InternetSetOption( req, INTERNET_OPTION_CLIENT_CERT_CONTEXT, (void*)pc, sizeof( CERT_CONTEXT ) ) ;
HttpSendRequest( req, NULL, 0, NULL, 0 ) ;   // fails until (c) is in the Windows root store

But it doesn't work as it is.

I have to insert the root certificate (c) in the Windows certificate store.

Furthermore, the certificate (c) inserted within the pfx file is useless.

I may omit it in my openssl command line.

Since I want it to run silently and this root certificate is used just once for this lone request, I wonder if it is possible to tag it as root (at the PFXImportCertStore or the InternetSetOption step)?

PS I'm working with Visual Studio 2017 / Windows 10 x64.

PPS This is the sequel of my previous post: Client authentication (certificat + private key) using WinInet.

Remy Lebeau
Captain'Flam

0 Answers
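Added example, not code from the question or from any answer to it: the per-request trust the question asks for, done with .NET's SslStream from PowerShell (5.1 or 7 on Windows 10) rather than WinInet, because SslStream's validation callback exposes the hook WinInet does not. The root from root.pem is pinned for this one connection without being added to any Windows store and without administrator rights; the client certificate and key come from test.pfx, as in the question; the POST body is written only after the pinned-root check has passed, so nothing reaches an unverified server. The host `server`, port 4444, the file paths and the password `pw` are the question's hypothetical values, and the JSON body is a constructed sample. The chain check goes a little beyond the question by also honouring a host-name mismatch, which X509Chain alone does not detect.

```powershell
# Added example (not from the original post). Pins one root for a single TLS connection,
# presents the client certificate from a PFX, and sends the request body only after the
# server chain has been validated against that root. Assumed inputs (hypothetical, from
# the question): test.pfx = client cert + key, password "pw"; root.pem = server root CA;
# endpoint server:4444. No certificate store is modified and no admin rights are needed.
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Net.Security

function Test-PinnedRootChain {
    param(
        [Parameter(Mandatory)][X509Certificate2]$ServerCert,
        [Parameter(Mandatory)][X509Certificate2]$PinnedRoot,
        [X509Chain]$ReceivedChain      # chain SslStream built from what the server sent (may be $null)
    )
    $chain = [X509Chain]::new()
    # ExtraStore plays the role of CryptoAPI's hAdditionalStore: the engine can *find* the
    # root and the server's intermediates there, but nothing in it becomes trusted.
    $null = $chain.ChainPolicy.ExtraStore.Add($PinnedRoot)
    if ($ReceivedChain) {
        foreach ($el in $ReceivedChain.ChainElements) { $null = $chain.ChainPolicy.ExtraStore.Add($el.Certificate) }
    }
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # private PKI, no CRL to fetch
    $null = $chain.Build($ServerCert)                                    # verdict is read from ChainStatus below

    # Because the root is not installed, the engine reports UntrustedRoot. That is the only
    # status accepted; anything else (expired, partial chain, bad signature, ...) fails.
    $other = @($chain.ChainStatus | Where-Object { $_.Status -ne [X509ChainStatusFlags]::UntrustedRoot })
    if ($other.Count -gt 0) { return $false }

    # The chain must end at *our* root. Compare by thumbprint: subject names are attacker-chosen.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($top.Thumbprint -eq $PinnedRoot.Thumbprint)
}

function Send-PinnedPost {
    param(
        [string]$HostName = 'server', [int]$Port = 4444,
        [string]$PfxPath = 'test.pfx', [string]$PfxPassword = 'pw',
        [string]$RootPemPath = 'root.pem',
        [byte[]]$Body = [System.Text.Encoding]::UTF8.GetBytes('{"hello":"world"}')   # constructed sample body
    )
    $root   = [X509Certificate2]::new((Resolve-Path $RootPemPath).Path)              # (c): PEM is accepted on Windows
    $client = [X509Certificate2]::new((Resolve-Path $PfxPath).Path, $PfxPassword)   # (a)+(b), as PFXImportCertStore does

    $validate = [RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        # SChannel flags RemoteCertificateChainErrors (unknown CA); that verdict is replaced by
        # the pinned-root check, but a missing certificate or a host-name mismatch still fails.
        if ($errors.HasFlag([SslPolicyErrors]::RemoteCertificateNotAvailable)) { return $false }
        if ($errors.HasFlag([SslPolicyErrors]::RemoteCertificateNameMismatch)) { return $false }
        return (Test-PinnedRootChain -ServerCert ([X509Certificate2]$cert) -PinnedRoot $root -ReceivedChain $chain)
    }.GetNewClosure()

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = [SslStream]::new($tcp.GetStream(), $false, $validate)
    $clientCerts = [X509CertificateCollection]::new()
    $null = $clientCerts.Add($client)
    try {
        # TLS handshake: the callback runs here, on this thread, before a single application
        # byte is written. A $false from the callback makes this throw AuthenticationException.
        $ssl.AuthenticateAsClient($HostName, $clientCerts,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        if (-not $ssl.IsMutuallyAuthenticated) { throw 'server did not accept the client certificate' }

        # Minimal HTTP/1.1 POST written by hand; the point is that it happens after validation.
        $head = "POST / HTTP/1.1`r`nHost: $HostName`r`nContent-Type: application/json`r`n" +
                "Content-Length: $($Body.Length)`r`nConnection: close`r`n`r`n"
        $headBytes = [System.Text.Encoding]::ASCII.GetBytes($head)
        $ssl.Write($headBytes, 0, $headBytes.Length)
        $ssl.Write($Body, 0, $Body.Length)
        $ssl.Flush()
        $reader = [System.IO.StreamReader]::new($ssl)
        return $reader.ReadToEnd()       # raw status line, headers and body
    }
    finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

Send-PinnedPost
```

Two remarks for whoever wants to stay with the native API. The chain part translates directly: put root.pem into an in-memory store, pass it as hAdditionalStore to CertGetCertificateChain (or create an engine with CertCreateCertificateChainEngine whose CERT_CHAIN_ENGINE_CONFIG.hExclusiveRoot is that store, in which case the root counts as trusted and no UntrustedRoot status appears), and compare the chain's last element with root.pem by thumbprint, never by subject name. The request part is where WinInet is awkward: the only way to get past its own verdict is SECURITY_FLAG_IGNORE_UNKNOWN_CA via INTERNET_OPTION_SECURITY_FLAGS, after which the server chain can be fetched with INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT and checked as above, but that check can only run after the handshake, so send the body separately (HttpSendRequestEx, check, then InternetWriteFile) rather than with HttpSendRequest, or the POST data goes out before the root has been verified.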