SChannel certificate stores

  • Question

  • With out using the ISC_REQ_MANUAL_CRED_VALIDATION, can I control which stores the Schannel used for certificate validation?

    I want to use my own custom stores as trusted stores.

    Wednesday, March 25, 2020 11:43 AM

All replies

  • Hi Vishnu,

    From Performing Authentication Using Schannel, the default behavior of Schannel is to use the WinVerifyTrust function to verify the integrity and ownership of the server certificate. To disable this feature, specify ISC_REQ_MANUAL_CRED_VALIDATION when calling the InitializeSecurityContext (Schannel) function. For more information, see Manually Validating Schannel Credentials.

    I want to use my own custom stores as trusted stores.

    Do you mean Custom Security Packages?

    The custom security package API supports combined development of custom security support providers (SSPs), which provide Noninteractive Authentication services and secure message exchange to client/server applications, with the development of custom authentication packages, which provide services for applications that perform Interactive Authentication.

    Best regards,

    Strive


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, March 26, 2020 6:57 AM
  • Thank you Strive for the quick reply.

    I am using SChannel for TLS communication. I want to use my own certificate stores (not Root) as trusted stores.

    >Manually Validating Schannel Credentials.

    I agree with this. But due to this I cannot do the certificate validation at handshake time; only after the handshake is the certificate validation performed. So the correct error in the handshake cannot be sent to the peer.

    >I want to use my own custom stores as trusted stores.

    I want to specify my own certificate store names instead of the OS default like Root.

    Is there any option available for that?

    Thursday, March 26, 2020 8:41 AM
  • Hi Vishnu,

    For this issue, I will contact the relevant engineer to help solve it. Once there is a result, I will reply here.

    Best regards,

    Strive



    Wednesday, April 1, 2020 3:02 AM
  • I didn't try, but perhaps it can be done by setting hRootStore in the SCHANNEL_CRED structure, passing its address as the pAuthData parameter of AcquireCredentialsHandle (SChannel), and then passing the resulting CredHandle as the phCredential parameter of AcceptSecurityContext (SChannel).
    Monday, May 11, 2020 4:53 AM