EldoS | Feel safer!

Accessing system certificates under restricted user accounts (page 1)

A number of applications running in restricted environments need to access certificates stored in the system certificate stores. While they usually have no trouble reading the certificates themselves (for chain validation, for instance), they are often not permitted to use the corresponding private keys. Examples of such applications include, but are not limited to, ASP.NET web applications, web services and various network services.

Windows maintains a separate certificate store set for each user account, and one system-wide store set shared by all user accounts. That is, each user account has its own MY, CA and ROOT stores for certificates serving its own purposes (e.g. authentication, or validation of particular hosts), and also has access to the system-wide MY, CA and ROOT stores that hold certificates common to all user accounts (e.g. widely known root CA certificates, such as Verisign's or Thawte's). The stores making up a user-specific set are usually referred to as “current user” stores (from the point of view of the user account that uses them), while the system-wide stores are known as “local machine” certificate stores.

In most cases, the ideal location for application-specific certificates is the current user store set. Use of the local machine stores is subject to certain security restrictions because of their importance to the health of the system. In particular, only accounts with administrative privileges can add certificates to or delete them from local machine stores, and only administrator accounts or accounts with explicitly granted permissions can use the private keys associated with certificates residing in such stores. However, it is sometimes technically impossible to use current user stores with applications that must run under specific system accounts such as NetworkService (e.g. ASP.NET websites); there are also other cases where the use of current user stores is unacceptable. Under such conditions, the local machine store set is the only in-system certificate location available to the application.
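The "explicitly granted permissions" mentioned above are an ACL on the private key container file. The following PowerShell script, added here as an example and not EldoS code, locates the key container behind a certificate in the local machine MY store, checks whether the account that runs the application (NetworkService is assumed) already has Read access, and grants it if not. It assumes an elevated PowerShell 5.1+ session on Windows, an RSA key held by the Microsoft software CSP or KSP, and a placeholder thumbprint that you replace with the real one.

```powershell
# Added example, not part of the original article. Run elevated.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'         # placeholder: replace with the certificate's thumbprint
$Account    = 'NT AUTHORITY\NETWORK SERVICE'   # assumed: the account the ASP.NET application runs under

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key associated with it in LocalMachine\My."
}

# Resolve the on-disk key container. Legacy CSP (CAPI) machine keys live under
# ProgramData\Microsoft\Crypto\RSA\MachineKeys; software KSP (CNG) keys under
# ProgramData\Microsoft\Crypto\Keys. Keys in hardware KSPs (e.g. TPM) have no file and are out of scope.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path -Path $keyFile)) {
    throw "Key container file not found at $keyFile (non-software provider or non-exportable location?)"
}

# Check whether the account already holds an Allow rule covering the full Read mask.
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyFile
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readMask) -eq $readMask)
}

if ($hasRead) {
    Write-Output "$Account can already read the key container $keyFile"
} else {
    # Read is sufficient for signing/decryption with the key; avoid granting FullControl.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Output "Granted Read on $keyFile to $Account"
}
```

The same change can be made interactively in the Certificates MMC snap-in via All Tasks > Manage Private Keys; the script is useful when the grant has to be repeatable or audited.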




