WinHttp: How to use a temporary certificate store?

Question

I have a C++ application that makes a HTTPS connection to one of our servers. In my ideal world, I would like the following to occur:

1. App Starts
2. App makes Windows trust the server's root CA (no GUI please, just system calls)
3. App talks to server, does its work, etc.
4. App makes windows forget about the server's root CA
5. done

I do NOT want this root CA to necessarily be trusted by other apps. Therefore I don't want to install the cert system-wide. I also would like it if the user did not need Admin privileges.

My initial plan was to create an in-memory (CERT_STORE_PROV_MEMORY) store, add my cert to that, then add that in-memory store to the system store using CertAddStoreToCollection.

While all the CryptoAPI function calls succeed, WinHttp does not like it.

Here is the skeleton of what I'm doing - perhaps someone knows a trick? Or perhaps this is wrong-headed in the first place?

hMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY, ...);
pCert = CertCreateCertificateContext(..., pCertBytes, ...);
CertAddCertificateContextToStore(hMemStore, pCert, ...);
hRootStore = CertOpenSystemStore(NULL, "ROOT");
CertAddStoreToCollection(hRootStore, hMemStore, ...);

// Then later on...
WinHttpSendRequest(...)

A few notes:

• Everything works when I use WinHttp's SECURITY_FLAG_IGNORE_UNKNOWN_CA, so I'm fairly sure this really is the issue.
• I have already seen this SO question - it is close, but does not address the issue of making the cert only temporarily trusted, while the app runs.

Thanks!

Answer 1

Since you don't want other applications to trust this cert, you need to do part of the certificate validation yourself. Disable the CA check with the option SECURITY_FLAG_IGNORE_UNKNOWN_CA and then get the call back for connecting to the server WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER. In that callback fetch the cert with WINHTTP_OPTION_SERVER_CERT_CONTEXT and do your validation. Cancel/Close the request if it's not who you want, continue the request if it's correct.