Platform SDK: Logon Authentication
Schannel uses and maintains several certificate stores to hold the lists of trusted CAs and the application's own certificate chains. All of these stores live in memory inside the LSA process (lsass.exe), where Schannel runs; they are not persisted to disk.
| Certificate store | Comments |
|---|---|
| Root Store | When a credential is created, Schannel creates an in-memory certificate store holding the self-signed certificates of all the trusted CAs. The entries in this store are the union of the certificates in the system ROOT store and the certificates in the application root store. The application root store is passed in as the hRootStore field of a version 3 (or later) SCHANNEL_CRED credential structure. This field is most often NULL, but an application can use it to trust CAs that the system does not trust. This store is used only by the server-side code that builds the list of acceptable CAs in the CertificateRequest message; Schannel does not consult it to validate the remote party's certificate, which remains the application's responsibility. |
| Application Certificate Store | When a credential is created, Schannel creates an in-memory certificate store for each application certificate chain. The store is populated either directly from the application's legacy credentials or by copying the certificate context from the application's modern credentials together with any intermediate certificates. Any relevant properties on the certificate context are copied as well. |
| Remote Certificate Store | Schannel maintains a certificate store for each security context, holding the certificate chain that the remote party sent during the handshake. An application obtains the remote leaf certificate by calling QueryContextAttributes with SECPKG_ATTR_REMOTE_CERT_CONTEXT; the hCertStore member of the returned CERT_CONTEXT refers to this store (so the peer-supplied intermediates are reachable from it), and the application must release the context with CertFreeCertificateContext when done. |