CERT_CHAIN_ENGINE_CONFIG (wincrypt.h)
Header: wincrypt.h
Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Date: 12/05/2018
The CERT_CHAIN_ENGINE_CONFIG structure sets parameters for building a non-default certificate chain engine. The engine used determines the ways that certificate chains are built.
Size of this structure in bytes.
This configuration parameter can be used to restrict the root store. If used, it can be the handle of any HCERTSTORE containing only a proper subset of the certificates in the root store.
Store handle. If used, restricts the stores searched to find CTLs.
Store handle. If used, restricts the stores searched for certificates and CRLs.
Count of additional stores to be searched for certificates and CRLs needed to build chains.
A pointer to an array of store handles for any additional stores to be searched in building chains.
The following flags are defined.
Number of milliseconds before a time-out for network-based URL object retrievals. Can be set to zero to use the default limit.
Limit on the number of certificates that can be cached as a chain is built. Can be set to 0 to use the default limit.
Number of certificates added to the chain before a check is made to determine whether there is a cycle of certificates in the chain. A cycle may be defined as having the same certificate in two different places in a chain.
The lower the number, the more frequently checks will be made. Extra checking for cycles of certificates will slow the process considerably. This parameter can be set to zero to use the default limit.
Handle to a certificate store that contains exclusive trust anchors. If either the hExclusiveRoot or hExclusiveTrustedPeople member points to a valid store, exclusive trust mode is used for the chain building.
Windows 7 and Windows Server 2008 R2: Support for this member begins.
Handle to a certificate store that contains application-specific peer trusted certificates. If either the hExclusiveRoot or hExclusiveTrustedPeople member points to a valid store, exclusive trust mode is used for the chain building.
Windows 7 and Windows Server 2008 R2: Support for this member begins.
The following flag can be set. The flag applies only if the hExclusiveRoot or hExclusiveTrustedPeople or both are not NULL.
Windows 8 and Windows Server 2012: Support for this member begins.
Value | Meaning |
---|---|
CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG | Indicates that a non-self-signed intermediate CA certificate in the hExclusiveRoot store should be treated as a trust anchor during certificate validation. If a certificate chains up to this CA, chain building is terminated and the certificate is considered trusted. No signature verification or revocation checking is performed on the CA certificate. By default, if this flag is not set, only self-signed certificates in the hExclusiveRoot store are treated as trust anchors. See also the CERT_TRUST_IS_CA_TRUSTED value in the CERT_TRUST_STATUS structure. |
The chain-building engine uses four certificate stores in building chains. These are hRoot, hWorld, hTrust, and hOther. These stores' handles are established by using information in this structure when a chain engine is created.
hRoot is the store handle from hRestrictedRoot or, if hRestrictedRoot is NULL, the handle for System Store "Root."
hWorld is a collection certificate store including sibling stores hRoot, "CA," "My," "Trust," and any additional stores whose handles are in the array pointed to by rghAdditionalStore.
hTrust is the store handle from hRestrictedTrust or, if hRestrictedTrust is NULL, hWorld.
hOther is hRestrictedOther plus hRoot or, if hRestrictedTrust is non-NULL, the hWorld collection store plus the store handle from hRestrictedTrust.
Exclusive trust mode allows applications to specify trust anchors and peer-trusted certificates for certificate chain validation. In the exclusive trust mode, the root store and the trusted people store on the system are ignored, and the anchors and certificates pointed to by the hExclusiveRoot and hExclusiveTrustedPeople members are used instead.
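The exclusive trust mode described above, as an added example that is not part of the original documentation: the hypothetical helpers `make_exclusive_config` and `chain_errors_exclusive` fill the structure so that only caller-supplied anchors are trusted, leaving CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG off unless it is requested. The non-Windows typedefs are stand-ins assumed here so the configuration logic compiles anywhere, and refusing the flag when hExclusiveRoot is NULL is this example's own stricter check.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   /* link with crypt32.lib */
#else  /* stand-ins (assumption) for off-Windows builds; not the real wincrypt.h layout */
typedef void *HCERTSTORE; typedef unsigned long DWORD;
typedef struct { DWORD cbSize; HCERTSTORE hExclusiveRoot;
                 HCERTSTORE hExclusiveTrustedPeople; DWORD dwExclusiveFlags;
} CERT_CHAIN_ENGINE_CONFIG;
#define CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG 0x00000001
#endif

/* Hypothetical helper: fill cfg for exclusive trust mode.
   Returns 0 on success, -1 if the request would not enable it. */
int make_exclusive_config(CERT_CHAIN_ENGINE_CONFIG *cfg, HCERTSTORE anchors,
                          HCERTSTORE peers, int intermediate_ca_as_anchor)
{
    memset(cfg, 0, sizeof *cfg);   /* zero/NULL selects the defaults elsewhere */
    cfg->cbSize = sizeof *cfg;
    if (!anchors && !peers)
        return -1;                 /* neither store set: system stores stay in use */
    if (intermediate_ca_as_anchor && !anchors)
        return -1;                 /* the flag concerns certificates in hExclusiveRoot */
    cfg->hExclusiveRoot = anchors;
    cfg->hExclusiveTrustedPeople = peers;
    if (intermediate_ca_as_anchor) /* that CA gets no signature or revocation check */
        cfg->dwExclusiveFlags = CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG;
    return 0;
}
#ifdef _WIN32
/* Chain leaf against anchors only; returns TrustStatus.dwErrorStatus (0 = no error), (DWORD)-1 on API failure. */
DWORD chain_errors_exclusive(PCCERT_CONTEXT leaf, HCERTSTORE anchors)
{
    CERT_CHAIN_ENGINE_CONFIG cfg;
    CERT_CHAIN_PARA para = { sizeof(para) };
    HCERTCHAINENGINE engine = NULL;
    PCCERT_CHAIN_CONTEXT chain = NULL;
    DWORD status = (DWORD)-1;
    if (make_exclusive_config(&cfg, anchors, NULL, 0) != 0 ||
        !CertCreateCertificateChainEngine(&cfg, &engine))
        return status;
    if (CertGetCertificateChain(engine, leaf, NULL, NULL, &para, 0, NULL, &chain)) {
        status = chain->TrustStatus.dwErrorStatus;
        CertFreeCertificateChain(chain);
    }
    CertFreeCertificateChainEngine(engine);
    return status;
}
#endif
```

The CertGetCertificateChain call passes 0 for dwFlags, so it requests no revocation checking; a caller that needs it sets the corresponding flags there.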