Unified Certificate Store Overview

Certificate storage uses the interface defined by the crypto token framework. The unified certificate store (unified certstore) aggregates every available implementation of the certstore interface behind one API. If a product manufacturer implements one of the certstore interfaces using, for example, a WIM (WAP Identity Module), that implementation is picked up automatically by the unified certstore and its certificates appear alongside those from the other stores.

The unified certstore offers:

  • The CUnifiedCertStore API to access the certificates stored on the device

  • Assignment of trust status to a certificate on an application by application basis

  • Certificate chain construction and validation.

Supported certificate types

The certstore APIs support X.509, WTLS, and X.968 certificates. Certificates can be physically present in the store (as is normally the case), or they can be referenced by a URL. When clients retrieve or add certificates they have to indicate which kind of certificate they want to retrieve or add. They do this using TCertificateFormat, an enumeration with the following values (the Url variants denote a certificate that is referenced by URL rather than held in the store):

  • EX509Certificate (X.509 certificate held in the store)

  • EWTLSCertificate (WTLS certificate held in the store)

  • EX968Certificate (X.968 certificate held in the store)

  • EX509CertificateUrl (X.509 certificate referenced by URL)

  • EWTLSCertificateUrl (WTLS certificate referenced by URL)

  • EX968CertificateUrl (X.968 certificate referenced by URL)

  • EUnknownCertificate (format not recognised)

Because the format is carried as a tag alongside the certificate, the certstore depends only on the generic certificate interface offered by crypto.dll rather than on any one encoding; new certificate specifications can therefore be kept in the store without changing it. Clients should treat EUnknownCertificate as a signal to reject or ignore the entry rather than attempt to parse it.

The certstore also distinguishes three owner types, defined by the TCertificateOwnerType enumeration:

Owner type          Description

ECACertificate      CA certificates are used as trust roots when validating certificate chains. Only certificates of this type can be assigned trust.

EUserCertificate    User certificates establish the user's identity with a remote server; the matching private key is held on the device.

EPeerCertificate    Peer certificates are other parties' user certificates, for which the device holds no private key.
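To make the three offerings listed at the top of this page concrete (one API over several backend stores, filtering by TCertificateFormat and TCertificateOwnerType, per-application trust, and chain construction that terminates only at a trusted CA certificate), here is an added, portable C++ model written for this overview. It is not Symbian's CUnifiedCertStore or CCertAttributeFilter code, which is asynchronous and descriptor-based; the class names, the MemoryCertStore backend, the subject/issuer strings and the application UIDs are all constructed for the illustration, and signature verification is deliberately left out.

```cpp
// Added illustration: a portable C++ model of the unified certstore concepts
// (aggregation of backend stores, attribute filtering, per-application trust,
// chain construction). NOT Symbian's CUnifiedCertStore; all data is constructed.
#include <cstddef>
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Value names follow the page's enumerations.
enum TCertificateFormat { EX509Certificate, EWTLSCertificate, EX968Certificate,
                          EX509CertificateUrl, EWTLSCertificateUrl,
                          EX968CertificateUrl, EUnknownCertificate };
enum TCertificateOwnerType { ECACertificate, EUserCertificate, EPeerCertificate };

// Only the fields chain construction needs; a real store holds the encoded cert.
struct CertInfo {
    std::string label;
    TCertificateFormat format;
    TCertificateOwnerType owner;
    std::string subject;   // hypothetical DN string
    std::string issuer;    // equals subject for a self-signed root
};

// One implementation of the certstore interface (a file store, a WIM, ...).
struct ICertStore {
    virtual ~ICertStore() = default;
    virtual std::vector<CertInfo> List() const = 0;
};
struct MemoryCertStore : ICertStore {
    std::vector<CertInfo> certs;
    explicit MemoryCertStore(std::vector<CertInfo> c) : certs(std::move(c)) {}
    std::vector<CertInfo> List() const override { return certs; }
};

// Attribute filter: a field left unset matches everything.
struct CertFilter {
    bool byFormat = false; TCertificateFormat format = EUnknownCertificate;
    bool byOwner = false;  TCertificateOwnerType owner = ECACertificate;
};
CertFilter FormatFilter(TCertificateFormat f) { CertFilter c; c.byFormat = true; c.format = f; return c; }
CertFilter OwnerFilter(TCertificateOwnerType o) { CertFilter c; c.byOwner = true; c.owner = o; return c; }

struct ChainResult {
    std::vector<std::string> chain;  // leaf first, root last
    bool complete = false;           // reached a self-signed CA certificate
    bool trustedForApp = false;      // and that root is trusted for the given application
};

class UnifiedCertStore {
public:
    void AddStore(std::unique_ptr<ICertStore> s) { stores_.push_back(std::move(s)); }

    // Query every backend and merge the results, as the unified store does.
    std::vector<CertInfo> List(const CertFilter& f = CertFilter{}) const {
        std::vector<CertInfo> out;
        for (const auto& s : stores_)
            for (const auto& c : s->List())
                if ((!f.byFormat || c.format == f.format) && (!f.byOwner || c.owner == f.owner))
                    out.push_back(c);
        return out;
    }

    // Trust is recorded per (CA certificate, application), never globally.
    void SetTrust(const std::string& caLabel, unsigned appUid, bool trusted) {
        if (trusted) trust_.insert({caLabel, appUid}); else trust_.erase({caLabel, appUid});
    }
    bool IsTrusted(const std::string& caLabel, unsigned appUid) const {
        return trust_.count({caLabel, appUid}) != 0;
    }

    // Walk issuer -> subject links through CA certificates only, because only
    // CA certificates act as trust roots. Structural check only: no signatures.
    ChainResult BuildChain(const std::string& leafLabel, unsigned appUid) const {
        ChainResult r;
        std::vector<CertInfo> all = List();
        std::vector<CertInfo> cas = List(OwnerFilter(ECACertificate));
        const CertInfo* cur = nullptr;
        for (const auto& c : all) if (c.label == leafLabel) cur = &c;
        for (int depth = 0; cur && depth < 8; ++depth) {   // depth cap guards against issuer loops
            r.chain.push_back(cur->label);
            if (cur->owner == ECACertificate && cur->subject == cur->issuer) {
                r.complete = true;
                r.trustedForApp = IsTrusted(cur->label, appUid);
                return r;
            }
            const CertInfo* next = nullptr;
            for (const auto& ca : cas)
                if (ca.subject == cur->issuer && ca.label != cur->label) { next = &ca; break; }
            cur = next;
        }
        return r;   // incomplete: no CA certificate in any store issued the last link
    }

private:
    std::vector<std::unique_ptr<ICertStore>> stores_;
    std::set<std::pair<std::string, unsigned>> trust_;
};

const unsigned KAppTls = 0x1000183D;   // hypothetical application UID
const unsigned KAppMail = 0x10001234;  // hypothetical application UID

// Constructed sample data split over two backends, as if one were a file store
// and the other a WIM; the unified store presents them as one collection.
const UnifiedCertStore& SampleStore() {
    static UnifiedCertStore store = [] {
        UnifiedCertStore s;
        s.AddStore(std::make_unique<MemoryCertStore>(std::vector<CertInfo>{
            {"RootCA", EX509Certificate, ECACertificate,   "CN=Root",  "CN=Root"},
            {"IntCA",  EX509Certificate, ECACertificate,   "CN=Int",   "CN=Root"},
            {"me",     EX509Certificate, EUserCertificate, "CN=Alice", "CN=Int"}}));
        s.AddStore(std::make_unique<MemoryCertStore>(std::vector<CertInfo>{
            {"bob",    EWTLSCertificate, EPeerCertificate, "CN=Bob",   "CN=Other"}}));
        s.SetTrust("RootCA", KAppTls, true);   // trusted for TLS only, not for mail
        return s;
    }();
    return store;
}

int main() {
    const UnifiedCertStore& s = SampleStore();
    std::cout << "certificates in unified store: " << s.List().size() << "\n";
    ChainResult r = s.BuildChain("me", KAppTls);
    for (std::size_t i = 0; i < r.chain.size(); ++i)
        std::cout << r.chain[i] << (i + 1 < r.chain.size() ? " -> " : "\n");
    std::cout << "complete=" << r.complete << " trustedForTls=" << r.trustedForApp
              << " trustedForMail=" << s.BuildChain("me", KAppMail).trustedForApp << "\n";
    return 0;
}
```

The two checks worth taking away are in BuildChain: the walk only ever steps onto certificates whose owner type is ECACertificate, and reaching a self-signed root is not enough on its own; the root must also be trusted for the application that asked, which is why the same chain validates for the TLS UID and fails for the mail UID.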