| |
The SECURITYCREDENTIALS structure specifies the information
needed by the library to specify additional security credentials,
such as a client certificate, when establishing a
secure connection.
typedef struct _SECURITYCREDENTIALS
{
DWORD dwSize;
DWORD dwProtocol;
DWORD dwOptions;
DWORD dwReserved;
LPCTSTR lpszHostName;
LPCTSTR lpszUserName;
LPCTSTR lpszPassword;
LPCTSTR lpszCertStore;
LPCTSTR lpszCertName;
LPCTSTR lpszKeyFile;
} SECURITYCREDENTIALS, *LPSECURITYCREDENTIALS;
Members
- dwSize
- Size of this structure. If the structure is being allocated
dynamically, this member must be set to the size of the structure
and all other unused structure members must be initialized to a
value of zero or NULL.
- dwProtocol
- A bitmask of supported security protocols. The value of this
structure member is constructed by using a bitwise operator with any
of the following values:
| Value |
Description |
| SECURITY_PROTOCOL_DEFAULT |
The default security protocol will be used when establishing
a connection. This option will always request the latest version
of the preferred security protocol and is the recommended
value. Currently the default security protocol is TLS 1.2. |
| SECURITY_PROTOCOL_TLS |
Either the TLS 1.2 or 1.3 protocol should be used when
establishing a secure connection. The correct protocol is
automatically selected, based on what version of the protocol is
supported by the server. If this is the only protocol specified,
SSL will be excluded from the list of supported protocols. This
may be necessary for some servers which reject any attempt to use
the older SSL protocol and require that only TLS be used. |
| SECURITY_PROTOCOL_TLS10 |
The TLS 1.0 protocol should be used when establishing a
secure connection. This version is supported on all Windows
platforms, however some servers may reject connections using
version 1.0 in favor of using version 1.2. This version should
only be used for backwards compatibility with older servers that
have not been updated to use the current version of TLS. |
| SECURITY_PROTOCOL_TLS11 |
The TLS 1.1 protocol should be used when establishing a
secure connection. This version is supported on Windows 7 and
later desktop platforms, and Windows Server 2008 R2 and later
server platforms. Some servers may reject connections using
version 1.1 in favor of using version 1.2. This version should
only be used for backwards compatibility with older servers that
have not been updated to use the current version of TLS. |
| SECURITY_PROTOCOL_TLS12 |
The TLS 1.2 protocol should be used when establishing a
secure connection. This version is supported on Windows 7 and
later desktop platforms, and Windows Server 2008 R2 and later
server platforms. This version of TLS offers the broadest
compatibility with most servers. |
| SECURITY_PROTOCOL_TLS13 |
The TLS 1.3 protocol should be used when establishing a
secure connection. This is the newest version of the protocol
and is only supported on Windows 11, Windows Server 2022 and
later versions of Windows. If this version is not supported
by the operating system, TLS 1.2 will be used instead. |
- dwOptions
- A value which specifies one or options. This member is
constructed by using a bitwise operator with any of the following
values:
| Value |
Description |
| CREDENTIAL_STORE_CURRENT_USER |
The library will attempt to open a store for the current
user using the certificate store name provided in this
structure. If no options are specified, then this is the
default behavior. |
| CREDENTIAL_STORE_LOCAL_MACHINE |
The library will attempt to open a local machine store
using the certificate store name provided in this structure. If
this option is specified, the library will always search for a
local machine store before searching for the store by that name
for the current user. |
| CREDENTIAL_STORE_FILENAME |
The certificate store name is a file that contains the
certificate and private key that will be used. |
- dwReserved
- This structure member is reserved for future use and should
always be initialized to zero.
- lpszHostName
- A pointer to a null terminated string which specifies the
hostname that will be used when validating the server certificate.
If this member is NULL, then the server certificate will be
validated against the hostname used to establish the
connection.
- lpszUserName
- A pointer to a null terminated string which identifies the
owner of client certificate. Currently this member is not used by
the library and should always be initialized as a NULL
pointer.
- lpszPassword
- A pointer to a null terminated string which specifies the
password needed to access the certificate. Currently this member is
only used if the CREDENTIAL_STORE_FILENAME option has been
specified. If there is no password associated with the certificate,
then this member should be initialized as a NULL pointer.
- lpszCertStore
- A pointer to a null terminated string which specifies the name
of the certificate store to open. A certificate store is a
collection of certificates and their private keys, typically
organized by how they are used. If this value is NULL or points to
an empty string, the default certificate store "MY" will
be used.
| Store Name |
Description |
| CA |
Certification authority certificates. These are
certificates that are issued by entities which are entrusted to
issue certificates to other individuals or organizations.
Companies such as Comodo and DigiCert act as certification
authorities. |
| MY |
Personal certificates and their associated private keys for
the current user. This store typically holds the client
certificates used to establish a user's credentials. This
corresponds to the "Personal" store that is displayed
by the certificate manager utility and is the default store
used by the library. |
| ROOT |
Certificates that have been self-signed by a certificate
authority. Root certificates for a number of different
certification authorities such as Comodo and DigiCert are
installed as part of the operating system and periodically
updated by Microsoft. |
- lpszCertName
- A pointer to a null terminated string which specifies the name
of the certificate to use. The library will first search the
certificate store for a certificate with a matching "friendly
name"; this is a name for the certificate that is assigned by
the user. Note that the name must match completely, but the
comparison is not case sensitive. If no matching certificate is
found, the library will then attempt to find a certificate that has
a matching common name (also called the certificate subject). This
comparison is less stringent, and the first partial match will be
returned. If this second search fails, the library will return an
error indicating that the certificate could not be found. If the
SECURITY_PROTOCOL_SSH protocol has been specified, this member
should be NULL.
- lpszKeyFile
- This member is not used and should always be NULL. The private
key cannot be specified separately and must be associated with the
certificate.
Remarks
An application only needs to create this structure if the
server requires the client to provide a certificate as part of the
process of negotiating the secure session. If a certificate is
required, note that it must have a private key associated with it.
Attempting to use a certificate that does not have a private key will
result in an error during the connection process indicating that the
client credentials could not be established.
If you are using a local certificate store, with the certificate
and private key stored in the registry, you can explicitly specify
whether the certificate store for the current user or the local
machine (all users) should be used. This is done by prefixing the
certificate store name with "HKCU:" for the current user,
or "HKLM:" for the local machine. For example, a certificate
store name of "HKLM:MY" would specify the personal
certificate store for the local machine, rather than the current user.
If neither prefix is specified, then it will default to the certificate
store for the current user. You can manage these certificates using
the CertMgr.msc Microsoft Management Console (MMC) snap-in.
It is possible to load the certificate from a file rather than
from current user's certificate store. The dwOptions member
should be set to CREDENTIAL_STORE_FILENAME and the
lpszCertStore member should specify the name of the file that
contains the certificate and its private key. The file must be in
Private Information Exchange (PFX) format, also known as PKCS #12.
These certificate files typically have an extension of .pfx or .p12.
Note that if a password was specified when the certificate file was
created, it must be provided in the lpszPassword member or the
library will be unable to access the certificate.
Note that the lpszUserName and lpszPassword members
are values which are used to access the certificate store or private
key file. They are not the credentials which are used when
establishing the connection with the remote host or authenticating
the client session.
Requirements
Minimum Desktop Platform: Windows 7 Service Pack 1
Minimum Server Platform: Windows Server 2008 R2 Service Pack 1
Header File: cstools11.h
Unicode: Implemented as Unicode and ANSI versions
|
|