I am working on a client-server application where server is web service which perform client authentication based on SSL client certificate. The client cert is issued by Root-CA -> Intermedia-CA-1 -> Intermedia-CA-2. I imported the cert to both user cert store and cert machine store.
Use WinHttpSetOption(request, WINHTTP_OPTION_CLIENT_CERT_CONTEXT, (LPVOID)pCertCtx, sizeof(*pCertCtx)) to set the client certificate.
WinHttp send both client certificate and the intermediate CAs when pCertCtx is searched from user store.
But WinHttp only send the client cert, does not send intermediate CAs, when pCertCtx is searched from local machine store or from in-memory cert store.
Why WinHttp has different behavior on these? Is there any options to force WinHttp always send both certificate and the chain?
Resolved by adding the intermedia ca to machine store.