Shared certificate stores (Windows Store apps)

Windows Server 2012 and Windows 8 include a new isolation model, a new application model, and a new development model.

  • The new isolation model enables an application to run in a low-level operating system construct, called an app container, that prohibits the application from accessing resources or files outside of itself unless explicitly permitted to do so.
  • The new application model defines a Windows Store app. Windows Store apps run inside of an app container, have declared capabilities, and are easy to install, run, and remove without affecting the overall system.
  • The new development model includes an Windows Software Development Kit (SDK) for Windows 8 that has been designed to provide simplified access to Windows Server 2012 and Windows 8 functionality. If you are creating a Windows Store app, you can use only the types made available through the Windows SDK for Windows 8.

These new models, particularly the isolation model, have public key infrastructure (PKI) implications that are discussed in the following sections:

Certificate storage per app container

Certificates that are intended for use in a specific app container are stored in per user, per app container locations. A Windows Store app running in an app container has write access to only its own certificate storage. If the application adds certificates to any of its stores, these certificates cannot be read by other Windows Store apps. If a Windows Store app is uninstalled, any certificates specific to it are also removed. A Windows Store app also has read access to local machine certificate stores other than the MY and REQUEST store.


Each app container has an isolated cache in which it can store issuer certificates needed for validation, certificate revocation lists (CRL), and online certificate status protocol (OCSP) responses.

Shared certificates and keys

When a smart card is inserted into a reader, the certificates and keys contained on the card are propagated to the user MY store where they can be shared by any full-trust application the user is running. By default, however, app containers do not have access to the per user MY store.

To address this issue and enable groups of principals to access groups of resources, the app container isolation model supports the capabilities concept. A capability allows an app container process to access a specific resource. The sharedUserCertificates capability grants an app container read access to the certificates and keys contained in the user MY store and the Smart Card Trusted Roots store. The capability does not grant read access to the user REQUEST store.

You specify the sharedUserCertificates capability in the manifest as shown in the following example.

    <Capability Name="sharedUserCertificates" />


Roadmap for Windows Store apps using C# or Visual Basic