Question: How does Chilkat’s Mime.UnwrapSecurity search for a certificate?
Usually the digital certificates are embedded within the signature part or encrypted message, so it is technically not necessary to locate the digital certificate on the system. However, if the certs are not included, UnwrapSecurity first checks the Local Machine store, followed by the Current User store.
A private key is necessary for decryption. The private key must be present in the calling process’s Windows Protected Store. In other words, you need to have the digital certificate installed WITH a private key (to decrypt a message). Technically, the certificate (located in a registry-based certificate store) may not need to be accessed, but the private key (located in the Protected Store) is needed. NOTE: This is a common problem. Developers test their programs interactively within the context of a logged-on user, and then deploy under ASP.NET or within a Windows Service only to find that decryption stops working. It’s because the private key is not available in the process’s logged-on user’s protected store.
When "unwrapping" a digital signature (i.e. validating the signature), only the public key is required.