authorTim Smith <tsmith@chef.io>2021-02-04 14:11:49 -0800
committerGitHub <noreply@github.com>2021-02-04 14:11:49 -0800
commitcf29be97a11a91e977b374c2eef426bc96b0e168 (patch)
treed4fbc71c1bdf82329c970303c51a395b9f259fd7
parent4b7a0b8e02598b6ef6c2c9dbef53561a06d24be6 (diff)
parentef9a9904f5e0351b52ac645b4c1ec96797c98d3e (diff)
downloadchef-cf29be97a11a91e977b374c2eef426bc96b0e168.tar.gz
Merge pull request #10987 from chef/windows_cert_16
windows_certificate: Fix the user_store property to actually install certificates to the user store
-rw-r--r--Gemfile.lock2
-rw-r--r--chef-universal-mingw32.gemspec2
-rw-r--r--cspell.json4
-rw-r--r--kitchen-tests/cookbooks/end_to_end/files/certs/ca.cert.pem36
-rw-r--r--kitchen-tests/cookbooks/end_to_end/files/certs/chef.northwindbaking.com.chained.cert.pem73
-rw-r--r--kitchen-tests/cookbooks/end_to_end/files/certs/intermediate.cert.pem35
-rw-r--r--kitchen-tests/cookbooks/end_to_end/files/certs/steveb.pfxbin0 -> 4405 bytes
-rw-r--r--kitchen-tests/cookbooks/end_to_end/recipes/windows.rb25
-rw-r--r--lib/chef/resource/windows_certificate.rb64
9 files changed, 221 insertions, 20 deletions
diff --git a/Gemfile.lock b/Gemfile.lock
index 0548c8eed4..75ec2eb22f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -96,7 +96,7 @@ PATH
tty-table (~> 0.11)
uuidtools (>= 2.1.5, < 3.0)
win32-api (~> 1.5.3)
- win32-certstore (~> 0.3)
+ win32-certstore (~> 0.5)
win32-event (~> 0.6.1)
win32-eventlog (= 0.6.3)
win32-mmap (~> 0.4.1)
diff --git a/chef-universal-mingw32.gemspec b/chef-universal-mingw32.gemspec
index fa95de76f5..bfa2fab2a2 100644
--- a/chef-universal-mingw32.gemspec
+++ b/chef-universal-mingw32.gemspec
@@ -14,7 +14,7 @@ gemspec.add_dependency "win32-service", ">= 2.1.5", "< 3.0"
gemspec.add_dependency "wmi-lite", "~> 1.0"
gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
-gemspec.add_dependency "win32-certstore", "~> 0.3"
+gemspec.add_dependency "win32-certstore", "~> 0.5" # 0.5+ required for specifying user vs. system store
gemspec.extensions << "ext/win32-eventlog/Rakefile"
gemspec.files += Dir.glob("{distro,ext}/**/*")
diff --git a/cspell.json b/cspell.json
index a55b2bfc40..a96f5ec54b 100644
--- a/cspell.json
+++ b/cspell.json
@@ -14,6 +14,7 @@
"dictionaries": ["chef"],
// words - list of words to be always considered correct
"words": [
+ "northwindbaking",
"abcz",
"Abdulin",
"ABORTIFHUNG",
@@ -567,6 +568,7 @@
"getremotelogin",
"getspnam",
"gettext",
+ "GETTHUMBPRINTCODE",
"gettimezone",
"gettype",
"gids",
@@ -1911,7 +1913,7 @@
"lib/chef/provider/package/yum/simplejson/**/*",
"lib/chef/provider/package/yum/simplejson/*",
"omnibus/resources/chef/**/*",
- "kitchen-tests/cookbooks/end_to_end/files/*",
+ "kitchen-tests/cookbooks/end_to_end/files/**/*",
"spec/**",
"docs_site",
"distro/ruby_bin_folder/**/*"
diff --git a/kitchen-tests/cookbooks/end_to_end/files/certs/ca.cert.pem b/kitchen-tests/cookbooks/end_to_end/files/certs/ca.cert.pem
new file mode 100644
index 0000000000..2bb30a7b18
--- /dev/null
+++ b/kitchen-tests/cookbooks/end_to_end/files/certs/ca.cert.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGRTCCBC2gAwIBAgIUKR+fpIUUvQMvhGba1Ky/ScpiysUwDQYJKoZIhvcNAQEL
+BQAwgakxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRs
+ZTEZMBcGA1UECgwQTm9ydGh3aW5kIEJha2luZzEUMBIGA1UECwwLRW5naW5lZXJp
+bmcxITAfBgNVBAMMGE5vcnRod2luZCBCYWtpbmcgUm9vdCBDQTEnMCUGCSqGSIb3
+DQEJARYYam9obi5tY2NyYWVAcHJvZ3Jlc3MuY29tMB4XDTIwMTIxODE3MTQxNloX
+DTQwMTIxMzE3MTQxNlowgakxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJXQTEQMA4G
+A1UEBwwHU2VhdHRsZTEZMBcGA1UECgwQTm9ydGh3aW5kIEJha2luZzEUMBIGA1UE
+CwwLRW5naW5lZXJpbmcxITAfBgNVBAMMGE5vcnRod2luZCBCYWtpbmcgUm9vdCBD
+QTEnMCUGCSqGSIb3DQEJARYYam9obi5tY2NyYWVAcHJvZ3Jlc3MuY29tMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqQScpelNtPUrdX8K7kp8s0vLw9wB
+VEEQ0hV/hIFWjLYORmFLP4MISsL/ESu9rdGvZktCkURIivSUF9iAIaxaydUFGNLo
+lJY5LMb7Llezyy5C+W+xUUGlj9KIw6YBdXEFnaMrPDRJuPfoJREHn37U75KLlrM0
+SkYuAT5LDPXluJvB1iPpGixuaq8rmr+fSjhBZxnutJTFpnDcivzwPYmMsUrP6Hu7
+WB0Z8YrN0kv2Idw5LQikPoapnwgK4ygSiv0kIEKqsmLUG3V7NRyCE2SwMiBbRpyf
+Ehhy5JmxcIIJNAAFRkbPeHs3THC9mZJXJe5IGV91V0Jjixn9E3as+k7JwqEwViO0
+43hEg9dvrw5kshmjZxU6/9qB7WR8DsCHPZF3x6n5Z23BDYTXFcKqza17LtfbGpKL
+tPE/E5vYYogpXmNNEI55NcpTvexHrMpAasbqFysLSH0W9XKo7bmCKlaJbrMOPsyp
+WLD5jbjQm6ieNB2D992VnQkOm66Hd6FldoJoUhF4MIQ+2fDDfUDTsqG/dPO6UBZL
+vAnZAEQVkKq/1OWUizmx5WmC8b1Oyu3i+ghDFVuh3yKr/0RWdQdduGj98uMg6/jo
+46VYq5f9F9phE5A3NW1VBX5foOXyTp5xFbMJmN9MSyrXq/NCcdw9GYAGLlPjCVyc
+UpbazMzUyehfpzsCAwEAAaNjMGEwHQYDVR0OBBYEFLEKaqLFZyyT1nYDzMg/Vryr
++jVJMB8GA1UdIwQYMBaAFLEKaqLFZyyT1nYDzMg/Vryr+jVJMA8GA1UdEwEB/wQF
+MAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQCSfXsBf5I3
+Lt5EDV73sC5hV3mcP7F+Betu0PeVCdDCKEIOve3hrV6cSpA8xoRY7kqWJ+bbR0HZ
+/fX8bCOt3Em5SZXGQMSirEoZ+pYPz+YOZ2RKPcf/wZIshpLzZ23Z0D06Cyxt+M2f
+fqRvEXXR5k4gPuikm+u/X16olBRI/ULW5IA3eri818JD840yjwxTu7a97rVKEhZR
+PSORvvgWgtA7HPfibgJ7DBjbY9B8YSiq0RxaJsmSmh/zZ2i0SMjztLcTvmWs0o8m
+3E42zVDXyy9A0fr9AoasyH17nHjKlAL6v6TfGvFDNgn5fIYELOrf+l1CD5Ij+coZ
+w4QiVKREiPA26CNC9kYWqBXhAKEr31DvgVSSlZTDF35QpE0DofYKRRTQ8P68h8hM
+vKqG7Wa3/9ZCeTK15CU9q8blZtcjF2dV1GKCs7WPCPct9DdQpkuSyuc9CQgiLhCR
+ZxgxpXX15AOa/RI8qRla4MBw3j3YP9Z5q6NsG239NdyckPUGqJUIs+oyaBRcxA0o
+QHG4JUWPBlOTxwOzfmMSZtCfcNuNOWK39s5pJiSyLPvaPCj3D79OKkskuO00lVAK
+Es5m/VexGB/XnM9vTLn72YESxUfl0+nP+vyAqKletXnwf8C6wt004TgM/YIoC2zR
+l4wX7Vl8hG7lYg3yEBoDQM3Ipq2V8S9G5A==
+-----END CERTIFICATE-----
diff --git a/kitchen-tests/cookbooks/end_to_end/files/certs/chef.northwindbaking.com.chained.cert.pem b/kitchen-tests/cookbooks/end_to_end/files/certs/chef.northwindbaking.com.chained.cert.pem
new file mode 100644
index 0000000000..846bbf9dcb
--- /dev/null
+++ b/kitchen-tests/cookbooks/end_to_end/files/certs/chef.northwindbaking.com.chained.cert.pem
@@ -0,0 +1,73 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/kitchen-tests/cookbooks/end_to_end/files/certs/intermediate.cert.pem b/kitchen-tests/cookbooks/end_to_end/files/certs/intermediate.cert.pem
new file mode 100644
index 0000000000..d7e6b6d0a2
--- /dev/null
+++ b/kitchen-tests/cookbooks/end_to_end/files/certs/intermediate.cert.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/kitchen-tests/cookbooks/end_to_end/files/certs/steveb.pfx b/kitchen-tests/cookbooks/end_to_end/files/certs/steveb.pfx
new file mode 100644
index 0000000000..097c7075ff
--- /dev/null
+++ b/kitchen-tests/cookbooks/end_to_end/files/certs/steveb.pfx
Binary files differ
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
index ea5f0f7421..7eeb4ef5be 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
@@ -114,3 +114,28 @@ end
user "phil" do
action :remove
end
+
+directory 'C:\mordor' do
+ rights :full_control, "everyone"
+end
+
+cookbook_file "c:\\mordor\\steveb.pfx" do
+ source "/certs/steveb.pfx"
+ action :create_if_missing
+end
+
+windows_certificate "c:/mordor/steveb.pfx" do
+ pfx_password "1234"
+ action :create
+ user_store true
+ store_name "MY"
+end
+
+cookbook_file "c:\\mordor\\ca.cert.pem" do
+ source "/certs/ca.cert.pem"
+ action :create_if_missing
+end
+
+windows_certificate "c:/mordor/ca.cert.pem" do
+ store_name "ROOT"
+end
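Review bot: The `directory 'C:\mordor'` resource at the top of the added block grants `:full_control` to `everyone`, and both files dropped into it use `action :create_if_missing`, so any local account that pre-creates `c:\mordor\ca.cert.pem` gets its own certificate installed into the LocalMachine `ROOT` store by the `windows_certificate "c:/mordor/ca.cert.pem"` resource, and the `steveb.pfx` private key (password `1234` in clear text on the next resource) is readable by every account on the box. On a throwaway kitchen VM the impact is small, but this recipe is the worked example for the resource and will be copied. I'd drop the `rights :full_control, "everyone"` line unless something in the test actually needs it, and use the default `action :create` on both `cookbook_file` resources so the cookbook's copy is authoritative rather than whatever is already on disk. A comment above the ROOT install such as `# test-only root CA; trusted machine-wide for the duration of the kitchen run` would also stop it from being mistaken for a production pattern.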
diff --git a/lib/chef/resource/windows_certificate.rb b/lib/chef/resource/windows_certificate.rb
index 5800fe0f45..0879f04636 100644
--- a/lib/chef/resource/windows_certificate.rb
+++ b/lib/chef/resource/windows_certificate.rb
@@ -76,7 +76,7 @@ class Chef
default: "MY", equal_to: ["TRUSTEDPUBLISHER", "TrustedPublisher", "CLIENTAUTHISSUER", "REMOTE DESKTOP", "ROOT", "TRUSTEDDEVICES", "WEBHOSTING", "CA", "AUTHROOT", "TRUSTEDPEOPLE", "MY", "SMARTCARDROOT", "TRUST", "DISALLOWED"]
property :user_store, [TrueClass, FalseClass],
- description: "Use the user store of the local machine store if set to false.",
+ description: "Use the `CurrentUser` store instead of the default `LocalMachine` store. Note: Prior to #{ChefUtils::Dist::Infra::CLIENT}. 16.10 this property was ignored.",
default: false
property :cert_path, String,
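Review bot: The new `user_store` description on the `+` line has a stray period directly after the interpolation, `#{ChefUtils::Dist::Infra::CLIENT}. 16.10`, so the rendered text reads as "<product name>. 16.10" and the note splits into two fragments in generated docs. Drop that period so the sentence reads `Prior to #{ChefUtils::Dist::Infra::CLIENT} 16.10 this property was ignored.`. The property declaration continues outside the hunk.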
@@ -119,7 +119,7 @@ class Chef
code_script << acl_script(hash)
guard_script << cert_exists_script(hash)
- powershell_script "setting the acls on #{new_resource.source} in #{cert_location}\\#{new_resource.store_name}" do
+ powershell_script "setting the acls on #{new_resource.source} in #{ps_cert_location}\\#{new_resource.store_name}" do
convert_boolean_return true
code code_script
only_if guard_script
@@ -161,25 +161,47 @@ class Chef
end
action_class do
+
+ CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000
+ CERT_SYSTEM_STORE_CURRENT_USER = 0x00010000
+
def add_cert(cert_obj)
- store = ::Win32::Certstore.open(new_resource.store_name)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
store.add(cert_obj)
end
def add_pfx_cert
exportable = new_resource.exportable ? 1 : 0
- store = ::Win32::Certstore.open(new_resource.store_name)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
store.add_pfx(new_resource.source, new_resource.pfx_password, exportable)
end
def delete_cert
- store = ::Win32::Certstore.open(new_resource.store_name)
- store.delete(new_resource.source)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+ store.delete(resolve_thumbprint(new_resource.source))
end
def fetch_cert
- store = ::Win32::Certstore.open(new_resource.store_name)
- store.get(new_resource.source)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+ store.get(resolve_thumbprint(new_resource.source))
+ end
+
+ # Thumbprints should be exactly 40 Hex characters
+ def valid_thumbprint?(string)
+ string.scan(/\H/).empty? && string.length == 40
+ end
+
+ def get_thumbprint(store_name, location, source)
+ <<-GETTHUMBPRINTCODE
+ $content = Get-ChildItem -Path Cert:\\#{location}\\#{store_name} | Where-Object {$_.Subject -Match "#{source}"} | Select-Object Thumbprint
+ $content.thumbprint
+ GETTHUMBPRINTCODE
+ end
+
+ def resolve_thumbprint(thumbprint)
+ return thumbprint if valid_thumbprint?(thumbprint)
+
+ powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result
end
# Checks whether a certificate with the given thumbprint
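Review bot: `get_thumbprint` interpolates `new_resource.source` straight into a double-quoted PowerShell string (`$_.Subject -Match "#{source}"`), so a subject containing `"`, `$(` or a backtick breaks out of the string and runs as PowerShell under the chef-client account, and because `-Match` is a regex substring test, `.` in a hostname matches any character and a short subject such as `CN=chef` also matches `CN=chef2`. When several certificates match, `$content.thumbprint` comes back as an array and `delete_cert` hands that array to `store.delete` with no check that exactly one certificate was selected; whether win32-certstore rejects or silently handles that is not visible here. I'd single-quote the value with embedded quotes doubled and wrap it in `[regex]::Escape` so the existing substring semantics stay but the input is literal, and have `resolve_thumbprint` refuse an ambiguous match while still returning nil when nothing matches, since `verify_cert` relies on the store reporting "not found". The `action_class` block these methods live in continues past the end of the hunk.
```ruby
      def get_thumbprint(store_name, location, source)
        # Single-quote the value and double any embedded quote so it cannot end the
        # PowerShell string; [regex]::Escape keeps the substring match literal.
        literal = source.gsub("'", "''")
        <<-GETTHUMBPRINTCODE
          $content = Get-ChildItem -Path Cert:\\#{location}\\#{store_name} | Where-Object {$_.Subject -Match [regex]::Escape('#{literal}')} | Select-Object Thumbprint
          $content.thumbprint
        GETTHUMBPRINTCODE
      end

      def resolve_thumbprint(thumbprint)
        return thumbprint if valid_thumbprint?(thumbprint)

        # nil result (no match) stays nil so callers see the store's "not found";
        # more than one match is ambiguous and must not reach delete/valid?.
        matches = Array(powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result)
        raise "Subject '#{new_resource.source}' matched #{matches.size} certificates in #{ps_cert_location}\\#{new_resource.store_name}; pass a thumbprint instead" if matches.size > 1

        matches.first
      end
```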
@@ -187,9 +209,11 @@ class Chef
# If the certificate is not present, verify_cert returns a String: "Certificate not found"
# But if it is present but expired, it returns a Boolean: false
# Otherwise, it returns a Boolean: true
+ # updated this method to accept either a subject name or a thumbprint - 1/29/2021
+
def verify_cert(thumbprint = new_resource.source)
- store = ::Win32::Certstore.open(new_resource.store_name)
- store.valid?(thumbprint)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+ store.valid?(resolve_thumbprint(thumbprint))
end
def show_or_store_cert(cert_obj)
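Review bot: The added comment `# updated this method to accept either a subject name or a thumbprint - 1/29/2021` records change history, which git already carries, rather than the method's contract, and the blank line after it detaches it from the `def` it is meant to document. I'd fold it into the existing block comment as a statement of current behaviour, e.g. `# The argument may be a 40-character hex thumbprint or a subject name; a subject name is first resolved to a thumbprint via resolve_thumbprint.`, and drop the date. Note that when the subject does not resolve, `store.valid?` receives nil; what win32-certstore returns in that case is not visible here, so it is worth confirming it is the "Certificate not found" string the comment above promises.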
@@ -230,13 +254,19 @@ class Chef
out_file.close
end
- def cert_location
- @location ||= new_resource.user_store ? "CurrentUser" : "LocalMachine"
+ # this array structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
+ # Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
+ def ps_cert_location
+ new_resource.user_store ? "CurrentUser" : "LocalMachine"
+ end
+
+ def native_cert_location
+ new_resource.user_store ? CERT_SYSTEM_STORE_CURRENT_USER : CERT_SYSTEM_STORE_LOCAL_MACHINE
end
def cert_script(persist)
cert_script = "$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2"
- file = Chef::Util::PathHelper.cleanpath(new_resource.source)
+ file = Chef::Util::PathHelper.cleanpath(new_resource.source, ps_cert_location)
cert_script << " \"#{file}\""
if ::File.extname(file.downcase) == ".pfx"
cert_script << ", \"#{new_resource.pfx_password}\""
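Review bot: `cert_script` now passes `ps_cert_location`, the string "CurrentUser" or "LocalMachine", as a second positional argument to `Chef::Util::PathHelper.cleanpath`, which is a path normaliser and has no obvious use for a store location; its signature is not visible here, but if it takes only keyword options after the path this raises ArgumentError on every call, and if it takes a positional flag the location string is being treated as that flag. Unless there is a reason I'm missing, restore `file = Chef::Util::PathHelper.cleanpath(new_resource.source)`. The comment above `ps_cert_location` also refers to "this array structure", but the hunk replaces `cert_location` with two plain methods, so it should read something like `# Two views of the store location: the PowerShell name (CurrentUser/LocalMachine) and the CERT_SYSTEM_STORE_* flag win32-certstore expects.`. `cert_script` continues beyond the end of the hunk.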
@@ -252,14 +282,14 @@ class Chef
def cert_exists_script(hash)
<<-EOH
$hash = #{hash}
- Test-Path "Cert:\\#{cert_location}\\#{new_resource.store_name}\\$hash"
+ Test-Path "Cert:\\#{ps_cert_location}\\#{new_resource.store_name}\\$hash"
EOH
end
def within_store_script
inner_script = yield "$store"
<<-EOH
- $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "#{new_resource.store_name}", ([System.Security.Cryptography.X509Certificates.StoreLocation]::#{cert_location})
+ $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "#{new_resource.store_name}", ([System.Security.Cryptography.X509Certificates.StoreLocation]::#{ps_cert_location})
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
#{inner_script}
$store.Close()
@@ -273,7 +303,7 @@ class Chef
# and from https://msdn.microsoft.com/en-us/library/windows/desktop/bb204778(v=vs.85).aspx
set_acl_script = <<-EOH
$hash = #{hash}
- $storeCert = Get-ChildItem "cert:\\#{cert_location}\\#{new_resource.store_name}\\$hash"
+ $storeCert = Get-ChildItem "cert:\\#{ps_cert_location}\\#{new_resource.store_name}\\$hash"
if ($storeCert -eq $null) { throw 'no key exists.' }
$keyname = $storeCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if ($keyname -eq $null) { throw 'no private key exists.' }
@@ -340,7 +370,7 @@ class Chef
if verify_cert(thumbprint) == true
Chef::Log.debug("Certificate is already present")
else
- converge_by("Adding certificate #{new_resource.source} into Store #{new_resource.store_name}") do
+ converge_by("Adding certificate #{new_resource.source} into #{ps_cert_location} Store #{new_resource.store_name}") do
if is_pfx
add_pfx_cert
else