Setting certificate store capabilities (HTML)
Certificates intended for use in a specific app container are stored in per user, per app container locations. An app running in an app container has write access to only its own certificate storage. On Windows 8.1, an app also has read access to local machine certificate stores other than the MY and REQUEST store.
When a smart card is inserted into a reader, the certificates and keys contained on the card are propagated to the user MY store where they can be shared by any full-trust application the user is running. By default, however, app containers do not have access to the per user MY store.
To address this issue and enable groups of principals to access groups of resources, the app container isolation model supports the capabilities concept. A capability allows an app container process to access a specific resource. The sharedUserCertificates capability grants an app container read access to the certificates and keys contained in all user stores and the Smart Card Trusted Roots store. Further, this capability grants an app container write access to the smart card in order to enable direct enrollment of certificates on to smart cards.
You specify the sharedUserCertificates capability in the manifest as shown by the following example.