Yes, so those users may benefit from the stub as well. And I do print a FIXME. This is nothing new, we've been ignoring invalid certificates in wininet for years where we should stop and show a UI.

When I tested with native cryptui and imported a cert, it didn't pick the root store. So I'm just not convinced it's doing the correct thing. That the root store is at present read-only makes it even more certain it doesn't do what the user expects at the moment. Perhaps that needs to be fixed as well, but that's a separate discussion. We need to be sure adding to the root store is the correct thing in the first place.

I'm not against stubs, I just think this one needs some tests. They shouldn't be that hard to write: test the root store before and after importing a cert with no UI, and see if the cert is added to the root store. Try with a few different kinds of certs (self-signed, not self-signed.) If they're always added to the root store, I'll be more persuaded. Right now I'm not. --Juan