Some applications (including .NET Core) specify the PKCS12_ALWAYS_CNG_KSP flag when calling PFXImportCertStore. According to Microsoft's documentation, this flag indicates that the CNG key storage provider should always be used, but if it is not available the import will not fail.
Wine does not implement a CNG KSP, so instead of failing we simply ignore the flag and continue with the existing import path. A FIXME trace is printed for visibility.
Notably, .NET Core automatically adds PKCS12_ALWAYS_CNG_KSP when the ephemeral key storage flag (X509KeyStorageFlags.EphemeralKeySet) is used. Without support for this flag, certificate import fails in ASP.NET Core applications using Kestrel with ephemeral server certificates.
This improves compatibility with .NET and other applications expecting this flag to be accepted without error.
-- v4: crypt32: Accept PKCS12_ALWAYS_CNG_KSP flag and fall back to standard import.