The SunMSCAPI Cryptographic provider does only support two keystores: Windows-MY(personal certificate store) and Windows-ROOT(trusted authorities certificate store), thus I don't thinks it is possible to directly access to other windows certificate stores. However it may not be necessart since it seems that the Windows-MYkeystore is able to build certificate chains with the certificates from other stores.

SunMSCAPI 加密提供程序仅支持两个密钥库：（Windows-MY个人证书存储）和Windows-ROOT（受信机构证书存储），因此我认为无法直接访问其他 Windows 证书存储。但是，它可能不是必需的，因为Windows-MY密钥库似乎能够使用来自其他存储的证书构建证书链。

Here is a code snippet I use to test it:

这是我用来测试它的代码片段：

KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, null) ;
Enumeration en = ks.aliases() ;
while (en.hasMoreElements()) {
    String aliasKey = (String)en.nextElement() ;
    Certificate c = ks.getCertificate(aliasKey) ;
    System.out.println("---> alias : " + aliasKey) ;
    if (ks.isKeyEntry(aliasKey)) {
        Certificate[] chain = ks.getCertificateChain(aliasKey);
        System.out.println("---> chain length: " + chain.length);
        for (Certificate cert: chain) {
            System.out.println(cert);
    }
}

If I add a single certificate with private key in the personal certificate store the chain length is 1. After adding the CA in the intermediate CA certificate store the I launch the program a second time and the chain length is now 2.

如果我在个人证书存储中添加带有私钥的单个证书，则链长为 1。在中间 CA 证书存储中添加 CA 后，我第二次启动该程序，链长现在为 2。

UPDATE (April, 2nd)It is possible to programmatically add certificates in the Windows-MYand Windows-ROOTkeystore with some limitations:

更新（4 月 2 日）可以在Windows-MY和Windows-ROOT密钥库中以编程方式添加证书，但有一些限制：

• when adding a certificate in the Windows-ROOTthe user is prompted for confirmation
• all certificate added in the Windows-MYkeystore is a TrustedCertificateEntry(from the keystore point of view, not the Windows point of view). The keystore seems to build the longest possible chain with all available certificates.
• the certifcates with no associated private key are not visible in the Windows certificate store browser but it is possible to programmatically delete them.

• 在用户中添加证书时，Windows-ROOT会提示用户进行确认
• Windows-MY密钥库中添加的所有证书都是一个TrustedCertificateEntry（从密钥库的角度来看，而不是 Windows 的角度）。密钥库似乎使用所有可用证书构建了尽可能长的链。
• 没有关联私钥的证书在 Windows 证书存储浏览器中不可见，但可以通过编程方式删除它们。

Adding a certificate in a keystore is straightforward:

在密钥库中添加证书很简单：

Certificate c = CertificateFactory.getInstance("X.509").generateCertificate(new FileInputStream("C:/Users/me/Downloads/myca.crt"));
KeyStore.TrustedCertificateEntry entry = new KeyStore.TrustedCertificateEntry(c);
ks.setEntry("CA1", entry , null);

Jcs had the answer, but I want to show some pseudocode so:

Jcs 有答案，但我想展示一些伪代码，所以：

// load the Windows keystore
KeyStore winKeystore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
winKeystore.load(null, null);

// add the user's smart card cert to the keystore
winKeystore.setCertificateEntry(myAlias, userCertificate);

// build the cert chain! this will include intermediate CAs
Certificate[] chain = winKeystore.getCertificateChain(myAlias);

Windows cert chains aren't validated as they're built, but now you can do the usual thing of creating a CertPath and PKIXParameters and using them to validate the chain.

Windows 证书链在构建时未经过验证，但现在您可以执行通常的操作，即创建 CertPath 和 PKIXParameters 并使用它们来验证链。

CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
certPathValidator.validate(certPath, params);