diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 4424f52a948..10997afc665 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -104,12 +104,48 @@ static BOOL CRYPT_CheckRestrictedRoot(HCERTSTORE store)
 return ret;
 }
 
-BOOL WINAPI CertCreateCertificateChainEngine(PCERT_CHAIN_ENGINE_CONFIG pConfig,
- HCERTCHAINENGINE *phChainEngine)
+HCERTCHAINENGINE CRYPT_CreateChainEngine(HCERTSTORE root,
+ PCERT_CHAIN_ENGINE_CONFIG pConfig)
 {
 static const WCHAR caW[] = { 'C','A',0 };
 static const WCHAR myW[] = { 'M','y',0 };
 static const WCHAR trustW[] = { 'T','r','u','s','t',0 };
+ PCertificateChainEngine engine =
+ CryptMemAlloc(sizeof(CertificateChainEngine));
+
+ if (engine)
+ {
+ HCERTSTORE worldStores[4];
+
+ engine->ref = 1;
+ engine->hRoot = root;
+ engine->hWorld = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
+ CERT_STORE_CREATE_NEW_FLAG, NULL);
+ worldStores[0] = CertDuplicateStore(engine->hRoot);
+ worldStores[1] = CertOpenSystemStoreW(0, caW);
+ worldStores[2] = CertOpenSystemStoreW(0, myW);
+ worldStores[3] = CertOpenSystemStoreW(0, trustW);
+ CRYPT_AddStoresToCollection(engine->hWorld,
+ sizeof(worldStores) / sizeof(worldStores[0]), worldStores);
+ CRYPT_AddStoresToCollection(engine->hWorld,
+ pConfig->cAdditionalStore, pConfig->rghAdditionalStore);
+ CRYPT_CloseStores(sizeof(worldStores) / sizeof(worldStores[0]),
+ worldStores);
+ engine->dwFlags = pConfig->dwFlags;
+ engine->dwUrlRetrievalTimeout = pConfig->dwUrlRetrievalTimeout;
+ engine->MaximumCachedCertificates =
+ pConfig->MaximumCachedCertificates;
+ if (pConfig->CycleDetectionModulus)
+ engine->CycleDetectionModulus = pConfig->CycleDetectionModulus;
+ else
+ engine->CycleDetectionModulus = DEFAULT_CYCLE_MODULUS;
+ }
+ return (HCERTCHAINENGINE)engine;
+}
+
+BOOL WINAPI CertCreateCertificateChainEngine(PCERT_CHAIN_ENGINE_CONFIG pConfig,
+ HCERTCHAINENGINE *phChainEngine)
+{
 BOOL ret;
 
 TRACE("(%p, %p)\n", pConfig, phChainEngine);
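Review bot: CRYPT_CreateChainEngine leaks the `root` store it is handed when `CryptMemAlloc` fails: `engine->hRoot = root` only runs inside `if (engine)`, so the NULL return leaves the handle that CertCreateCertificateChainEngine opens or duplicates in the second hunk (`root = CertDuplicateStore(...)` / `root = CertOpenSystemStoreW(0, rootW)`) with no owner, unless the else branch that follows that hunk closes it; before this change the root store was only opened after the allocation had succeeded. Since the engine keeps `root` as `hRoot` on success, the least surprising fix is for the function to own it on failure as well, `if (!engine) { CertCloseStore(root, 0); return NULL; }` placed in front of the `if (engine)` block, with the caller left unchanged. The `engine->hWorld` collection from `CertOpenStore` is still stored without a NULL check, but that is carried over from the old code rather than introduced here. The new CertCreateCertificateChainEngine definition begins at the end of this hunk and its body continues past it.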
@@ -123,39 +159,17 @@ BOOL WINAPI CertCreateCertificateChainEngine(PCERT_CHAIN_ENGINE_CONFIG pConfig,
 ret = CRYPT_CheckRestrictedRoot(pConfig->hRestrictedRoot);
 if (ret)
 {
- PCertificateChainEngine engine =
- CryptMemAlloc(sizeof(CertificateChainEngine));
+ HCERTSTORE root;
+ HCERTCHAINENGINE engine;
 
+ if (pConfig->hRestrictedRoot)
+ root = CertDuplicateStore(pConfig->hRestrictedRoot);
+ else
+ root = CertOpenSystemStoreW(0, rootW);
+ engine = CRYPT_CreateChainEngine(root, pConfig);
 if (engine)
 {
- HCERTSTORE worldStores[4];
-
- engine->ref = 1;
- if (pConfig->hRestrictedRoot)
- engine->hRoot = CertDuplicateStore(pConfig->hRestrictedRoot);
- else
- engine->hRoot = CertOpenSystemStoreW(0, rootW);
- engine->hWorld = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
- CERT_STORE_CREATE_NEW_FLAG, NULL);
- worldStores[0] = CertDuplicateStore(engine->hRoot);
- worldStores[1] = CertOpenSystemStoreW(0, caW);
- worldStores[2] = CertOpenSystemStoreW(0, myW);
- worldStores[3] = CertOpenSystemStoreW(0, trustW);
- CRYPT_AddStoresToCollection(engine->hWorld,
- sizeof(worldStores) / sizeof(worldStores[0]), worldStores);
- CRYPT_AddStoresToCollection(engine->hWorld,
- pConfig->cAdditionalStore, pConfig->rghAdditionalStore);
- CRYPT_CloseStores(sizeof(worldStores) / sizeof(worldStores[0]),
- worldStores);
- engine->dwFlags = pConfig->dwFlags;
- engine->dwUrlRetrievalTimeout = pConfig->dwUrlRetrievalTimeout;
- engine->MaximumCachedCertificates =
- pConfig->MaximumCachedCertificates;
- if (pConfig->CycleDetectionModulus)
- engine->CycleDetectionModulus = pConfig->CycleDetectionModulus;
- else
- engine->CycleDetectionModulus = DEFAULT_CYCLE_MODULUS;
- *phChainEngine = (HCERTCHAINENGINE)engine;
+ *phChainEngine = engine;
 ret = TRUE;
 }
 else
diff --git a/dlls/crypt32/crypt32_private.h b/dlls/crypt32/crypt32_private.h
index ffd5a87515c..439700567b0 100644
--- a/dlls/crypt32/crypt32_private.h
+++ b/dlls/crypt32/crypt32_private.h
@@ -251,6 +251,13 @@ PWINECRYPT_CERTSTORE CRYPT_FileNameOpenStoreA(HCRYPTPROV hCryptProv,
 PWINECRYPT_CERTSTORE CRYPT_FileNameOpenStoreW(HCRYPTPROV hCryptProv,
 DWORD dwFlags, const void *pvPara);
 
+/* Allocates and initializes a certificate chain engine, but without creating
+ * the root store. Instead, it uses root, and assumes the caller has done any
+ * checking necessary.
+ */
+HCERTCHAINENGINE CRYPT_CreateChainEngine(HCERTSTORE root,
+ PCERT_CHAIN_ENGINE_CONFIG pConfig);
+
 /* Helper function for store reading functions and
 * CertAddSerializedElementToStore. Returns a context of the appropriate type
 * if it can, or NULL otherwise. Doesn't validate any of the properties in
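Review bot: The new comment on CRYPT_CreateChainEngine leaves out the ownership of `root`, which is the one thing a caller of this declaration needs to know: in chain.c the engine stores it as `hRoot` and adds a duplicate of it to its world collection, and when allocation fails the function returns NULL without having stored or closed it. Suggest adding after "checking necessary.": ` * The engine takes ownership of root on success. If allocation fails, NULL` / ` * is returned and root is not closed, so the caller must release it.` (or the matching sentence if the failure path is changed to close it). It is also worth stating that pConfig must be non-NULL, since its fields are read without a check.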