Re: export a certificate private key as .pem file

From: Michel Gallant (neutron_at_nspxistar.ca)
Date: 10/07/03


Date: Mon, 6 Oct 2003 22:53:38 -0400

Looks ok ... are you SURE you have the correct certcontext for
the cert you want? Otherwise, not sure what the problem is.
 - Mitch

"kidd" <kiddwang@msik.com.cn> wrote in message news:097301c38c7b$248be5c0$a301280a@phx.gbl...
> It still is AT_EXCHANGE on w2k sp4.
>
> I used CryptAcquireCertificatePrivateKey() like this:
>
> #include <windows.h>
> #include <wincrypt.h>
> #include <stdio.h>
>
> HCRYPTPROV hCryptProv = 0;
> DWORD dwKeySpec = 0;
>
> /* certcontext: PCCERT_CONTEXT of the cert whose private key we want */
> if (!CryptAcquireCertificatePrivateKey(
>         certcontext,
>         0,              /* dwFlags: default acquisition */
>         NULL,           /* pvReserved */
>         &hCryptProv,
>         &dwKeySpec,     /* receives AT_KEYEXCHANGE (1) or AT_SIGNATURE (2) */
>         NULL))          /* pfCallerFreeProv */
> {
>     printf("CryptAcquireCertificatePrivateKey error is %08lx\n", GetLastError());
>     return FALSE;
> }
>
> Anything wrong with these?
> > -----Original Message-----
> > Just tried this on W2k sp4 fully patched and
> > I have no problem getting the keyspec as AT_SIGNATURE
> > after creating a test cert using same makecert command as you
> > give below.
> >
> > How do you call CryptAcquireCertificatePrivateKey()?
> >
> > Here is a CAPICOM webpage based cert lister which also
> > shows keytypes of any cert in any store (NOTE: REQUIRES CAPICOM 2):
> > http://pages.istar.ca/~neutron/KeyContainerTool
> >
> > Cheers,
> >  - Michel Gallant
> >  Visual Security MVP
> >
> > "kiddwang" <kiddwang@msik.com.cn> wrote in message
> > news:111501c38be7$aafe61d0$a301280a@phx.gbl...
> > > I do the steps below:
> > >
> > > 1. Run makecert: makecert -ss my -pe -n "CN=kidd" -sky signature
> > >
> > > 2. Run signcode: in the next pane I see the keytype is signature.
> > >
> > > It seems that the certificate I built is the signature
> > > type. But when I use the CryptAcquireCertificatePrivateKey()
> > > function, the dwKeySpec is 0x0001 (AT_EXCHANGE) too.
> > > What's up? My platform is winxp (sp1).
> > >
> > > Can you help me? Thanks.
> > >
> > > kidd
> > > > -----Original Message-----
> > > > Hmmm, you mean CryptAcquireCertificatePrivateKey().
> > > > I just tried this, and I didn't have a problem getting both
> > > > AT_SIGNATURE and AT_EXCHANGE returned for certs
> > > > in MY store with these attributes (Win2000 sp4).
> > > >
> > > > What platform?
> > > > I used default invocation with dwFlags = 0.
> > > >
> > > > Are you sure your cert really has key marked as AT_SIGNATURE?
> > > >
> > > > --- Hint: ----
> > > > You can check your cert. type and keyspec very easily using
> > > > the Authenticode tool signcode.exe.
> > > > Take any dummy exe file to sign, select "Custom" mode and
> > > > then pick any certificate. The next panel "Private Key" has
> > > > very useful drop-down lists for all of:
> > > >  CSP, Provider Type, Key container, key type
> > > > You can verify your cert here.
> > > >
> > > >  - Michel Gallant
> > > >  MVP Security
> > > >
> > > > "kidd" <kiddwang@msik.com.cn> wrote in message
> > > > news:146801c3864e$e1c94160$a101280a@phx.gbl...
> > > > > Thanks to you guys.
> > > > > But still a problem: when I used CryptAcquirePrivateKey()...
> > > > > it always returns the value which indicates the key blob is
> > > > > a key exchange (AT_KEYEXCHANGE) even if I take that from a
> > > > > signature private key. Why?
> > > > >
> > > > > > -----Original Message-----
> > > > > > Another solution is to use CryptoAPI CryptExportKey()
> > > > > > and use a password-derived session key to encrypt your
> > > > > > public/private key in a PRIVATEKEYBLOB.
> > > > > > Note that if hExpKey is null, the exported PRIVATEKEYBLOB
> > > > > > is not encrypted (not a good idea unless you manually encrypt it
> > > > > > yourself after export).
> > > > > >
> > > > > > Also, you might want to consider using CAPICOM which makes
> > > > > > exporting to a pfx incredibly easy with CAPICOM.Certificate.Save:
> > > > > >
> > > > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/certificate_save.asp
> > > > > >
> > > > > >  - Michel Gallant
> > > > > >  MVP Security
> > > > > >
> > > > > > "Pieter Philippaerts" <Pieter@nospam.mentalis.org> wrote
> > > > > > in message
> > > > > > news:uFjk71ngDHA.2984@TK2MSFTNGP11.phx.gbl...
> > > > > > > "kidd" <kiddwang@msik.com.cn> wrote in message
> > > > > > > > I can find a personal certificate for the certificate
> > > > > > > > store. How can I export the certificate private key
> > > > > > > > as a .pem file or anything else?
> > > > > > >
> > > > > > > PEM files are not supported by the Crypto API. If you
> > > > > > > really need PEM support, you may want to link to the
> > > > > > > OpenSSL libraries.
> > > > > > > However the CryptoAPI does support exporting PFX files
> > > > > > > [PfxExportCertStore] and those PFX files can contain the
> > > > > > > private key of a certificate.
> > > > > > > Another option would be to use Microsoft's PVK file
> > > > > > > format. It's a very simple format to export and transfer
> > > > > > > private keys. You can find its details over here:
> > > > > > > http://www.drh-consultancy.demon.co.uk/pvk.html
> > > > > > >
> > > > > > > Regards,
> > > > > > > Pieter Philippaerts
> > > > > > > SSL and TLS for .NET: http://www.mentalis.org/go.php?sl
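Added example, not code from anyone in this thread: once CryptExportKey() has produced a PRIVATEKEYBLOB (plaintext when hExpKey is NULL, as noted above), or you have a PVK file of the kind Pieter links, the step to PEM that the Crypto API itself does not offer is an offline parse and re-encode. The Python below uses only the standard library. It serialises and parses the blob layout (BLOBHEADER, RSAPUBKEY, then the little-endian CRT components), derives the keyspec from aiKeyAlg using the conventional mapping CALG_RSA_KEYX = AT_KEYEXCHANGE and CALG_RSA_SIGN = AT_SIGNATURE (the same two values dwKeySpec and the PVK keytype field carry), unwraps a plaintext PVK header, and emits a PKCS#1 "RSA PRIVATE KEY" PEM. Assumptions: the function names (build_private_key_blob, parse_private_key_blob, wrap_pvk, parse_pvk, to_pkcs1_pem) are this example's own, and the key it runs on is a constructed 32-bit toy key built from two 16-bit primes so the script works without a Windows box. Password-protected PVK files are refused rather than decrypted, and the same caveat as in the thread applies: a plaintext blob or PVK on disk is the private key in the clear.

```python
"""Added example (not from the thread): PRIVATEKEYBLOB / plaintext PVK -> PKCS#1 PEM.
Layout constants follow wincrypt.h and the PVK description linked above; the
function names and the toy RSA key are this example's own."""
import base64
import struct

PRIVATEKEYBLOB, CUR_BLOB_VERSION = 0x07, 0x02   # BLOBHEADER.bType / .bVersion
CALG_RSA_KEYX, CALG_RSA_SIGN = 0x0000A400, 0x00002400
RSA2_MAGIC = 0x32415352                         # "RSA2" read as a little-endian DWORD
PVK_MAGIC = 0xB0B5F11E
AT_KEYEXCHANGE, AT_SIGNATURE = 1, 2             # dwKeySpec / PVK keytype values
KEYSPEC_NAME = {AT_KEYEXCHANGE: "AT_KEYEXCHANGE", AT_SIGNATURE: "AT_SIGNATURE"}
ALG_TO_KEYSPEC = {CALG_RSA_KEYX: AT_KEYEXCHANGE, CALG_RSA_SIGN: AT_SIGNATURE}


def _le(value, size):
    """Every RSA component in the blob is a fixed-width little-endian integer."""
    return value.to_bytes(size, "little")


def build_private_key_blob(p, q, e, alg=CALG_RSA_SIGN):
    """BLOBHEADER || RSAPUBKEY || n, p, q, d mod (p-1), d mod (q-1), q^-1 mod p, d."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    bitlen = n.bit_length() + (-n.bit_length()) % 16   # multiple of 16: half-width fields are whole bytes
    full, half = bitlen // 8, bitlen // 16
    return (struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, alg)
            + struct.pack("<III", RSA2_MAGIC, bitlen, e)
            + _le(n, full) + _le(p, half) + _le(q, half)
            + _le(d % (p - 1), half) + _le(d % (q - 1), half)
            + _le(pow(q, -1, p), half) + _le(d, full))


def parse_private_key_blob(blob):
    """Inverse of build_private_key_blob; also reports the keyspec aiKeyAlg implies."""
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PRIVATEKEYBLOB or bver != CUR_BLOB_VERSION:
        raise ValueError("not a version-2 PRIVATEKEYBLOB")
    if alg not in ALG_TO_KEYSPEC:
        raise ValueError("not an RSA key: aiKeyAlg=0x%08x" % alg)
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if magic != RSA2_MAGIC:
        raise ValueError("RSAPUBKEY magic mismatch")
    full, half = bitlen // 8, bitlen // 16
    key, off = {"e": e, "keyspec": ALG_TO_KEYSPEC[alg]}, 20
    for name, size in (("n", full), ("p", half), ("q", half), ("dp", half),
                       ("dq", half), ("qinv", half), ("d", full)):
        field = blob[off:off + size]
        if len(field) != size:
            raise ValueError("blob truncated in %s" % name)
        key[name] = int.from_bytes(field, "little")
        off += size
    return key


def wrap_pvk(blob, keytype, encrypted=0, salt=b""):
    """PVK header: magic, reserved, keytype, is_encrypted, saltlen, keylen; then salt, blob."""
    return struct.pack("<6I", PVK_MAGIC, 0, keytype, encrypted, len(salt), len(blob)) + salt + blob


def parse_pvk(data):
    """Unwrap a PVK file. Password-protected PVKs are refused, not decrypted."""
    magic, _reserved, keytype, encrypted, saltlen, keylen = struct.unpack_from("<6I", data, 0)
    if magic != PVK_MAGIC:
        raise ValueError("bad PVK magic")
    if encrypted:
        raise ValueError("PVK is password-protected; this example handles only plaintext PVKs")
    key = parse_private_key_blob(data[24 + saltlen:24 + saltlen + keylen])
    if key["keyspec"] != keytype:
        raise ValueError("PVK keytype disagrees with the blob's aiKeyAlg")
    return key


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # DER INTEGER is signed: pad so the value stays positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def to_pkcs1_pem(key):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qinv } (RFC 8017)."""
    body = b"".join(_der_int(v) for v in (0, key["n"], key["e"], key["d"], key["p"],
                                            key["q"], key["dp"], key["dq"], key["qinv"]))
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")


# Constructed toy key: two 16-bit primes, so bitlen == 32. Never use a key like this.
TOY_P, TOY_Q, TOY_E = 65521, 32749, 65537
TOY_BLOB = build_private_key_blob(TOY_P, TOY_Q, TOY_E, CALG_RSA_SIGN)
TOY_PVK = wrap_pvk(TOY_BLOB, AT_SIGNATURE)

if __name__ == "__main__":
    key = parse_pvk(TOY_PVK)
    print("keyspec:", KEYSPEC_NAME[key["keyspec"]])
    print(to_pkcs1_pem(key), end="")
```

Run it as a script and it prints the keyspec and the PEM for the toy key; on a real blob exported from a CSP, write the PEM to a file and sanity-check it with `openssl rsa -in key.pem -check -noout`, which verifies the CRT components against n, e and d. The keyspec check in parse_pvk is the same consistency test a signcode.exe "Private Key" panel gives you interactively: a blob carrying CALG_RSA_KEYX belongs to an AT_KEYEXCHANGE key no matter what the container was named.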


