Why can I silently export private keys marked as non-exportable?

From: Z (zort)
Date: 12/17/03

Date: Thu, 18 Dec 2003 00:10:48 +1300

Hi

I am adding a certificate with a private key. During installation I opted to:
a. not allow export of the public key, and
b. require a password to use the certificate

These options appear to be honored within the standard certificate UI. Also,
when I sign hashes using the crypto-API I get an OS password prompt at the
appropriate place.

However, it appears that I can silently export the entire certificate,
private key included, using the CertSerializeCertificateStoreElement API
call. I was trying to export only the public information and was somewhat
surprised to be informed that I had the private key on the receiving machine
(determined by viewing the certificate using the OS dialog).

So, my questions are:
1. Is it intended that you can silently export private keys the user said
shouldn't be exported?
2. Why is this behavior designed to be different from what happens when you
copy certificates to another memory store and then serialize the whole
store? (Doing this removes the private keys.)
3. What is the best method of serializing a single certificate from a store
so you never get the private key? Can it be done in one step? (As opposed
to using behavior 2 to work around behavior 1.)

Thanks
Z
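One way to do the public-only export asked about in question 3 in a single step, as an added PowerShell example (not code from the original post; it uses the .NET X509Certificate2 wrapper rather than the raw CryptoAPI call, and the thumbprint and output path are placeholders):

```powershell
# Added example (not from the original post): export one certificate from the
# CurrentUser\My store as public-only DER, then prove the copy carries no key.
# $Thumbprint is a placeholder; substitute the thumbprint of your certificate.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',
    [string]$OutFile    = "$env:TEMP\public-only.cer"
)

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }

# HasPrivateKey is the same association the OS certificate dialog reports.
Write-Host ("Source: {0}  HasPrivateKey={1}" -f $cert.Subject, $cert.HasPrivateKey)

# X509ContentType.Cert yields only the DER-encoded certificate (the bytes in
# CERT_CONTEXT.pbCertEncoded), so it cannot contain a private key; this is a
# one-step public-only export with no intermediate memory store.
# By contrast, X509ContentType.SerializedCert is the .NET wrapper over
# CertSerializeCertificateStoreElement and also writes the certificate's store
# properties, which is where a key-provider reference travels.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Verify: parse the bytes just written as a fresh certificate object and check
# that it is the same certificate and that no private key came with it.
$copy = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile
if ($copy.HasPrivateKey) { throw "Unexpected: exported copy reports a private key" }
if ($copy.Thumbprint -ne $cert.Thumbprint) { throw "Exported bytes do not match the source certificate" }
Write-Host ("Wrote {0} bytes to {1}; copy HasPrivateKey={2}" -f $der.Length, $OutFile, $copy.HasPrivateKey)
```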

