Key archival and smartcard CSP

From: dot (Stephane)
Date: Wed, 28 Jan 2004 01:31:07 -0800

Hi,

I'm generating 3 certificates for my smartcard:
- 1 for authentication,
- 1 for signature,
- 1 for encryption with key archival on my Win2K3 enterprise server.

Using xenroll, I managed to create the first two certificates, but can't generate the 3rd because the smartcard CSP (here Schlumberger) doesn't allow key export.

So I am thinking of a solution like:
- create the certificate with key archival using a software CSP (MS_ENHANCED_PROV) following the MSDN sample "Requesting a Key Archival Certificate",
- when the certificate has been issued, get the container name and the private key from the software CSP and reimport all that into the smartcard CSP,
- then import the issued certificate into the smartcard using CryptSetKeyParam(KP_CERTIFICATE).

My questions are:
* Is that a good solution, or should I find something else? Maybe there's something simpler by modifying the certificate properties?
* I don't know the format of the certificate I must provide to CryptSetKeyParam, and even the CSPDK documentation doesn't mention it. How can I convert my certificate recovered using CertRequest->GetCertificate or CertRequest->GetFullResponseProperty to something usable by the KP_CERTIFICATE parameter?

Thanks a lot for any help.

Stephane
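Editor's note on the second question, with an added example that is not part of the original post. CryptSetKeyParam with KP_CERTIFICATE expects pbData to point at the DER-encoded X.509 certificate, the same bytes a CERT_CONTEXT carries in pbCertEncoded. ICertRequest::GetCertificate hands back base64 text: with CR_OUT_BASE64 a bare certificate, with CR_OUT_BASE64HEADER the same wrapped in -----BEGIN/END----- lines, and with CR_OUT_CHAIN a PKCS#7 SignedData that carries the whole chain, so the end-entity certificate has to be pulled out before it is handed to the CSP. The standard-library Python below does that conversion with a small DER walker; the two certificates it builds as input are constructed skeletons with dummy keys and signatures, labelled as such, and "Stephane" / "Test Root CA" are assumed names. One caveat on the first question that a practitioner would want on the record: a key that was generated in a software CSP, archived at the CA and then imported has existed outside the card, so the card's non-exportability guarantee does not apply to it; that is inherent to key archival, not to this particular workaround.

```python
"""Convert GetCertificate() output to the DER bytes KP_CERTIFICATE expects.
Standard library only; the sample input below is constructed, not real."""
import base64

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")    # 1.2.840.113549.1.7.1
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
CN_OID = bytes.fromhex("550403")                        # 2.5.4.3


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def der_tlv(tag, value):
    """Encode one TLV with a minimal (DER) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def cert_names(cert_der):
    """Return (issuer, subject) as raw DER Name bytes of one certificate."""
    tbs = der_children(der_read(cert_der)[1])[0][1]       # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                              # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def response_to_der(text):
    """Base64 text from GetCertificate (bare cert or PKCS#7 chain, with or
    without -----BEGIN/END----- lines) -> DER of the end-entity certificate."""
    body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, top, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("response is not a DER SEQUENCE")
    kids = der_children(top)
    if not (kids and kids[0][0] == 0x06 and kids[0][1] == SIGNED_DATA_OID):
        return der                                        # already a bare X.509 cert
    # ContentInfo { contentType signedData, [0] EXPLICIT SignedData }
    signed = der_children(kids[1][1])[0][1]
    certs = [der_tlv(t, v) for ct, cv in der_children(signed) if ct == 0xA0
             for t, v in der_children(cv)]                # [0] IMPLICIT certificates
    if not certs:
        raise ValueError("PKCS#7 response carries no certificates")
    issuers = {cert_names(c)[0] for c in certs}
    # The leaf is the one certificate whose subject issued nothing in the set
    # (a self-signed root has subject == issuer and so drops out here).
    leaves = [c for c in certs if cert_names(c)[1] not in issuers]
    if len(leaves) != 1:
        raise ValueError("could not identify a single end-entity certificate")
    return leaves[0]


def to_base64_lines(der, label):
    """Wrap DER as 64-column base64 between -----BEGIN/END <label>----- lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def sample_cert(subject, issuer, serial):
    """Constructed X.509 skeleton for testing only: dummy key and signature."""
    def name(cn):                                         # Name ::= SEQ OF SET OF ATV
        atv = der_tlv(0x30, der_tlv(0x06, CN_OID) + der_tlv(0x13, cn.encode()))
        return der_tlv(0x30, der_tlv(0x31, atv))
    alg = der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"040101000000Z") + der_tlv(0x17, b"050101000000Z"))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00\x00"))              # dummy key
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + alg + name(issuer) + validity + name(subject) + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00\x00"))       # dummy signature


def sample_chain_response():
    """Constructed PKCS#7 SignedData (root + leaf), the shape GetCertificate
    returns with CR_OUT_BASE64HEADER | CR_OUT_CHAIN.  Returns (text, leaf)."""
    root = sample_cert("Test Root CA", "Test Root CA", 1)
    leaf = sample_cert("Stephane", "Test Root CA", 2)
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01")                       # version
                     + der_tlv(0x31, b"")                               # digestAlgorithms
                     + der_tlv(0x30, der_tlv(0x06, PKCS7_DATA_OID))     # contentInfo
                     + der_tlv(0xA0, root + leaf)                       # [0] certificates
                     + der_tlv(0x31, b""))                              # signerInfos
    p7 = der_tlv(0x30, der_tlv(0x06, SIGNED_DATA_OID) + der_tlv(0xA0, signed))
    return to_base64_lines(p7, "PKCS7"), leaf


if __name__ == "__main__":
    text, leaf = sample_chain_response()
    der = response_to_der(text)
    print("leaf DER is %d bytes; pass it as pbData to CryptSetKeyParam(KP_CERTIFICATE)" % len(der))
```

The bytes `response_to_der` returns are what the Win32 call takes: `CryptSetKeyParam(hKey, KP_CERTIFICATE, pbData, 0)` with `pbData` pointing at that buffer, on the key handle obtained from the smartcard CSP container after the import. The leaf is picked by the issuer/subject relation rather than by position because the order of certificates inside a PKCS#7 is not guaranteed.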


