Re: PFXExportCertStoreEx
From: Monica Ene-Pietrosanu[MSFT] (monicae_at_online.microsoft.com)
Date: 07/07/04
Date: Wed, 7 Jul 2004 12:53:41 -0700
Kasilingam,
Everything you have up to step vii. looks fine. After calling
PFXExportCertStoreEx you don't need to call CertSaveStore. You just need to
take that CRYPT_DATA_BLOB structure and extract the pbData field from it
which contains the actual PFX and write that to the disk.
For example, if you have
CRYPT_DATA_BLOB cryptdatablob;
cryptdatablob.cbData contains the size of your PFX
cryptdatablob.pbData has your PFX info => WriteFile this to the disk
to a *.pfx file
--
Monica Ene-Pietrosanu [MS]
Windows Security

This posting is provided "AS IS" with no warranties, and confers no rights.

"kasilingam_s@hotmail.com" <kasilingamshotmailcom@discussions.microsoft.com> wrote in message news:789E1B8B-5F25-4CFF-8382-44C8A853510E@microsoft.com...
> Thanks Monica for your reply. I tried exporting the certificate as a serialized store, but I am not getting a valid .pfx file. I also used the CryptFindCertificateKeyProvInfo API; it returns success but finally I am not getting a valid .pfx file. I need some more help from your side.
> Let me explain the crypto APIs that I had used... suggest if any more APIs must be used in order to get a valid .pfx file, or any other methods to export certificate + private key from the IE store.
> i. I opened the "MY" store using CertOpenSystemStore(hSystemStoreHandle).
> ii. I find the desired certificate using CertFindCertificateInStore.
> iii. Used CryptAcquireCertificatePrivateKey to find whether it has the private key.
> iv. I added the desired certificate context to a separate store (hTempStoreHandle) using CertAddCertificateContextToStore.
> v. I used PFXExportCertStore(hTempStoreHandle...,EXPORT_PRIVATE_KEYS) to determine the size of CRYPT_DATA_BLOB and finally got the BLOB.
> vi. The BLOB is a PFX packet, which I confirmed using PFXIsPFXBlob.
> vii. Now, how should I save this BLOB to the disk (.pfx or .p12) so that it can be converted to .pem using openssl?
> viii. I used CertSaveStore(hTempStoreHandle,CERT_STORE_SAVE_TO_FILE...) to save it to disk but I find it is an invalid .pfx file.
> ix. When I used openssl to convert it into .pem, it says "expecting asn1 sequence". Should I encode the PFX packet??
>
> Thanks in advance
> Kasilingam.S
>
> "Monica Ene-Pietrosanu[MSFT]" wrote:
>
> > There are two separate pieces here:
> > - private key itself (which is included in the PFX file)
> > - Key Provider information (KEY_PROV_INFO) property, which is a volatile property associated with the certificate *while it is in the store*. It is lost if you export/import the certificate. The KEY_PROV_INFO property stores CSP and key information (acts like a pointer from the cert to the private key).
> >
> > To preserve this property on the certificate, you have two alternatives:
> > - either export the cert as a serialized store with 1 element, using CertSaveStore(CERT_STORE_SAVE_AS_STORE) (not as PFX as this is going to strip out the key prov info)
> > - or, if using PFX, after importing the cert back to the store, parse all private keys and see which one matches the public key in the certificate and then set the KEY_PROV_INFO property on the cert. It is recommended that you use the CryptFindCertificateKeyProvInfo API for this. See more info at http://msdn.microsoft.com/library/en-us/security/security/cryptfindcertificatekeyprovinfo.asp
> >
> > I hope this helps.
> > --
> > Monica Ene-Pietrosanu [MS]
> > Windows Security
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > "kasilingam_s@hotmail.com" <kasilingamshotmailcom@discussions.microsoft.com> wrote in message news:C13DF6DA-3255-4F5A-81B7-06F5564EF2D4@microsoft.com...
> > > I used PFXExportCertStoreEx with "EXPORT_PRIVATE_KEYS" to export the certificate + private key.
> > > I get the PFX packet and I find problems after saving it to the disk using CertSaveStore(CERT_STORE_SAVE_AS_STORE,CERT_STORE_SAVE_TO_FILE).
> > > CertSaveStore returns with success.
> > > In order to test the .pfx or .p12 file, I use the certificate import wizard manually to import into a store. I can see the import successful with the associated private key. But if I double click on the .pfx or .p12 I get "This file is invalid for use as the following:Personal Information exchange"
> > > If I use the same .pfx or .p12 file in openssl to convert it to a .pem file, I find openssl throwing an error.
> > > Can anyone pls tell me how to save the PFX packet to a valid .pfx or .p12 in order to avoid compatibility issues??
> > >
> > > If I use CertSaveStore(CERT_STORE_SAVE_AS_PKCS7,CERT_STORE_SAVE_TO_FILE), I don't see the associated private key as pkcs7 doesn't support private key export.
> > >
> > > Thanks in advance
> > > Kasilingam.S
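
A way to confirm that the buffer being saved is the PFX itself, and not a file that fails to begin with an ASN.1 SEQUENCE (the openssl "expecting asn1 sequence" error quoted above), before writing pbData/cbData to disk unchanged. This is an added example, not part of the original posts or Microsoft's code: it is portable C that uses fopen/fwrite in place of WriteFile, it assumes a definite-length encoding, and `pfx_check`, `save_pfx`, the status names and the sample byte arrays are constructed here.

```c
#include <stddef.h>
#include <stdio.h>

/* Status names are hypothetical, chosen for this example. */
enum pfx_status { PFX_OK, PFX_NOT_SEQUENCE, PFX_BAD_LENGTH, PFX_BAD_VERSION };

/* Check that buf starts like a definite-length encoded PKCS #12 PFX:
 *   PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... }
 * Only the outer header and the version are inspected; nothing is decrypted. */
enum pfx_status pfx_check(const unsigned char *buf, size_t len)
{
    size_t pos = 0, body = 0;

    if (len < 2 || buf[pos++] != 0x30)        /* outer tag must be SEQUENCE */
        return PFX_NOT_SEQUENCE;
    unsigned char first = buf[pos++];
    if (first < 0x80) {                       /* short form: length in one octet */
        body = first;
    } else {                                  /* long form: n length octets follow */
        size_t n = first & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len - pos < n)
            return PFX_BAD_LENGTH;
        while (n--)
            body = (body << 8) | buf[pos++];
    }
    if (body != len - pos)                    /* truncated file or trailing bytes */
        return PFX_BAD_LENGTH;
    if (body < 3 || buf[pos] != 0x02 || buf[pos + 1] != 0x01 || buf[pos + 2] != 0x03)
        return PFX_BAD_VERSION;               /* expected INTEGER 3 */
    return PFX_OK;
}

/* Write exactly cb bytes of pb (the blob's pbData/cbData) to path, unmodified.
 * "wb" matters on Windows: text mode would rewrite 0x0A bytes and corrupt the DER. */
int save_pfx(const char *path, const unsigned char *pb, size_t cb)
{
    if (pfx_check(pb, cb) != PFX_OK)
        return -1;                            /* refuse to write a non-PFX buffer */
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    size_t written = fwrite(pb, 1, cb, f);
    if (fclose(f) != 0 || written != cb)
        return -1;
    return 0;
}

/* Constructed samples: a minimal PFX-shaped header, and non-ASN.1 bytes. */
static const unsigned char sample_pfx_header[] = { 0x30, 0x03, 0x02, 0x01, 0x03 };
static const unsigned char sample_not_pfx[] = { 0x00, 0x00, 0x00, 0x00, 0x43, 0x45 };
```

The resulting file carries the private key, so it should be written to a location with a restrictive ACL and exported under a strong password.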