RE: Storing certificate on a hardware token (SC)

From: lelteto (lelteto_at_discussions.microsoft.com)
Date: 02/25/05


Date: Fri, 25 Feb 2005 10:03:40 -0800

The usual way is to get context to the token's CSP (each token vendor has its
own CSP handling its own token). Next you create a container and within that
container inject a dummy key pair then call CryptSetKeyParam with
KP_CERTIFICATE to add the cert to the key. This is if you want to store JUST
the cert (and you don't have the private key).
Now how normally you use the token is that you have the private key on the
token, too. In this case BEFORE the cert request you actually generate the
key pair on-token. The steps:
- acquire context for the token's CSP
- create a container on the token
- generate a key-pair on the token (within the new container)
- export the public key
- generate your cert request, send it to the CA and get back the cert
- acquire context to the token's CSP for the container you created
- get user key
- add the cert to the key (see above, CryptSetKeyParam)

Note that in order to use the certificate from generic Windows applications
(e.g. IE, Outlook etc.) you still would need to COPY the certificate into the
'MY' store - and make sure that the cert property reflects the token's CSP.
From that point on the applications will automatically use the token's CSP to
handle requests involving the cert (and corresponding private key).

Laszlo Elteto
SafeNet, Inc.

"Noolyg" wrote:

> Hello,
>
> I was wondering how to accomplish the following:
>
> After requesting a certificate using Microsoft default Certificate
> Services (certsrv site), how do I get the certificate stored on the
> token and not only in the MY cert store?
>
> Is there a programmatical solution?
> I've read about the "Certificate Enrollment Control" but don't think
> it is the way, I've also read somewhere that I can track the folder
> where Microsoft stores the certificates (or their serials) and on
> change to copy the new certificate, but I was wondering if there's a
> better solution.
> Somehow catching the event of saving a certificate in the MY store
> and moving it to the correct store.
>
> Thanks.
>
> Nool
>
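The eight steps and the closing MY-store note in Laszlo's reply, as an added example that is not from the post, from SafeNet or from Microsoft. It assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, a vendor CSP that registers as PROV_RSA_FULL, and placeholder values for the CSP name, container name, subject and file names; .NET drives the key generation and the request, and the KP_CERTIFICATE step, which .NET does not expose, goes through P/Invoke.

```powershell
$cspName   = 'Vendor Smart Card CSP'   # placeholder: the token vendor's CSP name (see certutil -csplist)
$container = 'TokenKey01'              # placeholder: container to create on the token
$provType  = 1                         # PROV_RSA_FULL; assumed to be the vendor CSP's registered type

# Steps 1-3: acquire context to the token's CSP, create the container, generate the key pair on-token.
$cspParams = [System.Security.Cryptography.CspParameters]::new($provType, $cspName, $container)
$cspParams.KeyNumber = 1                                          # AT_KEYEXCHANGE
$rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048, $cspParams)

# Steps 4-5: export the public key into a PKCS#10 request and hand it to the CA.
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Nool', $rsa,                                              # placeholder subject
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
[IO.File]::WriteAllText('request.csr', [Convert]::ToBase64String($req.CreateSigningRequest()))
# ... submit request.csr to the CA (e.g. the certsrv pages) and save the issued certificate as issued.cer ...

# Steps 6-8: reopen the token container, get the user key, attach the cert with CryptSetKeyParam/KP_CERTIFICATE.
Add-Type -Namespace Capi -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern bool CryptAcquireContext(out IntPtr hProv, string cont, string prov, uint type, uint flags);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool CryptGetUserKey(IntPtr hProv, uint keySpec, out IntPtr hKey);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool CryptSetKeyParam(IntPtr hKey, uint param, byte[] data, uint flags);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool CryptDestroyKey(IntPtr hKey);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool CryptReleaseContext(IntPtr hProv, uint flags);
'@
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('issued.cer')
$hProv = [IntPtr]::Zero; $hKey = [IntPtr]::Zero
if (-not [Capi.Native]::CryptAcquireContext([ref]$hProv, $container, $cspName, $provType, 0)) {
    throw ('CryptAcquireContext failed: 0x{0:X8}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}
try {
    if (-not [Capi.Native]::CryptGetUserKey($hProv, 1, [ref]$hKey)) { throw 'CryptGetUserKey failed' }
    # KP_CERTIFICATE = 26; the data is the DER-encoded certificate
    if (-not [Capi.Native]::CryptSetKeyParam($hKey, 26, $cert.RawData, 0)) { throw 'CryptSetKeyParam(KP_CERTIFICATE) failed' }
} finally {
    if ($hKey -ne [IntPtr]::Zero) { [void][Capi.Native]::CryptDestroyKey($hKey) }
    [void][Capi.Native]::CryptReleaseContext($hProv, 0)
}

# Closing note from the reply: copy the cert into MY with its key-provider property pointing at the token's CSP.
$cert.PrivateKey = $rsa   # sets CERT_KEY_PROV_INFO_PROP_ID to $cspName/$container (.NET Framework only)
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'CurrentUser')
$store.Open('ReadWrite'); $store.Add($cert); $store.Close()
```

After this, IE or Outlook pick the certificate from MY and the key-provider property routes the private-key operation to the token's CSP, which is the behaviour the reply describes.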


