Re: A question about CryptAcquireCertificatePrivateKey

smveloso_at_gmail.com
Date: 06/09/05


Date: 9 Jun 2005 06:56:31 -0700

Hi Mitch,

  That would explain why the keycontainer with the corresponding
private key is not located by the "component" when I pass it a
"certificate object" that was created from an x509 file, since the file
itself would not contain the required extended properties...

  What puzzles me is that, sometimes, the "component" does find the
private key! It seems to depend on the CSP being used (it works for a
smart card manufacturer's CSP but not with another's).

  The real problem I am facing is: I cannot rely on the certificate
being in a "system store" when a user needs my application to validate
a signature... so I look for the certificate in a corporate database
(where a certificate is stored as a base64 encoded x509 der). From the
"blob", a "certificate" is created and the public key extracted to
perform the validation. I would like to use the same approach for
signing (create a "certificate" from the blob, acquire the private key
handle and then sign), but since it is not certain that a private key
will be found (even if available), I guess I will have to use two
different approaches for certificate lookup...

  Thank you very much for your help!

Michel Gallant wrote:
> Not sure about the accuracy of the following details, but my understanding
> is that CryptAcquireCertificatePrivateKey checks the pCert provided, and
> determines if the certificate EXTENDED PROPERTY:
> CERT_KEY_PROV_INFO_PROP_ID
> exists. This indicates that the certificate has a matching and accessible private
> key. I *think* this extended property is stored in the associated cert (or as part of the
> proprietary public cert blob file at:
> C:\Documents and Settings\<userid>\Application Data\Microsoft\SystemCertificates\My\Certificates
> with the keycontainer name embedded in that blob. The exact location of this "blob"
> and the extended properties (which are not part of the X509 binary der cert) to my
> understanding is WinOS specific and can change (some earlier OS stored that blob in
> registry??)
> That keycontainer name then uniquely determines the corresponding private key blob file which
> has a "unique key container" name, derived from SID and hash of keycontainer name, at:
> C:\Documents and Settings\mgallant\Application Data\Microsoft\Crypto\RSA\<userSID>
>
> - Mitch Gallant
> MVP Security
>
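As an added example (not code from either poster), the two-step lookup Michel's explanation implies, written against .NET 2.0's X509Certificate2: a certificate built from the bare DER blob has the public key but no key-provider association, so the same certificate is located by thumbprint in the user's personal store, where the entry does carry it. The byte array `derFromDatabase`, the CurrentUser\My store and the `PrivateKeyLookup` class name are assumptions for the illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the thread. The DER bytes are assumed to come from the
// corporate database mentioned in the post (decoded from base64 by code not shown).
static class PrivateKeyLookup
{
    // Returns a certificate object that can sign, or null if no private key is reachable.
    public static X509Certificate2 FindSigningCertificate(byte[] derFromDatabase)
    {
        // Step 1: build a certificate from the raw X.509 DER blob. This is enough for
        // signature validation (public key), but the object carries none of the
        // extended properties (CERT_KEY_PROV_INFO_PROP_ID), so HasPrivateKey is
        // normally false even when the key container exists on this machine.
        X509Certificate2 fromBlob = new X509Certificate2(derFromDatabase);
        if (fromBlob.HasPrivateKey)
            return fromBlob;   // some CSP setups do resolve it directly; use it as-is

        // Step 2: find the same certificate (same thumbprint) in the personal store.
        // The store copy is the one that holds the key container reference.
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false: an expired or untrusted cert must still match here,
            // because we are looking up a key, not validating a chain.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, fromBlob.Thumbprint, false);
            foreach (X509Certificate2 candidate in matches)
            {
                if (candidate.HasPrivateKey)
                    return candidate;   // store copy with the private key association
            }
        }
        finally
        {
            store.Close();
        }
        return null;   // public key only: can validate, cannot sign
    }
}
```

If the lookup returns null, the application knows up front that signing is not possible for that user and can fall back to validation only, instead of discovering it when CryptAcquireCertificatePrivateKey fails.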