Re: SmartCard CSP and CA certificate enrollment
From: lelteto (lelteto_at_discussions.microsoft.com)
Date: Thu, 28 Jul 2005 09:21:04 -0700
Just one clarification: Winlogon will process only the FIRST certificate on
the smart card. If you have multiple certs you would still need a private
method to copy the other certs to the local cert store.
"Doug Barlow" wrote:
> The Microsoft Certificate Enrollment Wizard puts new certificates into the
> certificate store, not the CA. In addition, when your smart card CSP
> enrolls for a certificate, the Certificate Enrollment Wizard offers the
> certificate to the CSP via a call to CryptSetKeyParam(KP_CERTIFICATE). A
> well-behaved smartcard CSP will store the certificate with the key.
> Then, while you are logged on, any time a smart card is inserted into a
> reader, the WinLogon process figures out which CSP goes with the newly
> inserted smart card, opens the key, and retrieves the certificate via
> CryptGetKeyParam(KP_CERTIFICATE). It then puts that certificate into the MY
> store, along with links as to where the associated key can be found.
> So the certificate propagates to every system that sees your smart card. If
> an error occurs at any point in these actions, it just quietly abandons the
> Doug Barlow
> The Soft Pedal Shop
> CSP Design & Development Consulting
> "Max" <Max@discussions.microsoft.com> wrote in message
> >I implement CSP for smartcard and have some questions:
> > 1. Does Microsoft CA (or CA in general) put enrolled certificate for
> > smartcard to local certificate store?
> > 2. If not who and when has to put the certificate to local store?
> > Can I put it to local store in CSP when the certificate is written to it
> > (in CPSetKeyParam() with KP_CERTIFICATE param)?
> > 3. Is it necessary to implement Certificate Store Provider?