Re: SmartCard CSP and CA certificate enrollment
From: lelteto (lelteto_at_discussions.microsoft.com)
Date: 07/28/05
Date: Thu, 28 Jul 2005 09:21:04 -0700
Just one clarification: Winlogon will process only the FIRST certificate on
the smart card. If you have multiple certs you would still need a private
method to copy the other certs to the local cert store.
Laszlo Elteto
SafeNet, Inc.
"Doug Barlow" wrote:
> The Microsoft Certificate Enrollment Wizard puts new certificates into the
> certificate store, not the CA. In addition, when your smart card CSP
> enrolls for a certificate, the Certificate Enrollment Wizard offers the
> certificate to the CSP via a call to CryptSetKeyParam(KP_CERTIFICATE). A
> well-behaved smartcard CSP will store the certificate with the key.
>
> Then, while you are logged on, any time a smart card is inserted into a
> reader, the WinLogon process figures out which CSP goes with the newly
> inserted smart card, opens the key, and retrieves the certificate via
> CryptGetKeyParam(KP_CERTIFICATE). It then puts that certificate into the MY
> store, along with links as to where the associated key can be found.
>
> So the certificate propagates to every system that sees your smart card. If
> an error occurs at any point in these actions, it just quietly abandons the
> action.
>
> Doug Barlow
> The Soft Pedal Shop
> CSP Design & Development Consulting
> http://www.SoftPedal.net
> --
> "Max" <Max@discussions.microsoft.com> wrote in message
> news:BCC414E7-6323-46B7-805E-7D3CD94FAB27@microsoft.com...
> > I implement CSP for smartcard and have some questions:
> >
> > 1. Does Microsoft CA (or CA in general) put enrolled certificate for
> > smartcard to local certificate store?
> >
> > 2. If not who and when has to put the certificate to local store?
> > Can I put it to local store in CSP when the certificate is written to it
> > (in CPSetKeyParam() with KP_CERTIFICATE param)?
> >
> > 3. Is it necessary to implement Certificate Store Provider?
> >