Re: SmartCard CSP and CA certificate enrollment
- From: _burke_ <burke@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 18 Sep 2006 07:52:02 -0700
I have a question about this propagation. When does it stop? To put the question more clearly: if the AT_KEYEXCHANGE and AT_SIGNATURE keys are the same for the smart card CSP and, on a Windows XP system, propagation starts but seems never to end, is that a problem, or is it normal for the winlogon process?
"Doug Barlow" wrote:
Right! (Thanks, Laszlo.) WinLogon will propagate one certificate to the MY store for each of the two keys (AT_KEYEXCHANGE and AT_SIGNATURE) in the 'default' container on the smart card. Any other certificates you need to deal with yourself.
Doug Barlow
The Soft Pedal Shop
CSP Design & Development Consulting
http://www.SoftPedal.net
--
"lelteto" <lelteto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F6B519F5-A750-4843-AE50-54F0D74EAA98@xxxxxxxxxxxxxxxx
Just one clarification: Winlogon will process only the FIRST certificate on the smart card. If you have multiple certs you would still need a private method to copy the other certs to the local cert store.
Laszlo Elteto
SafeNet, Inc.
"Doug Barlow" wrote:
The Microsoft Certificate Enrollment Wizard puts new certificates into the certificate store, not the CA. In addition, when your smart card CSP enrolls for a certificate, the Certificate Enrollment Wizard offers the certificate to the CSP via a call to CryptSetKeyParam(KP_CERTIFICATE). A well-behaved smart card CSP will store the certificate with the key.
Then, while you are logged on, any time a smart card is inserted into a reader, the WinLogon process figures out which CSP goes with the newly inserted smart card, opens the key, and retrieves the certificate via CryptGetKeyParam(KP_CERTIFICATE). It then puts that certificate into the MY store, along with links as to where the associated key can be found.
So the certificate propagates to every system that sees your smart card. If an error occurs at any point in these actions, it just quietly abandons the action.
Doug Barlow
The Soft Pedal Shop
CSP Design & Development Consulting
http://www.SoftPedal.net
--
"Max" <Max@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BCC414E7-6323-46B7-805E-7D3CD94FAB27@xxxxxxxxxxxxxxxx
I am implementing a CSP for a smart card and have some questions:
1. Does the Microsoft CA (or a CA in general) put the certificate enrolled for the smart card into the local certificate store?
2. If not, who has to put the certificate into the local store, and when? Can I put it into the local store from the CSP when the certificate is written to it (in CPSetKeyParam() with the KP_CERTIFICATE param)?
3. Is it necessary to implement Certificate Store Provider?
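The "links as to where the associated key can be found" that Doug describes are the certificate's CERT_KEY_PROV_INFO property (CSP name, container name, provider type and key spec). The PowerShell script below is an added illustration, not code from the thread or from any of its posters: it walks the current user's MY store and, for every certificate whose key link points at a smart card provider, reports which container and which key (AT_KEYEXCHANGE = 1, AT_SIGNATURE = 2) it is bound to. That makes it easy to see what WinLogon actually propagated from the 'default' container and which certificates on the card still need the "private method" Laszlo mentions. It only reads the property with CertGetCertificateContextProperty and never opens the key, so it triggers no card or PIN prompt. The provider-name pattern 'Smart Card' is an assumption; adjust it to match the name your CSP registers under.

```powershell
# Added example (not from the thread): inspect the key links WinLogon wrote
# into the MY store. Windows only; runs in Windows PowerShell 5.1 or PowerShell 7.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class KeyProv
{
    public const uint CERT_KEY_PROV_INFO_PROP_ID = 2;

    // Mirrors CRYPT_KEY_PROV_INFO from wincrypt.h; the string pointers
    // point into the same buffer CryptoAPI fills for us.
    [StructLayout(LayoutKind.Sequential)]
    public struct CRYPT_KEY_PROV_INFO
    {
        [MarshalAs(UnmanagedType.LPWStr)] public string pwszContainerName;
        [MarshalAs(UnmanagedType.LPWStr)] public string pwszProvName;
        public uint   dwProvType;
        public uint   dwFlags;
        public uint   cProvParam;
        public IntPtr rgProvParam;
        public uint   dwKeySpec;
    }

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertGetCertificateContextProperty(
        IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);

    // Returns null when the certificate carries no key link at all.
    public static CRYPT_KEY_PROV_INFO? Get(IntPtr certContext)
    {
        uint cb = 0;
        if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, IntPtr.Zero, ref cb))
            return null;
        IntPtr buf = Marshal.AllocHGlobal((int)cb);
        try
        {
            if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, buf, ref cb))
                return null;
            return (CRYPT_KEY_PROV_INFO)Marshal.PtrToStructure(buf, typeof(CRYPT_KEY_PROV_INFO));
        }
        finally
        {
            Marshal.FreeHGlobal(buf);
        }
    }
}
"@

function Get-SmartCardKeyLinks {
    param(
        # Assumption: the CSP/KSP name contains "Smart Card"; change for a third-party CSP.
        [string]$ProviderPattern = 'Smart Card'
    )
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $info = [KeyProv]::Get($cert.Handle)
        if ($null -eq $info) { continue }                       # no key link: not a key certificate
        if ($info.pwszProvName -notmatch $ProviderPattern) { continue }

        # Key spec values from wincrypt.h; a CNG KSP link uses CERT_NCRYPT_KEY_SPEC.
        $keySpec = switch ([uint32]$info.dwKeySpec) {
            1          { 'AT_KEYEXCHANGE' }
            2          { 'AT_SIGNATURE' }
            0xFFFFFFFF { 'CERT_NCRYPT_KEY_SPEC (CNG KSP)' }
            default    { $_ }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $info.pwszProvName
            ProvType   = $info.dwProvType          # PROV_RSA_FULL = 1 for a legacy CSP
            Container  = $info.pwszContainerName   # 'default' is what WinLogon looks at
            KeySpec    = $keySpec
        }
    }
}

Get-SmartCardKeyLinks | Format-Table -AutoSize
```

Run it once with the card inserted and once after removing it: the rows do not change, because the MY store holds only the certificate and the link, while the private key stays on the card. If a certificate you expect is missing, or two rows share the same container and key spec, that is the behaviour Doug and Laszlo describe: WinLogon propagates at most one certificate per key spec from the default container and silently abandons anything that fails.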