Need to create a Public Key Blob for our Windows CE device, I think

First the background. We are creating a Windows CE 5.0 device. We
have the OS pretty well solid. It does include the CryptoAPIs and the
Certificates Service. I have control of the platform so I can add
other catalog items if they are needed.
Our goal is to allow an executable from our Company to be run from a
USB drive inserted prior to boot. It has been decided that the
executable will have a known name (say "Runme.exe"). I am thinking
that we can sign the executable with our PFX file/key to verify it's
origin and integrity. The issue is that the device will not be on a
network connected to the Internet (it will be on a network however).
My Issues, I have seen examples of reading a public key blob and
verifying a signature, but I do not know how to extract the public key
from the PFX file. I am disinclined to put the PFX file on the
Windows CE unit as it will be going to customers. Though our shell
does not give them access to the file system, I would rather not let
the file out the door.
I am open to an alternative approach, but time is an issue. I need to
have the solution implemented and in place by the beginning of
December. I am working on an odd CRC solution in case I cannot
resolve these issues, but I would much prefer to use the Certificates
and Keys we already own.

Pat O
Cognex, Corp.

Relevant Pages