RE: EAP-TLS Client enrollment recovery.



Hi,

How do you store the private keys associated with the "MY" certificates? Are
they created using the Microsoft CSP?
When you serialize a certificate, you are serializing all the information
that links it to its private key (CSP name, container name, key
specification...) but not the private key itself. When the certificate
context is restored, this private key information should be valid and should
point to the same key in the target CSP.

I advise you to use PFXExportCertStoreEx to export the "MY" certificate
store (certificates + keys) to a pfx file. Then you can import it back
programmatically using PFXImportCertStore (explore the returned store using
CertEnumCertificatesInStore and extract necessary information using
CertGetCertificateContextProperty). For that to work, the enrollment private
keys must be generated as exportable (CRYPT_EXPORTABLE flag). Tell me if this
solution solves your problem.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
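The export/import round trip described in the reply above, as an added example that is not part of the thread and not code from either poster. It uses the PowerShell PKI cmdlets on desktop Windows (same PFX format, same certificate stores) rather than the Win CE CryptoAPI calls named above, so the procedure can be checked on a workstation before porting it to C. The thumbprint, file paths and password are placeholders; it assumes the client certificate sits in Cert:\LocalMachine\My and that its key was generated exportable.

```powershell
# Added example, not from the thread. Assumes: certificate in Cert:\LocalMachine\My,
# exportable private key, placeholder thumbprint/paths/password supplied by the caller.

function Export-ClientAuthCert {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key in MY" }
    # Export-PfxCertificate fails when the key was not generated as exportable,
    # which is the CRYPT_EXPORTABLE requirement from the reply.
    try {
        Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    } catch {
        throw "Key for $Thumbprint is not exportable: $($_.Exception.Message)"
    }
    return $cert
}

function Export-TrustChain {
    # ROOT and CA contents are lost on reboot too; export the public chain certs (no keys).
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$OutDir
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # building the trust path, not checking revocation
    if (-not $chain.Build($Cert)) { throw 'Could not build the chain from the local stores' }
    # Element 0 is the client certificate itself; self-signed -> Root, otherwise -> CA.
    foreach ($el in ($chain.ChainElements | Select-Object -Skip 1)) {
        $c = $el.Certificate
        $store = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
        Export-Certificate -Cert $c -FilePath (Join-Path $OutDir "$store-$($c.Thumbprint).cer") | Out-Null
    }
}

function Import-TrustChain {
    param([Parameter(Mandatory)][string]$InDir)
    foreach ($store in 'Root', 'CA') {
        Get-ChildItem (Join-Path $InDir "$store-*.cer") | ForEach-Object {
            Import-Certificate -FilePath $_.FullName -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
        }
    }
}

function Restore-ClientAuthCert {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Certificate and key go back into MY together; -Exportable keeps a later re-export possible.
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                                      -Password $Password -Exportable
    foreach ($cert in $imported) {
        # A context restored from a serialized element alone would report $false here,
        # because only the CSP/container reference travels with it, not the key.
        if (-not $cert.HasPrivateKey) { throw "Restored $($cert.Thumbprint) has no private key" }
        Write-Host "Restored $($cert.Thumbprint) with private key; valid until $($cert.NotAfter)"
    }
    return $imported
}

# Usage (placeholders): before the reboot, after enrollment succeeded
$pw   = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Export-ClientAuthCert -Thumbprint '<THUMBPRINT-OF-ENROLLED-CERT>' -PfxPath 'C:\backup\client.pfx' -Password $pw
Export-TrustChain -Cert $cert -OutDir 'C:\backup'
# After the reboot, once the stores are empty again
Import-TrustChain -InDir 'C:\backup'
Restore-ClientAuthCert -PfxPath 'C:\backup\client.pfx' -Password $pw | Out-Null
```

The PFX file now holds the private key the device authenticates with, so it needs the same protection as the key container it replaces: a non-trivial password and storage the device can read but nothing else can. The `HasPrivateKey` check in `Restore-ClientAuthCert` is the quick test for the failure mode in the original question: a certificate that is present but unable to sign the EAP-TLS handshake.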


"Anthony" wrote:

Our Client (Win CE 5.00 device) connects to a wireless network using EAP-TLS
authentication.
We programmatically enroll Clients (web-enrollment) that get certificates
from Windows Server 2003.
Client connects to the network and works fine until we have to reboot Client
(Win CE).

On reboot all certificate stores (“MY”, “ROOT” and “CA”) lose certificates
installed during enrollment processes (Client has a RAM-based registry) and
we have to go through the regular enrollment process once again. Going
through this process is not feasible in some cases (device has to visit a
special station), so we need to re-install certificate from a file.

I tried to serialize certificate (CertSerializeCertificateStoreElement())
just after enrollment and then restore certificate (using
CertAddSerializedElementToStore) and a session key after reboot, but network
authentication fails with the following error:

Reason-Code = 260
Reason = The message or signature supplied for verification has been altered

My question is:
What is the correct way to restore certificate and Client authentication
settings/properties programmatically?

Thanks, Anthony
