RE: EAP-TLS Client enrollment recovery.


How do you store the private keys associated with the "MY" certificates? Are
they created using the Microsoft CSP?
When you serialize a certificate, you are serializing all the information
that links it to its private key (CSP name, container name, key
specification...) but not the private key itself. When the certificate
context is restored, this private key information should be valid and should
point to the same key in the target CSP.

I advise you to use PFXExportCertStoreEx to export the "MY" certificate
store (certificates + keys) to a pfx file. Then you can import it back
programmatically using PFXImportCertStore (explore the returned store using
CertEnumCertificatesInStore and extract necessary information using
CertGetCertificateContextProperty). For that to work, the enrollment private
keys must be generated as exportable (CRYPT_EXPORTABLE flag). Tell me if this
solution solves your problem.


to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
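
The export and re-import round-trip suggested above, as an added example that is not part of the original reply. It uses the .NET X509 classes on a desktop Windows host (they wrap the same PFXExportCertStoreEx / PFXImportCertStore calls) rather than the CE CryptoAPI; the PFX path and password are placeholders, and the check at the end is the one a serialized-element restore fails when the key link is broken.

```powershell
# Back up CurrentUser\MY (certificates + private keys) to a PFX, then restore it
# and verify each certificate still resolves to its private key.
# Assumptions: desktop Windows, keys created with CRYPT_EXPORTABLE.
$PfxPath  = Join-Path $env:TEMP 'my-store-backup.pfx'   # placeholder path
$Password = 'ChangeMe-placeholder'                       # placeholder password

# --- Export phase: collect only certificates whose key can actually leave the CSP ---
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadOnly')
$exportable = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($cert in $store.Certificates) {
    if (-not $cert.HasPrivateKey) { continue }          # no key link, nothing to preserve
    try {
        # Export throws CryptographicException when the key was not generated exportable
        [void]$cert.Export('Pkcs12', $Password)
        [void]$exportable.Add($cert)
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "Skipping $($cert.Thumbprint): private key is not exportable"
    }
}
$store.Close()
# One PFX holding every certificate and its key, equivalent to PFXExportCertStoreEx on "MY"
[IO.File]::WriteAllBytes($PfxPath, $exportable.Export('Pkcs12', $Password))

# --- Restore phase (run after the store has been wiped): import PFX, put keys back in the CSP ---
$restored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
# PersistKeySet writes the key into a CSP container so it survives beyond this process
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'PersistKeySet, UserKeySet'
$restored.Import($PfxPath, $Password, $flags)

$store.Open('ReadWrite')
foreach ($cert in $restored) {
    $store.Add($cert)
    # HasPrivateKey is true only if the certificate context points at a real key in the CSP
    '{0} {1} key={2}' -f $cert.Thumbprint, $cert.Subject, $cert.HasPrivateKey
}
$store.Close()
```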

"Anthony" wrote:

Our Client (Win CE 5.00 device) connects to a wireless network using EAP-TLS
We programmatically enroll Clients (web-enrollment) that get certificates
from Windows Server 2003.
Client connects to the network and works fine until we have to reboot Client
(Win CE).

On reboot all certificate stores (“MY”, “ROOT” and “CA”) lose certificates
installed during enrollment processes (Client has a RAM-based registry) and
we have to go through the regular enrollment process once again. Going
through this process is not feasible in some cases (device has to visit a
special station), so we need to re-install certificate from a file.

I tried to serialize certificate (CertSerializeCertificateStoreElement())
just after enrollment and then restore certificate (using
CertAddSerializedElementToStore) and a session key after reboot, but network
authentication fails with the following error:

Reason-Code = 260
Reason = The message or signature supplied for verification has been altered

My question is
What is the correct way to restore certificate and Client authentication
settings/properties programmatically?

Thanks, Anthony