RE: EAP-TLS Client enrollment recovery.


How do you store the private keys associated with the "MY" certificates? Are
they created using the Microsoft CSP?
When you serialize a certificate, you are serializing all the information
that links it to its private key (CSP name, container name, key
specification...) but not the private key itself. When the certificate
context is restored, this private key information should be valid and should
point to the same key in the target CSP.

I advise you to use PFXExportCertStoreEx to export the "MY" certificate
store (certificates + keys) to a pfx file. Then you can import it back
programmatically using PFXImportCertStore (explore the returned store using
CertEnumCertificatesInStore and extract necessary information using
CertGetCertificateContextProperty). For that to work, the enrollment private
keys must be generated as exportable (CRYPT_EXPORTABLE flag). Tell me if this
solution solves your problem.


to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
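Added example, not part of either post: the export / re-import cycle recommended above, driven from desktop Windows PowerShell. The PKI module's Export-PfxCertificate and Import-PfxCertificate correspond to the PFXExportCertStoreEx / PFXImportCertStore calls named in the reply, and the final loop does what CertEnumCertificatesInStore plus CertGetCertificateContextProperty would do in C: walk the store and check that the restored context's key-provider information actually resolves to a usable private key, which is the check a certificate restored with CertAddSerializedElementToStore alone would fail. Win CE 5 has no PowerShell, so this is a desktop stand-in; the self-signed test certificates, the subject names and the file paths under $env:TEMP are assumptions made here, not anything from the thread.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 5.1 or
# PowerShell 7 with the PKI module, run as the user whose CurrentUser\My store is used.
$pfxPath  = Join-Path $env:TEMP 'my-store-backup.pfx'          # assumed path
$password = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Enroll a stand-in certificate. -KeyExportPolicy Exportable is the equivalent of
#    generating the enrollment key with CRYPT_EXPORTABLE; without it step 2 cannot work.
$cert = New-SelfSignedCertificate -Subject 'CN=eap-tls-client-demo' `
            -CertStoreLocation 'Cert:\CurrentUser\My' `
            -KeyExportPolicy Exportable -KeyAlgorithm RSA -KeyLength 2048 `
            -KeyUsage DigitalSignature, KeyEncipherment

# 2. Export certificate + private key to PFX (PFXExportCertStoreEx does this for a store).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Simulate the reboot of a RAM-backed store: drop the certificate and its key.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

# 3. Import the PFX back into MY (PFXImportCertStore + adding the contexts to the store).
#    -Exportable keeps the restored key exportable so the next backup cycle still works.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Password $password -Exportable | Out-Null

# 4. Enumerate the store and prove the restored context can reach its key. A context
#    restored from CertSerializeCertificateStoreElement carries the CSP/container
#    reference but the key is gone, so this is where that approach breaks.
$hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    ForEach-Object {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
        if ($null -eq $rsa) { throw "Restored certificate $($_.Thumbprint) has no reachable private key" }
        $data = [Text.Encoding]::UTF8.GetBytes('eap-tls key check')
        $sig  = $rsa.SignData($data, $hash, $pad)
        $ok   = $rsa.VerifyData($data, $sig, $hash, $pad)
        '{0}  HasPrivateKey={1}  SignatureOK={2}' -f $_.Thumbprint, $_.HasPrivateKey, $ok
    }

# Caveat from the reply: a key generated without CRYPT_EXPORTABLE cannot be exported this way.
$locked = New-SelfSignedCertificate -Subject 'CN=non-exportable-demo' `
              -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy NonExportable
try {
    Export-PfxCertificate -Cert $locked -FilePath (Join-Path $env:TEMP 'locked.pfx') `
        -Password $password -ErrorAction Stop | Out-Null
    Write-Warning 'Unexpected: a non-exportable key was exported'
} catch {
    "Export of non-exportable key refused as expected: $($_.Exception.Message)"
} finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($locked.Thumbprint)" -DeleteKey
}
```

The sign/verify round trip is the point of step 4: HasPrivateKey only reports that key-provider information is attached to the context, which is true for a serialized element as well; GetRSAPrivateKey and a real signature show that the information resolves to a key that exists, which is what the RADIUS server ends up verifying in EAP-TLS.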

"Anthony" wrote:

Our Client (Win CE 5.00 device) connects to a wireless network using EAP-TLS.
We programmatically enroll Clients (web-enrollment) that get certificates
from Windows Server 2003.
Client connects to the network and works fine until we have to reboot Client
(Win CE).

On reboot all certificate stores (“MY”, “ROOT” and “CA”) lose certificates
installed during enrollment processes (Client has a RAM-based registry) and
we have to go through the regular enrollment process once again. Going
through this process is not feasible in some cases (device has to visit a
special station), so we need to re-install certificate from a file.

I tried to serialize certificate (CertSerializeCertificateStoreElement())
just after enrollment and then restore certificate (using
CertAddSerializedElementToStore) and a session key after reboot, but network
authentication fails with the following error:

Reason-Code = 260
Reason = The message or signature supplied for verification has been altered

My question is
What is the correct way to restore certificate and Client authentication
settings/properties programmatically?

Thanks Anthony
