RE: EAP-TLS Client enrollment recovery.


To answer your first question, the private keys are not restored when you
only restore the certificates. You also have to import them back manually to
the Microsoft CSP.

Concerning PFXImportCertStore, I think you are missing how it really works.
This function imports the keys and certificates into a memory store and
returns its handle to you. Then you can explore this store programmatically
in order to extract certificates and keys from it and put them back into the
"MY" store. This function doesn't interact with the system physical stores.

As I wrote in my first message, you have to "explore the returned store using
CertEnumCertificatesInStore and extract necessary information using
CertGetCertificateContextProperty". This means that you will use the handle
returned by PFXImportCertStore in CertEnumCertificatesInStore to read all the
certificate contexts and then extract all the necessary information from
them (using CertGetCertificateContextProperty,
CryptAcquireCertificatePrivateKey and others) in order to populate the "MY"
store (or another store). Repeat the same procedure for the other stores, one
by one.

I hope this will help.

To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
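The procedure described above, written out as an added example that is not part of this thread and not Mounir's or Anthony's code. It uses Windows PowerShell (.NET Framework) rather than C, because the .NET X509 classes wrap the same CryptoAPI sequence: X509Certificate2Collection.Import is the PFXImportCertStore step into a memory-only collection, and X509Store.Add is the step that copies each context into the physical MY, CA or ROOT store. The PFX path, the password and the CurrentUser location are assumptions (placeholders), and the routing rule (private key present goes to MY, self-signed goes to ROOT, everything else goes to CA) is my own choice, not something the thread prescribes.

```powershell
# Added example, not code from the thread. Restores a PFX (exported with its
# private keys) into the current user's MY / CA / ROOT stores and verifies that
# the private key really came along. Assumes Windows PowerShell 5.1 on Windows.
param(
    [string]$PfxPath  = 'C:\backup\enrollment.pfx',   # placeholder path
    [string]$Password = 'placeholder-password'        # placeholder password
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# PersistKeySet is the part that is easy to miss: without it the key container
# created by the import is discarded when the in-memory object goes away, so the
# certificate copied into MY ends up with no usable private key.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable

# Step 1: import into a memory-only collection (the PFXImportCertStore step).
# Nothing has reached a physical store yet.
$collection = New-Object "$X509.X509Certificate2Collection"
$collection.Import($PfxPath, $Password, $flags)

# Step 2: open the physical stores that will be populated.
function Open-UserStore([string]$Name) {
    $store = New-Object "$X509.X509Store"($Name, 'CurrentUser')
    $store.Open('ReadWrite')
    return $store
}
$my   = Open-UserStore 'My'
$ca   = Open-UserStore 'CA'
$root = Open-UserStore 'Root'   # adding to CurrentUser\Root triggers a trust confirmation dialog

# Step 3: enumerate the memory store and copy each context into the right
# physical store (the CertEnumCertificatesInStore / CertAddCertificateContextToStore step).
foreach ($cert in $collection) {
    if ($cert.HasPrivateKey) {
        $my.Add($cert)                          # end-entity certificate plus key reference
    } elseif ($cert.Subject -eq $cert.Issuer) {
        $root.Add($cert)                        # self-signed: trusted root
    } else {
        $ca.Add($cert)                          # intermediate CA
    }
}
$my.Close(); $ca.Close(); $root.Close()

# Step 4: verify from the physical store, not from the in-memory collection.
# This is the check that reveals a missing key: the certificate is present but
# HasPrivateKey is false.
function Test-RestoredKey([string]$Thumbprint) {
    $stored = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $stored) { return 'missing from MY' }
    if (-not $stored.HasPrivateKey) { return 'present, but private key not restored' }
    return 'present with private key'
}

foreach ($cert in $collection | Where-Object { $_.HasPrivateKey }) {
    Write-Host ("{0}: {1}" -f $cert.Subject, (Test-RestoredKey $cert.Thumbprint))
}
```

The CA and ROOT stores can be checked the same way through `Cert:\CurrentUser\CA` and `Cert:\CurrentUser\Root`. If step 4 reports the certificate as present without its private key, the usual cause is that the PFX was exported without its keys or that the import did not persist the key container.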

"Anthony" wrote:

Hi Mounir,

My enrollment code is based on the Microsoft enroll.exe source, which uses
the default Microsoft CSP.
I do not import and store private keys explicitly, but I do generate them
with the CRYPT_EXPORTABLE flag. I just tell the CSP to generate private keys and
then the CryptSetKeyParam(hCurKey, KP_CERTIFICATE, pCert->pbCertEncoded, 0)
function is called, as I understand, to associate the certificate with the private
When certificate and private keys are originally created, do I have to
import the private keys and save them in order to restore them later? So far,
I assumed that private keys can be restored using restored certificate.

I tried to use PFXExportCertStoreEx/ PFXImportCertStore calls, but it didn’t

- PFXExportCertStoreEx was called with (EXPORT_PRIVATE_KEYS |
- PFXImportCertStore was called with CRYPT_EXPORTABLE flags.

Calls were successful, but, after executing the import function, I couldn’t
find the certificate in the MY store and my server name didn’t appear in the “Trusted
Authorities” list. So, I assume that the CA and ROOT stores also weren’t updated

I can find the certificate in the store using the handle returned by
PFXImportCertStore, but later on, when I open the MY store, there is nothing in
I’m probably missing something during the import. When I call
PFXImportCertStore, how does it know which store has to be imported?
Is there a working code example I can use?