RE: EAP-TLS Client enrollment recovery.


To answer your first question, the private keys are not restored when you
only restore the certificates. You also have to import them back manually into
the Microsoft CSP.

Concerning PFXImportCertStore, I think you are missing how it really works.
This function imports the keys and certificates into a memory store and
returns its handle to you. Then you can explore this store programmatically
in order to extract certificates and keys from it and put them back into
the "MY" store. This function doesn't interact with the system physical
stores.

As I wrote in my first message, you have to "explore the returned store using
CertEnumCertificatesInStore and extract necessary information using
CertGetCertificateContextProperty". This means that you will use the handle
returned by PFXImportCertStore in CertEnumCertificatesInStore to read all the
certificate contexts and then extract all the necessary information from
them (using CertGetCertificateContextProperty,
CryptAcquireCertificatePrivateKey and others) in order to populate the "MY"
store (or another store). Repeat the same procedure for the other stores, one
by one.

I hope this will help.

To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
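The backup/restore procedure described in the reply above, as an added example that is not part of the original thread. It uses the .NET X509 classes from PowerShell, which wrap the same CryptoAPI calls the thread discusses (PFXExportCertStoreEx for the export, PFXImportCertStore for the import into a memory-only collection, and CertAddCertificateContextToStore when each context is copied into a physical store). The thumbprint, the PFX path, the password and the use of the LocalMachine stores are assumptions; the Subject-equals-Issuer test for routing a certificate to the Root store is a heuristic, not a rule the thread states. Writing to LocalMachine stores requires an elevated prompt.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Backup: export the client cert, its private key and its issuer chain to one PFX.
# As in the thread, the key must have been generated CRYPT_EXPORTABLE or Export throws.
function Backup-EapTlsClientCert {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # assumed: SHA-1 thumbprint of the client cert
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password
    )
    $my = [X509Store]::new([StoreName]::My, [StoreLocation]::LocalMachine)
    $my.Open([OpenFlags]::ReadOnly)
    try {
        $found = $my.Certificates.Find([X509FindType]::FindByThumbprint, $Thumbprint, $false)
        if ($found.Count -ne 1) { throw "expected one cert with thumbprint $Thumbprint, found $($found.Count)" }
        $cert = $found[0]
        if (-not $cert.HasPrivateKey) { throw "cert $Thumbprint is not linked to a CSP key; nothing to back up" }

        # Collect the leaf plus every issuer so the CA and Root stores can be restored too.
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        $null = $chain.Build($cert)
        $coll = [X509Certificate2Collection]::new()
        foreach ($el in $chain.ChainElements) { $null = $coll.Add($el.Certificate) }

        # Equivalent of PFXExportCertStoreEx with EXPORT_PRIVATE_KEYS: the key travels inside the PFX.
        [IO.File]::WriteAllBytes($PfxPath, $coll.Export([X509ContentType]::Pfx, $Password))
    } finally { $my.Close() }
}

# Restore: import the PFX into a memory collection, then copy each context into a physical store.
function Restore-EapTlsClientCert {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password
    )
    # PersistKeySet writes the private key into a CSP key container (without it the key is dropped
    # when the object is disposed); MachineKeySet places it in the machine key store, which an
    # EAP-TLS client needs when it authenticates before any user logs on; Exportable mirrors
    # CRYPT_EXPORTABLE so a later backup still works.
    $flags = [X509KeyStorageFlags]::MachineKeySet -bor [X509KeyStorageFlags]::PersistKeySet -bor
             [X509KeyStorageFlags]::Exportable
    $coll = [X509Certificate2Collection]::new()
    $coll.Import($PfxPath, $Password, $flags)   # PFXImportCertStore equivalent: memory only

    $restored = @()
    foreach ($cert in $coll) {
        # Nothing in the import chooses a store; route each context by hand (heuristic).
        if ($cert.HasPrivateKey) { $name = [StoreName]::My }
        elseif ($cert.Subject -eq $cert.Issuer) { $name = [StoreName]::Root }
        else { $name = [StoreName]::CertificateAuthority }

        $store = [X509Store]::new($name, [StoreLocation]::LocalMachine)
        $store.Open([OpenFlags]::ReadWrite)
        try { $store.Add($cert) } finally { $store.Close() }   # CertAddCertificateContextToStore
        $restored += [pscustomobject]@{ Store = $name; Thumbprint = $cert.Thumbprint; HasKey = $cert.HasPrivateKey }
    }
    return $restored
}

# Check: HasPrivateKey only says the cert is linked to a key container; open the key and sign with it.
function Test-EapTlsClientKey {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $my = [X509Store]::new([StoreName]::My, [StoreLocation]::LocalMachine)
    $my.Open([OpenFlags]::ReadOnly)
    try {
        $found = $my.Certificates.Find([X509FindType]::FindByThumbprint, $Thumbprint, $false)
        if ($found.Count -eq 0) { return $false }
        $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($found[0])
        if ($null -eq $rsa) { return $false }
        $sig = $rsa.SignData([byte[]](1, 2, 3), [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                             [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return ($sig.Length -gt 0)
    } finally { $my.Close() }
}

# Usage (placeholder values):
# Backup-EapTlsClientCert -Thumbprint '<thumbprint>' -PfxPath 'C:\backup\client.pfx' -Password '<pw>'
# Restore-EapTlsClientCert -PfxPath 'C:\backup\client.pfx' -Password '<pw>' | Format-Table
# Test-EapTlsClientKey -Thumbprint '<thumbprint>'
```

The point the thread makes is visible in the restore step: the import alone leaves everything in `$coll`, and the MY, CA and Root stores only change because each context is added to them explicitly. Leaving out PersistKeySet reproduces the symptom of a certificate that appears in the store without a usable key, which is why the check signs with the key rather than trusting HasPrivateKey.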

"Anthony" wrote:

Hi Mounir,

My enrollment code is based on the Microsoft enroll.exe source, which uses
the default Microsoft CSP.
I do not import and store private keys explicitly, but I do generate them
with the CRYPT_EXPORTABLE flag. I just tell the CSP to generate private keys and
then the CryptSetKeyParam(hCurKey, KP_CERTIFICATE, pCert->pbCertEncoded, 0)
function is called, as I understand, to associate the certificate with the private
When certificate and private keys are originally created, do I have to
import the private keys and save them in order to restore them later? So far,
I assumed that private keys can be restored using restored certificate.

I tried to use PFXExportCertStoreEx/ PFXImportCertStore calls, but it didn’t

- PFXExportCertStoreEx was called with (EXPORT_PRIVATE_KEYS |
- PFXImportCertStore was called with CRYPT_EXPORTABLE flags.

Calls were successful, but, after executing the import function, I couldn't
find the certificate in the MY store and my server name didn't appear in the "Trusted
Authorities" list. So, I assume that the CA and ROOT stores also weren't updated

I can find certificate in the store using a handle returned by
PFXImportCertStore, but later on, when I open MY store, there is nothing in
I’m, probably, missing something during the import. When I call
PFXImportCertStore, how does it know which store has to be imported?
Is there a working code example I can use?


