Re: CA's Key on Smart Card Problem

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 01/23/05


Date: Sun, 23 Jan 2005 07:40:30 -0600

In article <O$PJjeTAFHA.2700@TK2MSFTNGP14.phx.gbl>, slavickp@yahoo.com
says...
> Steve,
>
> As far as I know Microsoft is using HSMs for storing the root CA keys. At a
> very high level, HSM is the same thing as the smart cards: private key is
> protected and never leaves the device, Windows interacts with it using a
> CSP.
>
> So some guidelines would be really appreciated.
>
> Denis: I would try to use another card/CSP - to see if I'll have the same
> problem. I think that "not implemented" is kinda self-explanatory and some
> advanced CSP may indeed be required.
>
>
I agree with Slavic. For an offline CA, the CA computer would be turned
off at most times (without the smart card in place). The only time that
the smart card would be in the device would be:
- renewing the CA certificate
- issuing a subca certificate
- publishing a CRL
- needing to access the CA's private key

What smart card were you using? Although the OS ships with CSPs for the
Schlumberger (now Axalto) and GEM smart cards, they only work with
really old versions of the cards (4k and 8k). If you are attempting to
use larger cards (16K +), you will need either client software from the
smart card vendor or an updated CSP.

Brian
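An added example, not part of the original thread: before trusting an offline CA's key to a card, a practitioner would check which CSPs the host actually has registered and whether the CA's configured CSP is among them. The registry paths are the standard CryptoAPI and CertSvc locations; the vendor-name patterns used to flag smart card CSPs are an assumption to adapt to your own card vendor.

```powershell
# Added example (not the original poster's code). Lists registered CSPs and
# checks that the CSP recorded in the CA's CertSvc configuration is installed.

# Every CryptoAPI provider is registered as a subkey here, with its
# provider type (e.g. 1 = PROV_RSA_FULL) and the DLL that implements it.
$providerRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
$registered = Get-ChildItem $providerRoot | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Name      = $_.PSChildName
        Type      = $props.Type
        ImagePath = $props.'Image Path'
    }
}
"Registered CSPs on $env:COMPUTERNAME:"
$registered | Format-Table -AutoSize

# Assumption: a smart card CSP is recognisable by vendor or "card" in its name.
$cardPattern = 'Card|Schlumberger|Gemplus|GemSAFE|Axalto'
$cardCsps = $registered | Where-Object { $_.Name -match $cardPattern }
if (-not $cardCsps) {
    "No smart card CSP found; the vendor's client software or an updated CSP is needed."
} else {
    "Smart card CSPs present: " + ($cardCsps.Name -join ', ')
}

# The CA's own CSP choice lives under the active CertSvc configuration.
$caRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $caRoot) {
    $caName = (Get-ItemProperty $caRoot).Active
    $csp    = Get-ItemProperty "$caRoot\$caName\CSP"
    "CA '$caName' uses CSP '$($csp.Provider)' (type $($csp.ProviderType))"
    if ($registered.Name -notcontains $csp.Provider) {
        "WARNING: that CSP is not registered on this host; CertSvc will fail to open the key."
    }
} else {
    "No CertSvc configuration found; Certificate Services is not installed here."
}
```

Run it elevated on the CA host; `certutil -csplist` gives the same provider list if you prefer the built-in tool.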
