Re: CA's Key on Smart Card Problem

From: Denis Holtkamp (anonymous_at_discussions.microsoft.com)
Date: 01/31/05


Date: Mon, 31 Jan 2005 01:31:02 -0800

Hi, thanks for your answers!

As you already said, I only want to use the smart card for
the offline CA, so it is no problem that the smart card
must be inserted from time to time.
I adopted Brian's proposal and tried to use other smart
cards/CSPs. I used Gemplus, Kobil and Siemens cards/CSPs,
but only succeeded with the native (originally integrated
in Windows) GemPlus CSP with the 8k GemPlus card. The
only problem is that the 8k GemPlus smart card only supports
1024-bit keys - this is not enough for a CA. All other
smart cards failed with different errors.
So if anybody knows whether other smart cards/CSPs work or
fail, please post in this newsgroup.

Denis

>-----Original Message-----
>In article <O$PJjeTAFHA.2700@TK2MSFTNGP14.phx.gbl>, slavickp@yahoo.com
>says...
>> Steve,
>>
>> As far as I know Microsoft is using HSMs for storing the root CA keys. At a
>> very high level, HSM is the same thing as the smart cards: private key is
>> protected and never leaves the device, Windows interacts with it using a
>> CSP.
>>
>> So some guidelines would be really appreciated.
>>
>> Denis: I would try to use another card/CSP - to see if I'll have the same
>> problem. I think that "not implemented" is kinda self-explanatory and some
>> advanced CSP may indeed be required.
>>
>>
>I agree with Slavic. For an offline CA, the CA computer would be turned
>off at most times (without the smart card in place). The only time that
>the smart card would be in the device would be:
>- renewing the CA certificate
>- issuing a subca certificate
>- publishing a CRL
>- needing to access the CA's private key
>
>What smart card were you using? Although the OS ships with CSPs for the
>Schlumberger (now Axalto) and GEM smart cards, they only work with
>really old versions of the cards (4k and 8k). If you are attempting to
>use larger cards (16K +), you will need either client software from the
>smart card vendor or an updated CSP.
>
>Brian
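Denis's finding above is that the only card/CSP combination that worked caps the CA key at 1024 bits, which he considers too small for a CA. The following added example (not code from the thread or from any of the vendors named) shows how to check that floor directly on the DER-encoded public key a CSP hands back: a minimal parser for a PKCS#1 RSAPublicKey that reports the modulus size. The two sample keys and the 2048-bit minimum are constructed assumptions.

```python
# Added example, not from the thread: parse a DER-encoded PKCS#1 RSAPublicKey
# (SEQUENCE { modulus INTEGER, publicExponent INTEGER }) and report the modulus
# bit length, so a CA key generated on a card/CSP can be checked against a
# minimum-size policy before the CA is installed with it.

def _read_tlv(buf, pos):
    """Parse one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Return the bit length of the modulus in a DER RSAPublicKey."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def ca_key_acceptable(der, minimum_bits=2048):
    """Policy check: assumed floor of 2048 bits for a CA signing key."""
    return rsa_modulus_bits(der) >= minimum_bits

# --- helpers to build constructed sample keys (DER encoders) ---
def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _encode_int(n):
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:                              # DER: keep INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _encode_len(len(body)) + body

def build_rsa_public_key_der(modulus, exponent=65537):
    body = _encode_int(modulus) + _encode_int(exponent)
    return b"\x30" + _encode_len(len(body)) + body

# Constructed sample moduli (not real keys): one 1024-bit, one 2048-bit.
SAMPLE_1024 = build_rsa_public_key_der((1 << 1023) | 1)
SAMPLE_2048 = build_rsa_public_key_der((1 << 2047) | 1)
```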
