Discussion:
MMC does not see private key corresponding to certificate
Innokentiy Ivanov
2010-07-30 04:06:22 UTC
Hello,

Our product generates certificates and puts them into system stores in two
different ways:

1) Keypair along with certificate is generated by our code (that doesn't use
CryptoAPI), then the certificate is added to the system store
(CertAddEncodedCertificateToStore), and the private key is imported to new
key container (CryptImportKey) and bound to the certificate context by
making the CERT_KEY_PROV_INFO_PROP_ID property point to that key container.

2) Keypair is generated with the means of CryptoAPI (CryptGenKey). Then the
certificate is generated by our code and added to the system store
(CertAddEncodedCertificateToStore), and the existing private key container
is bound to the certificate context again with the use of
CERT_KEY_PROV_INFO_PROP_ID property.

The issue we are facing is that if the certificate was created in the second
way, MMC certificates applet cannot get the private key. Though it indicates
private key existence on the main tab of certificate properties dialog ("you
have a private key that corresponds to this certificate"), it reports that
"private key was not found" when trying to export the certificate to PFX.

That is really strange for us, as
- all the CryptAcquireContext()'s are called with exactly the same parameter
sets in both cases,
- CertAddEncodedCertificateToStore()'s are called with exactly the same
parameter sets,
- CertSetCertificateContextProperty's are also called with equal parameter
sets,
- our code can export the private key in both cases by obtaining the
container with CertGetCertificateContextProperty and then CryptGetUserKey,
CryptExportKey.

According to our investigations, it seems that MMC does not like something
in the keypair generated with CryptGenKey (in all other aspects the logic is
the same). Is there something else we have to consider when generating the
keypair (we just do CryptAcquireContext and then CryptGenKey)? Or probably
we are doing something wrong (or maybe just not doing something) when
binding a key container to a certificate?

Thanks in advance,

With best wishes,
Innokentiy Ivanov
EldoS Corporation
lelteto
2010-08-03 22:03:04 UTC
When you call CryptGenKey (in your second method) you need to specify
CRYPT_EXPORTABLE in the dwFlags parameter. Please check your code to see that
you do that.

Laszlo Elteto
SafeNet, Inc.
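The symptom described in the question (MMC shows "you have a private key" but PFX export says "private key was not found") is exactly the gap between a key container being bound to the certificate and that container's key having been generated with CRYPT_EXPORTABLE. The script below is an added example, not code from either poster or from EldoS; it assumes Windows PowerShell 5.1 on .NET Framework, where CryptoAPI (CSP) keys are exposed through RSACryptoServiceProvider and CspParameters.Flags maps onto the dwFlags passed to CryptGenKey (exportable by default, dropped by UseNonExportableKey). The function names New-CspKeyContainer and Get-CertificateKeyReport and the container names are constructed for this example. It shows both sides: how the flag decides the outcome at key-generation time, and how to audit an already-installed certificate before trying an export.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 / .NET Framework,
# so that RSACryptoServiceProvider wraps a CryptoAPI CSP key container.
Add-Type -AssemblyName System.Security

function New-CspKeyContainer {
    # Creates (or opens) a named CSP key container, the PowerShell equivalent of
    # CryptAcquireContext + CryptGenKey. With no flags .NET passes CRYPT_EXPORTABLE;
    # -NonExportable reproduces the situation the answer above warns about.
    param(
        [Parameter(Mandatory)][string]$ContainerName,
        [switch]$NonExportable
    )
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $ContainerName
    $csp.ProviderType = 24      # PROV_RSA_AES (Microsoft Enhanced RSA and AES CSP)
    $csp.KeyNumber = 1          # AT_KEYEXCHANGE
    if ($NonExportable) {
        # Equivalent to omitting CRYPT_EXPORTABLE from CryptGenKey's dwFlags.
        $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseNonExportableKey
    }
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
    $rsa.PersistKeyInCsp = $true
    return $rsa
}

function Get-CertificateKeyReport {
    # Audits an installed certificate the way MMC does in two steps:
    # HasPrivateKey reflects the CERT_KEY_PROV_INFO_PROP_ID binding (the
    # "you have a private key" line), Exportable is what a PFX export actually needs.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in $StorePath" }

    $report = [ordered]@{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # key container bound to the certificate?
        Container     = $null
        Provider      = $null
        Exportable    = $null                 # CRYPT_EXPORTABLE set on the key?
    }
    if ($cert.HasPrivateKey) {
        $key = $cert.PrivateKey   # RSACryptoServiceProvider for CSP-backed RSA keys
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $key.CspKeyContainerInfo
            $report.Container  = $info.KeyContainerName
            $report.Provider   = $info.ProviderName
            $report.Exportable = $info.Exportable
        }
    }
    [pscustomobject]$report
}

# Demonstration: two constructed containers that differ only in the export flag.
$exportable = New-CspKeyContainer -ContainerName 'ExampleContainer-Exportable'
$locked     = New-CspKeyContainer -ContainerName 'ExampleContainer-Locked' -NonExportable
'Exportable container -> Exportable = {0}' -f $exportable.CspKeyContainerInfo.Exportable
'Locked container     -> Exportable = {0}' -f $locked.CspKeyContainerInfo.Exportable

# Remove the demonstration containers again (PersistKeyInCsp = $false + Clear deletes them).
foreach ($k in @($exportable, $locked)) { $k.PersistKeyInCsp = $false; $k.Clear() }

# Audit a real certificate before attempting a PFX export; replace the placeholder thumbprint.
# Get-CertificateKeyReport -Thumbprint '<THUMBPRINT-OF-CERTIFICATE-TO-CHECK>'
```

A certificate whose report shows HasPrivateKey true but Exportable false is in the state the question describes: the binding via CERT_KEY_PROV_INFO_PROP_ID is correct, but the key itself was generated without CRYPT_EXPORTABLE, so nothing short of regenerating the key (with the flag) will make MMC's PFX export succeed. Keys that are meant to stay non-exportable should be left that way; the check is there so the decision is made deliberately at generation time rather than discovered at export time.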