I am implementing a CSP and have a question about importing a certificate to the CSP.

I read some old posts. The KP_CERTIFICATE param in CPSetKeyParam() is used for importing a certificate to a CSP.
Now, I have finished implementing the KP_CERTIFICATE param in CPSetKeyParam().

I tried to import a PKCS#12 file with the Certificate Import Wizard. I found:
- CPImportKey() is called to import a private key
- Certificate is stored in MY store
- But CPSetKeyParam() is not called with KP_CERTIFICATE param

I want a certificate to be imported to the CSP automatically.
Is there a way to do it?

I also want to know when CPSetKeyParam() with KP_CERTIFICATE is called by MS applications.

Hi,

As far as I know, the Certificate Import Wizard is designed to work only with the MS CSPs and to interact with the system certificate stores. It's not intended to be used to import keys and certificates using custom CSPs. For that, all the CSP provider companies (at least smart card vendors) ship with their libraries custom tools that enable the user to load a PFX file using their CSP (into the user card, for example).

That being said, there is one context where an MS tool loads keys and certificates into a custom CSP: it's in the case of user enrollment with a Windows CA. For that, through a web page, the user chooses which CSP to use to generate his key, and at the end of the process the certificate created by the CA is imported to the chosen CSP by the web page using a call to CryptSetKeyParam.

I hope this clarifies things for you.

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

"Worawit Wang" wrote:
> I am implementing CSP and have a question about importing certificate to CSP.
>
> I read some old posts. KP_CERTIFICATE param in CPSetKeyParam() is used for
> importing certificate to CSP.
> Now, I finished implementing KP_CERTIFICATE param in CPSetKeyParam().
>
> I tried to import a PKCS#12 file with Certificate Import Wizard. I found
> - CPImportKey() is called to import a private key
> - Certificate is stored in MY store
> - But CPSetKeyParam() is not called with KP_CERTIFICATE param
>
> I want a certificate to be imported to CSP automatically.
> Is there a way to do it?
>
> I also want to know when CPSetKeyParam() with KP_CERTIFICATE is called by MS
> applications?

In the CAPI model certificates are not handled by CSPs. (Yes, you can still HAVE them.) In CAPI certificates are handled by a different subsystem - the APIs start with 'Cert' vs. the CSP related APIs which start with 'Crypt'. CAPI handles certificates in CERTIFICATE STORES which are different from the CONTAINERS which CSPs handle.

So generally the CSP doesn't need to care about certificates - although it is advisable to be able to store and return them IF an application happens to use KP_CERTIFICATE in CryptSet/GetKeyParam. One reason few apps do it is that if you retrieve the certificate that way it is just the pure certificate and the app would need to handle (parse) the ASN.1 format - or import it into a certificate store to allow CAPI to handle the certificate content. (Of course, in the latter case it is easier to just store the cert in the cert store in the first place.)

TOKEN CSPs usually have a mechanism (either automated -> when the token is plugged in; or manual -> with a utility program) which allows them to copy the certificates on the token into CAPI certificate stores. Yes, for that they use CryptGetKeyParam(KP_CERTIFICATE), but after the certs are moved to cert stores, they are handled there.

Since Microsoft doesn't have CSPs for tokens, all their code assumes the certs are in the certificate store(s).

Laszlo Elteto
SafeNet, Inc.

"Worawit Wang" wrote:
> I am implementing CSP and have a question about importing certificate to CSP.
>
> I read some old posts. KP_CERTIFICATE param in CPSetKeyParam() is used for
> importing certificate to CSP.
> Now, I finished implementing KP_CERTIFICATE param in CPSetKeyParam().
>
> I tried to import a PKCS#12 file with Certificate Import Wizard. I found
> - CPImportKey() is called to import a private key
> - Certificate is stored in MY store
> - But CPSetKeyParam() is not called with KP_CERTIFICATE param
>
> I want a certificate to be imported to CSP automatically.
> Is there a way to do it?
>
> I also want to know when CPSetKeyParam() with KP_CERTIFICATE is called by MS
> applications?
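
An added example, not code from any poster in this thread: CPSetKeyParam() receives pbData without a length argument, so a CSP that implements KP_CERTIFICATE has to read the certificate's size from its outer DER SEQUENCE header before storing the raw ASN.1 blob. The names der_cert_total_len, csp_store_cert and MAX_CERT_LEN are hypothetical, and the 8192-byte cap is an assumed policy value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed policy cap for one stored certificate; not a CryptoAPI constant. */
#define MAX_CERT_LEN 8192u

/* Total size (header + content) of the DER certificate at p, or 0 if the
 * outer header is unacceptable. Reads at most 4 bytes of the buffer. */
size_t der_cert_total_len(const uint8_t *p)
{
    size_t n = 0, len = 0, i, total;

    if (p == NULL || p[0] != 0x30)       /* outer tag must be SEQUENCE */
        return 0;
    if (p[1] < 0x80) {
        len = p[1];                      /* short form: one length octet */
    } else {
        n = p[1] & 0x7F;                 /* long form: n length octets follow */
        if (n == 0 || n > 2)             /* indefinite form, or over 65535 */
            return 0;
        for (i = 0; i < n; i++)
            len = (len << 8) | p[2 + i];
        if ((n == 1 && len < 0x80) || (n == 2 && len < 0x100))
            return 0;                    /* DER requires the minimal encoding */
    }
    total = 2 + n + len;
    return total <= MAX_CERT_LEN ? total : 0;
}

/* Hypothetical storage helper for a KP_CERTIFICATE handler: copies the
 * certificate into the container's slot and returns the bytes stored, or 0
 * on rejection. A false header can still cause a read past the caller's
 * buffer, but never by more than MAX_CERT_LEN bytes. */
size_t csp_store_cert(const uint8_t *pbData, uint8_t *slot, size_t slot_size)
{
    size_t total = der_cert_total_len(pbData);

    if (total == 0 || slot == NULL || total > slot_size)
        return 0;
    memcpy(slot, pbData, total);
    return total;
}
```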