date: Wed, 16 Jul 2008 13:04:15 -0700
group: microsoft.public.platformsdk.security
RE: EAP-TLS Client enrollment recovery.
Hi,
How do you store the private keys associated with the "MY" certificates? Are
they created using the Microsoft CSP?
When you serialize a certificate, you are serializing all the information
that links it to its private key (CSP name, container name, key
specification...) but not the private key itself. When the certificate
context is restored, this private key information should be valid and should
point to the same key in the target CSP.
I advise you to use PFXExportCertStoreEx to export the "MY" certificate
store (certificates + keys) to a PFX file. Then you can import it back
programmatically using PFXImportCertStore (explore the returned store using
CertEnumCertificatesInStore and extract the necessary information using
CertGetCertificateContextProperty). For that to work, the enrollment private
keys must be generated as exportable (CRYPT_EXPORTABLE flag). Tell me if this
solution solves your problem.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
"Anthony" wrote:
> Our Client (Win CE 5.00 device) connects to a wireless network using EAP-TLS
> authentication.
> We programmatically enroll Clients (web-enrollment) that get certificates
> from Windows Server 2003.
> Client connects to the network and works fine until we have to reboot Client
> (Win CE).
>
> On reboot all certificate stores ("MY", "ROOT" and "CA") lose certificates
> installed during enrollment processes (Client has a RAM-based registry) and
> we have to go through the regular enrollment process once again. Going
> through this process is not feasible in some cases (device has to visit a
> special station), so we need to re-install certificate from a file.
>
> I tried to serialize certificate (CertSerializeCertificateStoreElement())
> just after enrollment and then restore certificate (using
> CertAddSerializedElementToStore) and a session key after reboot, but network
> authentication fails with the following error:
>
> Reason-Code = 260
> Reason = The message or signature supplied for verification has been altered
>
> My question is
> What is the correct way to restore certificate and Client authentication
> settings/properties programmatically?
>
> Thanks Anthony
>
date: Fri, 18 Jul 2008 01:58:02 -0700
author: Mounir IDRASSI
RE: EAP-TLS Client enrollment recovery.
Hi Mounir,
My enrollment code is based on the Microsoft enroll.exe source, which uses
the default Microsoft CSP.
I do not import and store private keys explicitly, but I do generate them
with CRYPT_EXPORTABLE flag. I just tell CSP to generate private keys and
then CryptSetKeyParam(hCurKey,KP_CERTIFICATE,pCert->pbCertEncoded, 0)
function is called, as I understand, to associate the certificate with the private
key.
When certificate and private keys are originally created, do I have to
import the private keys and save them in order to restore them later? So far,
I assumed that private keys can be restored using restored certificate.
I tried to use PFXExportCertStoreEx/ PFXImportCertStore calls, but it didn't
work.
- PFXExportCertStoreEx was called with (EXPORT_PRIVATE_KEYS |
EXPORT_PRIVATE_KEYS | REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY) flags
- PFXImportCertStore was called with the CRYPT_EXPORTABLE flag.
Calls were successful, but, after executing the import function, I couldn't
find the certificate in the MY store and my server name didn't appear in the "Trusted
Authorities" list. So, I assume that the CA and ROOT stores also weren't updated
properly.
I can find certificate in the store using a handle returned by
PFXImportCertStore, but later on, when I open MY store, there is nothing in
there.
I'm probably missing something during the import. When I call
PFXImportCertStore, how does it know which store has to be imported?
Is there a working code example I can use?
Thanks,
Anthony
date: Fri, 18 Jul 2008 16:02:01 -0700
author: Anthony
RE: EAP-TLS Client enrollment recovery.
Hi,
To answer your first question, the private keys are not restored when you
only restore the certificates. You also have to import them back manually to
the Microsoft CSP.
Concerning PFXImportCertStore, I think you are missing how it really works.
This function imports the keys and certificates into a memory store and
returns its handle to you. Then, you can explore this store programmatically
in order to extract the certificates and keys from it and put them
back into the "MY" store. This function doesn't interact with the system's
physical stores.
As I wrote in my first message, you have to "explore the returned store using
CertEnumCertificatesInStore and extract necessary information using
CertGetCertificateContextProperty". This means that you will use the handle
returned by PFXImportCertStore in CertEnumCertificatesInStore to read all the
certificate contexts and then extract all the necessary information from
them (using CertGetCertificateContextProperty,
CryptAcquireCertificatePrivateKey and others) in order to populate the "MY"
store (or another store). Repeat the same procedure for the other stores, one
by one.
I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
"Anthony" wrote:
> Hi Mounir,
>
> My enrollment code is based on the Microsoft enroll.exe source, which uses
> the default Microsoft CSP.
> I do not import and store private keys explicitly, but I do generate them
> with CRYPT_EXPORTABLE flag. I just tell CSP to generate private keys and
> then CryptSetKeyParam(hCurKey,KP_CERTIFICATE,pCert->pbCertEncoded, 0)
> function is called, as I understand, to associate the certificate with the private
> key.
> When certificate and private keys are originally created, do I have to
> import the private keys and save them in order to restore them later? So far,
> I assumed that private keys can be restored using restored certificate.
>
> I tried to use PFXExportCertStoreEx/ PFXImportCertStore calls, but it didn't
> work.
>
> - PFXExportCertStoreEx was called with (EXPORT_PRIVATE_KEYS |
> EXPORT_PRIVATE_KEYS | REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY) flags
> - PFXImportCertStore was called with the CRYPT_EXPORTABLE flag.
>
> Calls were successful, but, after executing the import function, I couldn't
> find the certificate in the MY store and my server name didn't appear in the "Trusted
> Authorities" list. So, I assume that the CA and ROOT stores also weren't updated
> properly.
>
> I can find certificate in the store using a handle returned by
> PFXImportCertStore, but later on, when I open MY store, there is nothing in
> there.
> I'm probably missing something during the import. When I call
> PFXImportCertStore, how does it know which store has to be imported?
> Is there a working code example I can use?
>
> Thanks,
> Anthony
>
date: Sat, 19 Jul 2008 01:53:00 -0700
author: Mounir IDRASSI
RE: EAP-TLS Client enrollment recovery.
Hi Anthony,
The steps for part 1 seem OK to me. For the steps of part 2 you have to use
in step d CERT_KEY_PROV_INFO_PROP_ID instead of CERT_KEY_PROV_HANDLE_PROP_ID
for the CertSetCertificateContextProperty call.
In your approach you have to be careful how you store the private keys to
avoid security risks. That's why the other approach using
PFXExportCertStoreEx is handy here because it gives you good storage security
with minimum programming.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
"Anthony" wrote:
> Hi Mounir,
>
> Apparently, I have to export private keys before I can import them back.
> Here is how I see private keys restoration
> 1. Private keys creation and storage
> a. Create certificate request and generate public/private keys.
> b. Call CryptExportKey () with PRIVATEKEYBLOB flag to export
> private/public keys into BLOB.
> c. Save certificate, save private/public keys BLOB.
>
> 2. Private keys restoration
> a. Restore certificate on MY store to create certificate context.
> b. Acquire/create key container using CryptAcquireContext().
> c. Import private/public keys BLOB using CryptImportKey(), which creates
> a container key.
> d. Associate certificate context with the key calling
> CertSetCertificateContextProperty() with CERT_KEY_PROV_HANDLE_PROP_ID flag.
> e. Add certificate to MY, ROOT and CA stores.
> f. Create session key.
>
> Please advise, if the steps above are incorrect or there is a better way to
> restore private keys.
>
> Thanks,
> Anthony
>
>
date: Mon, 21 Jul 2008 11:53:01 -0700
author: Mounir IDRASSI
RE: EAP-TLS Client enrollment recovery.
Hi Anthony,
1- PFXExportCertStoreEx implicitly calls all the necessary functions to
export the certificates and their corresponding private keys.
PFXImportCertStore does the same for importing but it uses only a memory store
and it doesn't interact with the physical stores of the machine.
2- No. You have to explicitly export the private keys using the
information in the memory store and import them into the MS CSP. To do that,
iterate through all the certificate contexts in the memory store, call
CryptAcquireCertificatePrivateKey and CryptExportKey to export the associated
private key, create a new container in the MS CSP, import the private key to
it, create a new certificate context with the value of the memory store
certificate context, set its CERT_KEY_PROV_INFO_PROP_ID with the information
of the private key you have just created and then add it to the MY store.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
"Anthony" wrote:
> Hi Mounir,
>
> 1. Does PFXExportCertStoreEx/PFXImportCertStore approach implicitly (without
> my intervention) exports/imports private keys for each certificate in store?
>
> 2. When restoring MY store, I go through the memory store created by
> PFXImportCertStore() and copy each certificate context from it into MY store.
> Does it also copy private keys associated with certificate?
>
> Thanks,
> Anthony
>
>
date: Mon, 21 Jul 2008 15:15:01 -0700
author: Mounir IDRASSI
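The procedure Mounir lays out in his two replies (PFX into a memory store, walk it with CertEnumCertificatesInStore, write each context with its key into MY and the other stores, then verify the key linkage) as an added example in C# on the .NET X509Store API, which wraps the same CryptoAPI calls. This is not code from the thread; the PFX bytes, password and thumbprint are assumed inputs.

```csharp
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread: the .NET equivalent of the CryptoAPI
// sequence Mounir describes. Assumed inputs: a PFX written with its private keys
// (PFXExportCertStoreEx, keys generated CRYPT_EXPORTABLE) and its password.
static class EapTlsRestore
{
    // Import the PFX into an in-memory collection (the PFXImportCertStore memory
    // store), then copy each entry into the physical store it belongs to.
    // Returns the number of certificates written to MY.
    public static int RestoreFromPfx(byte[] pfx, string password)
    {
        var memoryStore = new X509Certificate2Collection();
        // PersistKeySet is what creates a durable key container in the CSP; without
        // it the key is deleted again as soon as the object is collected, which
        // reproduces the "certificate present, key missing" state from the thread.
        memoryStore.Import(pfx, password,
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
        var my = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        var root = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
        var ca = new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser);
        my.Open(OpenFlags.ReadWrite); root.Open(OpenFlags.ReadWrite); ca.Open(OpenFlags.ReadWrite);
        int restored = 0;
        try
        {
            foreach (X509Certificate2 cert in memoryStore)   // CertEnumCertificatesInStore
            {
                if (cert.HasPrivateKey) { my.Add(cert); restored++; }  // client cert + key
                else if (cert.Subject == cert.Issuer) root.Add(cert);  // self-signed: ROOT
                else ca.Add(cert);                                     // intermediate: CA
            }
        }
        finally { my.Close(); root.Close(); ca.Close(); }
        return restored;
    }

    // Post-restore check: the symptom in the thread is a certificate that is back
    // in MY but has no key linked to it, which is exactly what this catches.
    public static bool ClientCertIsUsable(string thumbprint)
    {
        var my = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        my.Open(OpenFlags.ReadOnly);
        try
        {
            var found = my.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count == 1 && found[0].HasPrivateKey;
        }
        finally { my.Close(); }
    }
}
```

On desktop Windows, adding to the CurrentUser Root store raises an interactive trust prompt; an unattended restore should target StoreLocation.LocalMachine from an elevated process instead.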