date: Wed, 23 Jul 2008 16:30:00 -0700,    group: microsoft.public.platformsdk.security


Problem exporting MY certificate store with private keys   
Hi,

I have a problem exporting MY certificate store with private keys. There is 
only one certificate on the store. Here is how certificate was created and 
added to the store.
1. Create KeyProvInfo and acquire hCryptProv by calling CryptAcquireContext 
with CRYPT_NEWKEYSET flag.
2. Generate keys by calling CryptGenKey with CRYPT_EXPORTABLE flag.
3. Create certificate request using acquired hCryptProv.
4. Send certificate request to server and received *.cer data blob from it.
5. Create certificate context and add certificate to MY, CA and ROOT stores. 
At this point I can see certificate on the store but without private key 
present.
6. Associate private key to the Certificate using 
CertSetCertificateContextProperty( pCertCxt,CERT_KEY_PROV_INFO_PROP_ID, 0, 
pKeyProvInfo)
7. Associate certificate to the key on the smart card (needed for EAP-TLS 
authentication) using 
CryptSetKeyParam(hCurKey,KP_CERTIFICATE,pCertCxt->pbCertEncoded, 0). At 
this point I can see certificate on the store with Private Key present.
8. Export MY store using PFXExportCertStoreEx with 
      dwFlags = (EXPORT_PRIVATE_KEYS | REPORT_NO_PRIVATE_KEY | 
REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY). Function returns with an error 0x57 
(The parameter is incorrect).
If I use dwFlags = 0, function returns without error, but store import 
(PFXImportCertStore) later on results in certificate without private key.

What can cause PFXExportCertStoreEx to error when I try to export store with 
private keys?

Thanks,
Anthony
date: Wed, 23 Jul 2008 16:30:00 -0700   author:   Anthony

Re: Problem exporting MY certificate store with private keys   
Anthony wrote on 24/07/2008 01:30:
> 
> [...]
> 2. Generate keys by calling CryptGenKey with CRYPT_EXPORTABLE flag.
> [...]
> 6. Associate private key to the Certificate using ...
> 7. Associate certificate to the key on the smart card ...

assumption: at this point the cert is linked to the smartcard's key,
no longer with the soft-key generated at step 2

> 8. Export MY store using PFXExportCertStoreEx with EXPORT_PRIVATE_KEYS
> Function returns with an error 0x57 (The parameter is incorrect).

if true, the key can't be exported since it does not exist in MY store.

Sylvain.
date: Thu, 24 Jul 2008 03:01:28 +0200   author:   Sylvain SF

Re: Problem exporting MY certificate store with private keys   
Hi Sylvain,

There is no physical smartcard on the system. Win CE uses Smart Card 
authentication type for wireless EAP-TLS authentication purposes.

Also, I tried to export store right after associating private key to the 
Certificate but before association to the key on the smart card. 
PFXExportCertStoreEx fails with the same error code.

Even though PFXExportCertStoreEx fails to export certificates with private 
keys, Win CE Certificate utility shows certificate on MY store with Private 
Key present and there are no other certificates on the store.

Is it the type of the store (CERT_STORE_PROV_SYSTEM_W) that causes the 
problem?

Thanks,
Anatoliy
date: Thu, 24 Jul 2008 08:23:00 -0700   author:   Anthony

Re: Problem exporting MY certificate store with private keys   
Anthony wrote on 24/07/2008 17:23:
> 
> There is no physical smartcard on the system. Win CE uses Smart Card 
> authentication type for wireless EAP-TLS authentication purposes.

I thought "to the key on the smart card" means the "key on the scard",
forget it.

"WinCE" is a new info, it enforces unicode, are you sure password is
well encoded ?

does the error 0x57 present for both calls pPFX==null (to get its size)
and pPFX!=null to retrieve it, or only the second ?

> Even though PFXExportCertStoreEx fails to export certificates with private 
> keys, Win CE Certificate utility shows certificate on MY store with Private 
> Key present and there are no other certificates on the store.

and shows it as exportable ?
have you double checked that generation was fine?

> Is it the type of the store (CERT_STORE_PROV_SYSTEM_W) that causes the 
> problem?

don't know.

Sylvain.
date: Thu, 24 Jul 2008 17:35:41 +0200   author:   Sylvain SF

Re: Problem exporting MY certificate store with private keys   
PFXExportCertStoreEx fails on the first call, when I try to get the size.

Win CE certificate utility shows that private key is present. I don’t know 
if it can show if key is exportable.

Is there a way to check programmatically if key is exportable?

Thanks,
Anatoliy
date: Thu, 24 Jul 2008 10:02:00 -0700   author:   Anthony
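
An added example, not part of the original thread and not code from any poster: one way to check exportability is to read the key's `KP_PERMISSIONS` with `CryptGetKeyParam` and test the `CRYPT_EXPORT` bit. It assumes the provider implements `KP_PERMISSIONS` (the thread does not confirm this for the Win CE provider); `describe_permissions` and `key_is_exportable` are hypothetical helper names, and the mask decoding is kept separate so it also builds off Windows.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else  /* wincrypt.h values, so the mask decoding builds off Windows */
typedef unsigned long DWORD;
#define CRYPT_ENCRYPT 0x0001
#define CRYPT_DECRYPT 0x0002
#define CRYPT_EXPORT  0x0004
#define CRYPT_READ    0x0008
#define CRYPT_WRITE   0x0010
#define CRYPT_MAC     0x0020
#endif

/* Decode a KP_PERMISSIONS mask into text; returns 1 if export is allowed. */
int describe_permissions(DWORD perms, char *out, size_t outlen)
{
    static const struct { DWORD bit; const char *name; } tbl[] = {
        {CRYPT_ENCRYPT, "ENCRYPT"}, {CRYPT_DECRYPT, "DECRYPT"},
        {CRYPT_EXPORT, "EXPORT"},   {CRYPT_READ, "READ"},
        {CRYPT_WRITE, "WRITE"},     {CRYPT_MAC, "MAC"},
    };
    size_t i, used = 0;
    if (outlen) out[0] = '\0';
    for (i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++) {
        size_t n = strlen(tbl[i].name);
        /* skip unset bits; need room for '|', the name and the NUL */
        if (!(perms & tbl[i].bit) || used + n + 2 > outlen) continue;
        if (used) out[used++] = '|';
        memcpy(out + used, tbl[i].name, n + 1);
        used += n;
    }
    return (perms & CRYPT_EXPORT) ? 1 : 0;
}

#ifdef _WIN32
/* hProv: handle from CryptAcquireContext; keySpec: AT_KEYEXCHANGE or
 * AT_SIGNATURE. Assumes the CSP reports KP_PERMISSIONS. -1 = API failure. */
int key_is_exportable(HCRYPTPROV hProv, DWORD keySpec, char *out, size_t outlen)
{
    HCRYPTKEY hKey = 0;
    DWORD perms = 0, cb = sizeof(perms);
    int rc = -1;
    if (!CryptGetUserKey(hProv, keySpec, &hKey)) return -1;
    if (CryptGetKeyParam(hKey, KP_PERMISSIONS, (BYTE *)&perms, &cb, 0))
        rc = describe_permissions(perms, out, outlen);
    CryptDestroyKey(hKey);
    return rc;
}
#endif
```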
