First of all I recommend you to hold certificate in a certificate store with private key saved as non exportable. Now some arguments.
There are different ways to save on a machine a private secret or other private information. The most old way is LsaStorePrivateData
and LsaRetrievePrivateData
API (see http://msdn.microsoft.com/en-us/library/ms721818%28VS.85%29.aspx). It has restriction to the number of secrets, but all secrets can be divided to local, global, and machine.
Next way is using DPAPI (see http://msdn.microsoft.com/en-us/library/ms995355.aspx): CryptProtectData
and CryptUnprotectData
in our case.
I add references to this two ways because you want compare different possible ways to be sure that your way is the best for your task.
I think the most important question which you should ask is: which is the best way to protect my private key? I think you should choose the way, which protect your key to be copied. So I recommend you use certificate store. In a certificate store you can hold private key marked non exportable. This is the main advantage in my opinion. You can deploy the certificate with the corresponding private key with different ways. Be sure, that the private key saved on the machine are not marked as exportable.
Using of PFX file on disk gives you not this advantage. Moreover either your PFX is not encrypted or you receive a problem where you should save the password to the PFX file. So you have to use DPAPI (CryptProtectData
and CryptUnprotectData
) or LSA API (LsaStorePrivateData
and LsaRetrievePrivateData
) and the password can be exported.