tags:

views:

505

answers:

1

I'm trying to export certificate to pfx file. Here's what I do (simplified):

h = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, CERT_STORE_CREATE_NEW_FLAG, NULL); 
p = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                  CertBlob.pbData, CertBlob.cbData);
CertSetCertificateContextProperty(p, CERT_KEY_PROV_HANDLE_PROP_ID, 0, &hPrivKey);
CertAddCertificateContextToStore(h, p, CERT_STORE_ADD_ALWAYS, NULL);
PFXExportCertStoreEx(h, &SomeBlob, L"", NULL, EXPORT_PRIVATE_KEYS);

PFX created, no private key exported. Anyone ever exported private key to pfx? What's the proper way to attach private key to certificate so that it could be exported?

A: 

Apparently, CertSetCertificateContextProperty(p, CERT_KEY_PROV_HANDLE_PROP_ID ...)

is not good. Need to do this instead:

CRYPT_KEY_PROV_INFO kpi;
ZeroMemory( & kpi, sizeof(kpi) );
kpi.pwszContainerName = "my-container-name";
kpi.dwProvType = PROV_RSA_FULL;
kpi.dwKeySpec = AT_KEYEXCHANGE;
kpi.dwFlags = CRYPT_MACHINE_KEYSET;
CertSetCertificateContextProperty( pCert, CERT_KEY_PROV_INFO_PROP_ID, 0, & kpi);

It's critical that provider name and other crap match the information that was used to generate actual key. It's not needed to set provider handle or any of that stuff. It also must be done before CertAddCertificateContextToStore.

This is the only way that I found to attach private key to a certificate.

galets