Installing certificates to the legacy keystore (forcing to the legacy store)

Stefan 1 Reputation point
2020-09-25T21:36:49.29+00:00

We are creating a utility to install certificates automatically (as required) to the Windows keystore. We are using the Windows cryptography API for this. (Earlier we looked into certutil; however, this differs between Windows versions and sometimes crashes on certain certificates.)

It is however important that the certificate is installed to the legacy keystore and not to a new CNG provider. Currently we are importing the certificate with private key using the following API calls:

  1. We import the PFX store using PFXImportCertStore
  2. We find the certificate using CertFindCertificateInStore
  3. We open the system store using CertOpenStore(CERT_STORE_PROV_SYSTEM, NULL, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, &storePtr)
  4. We add the private key/certificate using CertAddCertificateContextToStore

On most systems this works as the PFX has a provider specified: "Microsoft RSA SChannel Cryptographic Provider". However on some systems it will still install using the provider: "Microsoft Software Key Storage Provider".

Is there any way to force the private key to be installed using a specific provider?

Any help would be appreciated!

Windows API - Win32

1 answer

  1. Rita Han - MSFT 2,161 Reputation points
    2020-09-27T03:15:20.977+00:00

    Hello @Stefan ,

    On most systems this works as the PFX has a provider specified: "Microsoft RSA SChannel Cryptographic Provider". However on some systems it will still install using the provider: "Microsoft Software Key Storage Provider".

    Microsoft RSA SChannel Cryptographic Provider is associated with Cryptography API (CryptoAPI), while Microsoft Software Key Storage Provider is associated with Cryptography API: Next Generation (CNG). So it seems the CNG key storage provider is selected instead of the CryptoAPI Cryptographic Service Provider on "some systems".

    • So one possible solution is via PFXImportCertStore with the PKCS12_PREFER_CNG_KSP flag, because "PKCS12_PREFER_CNG_KSP indicates that the CNG key storage provider (KSP) is preferred. If the CSP is specified in the PFX file, then the CSP is used...".
    • Another possible solution is to specify the current user's default cryptographic service provider (CSP) via the CryptSetProvider API. (Not tested.)

    (Please share the differences between working and non-working systems to narrow down this issue if above solutions don't work for you.)

    Note: CryptSetProvider is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.

    Thank you!


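As an added example (not code from the thread or from either poster), here is a PowerShell check for the situation the question and answer describe: after the import steps above, it reads the CERT_KEY_PROV_INFO_PROP_ID property of the installed certificate via P/Invoke and reports whether the private key landed in a legacy CSP (such as "Microsoft RSA SChannel Cryptographic Provider") or in a CNG KSP, which CryptoAPI marks with dwProvType 0. It assumes Windows PowerShell 5.1 or later on Windows, an elevated session for the LocalMachine store, and hypothetical names Win32.CertKeyProv and Get-CertKeyProvider.

```powershell
# Added example, not from the thread. Reads CERT_KEY_PROV_INFO_PROP_ID for an installed
# certificate and reports whether its private key is held by a legacy CSP or a CNG KSP.
Add-Type -Namespace Win32 -Name CertKeyProv -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct CRYPT_KEY_PROV_INFO {
    public string pwszContainerName;
    public string pwszProvName;
    public uint   dwProvType;     // 0 means the key is in a CNG KSP, non-zero is a legacy CSP type
    public uint   dwFlags;        // CRYPT_MACHINE_KEYSET = 0x20 marks a machine key
    public uint   cProvParam;
    public IntPtr rgProvParam;
    public uint   dwKeySpec;      // AT_KEYEXCHANGE = 1, AT_SIGNATURE = 2, CERT_NCRYPT_KEY_SPEC = 0xFFFFFFFF
}
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertGetCertificateContextProperty(
    IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);
'@

function Get-CertKeyProvider {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'LocalMachine'
    )
    $CERT_KEY_PROV_INFO_PROP_ID = 2
    $cert = Get-ChildItem "Cert:\$Location\My" | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $Location\My" }

    # First call sizes the buffer, second call fills it; no property means no linked private key.
    [uint32]$cb = 0
    if (-not [Win32.CertKeyProv]::CertGetCertificateContextProperty(
            $cert.Handle, $CERT_KEY_PROV_INFO_PROP_ID, [IntPtr]::Zero, [ref]$cb)) {
        return [pscustomobject]@{ Thumbprint = $Thumbprint; Provider = $null; IsCng = $null }
    }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$cb)
    try {
        [void][Win32.CertKeyProv]::CertGetCertificateContextProperty(
            $cert.Handle, $CERT_KEY_PROV_INFO_PROP_ID, $buf, [ref]$cb)
        $info = [Runtime.InteropServices.Marshal]::PtrToStructure(
            $buf, [type][Win32.CertKeyProv+CRYPT_KEY_PROV_INFO])
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Provider   = $info.pwszProvName
        Container  = $info.pwszContainerName
        IsCng      = ($info.dwProvType -eq 0)
        MachineKey = (($info.dwFlags -band 0x20) -ne 0)
    }
}
```

Run it against the thumbprint of the certificate your utility just added; an IsCng of True with Provider "Microsoft Software Key Storage Provider" is the exact condition the question reports, and checking this property is more reliable than inspecting the .NET private-key object type, since CNG can transparently open some legacy CSP keys.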