CryptoAPI 2.0 Private Keys
Schannel credentials are represented internally as CERT_CONTEXT structures. Schannel locates the private key associated with a particular certificate context using the certificate's CERT_KEY_PROV_INFO_PROP_ID property. Using this property, Schannel accesses the private key by calling the CryptAcquireContext function. For additional details, see Public/Private Key Pairs.
Every Schannel credential contains a reference to one or more private keys, each associated with a particular certificate. The private keys are handled quite differently depending on whether the credential is for a client or a server.
Client Private Keys
Client private keys are managed by the cryptographic service provider (CSP) in use. Client private keys are typically stored by CSPs of type PROV_RSA_FULL or PROV_RSA_SIG.
If the client application calls CryptAcquireContext itself, then before calling AcquireCredentialsHandle it must bind the resulting CSP handle to the certificate context by setting the CERT_KEY_PROV_HANDLE_PROP_ID property. If Schannel finds this property set, it uses that handle and does not consult the CERT_KEY_PROV_INFO_PROP_ID property.
Server Private Keys
Server private keys are stored by one of the following CSPs:
- PROV_RSA_SCHANNEL
- PROV_DH_SCHANNEL
- PROV_FORTEZZA
The choice of CSP depends on the selected key exchange algorithm. Server private keys must be of type AT_KEYEXCHANGE.
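The following is an added example, not code from the Schannel documentation, covering both paths described above: reading a server certificate's CERT_KEY_PROV_INFO_PROP_ID and checking it against the server-key rule (one of the three Schannel CSP types, dwKeySpec of AT_KEYEXCHANGE), and the client path in which the application calls CryptAcquireContext itself, binds the handle with CERT_KEY_PROV_HANDLE_PROP_ID, and then calls AcquireCredentialsHandle. The store name, the subject string used to find the certificate, and the key container name are assumptions for illustration; the Windows-specific parts are compiled only under _WIN32 so the rule itself can be built and checked elsewhere.

```c
/* Added example (not from the Schannel docs). Names marked "assumed" are
 * placeholders: change them for your machine. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <wincrypt.h>
#include <security.h>
#include <schannel.h>
#pragma comment(lib, "crypt32.lib")
#pragma comment(lib, "secur32.lib")
#else
/* Values mirrored from wincrypt.h so the rule below compiles off Windows. */
#define PROV_RSA_FULL      1
#define PROV_RSA_SIG       2
#define PROV_FORTEZZA      4
#define PROV_RSA_SCHANNEL 12
#define PROV_DH_SCHANNEL  18
#define AT_KEYEXCHANGE     1
#define AT_SIGNATURE       2
#endif

/* Server-key rule: a Schannel CSP type and an AT_KEYEXCHANGE key. */
int schannel_server_key_ok(unsigned long prov_type, unsigned long key_spec)
{
    int schannel_csp = prov_type == PROV_RSA_SCHANNEL ||
                       prov_type == PROV_DH_SCHANNEL  ||
                       prov_type == PROV_FORTEZZA;
    return schannel_csp && key_spec == AT_KEYEXCHANGE;
}

#ifdef _WIN32
/* Read the property Schannel consults (CERT_KEY_PROV_INFO_PROP_ID) and apply
 * the server rule. Returns 1 if usable, 0 if not, -1 if no key info is set. */
int check_server_cert(PCCERT_CONTEXT cert)
{
    DWORD cb = 0;
    int ok = -1;
    if (!CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, NULL, &cb))
        return -1;
    CRYPT_KEY_PROV_INFO *info = (CRYPT_KEY_PROV_INFO *)LocalAlloc(LPTR, cb);
    if (info && CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, info, &cb)) {
        printf("container=%ls provider=%ls type=%lu keyspec=%lu\n",
               info->pwszContainerName ? info->pwszContainerName : L"(none)",
               info->pwszProvName ? info->pwszProvName : L"(default)",
               info->dwProvType, info->dwKeySpec);
        ok = schannel_server_key_ok(info->dwProvType, info->dwKeySpec);
    }
    LocalFree(info);
    return ok;
}

/* Client path, step 1: bind an HCRYPTPROV the application acquired itself.
 * pvData points to the handle. With dwFlags == 0 (no
 * CERT_STORE_NO_CRYPT_RELEASE_FLAG) the context takes ownership and releases
 * hProv in CertFreeCertificateContext, so do not CryptReleaseContext it too. */
BOOL bind_key_handle(PCCERT_CONTEXT cert, HCRYPTPROV hProv)
{
    return CertSetCertificateContextProperty(cert, CERT_KEY_PROV_HANDLE_PROP_ID, 0, &hProv);
}

/* Client path, step 2: hand the context to Schannel. Because
 * CERT_KEY_PROV_HANDLE_PROP_ID is set, CERT_KEY_PROV_INFO_PROP_ID is ignored. */
SECURITY_STATUS acquire_client_creds(PCCERT_CONTEXT cert, CredHandle *out)
{
    SCHANNEL_CRED cred;
    TimeStamp expiry;
    WCHAR package[] = UNISP_NAME_W;
    memset(&cred, 0, sizeof cred);
    cred.dwVersion = SCHANNEL_CRED_VERSION;
    cred.cCreds    = 1;
    cred.paCred    = &cert;
    cred.dwFlags   = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_AUTO_CRED_VALIDATION;
    return AcquireCredentialsHandleW(NULL, package, SECPKG_CRED_OUTBOUND,
                                     NULL, &cred, NULL, NULL, out, &expiry);
}

int main(void)
{
    HCERTSTORE store = CertOpenSystemStoreW(0, L"MY");
    PCCERT_CONTEXT cert = store ? CertFindCertificateInStore(store, X509_ASN_ENCODING, 0,
                              CERT_FIND_SUBJECT_STR, L"example", NULL) : NULL; /* assumed subject */
    if (!cert) { fprintf(stderr, "certificate not found\n"); return 1; }

    printf("server-usable: %d\n", check_server_cert(cert));

    /* Client: the application already knows its container (assumed name). */
    HCRYPTPROV hProv = 0;
    CredHandle hCred;
    if (CryptAcquireContextW(&hProv, L"ExampleClientContainer", NULL, PROV_RSA_FULL, 0)) {
        if (bind_key_handle(cert, hProv)) {
            SECURITY_STATUS st = acquire_client_creds(cert, &hCred);
            printf("AcquireCredentialsHandle: 0x%08lx\n", (unsigned long)st);
            if (st == SEC_E_OK) FreeCredentialsHandle(&hCred);
        } else {
            CryptReleaseContext(hProv, 0);   /* not bound, so still ours */
        }
    }
    CertFreeCertificateContext(cert);        /* releases hProv if it was bound */
    CertCloseStore(store, 0);
    return 0;
}
#endif
```

Build on Windows with `cl /W4 example.c` (the `#pragma comment` lines pull in crypt32 and secur32). A key that passes `schannel_server_key_ok` is not yet proven usable: the CSP must actually hold a key in that container, which is what `check_server_cert` surfaces by printing the container and provider Schannel will try to open.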