Associate private key to certificate for PFXExportCertStoreEx

Posted by 拥有回忆 on 2020-01-01 16:54:11

Question


I'm trying to export certificate to pfx file. Here's what I do (simplified):

#include <windows.h>
#include <wincrypt.h>

// In-memory store that will be exported as the PFX
HCERTSTORE h = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, CERT_STORE_CREATE_NEW_FLAG, NULL);
PCCERT_CONTEXT p = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                  CertBlob.pbData, CertBlob.cbData);
// hPrivKey is an HCRYPTPROV opened on the key container (a handle, not persistent key info)
CertSetCertificateContextProperty(p, CERT_KEY_PROV_HANDLE_PROP_ID, 0, &hPrivKey);
CertAddCertificateContextToStore(h, p, CERT_STORE_ADD_ALWAYS, NULL);
PFXExportCertStoreEx(h, &SomeBlob, L"", NULL, EXPORT_PRIVATE_KEYS);

The PFX is created, but no private key is exported. Has anyone ever exported a private key to a PFX? What's the proper way to attach the private key to the certificate so that it can be exported?


Answer 1:


Apparently, CertSetCertificateContextProperty(p, CERT_KEY_PROV_HANDLE_PROP_ID, ...) is not good. Need to do this instead:

CRYPT_KEY_PROV_INFO kpi;
ZeroMemory(&kpi, sizeof(kpi));
kpi.pwszContainerName = L"my-container-name";   // LPWSTR: wide string, must match the container the key lives in
kpi.dwProvType = PROV_RSA_FULL;                 // provider type used when the key was generated
kpi.dwKeySpec = AT_KEYEXCHANGE;                 // key spec used when the key was generated
kpi.dwFlags = CRYPT_MACHINE_KEYSET;             // only if the key is in the machine key set
// Persistent property; set it before CertAddCertificateContextToStore
CertSetCertificateContextProperty(pCert, CERT_KEY_PROV_INFO_PROP_ID, 0, &kpi);

It's critical that provider name and other crap match the information that was used to generate actual key. It's not needed to set provider handle or any of that stuff. It also must be done before CertAddCertificateContextToStore.

This is the only way that I found to attach private key to a certificate.




Answer 2:


For posterity:

The problem is related to the CertAddCertificateContextToStore call. Indeed, it does not copy the CERT_KEY_PROV_HANDLE_PROP_ID property to the next context (this fact is noted in the remarks).

Solution:

Fill the last parameter with a handle to the new context and copy the property from the old context to the next one.



Source: https://stackoverflow.com/questions/749654/associate-private-key-to-certificate-for-pfxexportcertstoreex
