How to make the private key of a certificate entirely non-exportable from the personal store?

Posted by GNUlihd on April 6, 2007, 5:47 am
As we know, a non-exportable certificate can be exported along with its
private key programmatically, or even without using any program
(http://matrixalaya.blogspot.com/2007/03/exporting-non-exportable-certificates.html).
How can the private key of a certificate be made entirely non-exportable
from the personal store?

In my case the security of the certificate is very important, and the
machine owner should not be bothered with any password once the
certificate is installed on the machine. It is also important that the
private key be entirely non-exportable.

Is it possible, or is there any workaround?

Thanks in advance,
GNUlihd


Posted by Nick Domukhovsky on April 6, 2007, 5:52 am
You can use a third-party CSP, which allows storing the private key on a USB
token or some other media instead of the registry...


--
With best regards
Nickolay Domukhovsky, MCSA

Posted by GNUlihd on April 6, 2007, 6:40 am

Nick,
Thanks for the suggestion

But the case is that the owners should not be bothered with the safety of
the certificate; our system needs to handle that.
Currently I have come up with the idea of using CertSaveStore() with the
flag CERT_STORE_SAVE_TO_FILENAME, encrypting that file, and deleting the
certificate from the store. Will it be safer?

P.S. The certificate is only required by our system.
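One thing worth checking before building on CertSaveStore(): the certificate store never holds the private key material. It holds the certificate plus a CERT_KEY_PROV_INFO_PROP_ID property naming the provider and key container, and the key itself lives in that CSP or KSP container (for the Microsoft software providers, a DPAPI-wrapped file under %ProgramData%\Microsoft\Crypto). A serialized store file therefore carries only the reference, and the "non-exportable" flag is enforced by the software provider that is loaded into the caller's own process. The PowerShell below is an added example, not code from the thread or from Microsoft: for each certificate with a private key in a store, it reports which API and provider own the key, whether the provider reports it as exportable or hardware-backed, and where the key file sits on disk. It assumes Windows PowerShell 5.1 or later (or PowerShell 7 on Windows), rights to open the keys (an elevated prompt for the LocalMachine store), and the default machine-key file locations.

```powershell
# Added example, not code from the thread. Reports where the private key
# behind each certificate in a store actually lives and how it is protected.
# Assumes Windows PowerShell 5.1+ (.NET Framework 4.6+) or PowerShell 7 on
# Windows, run with rights to open the keys (Administrator for LocalMachine).
function Get-PrivateKeyLocation {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }   # store entry has no key link at all
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch {
            Write-Warning "$($cert.Thumbprint): cannot open key ($($_.Exception.Message))"
            continue
        }
        if ($null -eq $rsa) { continue }             # not an RSA key (ECDSA etc.)

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: the store only records provider + container; material is in the KSP
            $key = $rsa.Key
            $hardware = $null
            try {
                # NCRYPT_IMPL_TYPE_PROPERTY ("Impl Type"): bit 0 = NCRYPT_IMPL_HARDWARE_FLAG
                $impl = [BitConverter]::ToUInt32($key.GetProperty('Impl Type',
                            [System.Security.Cryptography.CngPropertyOptions]::None).GetValue(), 0)
                $hardware = [bool]($impl -band 1)
            } catch { }   # provider does not expose it; leave unknown
            $info = [ordered]@{
                Thumbprint = $cert.Thumbprint
                Api        = 'CNG'
                Provider   = $key.Provider.Provider
                Container  = $key.UniqueName
                Exportable = ($key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
                Hardware   = $hardware
                # Default machine-key file location of the Microsoft Software KSP; a hardware
                # KSP keeps at most a wrapped blob or handle there, not usable key material.
                KeyFile    = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($key.UniqueName)"
            }
        }
        elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI CSP key container
            $csp = $rsa.CspKeyContainerInfo
            $info = [ordered]@{
                Thumbprint = $cert.Thumbprint
                Api        = 'CAPI'
                Provider   = $csp.ProviderName
                Container  = $csp.UniqueKeyContainerName
                Exportable = $csp.Exportable
                Hardware   = $csp.HardwareDevice
                KeyFile    = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($csp.UniqueKeyContainerName)"
            }
        }
        else { continue }

        $info.KeyFileOnDisk = Test-Path -LiteralPath $info.KeyFile
        [pscustomobject]$info
    }
}

Get-PrivateKeyLocation | Format-Table -AutoSize
```

For a key held by a software provider the output shows a readable key file next to `Exportable = False`: the flag is a policy the provider applies, not a property of the storage, which is why the thread's answers point at hardware. Encrypting a saved store file and deleting the certificate does not move that key file, and the process that needs the certificate still has to be able to reach it. For CurrentUser stores the key files live under %APPDATA%\Microsoft\Crypto instead of %ProgramData%.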


Posted by Brian Komar [MVP] on April 6, 2007, 8:42 am
In article <1175856052.716135.51420@o5g2000hsb.googlegroups.com>, gnulihd@gmail.com says...
>
> Currently I have come up with the idea of using CertSaveStore() with the
> flag CERT_STORE_SAVE_TO_FILENAME, encrypting that file, and deleting the
> certificate from the store. Will it be safer?
>
> P.S. The certificate is only required by our system.
>
Technically, the only way to do this, as already
mentioned in the thread, is to use hardware protection.
A smart card CSP would work, as would a hardware
security module (HSM).

Brian

Posted by Nick Domukhovsky on April 8, 2007, 11:39 pm
> But the case is that the owners should not be bothered with the safety of
> the certificate; our system needs to handle that.
> Currently I have come up with the idea of using CertSaveStore() with the
> flag CERT_STORE_SAVE_TO_FILENAME, encrypting that file, and deleting the
> certificate from the store. Will it be safer?
>
> P.S. The certificate is only required by our system.
>
With what key will you encrypt the private key? For example, if you use
EFS for this, you will create a deadlock, because to decrypt your private
key you will need that private key! So you need some other key...
And what will you do with it?
Where will you store this other key?
Will it be user-based or computer-based?
So you may face more problems with this approach.



--
With best regards
Nickolay Domukhovsky, MCSA
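Brian's and Nick's answers converge on the same point: the wrapping-key regress Nick describes only ends when the key sits in hardware that will perform operations but never hand the key back. As an added example that is not part of the thread or of any Microsoft sample, the PowerShell below generates an RSA key inside the TPM through the Microsoft Platform Crypto Provider (the modern equivalent of the smart card CSP or HSM suggested in 2007), marks it non-exportable, verifies the export policy, confirms that a PFX export is refused, and shows that the key can still sign in place without any password prompt, which is what the original poster's service needs. It assumes Windows 10 or Server 2016 or later with a TPM, an elevated prompt, and uses a placeholder subject name and a throwaway PFX password.

```powershell
# Added example, not code from the thread. Creates a TPM-held, non-exportable
# RSA key and checks that it cannot be exported but can still sign.
# Assumes Windows 10 / Server 2016+ with a TPM, run as Administrator.
# 'CN=svc.example.internal' is a placeholder subject.
function New-TpmBackedCertificate {
    param(
        [string]$Subject = 'CN=svc.example.internal',
        [string]$StoreLocation = 'Cert:\LocalMachine\My'
    )
    $pcp = 'Microsoft Platform Crypto Provider'
    # Fail early if the TPM key storage provider is not registered on this host.
    if (-not (certutil -csplist | Select-String -SimpleMatch $pcp -Quiet)) {
        throw "Provider '$pcp' not available (no TPM, or PCP not enabled)."
    }
    New-SelfSignedCertificate `
        -Subject $Subject `
        -Provider $pcp `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyExportPolicy NonExportable `
        -KeyUsage DigitalSignature `
        -HashAlgorithm SHA256 `
        -CertStoreLocation $StoreLocation `
        -NotAfter (Get-Date).AddYears(2)
}

function Test-KeyIsNonExportable {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $key = ([System.Security.Cryptography.RSACng]$rsa).Key
    $result = [ordered]@{
        Provider         = $key.Provider.Provider   # expect 'Microsoft Platform Crypto Provider'
        ExportPolicy     = $key.ExportPolicy        # expect 'None'
        PfxExportRefused = $false
    }
    $tmp = Join-Path $env:TEMP 'export-test.pfx'
    $pw  = ConvertTo-SecureString -String 'throwaway-password' -AsPlainText -Force
    try {
        Export-PfxCertificate -Cert $Cert -FilePath $tmp -Password $pw -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue   # should never get here
    } catch {
        # Expected: "Cannot export non-exportable private key."
        $result.PfxExportRefused = $true
    }
    [pscustomobject]$result
}

$cert = New-TpmBackedCertificate
Test-KeyIsNonExportable -Cert $cert

# Signing still works in place; the service never needs the key bytes or a password.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$sig = $rsa.SignData([Text.Encoding]::UTF8.GetBytes('hello'),
                     [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                     [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
"Signature length: $($sig.Length) bytes"   # 256 for a 2048-bit key
```

A TPM-held key prevents extraction, not use: any code running under an account that has rights to the key container can still sign with it. That is exactly the trade the original poster asked for (no prompt for the owner), so the remaining controls are the permissions on the key (Manage Private Keys in the certificate MMC, or certutil) and the integrity of the host itself. A smart card CSP or an HSM gives the same property with a PIN or operator policy in front of each use.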
