Posted by GNUlihd on April 26, 2007, 3:06 am
On Apr 7, 2:56 pm, "Can Balioglu" <can.balioglu at
averina.com_DONOTSPAM> wrote:
> Hi,
>
> The information in the blog is actually wrong. First, there is no such
> thing as a "non-exportable certificate". The correct term must be "certificate
> having a non-exportable private key". And you can never export a
> non-exportable private key. This would be one of the biggest vulnerabilities
> in Windows history.
>
> Calling the CertSaveStore function just serializes the specified certificate
> store including all certificates in that store and all *Microsoft specific
> certificate context properties* associated with these certificates. One of
> these context properties points to the key container of the certificate's
> private key. So only the "name" of the key container is serialized. If this
> all serialization/deserialization process occurs in the same system, then
> both the original and the duplicated version of the certificate will point
> to the same key container which makes you think that you also have a
> duplicated private key.
>
> If you deserialize the store in a different system, then the "View
> Certificate" dialog of CryptoAPI mistakenly indicates that the certificate
> has a private key without checking the existence of the key container.
> However, if you try to use any functionality requiring the private key
> (signing, encrypting, etc.) you will receive the error NTE_BAD_KEYSET
> meaning that the key container does not exist.
>
> So do not worry about exportable "non-exportable certificates".
>
> Regards...
>
> Can Balioglu
> can.balioglu at averina.com
>
> Averina Software - Code Signing and IT Security Solutions http://www.averina.com
Thanks Can. You are right.
I just looked at the View Certificate dialog which tricked me.
P.S. I was out of town on vacation so could not give a prompt reply.
Thanks,
GNUlihd
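A defender-side check for the discrepancy Can describes, added here as an example rather than code from the thread: it reports whether each certificate's "has a private key" indication is backed by a key container that can actually be opened and used, instead of trusting what the View Certificate dialog shows. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with .NET 4.6+ and RSA key pairs; the function name and the probe message are my own.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, .NET 4.6+ (for GetRSAPrivateKey) and RSA key pairs.
function Test-PrivateKeyAccessible {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # HasPrivateKey only reports that the certificate carries a key-provider
    # context property (the key container name), the same indication the View
    # Certificate dialog relies on. It never opens the container itself.
    $report = [ordered]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        ClaimsPrivateKey = $Cert.HasPrivateKey
        KeyAccessible    = $false
        Error            = $null
    }
    if ($Cert.HasPrivateKey) {
        try {
            # Opening the key makes CryptoAPI/CNG open the named container, so a
            # container name with nothing behind it surfaces here as an exception.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            if ($null -eq $rsa) { throw 'no RSA private key could be opened' }
            # Sign a constructed probe message to prove the key is really usable.
            $probe = [System.Text.Encoding]::UTF8.GetBytes('key container probe')
            $null = $rsa.SignData($probe,
                [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            $report.KeyAccessible = $true
        } catch {
            # Unwrap PowerShell's MethodInvocationException to reach the
            # CryptographicException that carries the CryptoAPI/CNG HRESULT.
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            # NTE_BAD_KEYSET (0x80090016) is the error the thread describes.
            $hresult = '{0:X8}' -f $ex.HResult
            $report.Error = if ($hresult -eq '80090016') {
                'NTE_BAD_KEYSET: key container does not exist on this system'
            } else {
                "0x$hresult $($ex.Message)"
            }
        }
    }
    [pscustomobject]$report
}

# Audit the user's personal store and list certificates whose "has a private
# key" indication is not backed by a usable key container.
Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object { Test-PrivateKeyAccessible -Cert $_ } |
    Where-Object { $_.ClaimsPrivateKey -and -not $_.KeyAccessible } |
    Format-Table Subject, Thumbprint, Error -AutoSize
```

A certificate restored from a serialized store on a different machine shows up in this list with the NTE_BAD_KEYSET error, while one whose container exists signs the probe and is omitted.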