Posted by S. Pidgorny on March 29, 2006, 5:33 am
The eToken CSP cannot send the private key for archival because eToken is designed
to keep private keys strictly on the hardware - host PC software only has
access to them through a low-level API (usually PKCS #11) for functions like
signing and encryption. The same is true for most smart cards, and for all HSMs.
What to do? Generate keys on the server, and download these onto the card.
This requires a Microsoft product that is not released yet - details are here:
http://www.alacris.com/products/products_idNexus_microsoft.htm
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
> I'm setting up Key archival and recovery in a Windows 2003 PKI.
> I've created a KRA user and issued a KRA certificate to him. Then I enabled
> the CA for Key archival, selecting the user just created as KRA.
> I have modified a Smartcard User template, which I've been using
> successfully so far, to enable key archival.
> Then I tried to submit a certificate request on behalf of another user from
> the web enrollment pages to issue the new certificate template.
> The process fails with the following error (logged on the CA):
>
> I'm using eToken from Aladdin. Is this a problem with the token? If I
> issue a certificate where the CSP is "Microsoft..." it works fine. The problem
> is when I try to issue smartcard certificates.
>
> Event source: CertSvc
> Event ID: 53
> Description:
> Certificate Services denied request 16 because The request is missing a
> required private key for archival by the server. 0x80094804 (-2146875388).
> The request was for DOMAIN\pkitestuser. Additional information: Denied by
> Policy Module
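The failure above is a template/CSP mismatch: the template demands that the enrolment client ship the private key (encrypted to the CA exchange certificate) inside the request, and a hardware CSP has no export path for that key, so the CA's policy module rejects the request with 0x80094804. The script below is an added example, not code from the thread or from any of the products named in it. It checks a template's two relevant AD attributes, msPKI-Private-Key-Flag (bit 0x1 = private key archival required, per MS-CRTD) and pKIDefaultCSPs, against a list of CSPs known to keep keys on hardware. The $HardwareCsps list, the sample template names and the live-query helper's LDAP path are assumptions for illustration; the constructed sample data mirrors the case in the thread.

```powershell
# Added example (not from the original thread): predict whether enrolling with a
# template will satisfy key archival, or be denied with 0x80094804 because the
# default CSP keeps the private key on hardware.
# Assumed: MS-CRTD bit value for msPKI-Private-Key-Flag, CSP names below.

$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001   # MS-CRTD msPKI-Private-Key-Flag

# CSPs that keep the private key on the token and never hand it to the host.
# Assumed list; add the providers you actually deploy.
$HardwareCsps = @(
    'eToken Base Cryptographic Provider',
    'Microsoft Base Smart Card Crypto Provider'
)

function Test-ArchivalCompatible {
    # Returns an object saying whether a request built from this template can
    # carry the encrypted private key the CA needs for archival.
    param(
        [Parameter(Mandatory)] [string]   $TemplateName,
        [Parameter(Mandatory)] [int]      $PrivateKeyFlag,   # msPKI-Private-Key-Flag
        [Parameter(Mandatory)] [string[]] $DefaultCsps       # pKIDefaultCSPs, "ordinal,name"
    )

    $requiresArchival = ($PrivateKeyFlag -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0

    # pKIDefaultCSPs is stored as "1,Provider Name"; keep only the provider name.
    $cspNames    = @($DefaultCsps | ForEach-Object { ($_ -split ',', 2)[-1].Trim() })
    $hardwareCsp = @($cspNames | Where-Object { $HardwareCsps -contains $_ })

    $problem = $null
    if ($requiresArchival -and $hardwareCsp.Count -gt 0) {
        $problem = "archival required, but '$($hardwareCsp -join ', ')' cannot export " +
                   "the private key; the CA will deny the request with 0x80094804 " +
                   "(CERTSRV_E_ARCHIVED_KEY_REQUIRED). Generate the key in software " +
                   "or server-side and load it onto the token instead."
    }

    [pscustomobject]@{
        Template         = $TemplateName
        RequiresArchival = $requiresArchival
        DefaultCsps      = $cspNames
        Compatible       = ($null -eq $problem)
        Problem          = $problem
    }
}

function Get-TemplateArchivalStatus {
    # Reads a published template from the Configuration partition via ADSI
    # (needs domain connectivity) and runs the check above on it.
    param([Parameter(Mandatory)] [string] $TemplateName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $tpl = [ADSI]"LDAP://$dn"
    Test-ArchivalCompatible -TemplateName $TemplateName `
        -PrivateKeyFlag ([int]$tpl.'msPKI-Private-Key-Flag'.Value) `
        -DefaultCsps @($tpl.pKIDefaultCSPs)
}

# Constructed sample data (template names are hypothetical): the thread's
# archival-enabled Smartcard User template with the eToken CSP, and a template
# that uses a Microsoft software CSP, which is the combination that works.
$samples = @(
    @{ TemplateName = 'SmartcardUserArchive'; PrivateKeyFlag = 0x1
       DefaultCsps  = @('1,eToken Base Cryptographic Provider') },
    @{ TemplateName = 'UserArchive';          PrivateKeyFlag = 0x1
       DefaultCsps  = @('1,Microsoft Enhanced Cryptographic Provider v1.0') }
)
foreach ($s in $samples) { Test-ArchivalCompatible @s | Format-List }

# Against a real forest: Get-TemplateArchivalStatus -TemplateName 'SmartcardUserArchive'
```

Run it on the constructed samples offline, or call Get-TemplateArchivalStatus with the name of the modified template on a domain-joined machine. The check only covers the template's default CSPs; a client that picks a different CSP at enrolment time (as the web enrollment pages allow) needs the same test applied to the provider actually selected.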