Digital certificate import

  • Question

  • I need to programmatically import a digital certificate (.PFX) into Windows 7 and apply specific security settings.  When opening a digital certificate the third page of the “Certificate Import Wizard” presents the following option.

    • Enable strong private key protection.  You will be prompted every time the private key is used by an application if you enable this option.

    Checking that option triggers the “Importing a new private exchange key” dialog.  The default security level is set to Medium.  This must be forced to High.  Changing the security level to High triggers the “Create a Password” dialog.  This password must be entered by the user every time the certificate is used.
     
    The X509Certificate2 class provides much of the needed functionality.  Passing X509KeyStorageFlags.UserProtected to the constructor appears to correspond to strong private key protection.  However, there does not appear to be a way to select the High security level.  Research suggests that another flag value (CRYPT_FORCE_KEY_PROTECTION_HIGH) is necessary to provide the desired result.  This flag is not exposed by the .NET Framework.

    Is this possible with .NET or a Windows SDK utility like CertMgr.exe?  It would also be beneficial to verify if specific certificates have been imported with these settings.

    Microsoft Reference Source:

    /mscorlib/system/security/cryptography/x509certificates/x509utils.cs
      private void LoadCertificateFromFile (string fileName, object password, X509KeyStorageFlags keyStorageFlags)
      internal static uint MapKeyStorageFlags(X509KeyStorageFlags keyStorageFlags)

    WinCrypt.h:
      CRYPT_FORCE_KEY_PROTECTION_HIGH
    
    Monday, January 26, 2015 6:13 PM
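The managed part of what the question describes, as an added example that is not code from the thread: the PFX is imported with X509KeyStorageFlags.UserProtected (the documented managed counterpart of CRYPT_USER_PROTECTED), placed in the CurrentUser\My store, and the import is then verified by thumbprint. The path, password and the interactive session are assumptions; because UserProtected raises the "Importing a new private exchange key" dialog, the constructor call will block in a non-interactive process, and the Medium/High level chosen in that dialog is not readable back through X509Certificate2, so the verification only confirms presence of the certificate and its private key.

```csharp
// Added example (not from the original thread). Imports a PFX with strong
// private key protection using documented .NET Framework APIs and verifies
// the result. Assumes an interactive session (the UserProtected flag shows
// the key-protection dialog) and caller-supplied pfxPath / pfxPassword.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ProtectedPfxImport
{
    // Imports the PFX into CurrentUser\My with strong private key protection
    // and returns the thumbprint so the caller can verify the import later.
    public static string Import(string pfxPath, string pfxPassword)
    {
        // UserProtected maps to CRYPT_USER_PROTECTED, which defaults to the
        // Medium level. No managed flag corresponds to
        // CRYPT_FORCE_KEY_PROTECTION_HIGH, so High cannot be forced here;
        // the user has to select it in the dialog that this call raises.
        var flags = X509KeyStorageFlags.UserProtected
                  | X509KeyStorageFlags.PersistKeySet
                  | X509KeyStorageFlags.UserKeySet;

        var cert = new X509Certificate2(pfxPath, pfxPassword, flags);
        if (!cert.HasPrivateKey)
            throw new CryptographicException("PFX contains no private key.");

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            store.Add(cert);
        }
        finally
        {
            store.Close();
        }
        return cert.Thumbprint;
    }

    // Verifies that exactly one certificate with the given thumbprint is in
    // CurrentUser\My and that it has an associated private key. The security
    // level (Medium/High) is not exposed by X509Certificate2 and so is not
    // checked here.
    public static bool IsImported(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return matches.Count == 1 && matches[0].HasPrivateKey;
        }
        finally
        {
            store.Close();
        }
    }

    // Usage: ProtectedPfxImport.exe <path-to.pfx> <pfx-password>
    static void Main(string[] args)
    {
        string thumbprint = Import(args[0], args[1]);
        Console.WriteLine("Imported {0}; verified in store: {1}",
                          thumbprint, IsImported(thumbprint));
    }
}
```

The explicit Close() calls rather than using blocks are deliberate: X509Store only became IDisposable in .NET Framework 4.6, and the question targets Windows 7 era frameworks.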

Answers

  • Hello jdenney,

    >> This flag is not exposed by the .NET Framework.

    It might be that the .NET team has its own considerations about the implementation for importing the digital certificate with a dialog to let the user choose the import mode.

    >> Is this possible with .NET or a Windows SDK utility like CertMgr.exe?

    With pure .NET, I think it is not possible without the dialog UI; you could try the CryptoAPI, as you mention, since the classes in the System.Security.Cryptography namespace have their limitations. However, after researching more, it seems that even with the CryptoAPI, the dialog still has to be used to process the security level, according to this blog below:

    http://blogs.msdn.com/b/alejacma/archive/2008/01/31/how-to-import-a-certificate-without-user-interaction-c-c.aspx?PageIndex=2#comments

    Regards.

    Tuesday, January 27, 2015 5:52 AM
    Moderator