WinCE5: How to include private key into BSP / NK.bin

  • Question

  • Hi all,

    I have to upgrade a WinCE 5 BSP for a customer to add a web server with HTTPS protocol support.

    I have found by myself how to include the certificate for my server into the BSP, but I don't know how I can include the private key directly into the BSP.

    I have found how to do it manually, but that's not possible for the "real life" of the product.

    Can someone explain to me how to do this? There seems to be nothing about this on MSDN!

    Regards

    Fabrice

    Friday, December 10, 2010 7:54 AM

All replies

  • What do you mean by private key? Do you mean the Windows CE license key given by Microsoft for your device?

    Vinoth.R http://vinoth-vinothblog.blogspot.com http://www.e-consystems.com
    Friday, December 10, 2010 7:58 AM
  • Hi Vinoth,

    For the embedded web server, my customer has sent me the certificate file (.cer file) and the associated private key (.pvk file).

    To set up the HTTPS protocol for the web server I have to enroll the certificate and the private key into the credential manager first.

    For the certificate, I have found how to do it with a custom PKCS#7 file (.p7b extension). But I also have to include the private key.


    Friday, December 10, 2010 8:24 AM
  • Not entirely sure if this applies, but try MasterKeysInRegistry:
    http://msdn.microsoft.com/en-us/library/ms885505.aspx

    Good luck,

    Michel Verhagen, eMVP
    Check out my blog: http://guruce.com/blog

    GuruCE
    Microsoft Embedded Partner
    http://guruce.com
    Consultancy, training and development services.
    Friday, December 10, 2010 6:56 PM
  • MasterKeysInRegistry is for storing the keys used by the Data Protection API in the registry; this has nothing to do with my problem.

    I want to be able to register the private key for my certificate at NK.bin generation, like I do it for the certificate.

    It is very strange that I can find how to do it for the certificate in MSDN but not for the associated private key!

    Friday, December 10, 2010 9:45 PM
  • I think that this is a very strange use case.  You might want to automatically add a certificate to a device, to allow identification that a server is the 'right' one.  You might want to allow the installation of a client certificate to allow identification of the client.  Allowing the private key to be installed feels to me like a way to cut the user, who is supposed to know this private key, out of the process.  In your case, I presume that this isn't a break in security, but it's still nothing I've ever seen needed before.

    How about if we step back and find a work-around.  How would you manually register your private key by running a program?  Can the Certificates Control Panel applet do this?  If so, it seems to me that you could associate your private key file with some small application that you write.  Have a special location where a list of private key files to be registered is placed.  On startup, have the little application scan that list and register each private key listed, deleting the list when it's done.  It's not a 100% done-at-platform-build-time solution, but it seems like it would keep the wheels turning.

    Paul T.


    Monday, December 13, 2010 3:13 PM
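    The first thing the small startup application Paul describes has to do is read the .pvk file from its fixed location in the image, check that it really is an importable private key, and locate the PRIVATEKEYBLOB inside it. The following is an added example for this thread, not code from any of the posters or from Microsoft. It parses the .pvk container format written by Microsoft's makecert/pvk tools (a 24-byte header, optional salt, then a CryptoAPI PRIVATEKEYBLOB), and it is plain portable C so that it can be compiled and unit-tested off the device; the sample file it builds is constructed with filler bytes as key material, not a real key. On the device, the validated blob is what you would pass to CryptImportKey into a named key container, after which the certificate is tied to that container through the CERT_KEY_PROV_INFO_PROP_ID property (that device-side step is described here as the standard CryptoAPI sequence and is not shown in code). Two caveats follow from the thread: a password-protected .pvk (encrypted flag set) cannot be imported unattended, so the parser reports and refuses it; and, as Paul notes below, a key that sits in every NK.bin should be treated as no longer private.

```c
/*
 * pvk_inspect.c: validate a Microsoft .pvk file and locate the PRIVATEKEYBLOB
 * it carries.  Added example for this forum thread, not code from the posts
 * or from Microsoft.  The sample file built in make_sample_pvk() is
 * constructed test data with filler bytes instead of real key material.
 *
 * .pvk layout (all DWORDs little-endian):
 *   magic 0xB0B5F11E | reserved 0 | keyspec (1=AT_KEYEXCHANGE, 2=AT_SIGNATURE)
 *   | encrypted (0/1) | saltlen | keylen | salt[saltlen] | blob[keylen]
 * blob = BLOBHEADER (bType 7 = PRIVATEKEYBLOB, bVersion 2, reserved, aiKeyAlg)
 *      + RSAPUBKEY ("RSA2", bitlen, pubexp) + modulus, p, q, dp, dq, iq, d
 * When encrypted == 1 only the 8-byte BLOBHEADER is in the clear; the rest is
 * RC4-encrypted under a password-derived key that a boot-time installer
 * cannot obtain, so such files are reported (encrypted = 1) and left alone.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PVK_MAGIC        0xB0B5F11Eu
#define PVK_HDR_LEN      24u
#define BLOBHEADER_LEN   8u
#define RSAPUBKEY_LEN    12u
#define PRIVATEKEYBLOB   0x07
#define CUR_BLOB_VERSION 0x02
#define CALG_RSA_KEYX    0xA400u
#define CALG_RSA_SIGN    0x2400u
#define RSA2_MAGIC       0x32415352u   /* "RSA2" read as a little-endian DWORD */

typedef struct {
    uint32_t keyspec;    /* 1 = AT_KEYEXCHANGE, which an HTTPS server key needs */
    uint32_t encrypted;  /* 1 = password-protected, cannot be imported unattended */
    uint32_t alg;        /* CALG_RSA_KEYX or CALG_RSA_SIGN */
    uint32_t bitlen;     /* RSA modulus size; 0 when the blob is encrypted */
    size_t   blob_off;   /* where the PRIVATEKEYBLOB starts inside the file */
    size_t   blob_len;   /* keylen from the header */
} pvk_info;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 and fills *out for a well-formed file, a negative code otherwise.
 * Every length from the file is checked against the buffer before use. */
int pvk_parse(const uint8_t *buf, size_t len, pvk_info *out) {
    if (len < PVK_HDR_LEN) return -1;
    if (rd32(buf) != PVK_MAGIC) return -2;
    uint32_t keyspec = rd32(buf + 8), enc = rd32(buf + 12);
    uint32_t saltlen = rd32(buf + 16), keylen = rd32(buf + 20);
    if (keyspec != 1 && keyspec != 2) return -3;
    if (enc > 1) return -4;
    if (saltlen > len - PVK_HDR_LEN || keylen > len - PVK_HDR_LEN - saltlen) return -5; /* truncated */
    if (keylen < BLOBHEADER_LEN + RSAPUBKEY_LEN) return -6;
    const uint8_t *b = buf + PVK_HDR_LEN + saltlen;
    if (b[0] != PRIVATEKEYBLOB || b[1] != CUR_BLOB_VERSION) return -7;
    uint32_t alg = rd32(b + 4);
    if (alg != CALG_RSA_KEYX && alg != CALG_RSA_SIGN) return -8;

    memset(out, 0, sizeof *out);
    out->keyspec = keyspec; out->encrypted = enc; out->alg = alg;
    out->blob_off = PVK_HDR_LEN + saltlen; out->blob_len = keylen;
    if (enc) return 0;                       /* RSAPUBKEY onward is ciphertext */

    if (rd32(b + 8) != RSA2_MAGIC) return -9;
    uint32_t bitlen = rd32(b + 12);
    /* key material: n (bitlen/8) + p, q, dp, dq, iq (5 * bitlen/16) + d (bitlen/8) */
    if (bitlen == 0 || bitlen % 16 != 0 || bitlen > 16384) return -10;
    if (keylen < BLOBHEADER_LEN + RSAPUBKEY_LEN + (size_t)(bitlen / 16) * 9) return -11;
    out->bitlen = bitlen;
    return 0;
}

/* Constructed sample: an unencrypted AT_KEYEXCHANGE .pvk whose RSA key material
 * is filler (0xAA), i.e. not a usable key.  Returns bytes written, 0 if cap is too small. */
size_t make_sample_pvk(uint8_t *buf, size_t cap, uint32_t bitlen) {
    size_t keylen = BLOBHEADER_LEN + RSAPUBKEY_LEN + (bitlen / 16) * 9;
    size_t total = PVK_HDR_LEN + keylen;
    if (cap < total) return 0;
    wr32(buf, PVK_MAGIC); wr32(buf + 4, 0); wr32(buf + 8, 1);
    wr32(buf + 12, 0); wr32(buf + 16, 0); wr32(buf + 20, (uint32_t)keylen);
    uint8_t *b = buf + PVK_HDR_LEN;
    b[0] = PRIVATEKEYBLOB; b[1] = CUR_BLOB_VERSION; b[2] = b[3] = 0;
    wr32(b + 4, CALG_RSA_KEYX);
    wr32(b + 8, RSA2_MAGIC); wr32(b + 12, bitlen); wr32(b + 16, 65537);
    memset(b + 20, 0xAA, keylen - 20);
    return total;
}

int main(void) {
    uint8_t file[1024];
    pvk_info info;
    size_t n = make_sample_pvk(file, sizeof file, 512);
    int rc = pvk_parse(file, n, &info);
    printf("rc=%d keyspec=%u encrypted=%u bitlen=%u blob@%zu len=%zu\n",
           rc, info.keyspec, info.encrypted, info.bitlen, info.blob_off, info.blob_len);
    return rc == 0 ? 0 : 1;
}
```

    In the real startup program, `buf` would be the bytes read from the .pvk shipped in the image and `info.blob_off`/`info.blob_len` delimit the blob handed to CryptoAPI; a non-zero `info.encrypted` or a `keyspec` other than AT_KEYEXCHANGE should be logged and the board left without a server key rather than half-configured.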
  • Why does this seem such a strange use?

    Our customer for whom we make the hardware and customized Windows CE Image wants a secure web server.

    Obviously for the initial tests we used the "Certificates" Control Panel Applet to import the .cer and .pvk (certificate and private key).

    For production we need a more industrial solution... (we cannot manually install the certificate and private key on a significant number of boards), and the secure web server must be up and running even after clearing the registry.

    After searching I found that we can put the certificate into the image in a .p7b file, but I haven't found the solution for the private key.

    Obviously I could develop an application as you suggested, but I will have to count development and debugging time for that.

    It seems strange to me (unless there is something I haven't understood) that I can put half of what I need for a secure web server in the image, but not the other half.

    Fabrice

    Monday, December 13, 2010 4:23 PM
  • Private keys just don't float around that much, I guess.  I suppose that it seems somewhat less than private if the file is on every device...

    I've never needed to include the private key to use a server certificate before, as far as I can remember.  It definitely does not work if you don't 'install' the private key file?

    Paul T.

    Wednesday, December 15, 2010 5:31 PM