AT_KEYEXCHANGE vs AT_SIGNATURE

  • Question

  • Hi all, I am using a hardware token to make a digital signature.

    As we know the CertPropSvc (certificate propagation service) applies when a logged-on user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. I need to implement the same function in my application.

    For installing the certificate I used the code below:

        CRYPT_KEY_PROV_INFO keyProvInfo;
        keyProvInfo.pwszContainerName = id_wstr;   // key container on the token
        keyProvInfo.pwszProvName = L"Microsoft Base Smart Card Crypto Provider";
        keyProvInfo.dwProvType = PROV_RSA_FULL;
        keyProvInfo.dwFlags = 0;
        keyProvInfo.cProvParam = 0;
        keyProvInfo.rgProvParam = NULL;
        keyProvInfo.dwKeySpec = AT_KEYEXCHANGE;     // the value this question is about
        // Attach the provider info to the certificate context before adding it to the store
        if (!CertSetCertificateContextProperty(certCtx, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo)) {…

    When I use the installed certificate using this method, Microsoft Word adds a digital signature successfully but another third party application reports an error!

    When I use keyProvInfo.dwKeySpec = AT_SIGNATURE in my code, both mentioned applications sign documents successfully.

    I believe there should be a logical relation between the certificate usage field (in my case an X.509 certificate) and this "keyProvInfo.dwKeySpec" parameter. But the question is:

    How should I map the X.509 usages (digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly & decipherOnly) to these 2 values (AT_SIGNATURE, AT_KEYEXCHANGE)?

    Do I really need to implement that logical relation or simply use the value "AT_SIGNATURE" and every application will be alright?

    Wednesday, June 11, 2014 12:30 PM
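As an added example (not code from the original post or from Microsoft), the C below implements one defensible rule for deriving dwKeySpec from the certificate's keyUsage bits: any encipherment or key-agreement usage needs AT_KEYEXCHANGE, because only a key-exchange key can both sign and decrypt, while a signature-only certificate gets AT_SIGNATURE so the provider will refuse to decrypt with that key. The bit values mirror the byte layout that CertGetIntendedKeyUsage returns (the CERT_*_KEY_USAGE macros in wincrypt.h) but are redefined locally so the code runs without the Windows SDK; the mapping rule itself is the editor's assumption, not something the thread confirms.

```c
#include <stddef.h>
#include <stdio.h>
/* keyUsage bit values in the byte layout CertGetIntendedKeyUsage returns
 * (same values as the CERT_*_KEY_USAGE macros in wincrypt.h), redefined
 * here so the mapping builds and runs without the Windows SDK. */
#define KU_DIGITAL_SIGNATURE 0x80 /* byte 0 */
#define KU_NON_REPUDIATION   0x40
#define KU_KEY_ENCIPHERMENT  0x20
#define KU_DATA_ENCIPHERMENT 0x10
#define KU_KEY_AGREEMENT     0x08
#define KU_KEY_CERT_SIGN     0x04
#define KU_CRL_SIGN          0x02
#define KU_ENCIPHER_ONLY     0x01
#define KU_DECIPHER_ONLY     0x80 /* byte 1 */

/* dwKeySpec values (AT_KEYEXCHANGE / AT_SIGNATURE in wincrypt.h). */
#define KS_NONE        0UL
#define KS_KEYEXCHANGE 1UL /* key may sign and decrypt */
#define KS_SIGNATURE   2UL /* key may only sign */

/* Pick the narrowest dwKeySpec that still covers every asserted usage.
 * usage points at the decoded keyUsage bits (0, 1 or 2 bytes). */
unsigned long key_spec_for_usage(const unsigned char *usage, size_t len)
{
    unsigned char b0 = len > 0 ? usage[0] : 0;
    unsigned char b1 = len > 1 ? usage[1] : 0;
    int sign = b0 & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION |
                     KU_KEY_CERT_SIGN | KU_CRL_SIGN);
    int exch = (b0 & (KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT |
                      KU_KEY_AGREEMENT | KU_ENCIPHER_ONLY)) ||
               (b1 & KU_DECIPHER_ONLY);
    if (exch) return KS_KEYEXCHANGE; /* decryption needs an exchange key */
    if (sign) return KS_SIGNATURE;   /* signing-only: do not grant decrypt */
    return KS_NONE;                  /* nothing usable: caller must decide */
}

/* Constructed sample keyUsage values, not taken from any real certificate. */
static const unsigned char SAMPLE_SIGN_ONLY[]     = { 0xC0 };       /* digitalSignature|nonRepudiation */
static const unsigned char SAMPLE_SIGN_AND_ENC[]  = { 0xA0 };       /* digitalSignature|keyEncipherment */
static const unsigned char SAMPLE_DECIPHER_ONLY[] = { 0x08, 0x80 }; /* keyAgreement, decipherOnly */
int main(void)
{
    printf("sign only     -> %lu (AT_SIGNATURE)\n",
           key_spec_for_usage(SAMPLE_SIGN_ONLY, sizeof SAMPLE_SIGN_ONLY));
    printf("sign+encipher -> %lu (AT_KEYEXCHANGE)\n",
           key_spec_for_usage(SAMPLE_SIGN_AND_ENC, sizeof SAMPLE_SIGN_AND_ENC));
    printf("decipherOnly  -> %lu (AT_KEYEXCHANGE)\n",
           key_spec_for_usage(SAMPLE_DECIPHER_ONLY, sizeof SAMPLE_DECIPHER_ONLY));
    return 0;
}
```

When the keyUsage extension is absent the function returns KS_NONE, and the caller has to fall back on a policy of its own rather than silently granting the broader AT_KEYEXCHANGE.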