4

I have a previously generated RSA private signing key, which is stored as a PRIVATEKEYBLOB. I am trying to move this into a new certificate for better management of the key. How do I take this blob and turn it into a .pfx certificate?

I have a HCRYPTPROV (uses MS_ENHANCED_PROV and PROV_RSA_FULL). I can get a HCRYPTKEY from CryptImportKey.

PFXExportCertStoreEx seems to be the function to export it to a PFX blob (which I'm assuming I would then write to a file), but I don't understand how to get the key into it.

redwyre
  • 1,108
  • 10
  • 23

1 Answers1

3

If I correctly understand your problem you have the certificate and the corresponding private key as data blobs and both are separately. If you work with CryptoAPI it's important to understand that the API are mostly oriented on the working with certificates stored in certificate stores and private keys stored in key containers. The function like PFXExportCertStoreEx follows the approach and allows you to export all certificates from one certificate store to the data blob which can be just saved as a file with .PFX extension.

So what you can do is the following:

  1. Create temporary certificate store by usage CertOpenStore with CERT_STORE_PROV_MEMORY parameter.
  2. Place to certificate blob to the store using CertAddEncodedCertificateToStore function.
  3. Create new key container using CryptAcquireContext with CRYPT_NEWKEYSET option. You should give some unique name to the container (see pszContainer parameter of the function).
  4. Import the information from the PRIVATEKEYBLOB, which you currently have, to the key container with respect of CryptImportKey function.
  5. Bind the certificate from the certificate store to the key container. To do this you should use CertSetCertificateContextProperty to set CERT_KEY_PROV_INFO_PROP_ID which is so named extended property of the certificate. It's important to understand that extended properties are not the part of X.509 specification. Extended properties allows you to store some additional information associated with the certificate in the certificate store (not in the certificate itself). In case of CERT_KEY_PROV_INFO_PROP_ID you can store full information (CRYPT_KEY_PROV_INFO) described the key container.
  6. Now one can use PFXExportCertStoreEx to export the temporary certificate store (which holds only one certificate and has the link to the key container) to the memory blob and then save the memory blob in the .PFX file.
  7. You should delete the key container created at the step 3. To do this you need to open key container using CryptAcquireContext with the CRYPT_DELETEKEYSET option.
Oleg
  • 220,925
  • 34
  • 403
  • 798
  • All I have is the private key blob, and I want to store that in a new certificate. I suspect I would need to swap `CertAddEncodedCertificateToStore` with something that creates a blank certificate, but I can't find a function to do that. – redwyre Sep 18 '12 at 10:54
  • You could create a self-signed certificate from the key, link the certificate you just make to the key and export that. Self signed certificate code sample: https://blogs.msdn.microsoft.com/alejacma/2009/03/16/how-to-create-a-self-signed-certificate-with-cryptoapi-c/ – Timothy John Laird Jan 25 '18 at 21:13