
We want to use the "Microsoft Platform Crypto Provider Key Storage Provider" APIs on Surface Pro devices and Windows Mobile Phone devices for Windows 8 and 10. The operations we need to support are provisioning new keys to the KSP (key storage provider) using a PKCS12 formatted "blob" and using one or more keys in the KSP as client credentials in a mutually authenticated TLS 1.2 exchange with a server.

We need to know the correct APIs to use in our client to import the certificate key with some name (alias) that we can use to reference it later - we presume that the correct API for this is CertificateEnrollmentManager.ImportPfxDataAsync. If we use this API, will the resulting credentials be protected at rest by the Trusted Platform Module (TPM), or are there other APIs we must use to import and use certificates? We understand that CertificateEnrollmentManager.ImportPfxDataAsync will import a PFX certificate to the app container. We really want our credentials to be protected by the TPM.

We also need to know the appropriate APIs to select the certificate/keys via their friendly name during a socket connection to a server using the TLS 1.2 protocol. We know that in Windows 10 StreamSocket has a "Control" property and "Control" itself has a "ClientCertificate" property which we can use to pass in a client certificate for opening an SSL connection, but in Windows 8.1, the Control property of StreamSocket doesn't have a "ClientCertificate" property. In Windows 8.1, where and which certificate will StreamSocket.ConnectAsync be looking for?

Any help or comment will be highly appreciated.

Josh

Josh Pi
  • Client certificates aren't supported for StreamSockets in Windows 8.1 Store apps. For more information, please check: [https://social.msdn.microsoft.com/Forums/en-US/a0739b99-1ca1-4881-be72-7bedd578797d/streamsocket-client-certificate-windows-81-app?forum=winappswithcsharp](https://social.msdn.microsoft.com/Forums/en-US/a0739b99-1ca1-4881-be72-7bedd578797d/streamsocket-client-certificate-windows-81-app?forum=winappswithcsharp). – Jayden Nov 11 '16 at 03:02

0 Answers