Discuss this help topic in SecureBlackbox Forum

Copy certificate of any origin to TElMemoryCertStorage

TElMemoryCertStorage can serve as a universal container for certificates with any physical origin. When you add a certificate to the memory storage, it saves the complete information about the certificate's background. This information can be retrieved later, when the certificate is needed for a cryptographic operation. That is, a certificate object originating from TElPKCS11CertStorage remembers its roots even after being added to TElMemoryCertStorage. This certificate can be used for signing and other internal PKCS#11 operations required to actually perform the signing.

The following code preserves a reference to the original Windows certificate:

TElWinCertStorage winStorage = new TElWinCertStorage();

TElMemoryCertStorage memStorage = new TElMemoryCertStorage();
memStorage.Add(winStorage.get_Certificates(0), true);
The second parameter tells the component whether the certificate's private key shall also be copied (if present, of course). When CopyPrivateKey is false, only the public part of the certificate will be copied to the storage. It will not be possible to use such certificate for private key operations (e.g., signing).

Two important points to be considered when adding certificates to TElMemoryCertStorage:

  1. TElMemoryCertStorage keeps its own list of certificate objects. That is, the original certificate object is cloned to a new object (with identical content though) inside the Add() method. Certificate objects kept by TElMemoryCertStorage are released when they are removed from the storage, or when the storage is disposed of. Therefore you should never dispose of the objects returned by TElMemoryCertStorage.get_Certificates().
  2. Objects with an external origin (PKCS#11 store or System store), when added to TElMemoryCertStorage, keep references to their original storages. These references become invalid if the original storage is closed or destroyed. Therefore make sure that your original TElPKCS11CertStorage or TElWinCertStorage objects are alive and open until any references to them are kept elsewhere in TElMemoryCertStorage objects. Getting back to the above example, you should not modify the content of winStorage (by disposing of it, or changing the value of its SystemStores property) until there is a reference to a certificate originating from it contained in memStorage.

How To articles about certificate storages

Discuss this help topic in SecureBlackbox Forum