Discuss this help topic in SecureBlackbox Forum

Access certificates using Windows Certificate Storage

Windows CryptoAPI provides a so-called Windows certificate storage. This is both the built-in storage and the proxy interface for custom storages.

Physically Windows can store certificates (and associated private keys) in system registry or in special file storage, located in Documents and Settings folder. Additionally, Windows provides transparent access to LDAP storages.

Custom storages, provided by third-party software and hardware, are mapped into system stores and accessed as built-in storages.

You can access and manage certificates, accessible via CryptoAPI, using TElWinCertStorage class. The following properties control, what certificate storages will be accessed:

SystemStores property contains one or more store names, which will be accessed. Most commonly used stores are My (where personal certificates are stored) and Root (where root CA certificates are stored). There are more stores in system, described in Windows documentation. You can get the list of available stores using GetAvailableStores() method of TElWinCertStorage class. The method requires that you specify AccessType parameter. AccessType is described below.

PhysicalStores property contains the names of the one or more physical stores which will be accessed. Physical stores is the place, where the certificates are actually stored. It's not necessary to use physical store names when you read the certificate from, for example, My store. However if you add a certificate to the store, you need to specify where exactly the certificate will be placed, and then you need a physical store name. Note: at the moment PhysicalStores is not taken into account when the certificate is added. One more example is the hardware token. When the token is mapped to CryptoAPI, it provides a separate physical store.

Physical stores list is different for each system store. You can get the list of physical stores, available for given system store, using GetAvailablePhysicalStores() method of TElWinCertStorage class. The method requires that you specify AccessType parameter. AccessType is described below.

Specifying non-empty value for PhysicalStores makes sense when you have exactly one system store name in SystemStores property.

StorageType property specifies the type of storage to access. As mentioned above, you can access system-defined certificate storages (located in files), registry storages (located in registry keys) or LDAP storages.

AccessType also specifies, what certificates to access. Since different types of applications (user applications, system processes, service applications) need to have different access rights, Windows maintains different storages for different access types. For example, if you use default access type (atCurrentUser), and add a certificate to My storage, this certificate won't be accessible for service application, which uses atLocalMachine access type. There are more access types in Windows, described in Windows documentation.

When you change SystemStores or PhysicalStores property, use SystemStores.BeginUpdate() or PhysicalStores.BeginUpdate() respectively to tell the storage, that you will change the property. After those methods are called, the storage stops re-opening itself after each change of property values. When you complete the changes, call SystemStores.EndUpdate() or PhysicalStores.EndUpdate() respectively to tell the storage, that now it should re-open the storage.

Failure to access hardware private key via TElWinCertStorage

Sometimes access to a hardware private key via TElWinCertStorage results in a failure. Usually this happens when the hardware CSP vendor does not provide a 64-bit version of the driver. This problem is resolvable by explicitly targeting the userís application the x86/x64 platform.

How To articles about certificate storages

Discuss this help topic in SecureBlackbox Forum