EldoS | Feel safer!

Software components for data protection, secure storage and transfer

X509Certificate.ChangeSecurityLevel not working

Posted: 09/29/2008 08:51:10
by Wolfgang Denz (Standard support level)
Joined: 09/24/2008
Posts: 19

For several days already I have been trying to change the security level of installed X.509 certificates in the Windows store of an XP computer.
I can install certificates with security/protection level low or medium, where the latter results in a prompt if an application wants to access the protected certificate.
But the call to the function `ELWinStore.Certificates[0].ChangeSecurityLevel(cslhigh,'$afeword');` fails.

Has anyone seen this working?


Oh... I'm using SecureBlackBox6 / Delphi2007

Posted: 09/29/2008 09:11:05
by Ken Ivanov (Team)

Default system cryptographic providers do not support changing the security level of existing certificates, and that's why the TElX509Certificate.ChangeSecurityLevel() method has never been published. Although this method *may* work with alternative cryptographic providers (hardware or custom software CSPs), it does not work with Microsoft cryptographic providers. The only way to set/cancel the password for the certificate stored under one of the default providers is to reinstall the certificate to the store from scratch.

Posted: 09/29/2008 09:18:08
by Wolfgang Denz (Standard support level)
Joined: 09/24/2008
Posts: 19

Wow, pretty fast :-)
Thanks for the answer, but then the next question comes to my mind:
How can I install a certificate into the Windows certificate store with security level high programmatically?
I can set the flag "protected" to true, but then the user would have to set the protection level manually from medium to high and enter a password while installing/importing the X.509 certificate into the Windows store.
I would like to automate this process by giving the user a password prompt and then installing the certificate with the given password, suppressing the dialog boxes and prompts from Microsoft completely.

Posted: 09/29/2008 09:33:08
by Ken Ivanov (Team)

Sorry for disappointing you, but it is not possible. Although CryptoAPI declares means for setting the password manually, Microsoft CSPs do not implement the needed functionality. In other words, there is no way to suppress Microsoft GUI when dealing with strong system-based private key protection.




As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.
