EldoS | Feel safer!
SSL Certificate Woes

Posted: 01/02/2008 18:11:58
by Joshua Jones (Basic support level)
Joined: 01/02/2008
Posts: 4

I'm building a service in Delphi 2007 and taking the Server example that uses ElSecureServerSocket as a template for my project. The service works fine if I load the certificate as a file stream

F := TFileStream.Create('C:\pathtomypfx\mycert.pfx', fmOpenRead);
try
  R := Cert.LoadFromStreamPFX(F, 'pfxpassword');  // returns 0 on success
  if R <> 0 then
    Log('Failed to load certificate (error ' + IntToStr(R) + ')');
finally
  F.Free;
end;

However when I load the certificate from a windows store using the following code

for I := 0 to WinCertStorage.Count - 1 do   // Count - 1: the list is zero-based
begin
  DisplayName := GetCertDisplayName(WinCertStorage.Certificates[I]);
  if DisplayName = 'mycert' then
    Cert := WinCertStorage.Certificates[I];  // the post stops at 'then'; assumed use
end;

the service doesn't establish an SSL connection and an exception is thrown from the class EElWin32CryptoProviderError with the message 'Decryption failed'.

This only happens in my service. If I take the same code to load the certificate from the windows store and place it in the example the example works after I agree to the CryptoAPI Private Key warning.

I believe that my service is getting the CryptoAPI warning and so the decryption fails. Any ideas on how to fix this?

Posted: 01/03/2008 03:42:15
by Eugene Mayevski (EldoS Corp.)

You are right, the problem is caused by the warning which can't be displayed.

The only way to get rid of the warning is to import the certificate with exportable private key and weak private key protection. In this case no warning is given.

Is it a requirement to use the Windows Certificate Store?

Sincerely yours
Eugene Mayevski
Posted: 01/03/2008 15:39:19
by Joshua Jones (Basic support level)
Joined: 01/02/2008
Posts: 4

Thank you for the response. I was told to use the Windows store if possible. Is there a suggested way of handling certificate storage? I will need to find a place to store one on the server as well as finding a place to store the certificates being issued to our clients. The Windows store seemed the logical place to do this. Both the client and server certificates need to be stored securely.
Posted: 01/04/2008 02:27:58
by Eugene Mayevski (EldoS Corp.)

As you need to access certificates quickly, the only options are PFX files or Windows certificate storage. In the case of PFX files you can keep the storage passwords inside your application OR in DPAPI (this is a special service of Windows; we don't have components for it at the moment and you need to access it via the Windows API). In the case of Windows certificate storage you need to keep the passwords totally unprotected as there's no way to pass the password to CryptoAPI.

Sincerely yours
Eugene Mayevski
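The DPAPI option mentioned above, as an added example that is not part of the thread and not EldoS/SecureBlackbox code: the PFX password is protected with CryptProtectData once at deployment and recovered by the service at start-up, so the password never sits in the executable. It uses CRYPTPROTECT_LOCAL_MACHINE because a service account's user profile may not be loaded, and CRYPTPROTECT_UI_FORBIDDEN because a service cannot answer a dialog (the same limitation that causes the CryptoAPI warning problem in this thread). The unit name, file name and entropy value are placeholders chosen for the example.

```delphi
unit PfxPasswordDpapi;
{ Added example for this thread (not EldoS/SecureBlackbox code): keep the PFX
  password out of the executable by storing it DPAPI-protected in a file.
  The file name and the entropy value are placeholders chosen for the example. }

interface

procedure ProtectPasswordToFile(const Password: WideString; const FileName: string);
function UnprotectPasswordFromFile(const FileName: string): WideString;

implementation

uses
  SysUtils, Classes, Windows;

type
  DATA_BLOB = record
    cbData: DWORD;
    pbData: PByte;
  end;
  PDATA_BLOB = ^DATA_BLOB;

const
  CRYPTPROTECT_UI_FORBIDDEN  = $01;  // a service has no desktop: never try to prompt
  CRYPTPROTECT_LOCAL_MACHINE = $04;  // machine scope: works without a loaded user profile
  Descr: WideString = 'PFX password';
  // Secondary entropy is mixed into the DPAPI key, so the blob is only useful to code
  // that knows this value. It lives in the binary, so it is a speed bump, not a secret.
  AppEntropy: AnsiString = 'MySslService-v1';   // placeholder, choose your own

function CryptProtectData(pDataIn: PDATA_BLOB; szDataDescr: PWideChar;
  pOptionalEntropy: PDATA_BLOB; pvReserved, pPromptStruct: Pointer; dwFlags: DWORD;
  pDataOut: PDATA_BLOB): BOOL; stdcall; external 'crypt32.dll';
function CryptUnprotectData(pDataIn: PDATA_BLOB; ppszDataDescr: Pointer;
  pOptionalEntropy: PDATA_BLOB; pvReserved, pPromptStruct: Pointer; dwFlags: DWORD;
  pDataOut: PDATA_BLOB): BOOL; stdcall; external 'crypt32.dll';

function EntropyBlob: DATA_BLOB;
begin
  Result.cbData := Length(AppEntropy);
  Result.pbData := PByte(PAnsiChar(AppEntropy));
end;

{ Run once at deployment, on the machine that will host the service. }
procedure ProtectPasswordToFile(const Password: WideString; const FileName: string);
var
  InBlob, EntBlob, OutBlob: DATA_BLOB;
  F: TFileStream;
begin
  InBlob.cbData := Length(Password) * SizeOf(WideChar);
  InBlob.pbData := PByte(PWideChar(Password));
  EntBlob := EntropyBlob;
  if not CryptProtectData(@InBlob, PWideChar(Descr), @EntBlob, nil, nil,
       CRYPTPROTECT_UI_FORBIDDEN or CRYPTPROTECT_LOCAL_MACHINE, @OutBlob) then
    RaiseLastOSError;
  try
    F := TFileStream.Create(FileName, fmCreate);
    try
      F.WriteBuffer(OutBlob.pbData^, OutBlob.cbData);
    finally
      F.Free;
    end;
  finally
    LocalFree(HLOCAL(OutBlob.pbData));   // DPAPI output is LocalAlloc'ed
  end;
end;

{ Called by the service at start-up; the result goes straight to LoadFromStreamPFX. }
function UnprotectPasswordFromFile(const FileName: string): WideString;
var
  Data: TMemoryStream;
  InBlob, EntBlob, OutBlob: DATA_BLOB;
begin
  Data := TMemoryStream.Create;
  try
    Data.LoadFromFile(FileName);
    InBlob.cbData := Data.Size;
    InBlob.pbData := Data.Memory;
    EntBlob := EntropyBlob;
    // The scope (machine vs user) is recorded in the blob; only UI_FORBIDDEN is needed here.
    if not CryptUnprotectData(@InBlob, nil, @EntBlob, nil, nil,
         CRYPTPROTECT_UI_FORBIDDEN, @OutBlob) then
      RaiseLastOSError;   // wrong machine, wrong entropy, or tampered file
    try
      SetLength(Result, OutBlob.cbData div SizeOf(WideChar));
      if OutBlob.cbData > 0 then
        Move(OutBlob.pbData^, Result[1], OutBlob.cbData);
    finally
      FillChar(OutBlob.pbData^, OutBlob.cbData, 0);   // scrub plaintext before release
      LocalFree(HLOCAL(OutBlob.pbData));
    end;
  finally
    Data.Free;
  end;
end;

end.
```

In the service, the call from the first post becomes Cert.LoadFromStreamPFX(F, UnprotectPasswordFromFile('C:\pathtomypfx\pfxpass.dpapi')) (that path is a placeholder). Two caveats a practitioner should keep in mind: a machine-scope DPAPI blob can be decrypted by any local process that also knows the entropy, so restrict the ACL on the blob file and on the PFX to the service account; and the blob only decrypts on the machine where it was created, so it is generated on the target host, not copied with the build.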
Posted: 01/04/2008 10:22:27
by Joshua Jones (Basic support level)
Joined: 01/02/2008
Posts: 4

The problem isn't that I can't pass the password to CryptoAPI. I don't have one set up on the certificate (the security level on the certificate is set to medium). The problem is that since the security level is set to medium, CryptoAPI is going to notify me every time a program tries to use the certificate. Is it possible to set the security level even lower, or is it possible to set some kind of privilege that will allow my program to access the certificate without throwing a warning?
Posted: 01/04/2008 11:48:09
by Eugene Mayevski (EldoS Corp.)

As I wrote, with Windows certificate storage you have to use no protection at all. This is possible by specifying an exportable private key and a low protection level when you import the certificate with its private key into Windows certificate storage. There's no way to avoid confirming the use of the private key, or entering the password for it, if you have previously imported the key as non-exportable or with a medium or high protection level.

Sincerely yours
Eugene Mayevski
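The import described in the two replies above (exportable private key, no protection level), as an added example that is not part of the thread and not EldoS/SecureBlackbox code. It drives CryptoAPI directly so the two settings are visible as flags: CRYPT_USER_PROTECTED is the flag behind the "medium/high" security level and the "CryptoAPI Private Key" dialog, and CRYPT_EXPORTABLE is a separate flag that the thread asks for. The example leaves the first out and sets the second, and puts the key in the LocalMachine key set so a service can reach it without a desktop. Program name, path and password are placeholders.

```delphi
program ImportPfxNoPrompt;
{ Added example for this thread (not EldoS/SecureBlackbox code): import a PFX into
  the LocalMachine "MY" store with CryptoAPI so that the key is exportable and has
  NO user-protection prompt. Path and password below are placeholders. }
{$APPTYPE CONSOLE}

uses
  SysUtils, Classes, Windows;

type
  CRYPT_DATA_BLOB = record
    cbData: DWORD;
    pbData: PByte;
  end;
  HCERTSTORE = Pointer;
  PCCERT_CONTEXT = Pointer;

const
  // PFXImportCertStore flags (wincrypt.h)
  CRYPT_EXPORTABLE     = $00000001;  // key may be exported again (the thread asks for this)
  CRYPT_USER_PROTECTED = $00000002;  // "medium/high" level: CryptoAPI prompts on every use
  CRYPT_MACHINE_KEYSET = $00000020;  // key container under LocalMachine, usable by a service
  // CertOpenStore arguments for the LocalMachine\MY (Personal) store
  CERT_STORE_PROV_SYSTEM_W        = PAnsiChar(10);
  CERT_SYSTEM_STORE_LOCAL_MACHINE = $00020000;
  CERT_STORE_ADD_REPLACE_EXISTING = 3;
  StoreName: WideString = 'MY';

function PFXImportCertStore(var pPFX: CRYPT_DATA_BLOB; szPassword: PWideChar;
  dwFlags: DWORD): HCERTSTORE; stdcall; external 'crypt32.dll';
function CertOpenStore(lpszStoreProvider: PAnsiChar; dwEncodingType: DWORD;
  hCryptProv: Pointer; dwFlags: DWORD; pvPara: Pointer): HCERTSTORE; stdcall;
  external 'crypt32.dll';
function CertEnumCertificatesInStore(hCertStore: HCERTSTORE;
  pPrevCertContext: PCCERT_CONTEXT): PCCERT_CONTEXT; stdcall; external 'crypt32.dll';
function CertAddCertificateContextToStore(hCertStore: HCERTSTORE;
  pCertContext: PCCERT_CONTEXT; dwAddDisposition: DWORD;
  ppStoreContext: Pointer): BOOL; stdcall; external 'crypt32.dll';
function CertCloseStore(hCertStore: HCERTSTORE; dwFlags: DWORD): BOOL; stdcall;
  external 'crypt32.dll';

{ Imports every certificate (with its private key) from PfxPath into LocalMachine\MY.
  Must run elevated: writing the machine store and the machine key set needs admin. }
procedure ImportPfxForService(const PfxPath: string; const Password: WideString);
var
  Pfx: TMemoryStream;
  Blob: CRYPT_DATA_BLOB;
  Src, Dst: HCERTSTORE;
  Ctx: PCCERT_CONTEXT;
begin
  Pfx := TMemoryStream.Create;
  try
    Pfx.LoadFromFile(PfxPath);
    Blob.cbData := Pfx.Size;
    Blob.pbData := Pfx.Memory;
    // Deliberately NOT or-ing in CRYPT_USER_PROTECTED: that flag is what produces
    // the "CryptoAPI Private Key" dialog a service cannot answer.
    Src := PFXImportCertStore(Blob, PWideChar(Password),
      CRYPT_EXPORTABLE or CRYPT_MACHINE_KEYSET);
    if Src = nil then
      RaiseLastOSError;   // e.g. wrong password or not elevated
    try
      Dst := CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, nil,
        CERT_SYSTEM_STORE_LOCAL_MACHINE, PWideChar(StoreName));
      if Dst = nil then
        RaiseLastOSError;
      try
        // PFXImportCertStore returns a temporary in-memory store; copy its contents
        // (certificate plus the link to the imported key) into the persistent store.
        Ctx := CertEnumCertificatesInStore(Src, nil);
        while Ctx <> nil do
        begin
          if not CertAddCertificateContextToStore(Dst, Ctx,
               CERT_STORE_ADD_REPLACE_EXISTING, nil) then
            RaiseLastOSError;
          Ctx := CertEnumCertificatesInStore(Src, Ctx); // also frees the previous Ctx
        end;
      finally
        CertCloseStore(Dst, 0);
      end;
    finally
      CertCloseStore(Src, 0);
    end;
  finally
    Pfx.Free;
  end;
end;

begin
  try
    ImportPfxForService('C:\pathtomypfx\mycert.pfx', 'pfxpassword');
    Writeln('Imported into LocalMachine\MY without user protection');
  except
    on E: Exception do
    begin
      Writeln('Import failed: ', E.Message);
      ExitCode := 1;
    end;
  end;
end.
```

The same result through the GUI is the Certificate Import Wizard with "Enable strong private key protection" left unchecked, "Mark this key as exportable" checked, and the Local Computer (not Current User) store as the destination. After either route the key has no UI protection at all, so the only thing standing between the key and other code on the box is the ACL on the machine key container: a service running as LocalSystem or an administrator can use it immediately, and a dedicated service account needs read access granted on that key and nothing else should have it. If export is never needed, dropping CRYPT_EXPORTABLE does not bring the prompt back; the two flags are independent.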
Posted: 01/04/2008 12:09:18
by Joshua Jones (Basic support level)
Joined: 01/02/2008
Posts: 4

I'll try exporting and reimporting the certificate with the settings you mentioned. Thank you for your help.