
SSL Certificate Woes

Posted: 01/02/2008 18:11:58
by Joshua Jones (Basic support level)
Joined: 01/02/2008
Posts: 4

I'm building a service in Delphi 2007 and taking the Server example that uses ElSecureServerSocket as a template for my project. The service works fine if I load the certificate as a file stream

F := TFileStream.Create('C:\pathtomypfx\mycert.pfx', fmOpenRead);
try
  R := Cert.LoadFromStreamPFX(F, 'pfxpassword');  { returns 0 on success, an error code otherwise }
  if R <> 0 then
    Log('Failed to load certificate (error ' + IntToStr(R) + ')');
finally
  F.Free;
end;

However when I load the certificate from a windows store using the following code

for I := 0 to WinCertStorage.Count - 1 do  { Certificates[] is 0-based }
begin
  DisplayName := GetCertDisplayName(WinCertStorage.Certificates[I]);
  if DisplayName = 'mycert' then
    Break;  { WinCertStorage.Certificates[I] is the certificate to use }
end;

the service doesn't establish an SSL connection and an exception is thrown from the class EElWin32CryptoProviderError with the message 'Decryption failed'.

This only happens in my service. If I take the same code to load the certificate from the windows store and place it in the example the example works after I agree to the CryptoAPI Private Key warning.

I believe that my service is getting the CryptoAPI warning and so the decryption fails. Any ideas on how to fix this?

Posted: 01/03/2008 03:42:15
by Eugene Mayevski (Team)

You are right, the problem is caused by the warning which can't be displayed.

The only way to get rid of the warning is to import the certificate with exportable private key and weak private key protection. In this case no warning is given.

Is it the requirement to use Windows Certificate Store?

Sincerely yours
Eugene Mayevski
Posted: 01/03/2008 15:39:19
by Joshua Jones (Basic support level)
Joined: 01/02/2008
Posts: 4

Thank you for the response. I was told to use the windows store if possible. Is there a suggested way of handling certificate storage? I will need to find a place to store one on the server as well as finding a place to store the certificates being issued to our clients. The windows store seemed the logical place to do this. Both the client and server certificates need to be stored securely.
Posted: 01/04/2008 02:27:58
by Eugene Mayevski (Team)

As you need to access certificates quickly, the only options are PFX files or windows certificate storage. In case of PFX files you can keep the storage passwords inside of your application OR in DPAPI (this is a special service of Windows, we don't have components for it at the moment and you need to access it via Windows API). In case of Windows certificate storage you need to keep the passwords totally unprotected as there's no way to pass the password to CryptoAPI.

Sincerely yours
Eugene Mayevski
Posted: 01/04/2008 10:22:27
by Joshua Jones (Basic support level)
Joined: 01/02/2008
Posts: 4

The problem isn't that I can't pass the password to CryptoAPI. I don't have one set up on the certificate (the security level on the certificate is set to medium). The problem is that since the security level is set to medium, CryptoAPI is going to notify me every time a program tries to use the certificate. Is it possible to set the security level even lower, or is it possible to set some kind of privilege that will allow my program to access the certificate without throwing a warning?
Posted: 01/04/2008 11:48:09
by Eugene Mayevski (Team)

As I wrote, with Windows certificate storage you must not use any protection at all. This is possible by specifying exportable private key and low protection level when you import the certificate with its private key to Windows certificate storage. There's no way to skip confirming the use of the private key or entering the password for it, if you have previously imported the key as non-exportable or with medium or high protection level.

Sincerely yours
Eugene Mayevski
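The import step Eugene describes, shown as an added example that is not code from the thread or from EldoS: a PowerShell script using the .NET X509 API places the PFX key in the machine key set without the UserProtected flag, which is the flag that switches on the medium/high security level whose confirmation dialog a non-interactive service cannot answer. The file path and password are placeholders; the check at the end assumes a CAPI (CSP) key, as CryptoAPI-based code expects.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example (not from the thread or from EldoS): import a PFX so that a
# Windows service can use its private key without the CryptoAPI prompt.
# Run elevated; the path and password used below are placeholders.

function Import-ServicePfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword
    )
    # MachineKeySet : key container lives under the machine, reachable by a
    #                 service account rather than only the importing user
    # PersistKeySet : keep the key after this process exits
    # Exportable    : the "exportable private key" the thread asks for
    # UserProtected is deliberately absent: it is the flag that enables the
    # medium/high security level whose confirmation dialog a service cannot
    # display, which surfaces as the 'Decryption failed' error in the thread.
    $flags = [X509KeyStorageFlags] 'MachineKeySet, PersistKeySet, Exportable'
    $cert  = [X509Certificate2]::new($PfxPath, $PfxPassword, $flags)

    $store = [X509Store]::new([StoreName]::My, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    try     { $store.Add($cert) }
    finally { $store.Close() }
    return $cert.Thumbprint
}

function Test-ServiceKeyUsable {
    # True when the certificate sits in LocalMachine\My with a private key held
    # in the machine key store. CAPI/CSP keys only: CNG keys expose no
    # CspKeyContainerInfo, so they are reported as not usable here.
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert -or -not $cert.HasPrivateKey) { return $false }
    try   { $info = $cert.PrivateKey.CspKeyContainerInfo }
    catch { return $false }
    return ($null -ne $info -and $info.MachineKeyStore)
}

$thumb = Import-ServicePfx -PfxPath 'C:\pathtomypfx\mycert.pfx' -PfxPassword 'pfxpassword'
Test-ServiceKeyUsable -Thumbprint $thumb
```

Importing without strong protection means any code that can open the machine key container can use the key, so run the service under a dedicated account and grant only that account read access to the private key (certlm.msc, "Manage Private Keys"). The same trade-off applies to the PFX-with-embedded-password option discussed above.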
Posted: 01/04/2008 12:09:18
by Joshua Jones (Basic support level)
Joined: 01/02/2008
Posts: 4

I'll try exporting and reimporting the certificate with the settings you mentioned. Thank you for your help.