Windows 10: CryptAcquireCertificatePrivateKey fails to retrieve the private key for certificate listed...

//Open Local Machine store NCRYPT_KEY_HANDLE hKey = 0; PCCERT_CONTEXT pCertContext = NULL; HCERTSTORE hCertStore = NULL; DWORD dwKeySpec; BOOL bCallerFreeProv; hCertStore = CertOpenStoreCERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"My"; // Enumerate all certificates. while pCertContext = CertFindCertificateInStorehCertStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, pCertContext

:)

 

CryptAcquireCertificatePrivateKey gets a handle to something that knows both the private and the public keys

Hello,

CryptAcquireCertificatePrivateKey with the flag CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG gets a handle (NCRYPT_KEY_HANDLE) to a certificate's private key.

In the documentation https://learn.microsoft.com/en-us/w...nf-wincrypt-cryptacquirecertificateprivatekey you can read:

"The CryptAcquireCertificatePrivateKey function obtains the private key for a certificate".

But I found out that we get a handle to something that knows both the private key and the public key, and if I encrypt something with this handle (NCryptEncrypt), it encrypts with the public key and not the private key as expected.

The result can indeed be decrypted (NCryptDecrypt) using the same handle (strange for an asymmetric algorithm), but not with a handle to the public key (public key obtained with CryptImportPublicKeyInfoEx2), NCryptDecrypt returns 0xc000000d = STATUS_INVALID_PARAMETER that just means "Can't decrypt".

Of course, we're supposed to encrypt with a public key and decrypt with a private key, the opposite looks more like a signature than encryption, but I needed to do it in a special case. It seems I can't.

Can you confirm this analysis? It took me a long time to understand this.

Regards,

Michel Terrisse

 

how do I export certificates and/or private keys?

Hi,

Thank you for posting your query on Microsoft Community. Let me assist you.

I suggest you to follow the below steps to export a certificate with a private key

1. Open the Certificates console for the user, computer, or service you want to manage.

2. In the console pane, select the certificate store and container holding the certificate that you want to export.

3. In the details pane, click the certificate you want to export.

4. On the Action menu, point to
All Tasks, and then click Export.

5. In the Certificate Export Wizard, click
Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)

6. Under Export File Format, do one or all of the following, and then click
Next.

• To include all certificates in the certification path, select the
  Include all certificates in the certification path if possible check box.
• To enable strong protection, select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box.
• To delete the private key if the export is successful, select the
  Delete the private key if the export is successful check box.

7.In Password, type a password to encrypt the private key you are exporting. In
Confirm password, type the same password again, and then click
Next.

8. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click
Next, and then click Finish.

Hope this information is helpful. Please do let us know if you need further assistance, we’ll be glad to assist you.

 

CryptAcquireCertificatePrivateKey gets a handle to something that knows both the private and the public keys

Thank you for this suggestion.

I copied my question here

CryptAcquireCertificatePrivateKey gets a handle to something that knows both the private and the public keys - Microsoft Q&A

Regards,

Michel Terrisse