I'm trying to export certificate to pfx file. Here's what I do (simplified):
h = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, CERT_STORE_CREATE_NEW_FLAG, NULL);
p = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
CertBlob.pbData, CertBlob.cbData);
CertSetCertificateContextProperty(p, CERT_KEY_PROV_HANDLE_PROP_ID, 0, &hPrivKey);
CertAddCertificateContextToStore(h, p, CERT_STORE_ADD_ALWAYS, NULL);
PFXExportCertStoreEx(h, &SomeBlob, L"", NULL, EXPORT_PRIVATE_KEYS);
PFX created, no private key exported. Anyone ever exported private key to pfx? What's the proper way to attach private key to certificate so that it could be exported?
Apparently,
CertSetCertificateContextProperty(p, CERT_KEY_PROV_HANDLE_PROP_ID ...)
is not good. Need to do this instead:
It's critical that provider name and other crap match the information that was used to generate actual key. It's not needed to set provider handle or any of that stuff. It also must be done before
CertAddCertificateContextToStore
.This is the only way that I found to attach private key to a certificate.
For the posterity:
The problem is related to the
CertAddCertificateContextToStore
call. Indeed, it does not copy theCERT_KEY_PROV_HANDLE_PROP_ID
property to the next context. (this fact is noted in the remark)Solution:
Fill the last parameter with a handle to the new context and copy the property from the old context to the next one.