Public/Private Key Pair Usage

All normal RSA operations use the AT_KEYEXCHANGE public/private key pair. Server-side protocol engines are required to have an X509 certificate that contains a matching public key. Client-side protocol engines are only required to have a certificate if they are intended to support client authentication.

The protocol engine never uses the AT_SIGNATURE public/private key pair, so that key pair need not be supported by the CSP.

In the situation where an SSL 3.0 export cipher suite is used and the AT_KEYEXCHANGE key pair is larger than 512 bits, the server must use an additional RSA key pair. This key pair is always exactly 512 bits and, at the discretion of the protocol engine, may be ephemeral. The pair is stored as an AT_KEYEXCHANGE element in a key container owned by the protocol engine. A handle to this key container is typically acquired at protocol engine startup.
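As an added check (not part of the original documentation), the following PowerShell function lists, for every certificate with a private key in the machine's personal store, whether that key is the AT_KEYEXCHANGE pair a server-side protocol engine requires, and flags keys larger than 512 bits for which an export cipher suite would need the separate 512-bit pair. It assumes Windows PowerShell 5.1 and CSP-held (CAPI) keys; the store path, function name and report columns are the example's own.

```powershell
# Added example, not from the original documentation.
# Reports the key specification (AT_KEYEXCHANGE vs AT_SIGNATURE) of each
# certificate with a private key. Keys held by a CNG KSP expose no
# CspKeyContainerInfo and are reported as such.
function Get-KeySpecReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed store path
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }
        $report = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $null
            KeySpec    = 'Unknown'
            KeyBits    = $null
            Usable     = $false
            Note       = ''
        }
        try {
            # RSACryptoServiceProvider for CSP-held keys; $null or an
            # exception for CNG keys or when the caller lacks access
            $rsa = $cert.PrivateKey
        } catch {
            $rsa = $null
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $rsa.CspKeyContainerInfo
            $report.Provider = $info.ProviderName
            $report.KeySpec  = $info.KeyNumber.ToString()   # Exchange or Signature
            $report.KeyBits  = $rsa.KeySize
            if ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange) {
                $report.Usable = $true
                if ($rsa.KeySize -gt 512) {
                    $report.Note = 'Export suites need the separate 512-bit AT_KEYEXCHANGE pair'
                }
            } else {
                $report.Note = 'AT_SIGNATURE pair: never used by the protocol engine'
            }
        } else {
            $report.Note = 'Key not held by a CSP (CNG key or inaccessible)'
        }
        [pscustomobject]$report
    }
}

Get-KeySpecReport | Format-Table -AutoSize
```

A certificate whose only private key is an AT_SIGNATURE pair shows up with Usable set to False, which is the case to investigate before deploying it for server authentication.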