Platform SDK: Logon Authentication

CryptoAPI 2.0 Private Keys

Every Schannel credential contains access to one or more private keys, each associated with a particular certificate. Together, these are used to prove the user's identity to the remote system. The private keys are handled quite differently depending on whether the credential is for a client or a server.

Schannel locates the private key associated with a particular certificate context using the certificate's CERT_KEY_PROV_INFO_PROP_ID property. This property provides Schannel with everything it needs to know to access a private key by calling CryptAcquireContext.

Client Private Keys

Client private keys can be stored by any CSP. The enrollment control or the user chooses the CSP.

If the client application makes the CryptAcquireContext call rather than leaving it up to Schannel, it must bind the provider handle to the certificate context with the CERT_KEY_PROV_HANDLE_PROP_ID property before calling AcquireCredentialsHandle. If Schannel finds this property set, it does not use the CERT_KEY_PROV_INFO_PROP_ID property.

Server Private Keys / Windows 2000

Server private keys are stored by a PROV_RSA_SCHANNEL, PROV_DH_SCHANNEL, or PROV_FORTEZZA CSP, depending on the key exchange algorithm used by the private key. Other CSPs do not support the algorithms necessary to perform the TLS, SSL, or PCT key exchange operations.

Server private keys must be of type AT_KEYEXCHANGE.
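The following audit script is an added example, not part of the SDK documentation: it walks the local machine's personal certificate store and reports, for each private key, the CSP name, provider type and key spec that Schannel would find through CERT_KEY_PROV_INFO_PROP_ID, and flags keys that do not meet the server rules above. It assumes Windows PowerShell 5.1, where X509Certificate2.PrivateKey returns an RSACryptoServiceProvider or DSACryptoServiceProvider whose CspKeyContainerInfo reflects the CryptoAPI key container; keys held by a CNG key storage provider are reported as not inspectable.

```powershell
# Added example, not from the SDK page: audit the local machine's personal store and
# report whether each private key meets the Windows 2000 Schannel server rules above
# (held by a PROV_RSA_SCHANNEL, PROV_DH_SCHANNEL or PROV_FORTEZZA CSP, type AT_KEYEXCHANGE).
# Assumes Windows PowerShell 5.1, where X509Certificate2.PrivateKey returns an
# RSACryptoServiceProvider/DSACryptoServiceProvider whose CspKeyContainerInfo reflects
# the certificate's CERT_KEY_PROV_INFO_PROP_ID data.

# Provider type values from wincrypt.h.
$SchannelProviderTypes = @{ 12 = 'PROV_RSA_SCHANNEL'; 18 = 'PROV_DH_SCHANNEL'; 4 = 'PROV_FORTEZZA' }

function Test-SchannelServerKey {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $r = [ordered]@{ Subject = $Certificate.Subject; Thumbprint = $Certificate.Thumbprint
                         Provider = $null; ProviderType = $null; KeySpec = $null
                         UsableForServer = $false; Reason = '' }
        if (-not $Certificate.HasPrivateKey) {
            $r.Reason = 'certificate has no associated private key'
            return [pscustomobject]$r
        }
        try { $key = $Certificate.PrivateKey }
        catch { $r.Reason = "private key not reachable through a CryptoAPI CSP: $($_.Exception.Message)"; return [pscustomobject]$r }
        if ($null -eq $key -or -not ($key.PSObject.Properties.Name -contains 'CspKeyContainerInfo')) {
            $r.Reason = 'key is not held by a CryptoAPI CSP, so there is no CERT_KEY_PROV_INFO to inspect'
            return [pscustomobject]$r
        }
        $info = $key.CspKeyContainerInfo
        $r.Provider     = $info.ProviderName
        $r.ProviderType = $info.ProviderType
        # KeyNumber.Exchange is AT_KEYEXCHANGE; the only other value, Signature, is AT_SIGNATURE.
        $r.KeySpec = if ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange) { 'AT_KEYEXCHANGE' } else { 'AT_SIGNATURE' }
        $problems = @()
        if (-not $SchannelProviderTypes.ContainsKey([int]$info.ProviderType)) {
            $problems += "provider type $($info.ProviderType) is not a Schannel CSP"
        }
        if ($r.KeySpec -ne 'AT_KEYEXCHANGE') { $problems += 'key is AT_SIGNATURE; Schannel servers need AT_KEYEXCHANGE' }
        $r.UsableForServer = ($problems.Count -eq 0)
        $r.Reason = if ($problems) { $problems -join '; ' } else { "$($SchannelProviderTypes[[int]$info.ProviderType]) key exchange key" }
        [pscustomobject]$r
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Test-SchannelServerKey |
    Format-Table Subject, Provider, ProviderType, KeySpec, UsableForServer, Reason -AutoSize
```

Run it from an elevated prompt so the machine store's private key metadata is readable; a row with UsableForServer set to False names the rule that the key fails.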