Schannel credentials are represented internally as CERT_CONTEXT structures. Schannel locates the private key associated with a particular certificate context through the certificate's CERT_KEY_PROV_INFO_PROP_ID property, which records the provider name, provider type, key container name and key specification. Using that information, Schannel obtains the private key by calling the CryptAcquireContext function. For additional details, see Public/Private Key Pairs.
Every Schannel credential contains a reference to one or more private keys, each associated with a particular certificate. The private keys are handled quite differently depending on whether the credential is for a client or a server.
Client Private Keys
Client private keys are managed by the cryptographic service provider (CSP) in use. Client private keys are typically stored by CSPs of type PROV_RSA_FULL or PROV_RSA_SIG (the signature-only RSA provider type).
If the client application calls CryptAcquireContext itself, it must, before calling AcquireCredentialsHandle, bind the resulting CSP handle to the certificate context by setting the CERT_KEY_PROV_HANDLE_PROP_ID property (with CertSetCertificateContextProperty). If Schannel finds this property set, it uses that handle directly and does not consult the CERT_KEY_PROV_INFO_PROP_ID property.
Server Private Keys
Server private keys are stored by one of the following CSPs:
- PROV_RSA_SCHANNEL
- PROV_DH_SCHANNEL
- PROV_FORTEZZA
The choice of CSP depends on the selected key exchange algorithm. Server private keys must have the key specification AT_KEYEXCHANGE; a key created as AT_SIGNATURE cannot be used as a server credential.
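The following PowerShell function is an added example, not code from the Schannel documentation. It checks the conditions this page states for a server credential (and, by reporting the provider type name, also shows the PROV_RSA_FULL / PROV_RSA_SIG case for client keys): that the private key is held by a CSP rather than a CNG key storage provider, that the provider type is one of PROV_RSA_SCHANNEL, PROV_DH_SCHANNEL or PROV_FORTEZZA, and that the key specification is AT_KEYEXCHANGE. It relies on .NET's RSACryptoServiceProvider.CspKeyContainerInfo, which on Windows is filled from the certificate's key provider information; the function name, the store path default and the thumbprint in the usage line are assumptions. The provider-type numbers are the wincrypt.h values.

```powershell
# Added example (not from the Schannel docs): inspect how a certificate's
# private key is stored and whether it satisfies the server-credential rules.
# Provider type values are the wincrypt.h constants.
$script:ProvTypeName = @{
    1  = 'PROV_RSA_FULL'      # typical client key CSP
    2  = 'PROV_RSA_SIG'       # typical client key CSP (signature only)
    4  = 'PROV_FORTEZZA'      # server key CSP
    12 = 'PROV_RSA_SCHANNEL'  # server key CSP
    18 = 'PROV_DH_SCHANNEL'   # server key CSP
}
$script:ServerProvTypes = @(12, 18, 4)

function Test-SchannelServerKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'   # assumed default; server certs normally live here
    )

    $cert = Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

    $result = [ordered]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        KeyKind       = $null      # 'CSP' or 'CNG'
        ProviderName  = $null
        ProviderType  = $null
        KeySpec       = $null      # AT_KEYEXCHANGE or AT_SIGNATURE
        Ok            = $false
        Reason        = $null
    }

    if (-not $cert.HasPrivateKey) {
        $result.Reason = 'certificate has no private key'
        return [pscustomobject]$result
    }

    # Returns RSACryptoServiceProvider for a CSP-held RSA key, RSACng for a CNG
    # key, and $null for keys that are not RSA (e.g. DH or Fortezza keys).
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

    if ($null -eq $key) {
        $result.Reason = 'private key is not an RSA key this function can inspect'
        return [pscustomobject]$result
    }

    if ($key -is [System.Security.Cryptography.RSACng]) {
        $result.KeyKind      = 'CNG'
        $result.ProviderName = $key.Key.Provider.Provider
        $result.Reason       = 'key is held by a CNG key storage provider; the CSP rules on this page do not apply'
        return [pscustomobject]$result
    }

    # CSP key: CspKeyContainerInfo carries the provider name/type, container
    # name and key number (Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE).
    $info = ([System.Security.Cryptography.RSACryptoServiceProvider]$key).CspKeyContainerInfo
    $isExchange = ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)

    $result.KeyKind      = 'CSP'
    $result.ProviderName = $info.ProviderName
    $result.ProviderType = if ($script:ProvTypeName.ContainsKey($info.ProviderType)) {
                               $script:ProvTypeName[$info.ProviderType]
                           } else { "unknown ($($info.ProviderType))" }
    $result.KeySpec      = if ($isExchange) { 'AT_KEYEXCHANGE' } else { 'AT_SIGNATURE' }

    $problems = @()
    if ($info.ProviderType -notin $script:ServerProvTypes) {
        $problems += "provider type $($result.ProviderType) is not PROV_RSA_SCHANNEL, PROV_DH_SCHANNEL or PROV_FORTEZZA"
    }
    if (-not $isExchange) {
        $problems += 'key spec is AT_SIGNATURE; server keys must be AT_KEYEXCHANGE'
    }

    $result.Ok     = ($problems.Count -eq 0)
    $result.Reason = if ($problems) { $problems -join '; ' } else { 'CSP key, Schannel provider type, AT_KEYEXCHANGE' }
    [pscustomobject]$result
}

# Usage (run elevated so the LocalMachine key container is readable;
# the thumbprint below is a placeholder):
# Test-SchannelServerKey -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' | Format-List
```

A key that fails the AT_KEYEXCHANGE check cannot be fixed in place: the key specification is fixed when the key pair is generated, so the certificate has to be re-enrolled with a key created as AT_KEYEXCHANGE in a Schannel provider type.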