CryptoAPI 2.0 Private Keys

Schannel credentials are represented internally as CERT_CONTEXT structures. Schannel locates the private key associated with a particular certificate context using the certificate's CERT_KEY_PROV_INFO_PROP_ID property. Using this property, Schannel accesses the private key by calling the CryptAcquireContext function. For additional details, see Public/Private Key Pairs.

Every Schannel credential contains a reference to one or more private keys, each associated with a particular certificate. The private keys are handled quite differently depending on whether the credential is for a client or a server.

Client Private Keys

Client private keys are managed by the cryptographic service provider (CSP) in use. Client private keys are typically stored by CSPs of type PROV_RSA_FULL or PROV_RSA_SIGNATURE.

If the client application makes the CryptAcquireContext call manually then before calling AcquireCredentialsHandle, the client must bind the CSP's handle to the certificate context using the CERT_KEY_PROV_HANDLE_PROP_ID property. If Schannel finds this property set, it does not use the CERT_KEY_PROV_INFO_PROP_ID property.

Server Private Keys

Server private keys are stored by one of the following CSPs:

  • PROV_RSA_SCHANNEL
  • PROV_DH_SCHANNEL
  • PROV_FORTEZZA CSP

The choice of CSP depends on the selected key exchange algorithm. Server private keys must be of type AT_KEYEXCHANGE.