Configuring Microsoft Base CSP with home made .exe files

My dear friend Hasain wrote a very interesting blog post last year about modifying the registry so that the Base CSP allows manual .pfx imports to smartcards using certutil.

This is very interesting in many respects, not least because you are able to generate keys outside of the smartcard and then import them to the card. This allows us to archive the keys without the need for CLM to enable key archiving for certificates on smartcards (since the private key exists outside of the smartcard). :)

If you follow Hasain’s instructions, and export the settings to a registry file, you should have the following content:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001

 

Since I am not a fan of manually modifying the registry (or using registry files), I prefer to use a script or a homemade binary so that I can just double-click a file to apply the settings. :)

So I wrote the following VB.NET code that does the same thing as our registry file:

Public Module Registry
    ' Registry key of the Microsoft Base Smart Card Crypto Provider
    Private Const BaseCspKey As String = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider"

    Public Sub Main()
        ' Allow import of signature and exchange private keys.
        ' Writing under HKEY_LOCAL_MACHINE requires an elevated process.
        My.Computer.Registry.SetValue(BaseCspKey, "AllowPrivateSignatureKeyImport", 1, Microsoft.Win32.RegistryValueKind.DWord)
        My.Computer.Registry.SetValue(BaseCspKey, "AllowPrivateExchangeKeyImport", 1, Microsoft.Win32.RegistryValueKind.DWord)
    End Sub
End Module

After a simple compilation of the VB.NET code above using vbc.exe, I have a single .exe file that automatically applies the necessary registry settings for me.

I showed the VB.NET code to Dalle for feedback, and he was kind enough to insist on making a PowerShell version. (Thanks Dalle! :) )

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider' -Name 'AllowPrivateSignatureKeyImport' -Type DWord -Value 1

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider' -Name 'AllowPrivateExchangeKeyImport' -Type DWord -Value 1
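
To check afterwards which of the two switches are set, and to turn them off again once the import is done, something like the following can be used. This is an added example, not part of the original post or Dalle's code; the function names are made up here, it looks at both the 64-bit and 32-bit registry views in case a 32-bit tool wrote the values, and it assumes that writing 0 is the "import not allowed" state.

```powershell
# Added example: audit and reset the Base CSP private key import switches.
$SubKey = 'SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$Names  = @('AllowPrivateSignatureKeyImport', 'AllowPrivateExchangeKeyImport')
$Views  = @([Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32)
$Hive   = [Microsoft.Win32.RegistryHive]::LocalMachine

function Get-BaseCspKeyImport {
    # Hypothetical helper: returns one object per registry view and value name.
    foreach ($view in $Views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $view)
        $key  = $base.OpenSubKey($SubKey)          # read-only, $null if the key is absent
        foreach ($name in $Names) {
            $value = if ($key) { $key.GetValue($name, $null) } else { $null }
            [pscustomobject]@{
                View    = $view
                Name    = $name
                Value   = $value                   # $null means the value is not present
                Enabled = ($value -eq 1)
            }
        }
        if ($key) { $key.Dispose() }
        $base.Dispose()
    }
}

function Disable-BaseCspKeyImport {
    # Hypothetical helper: writes 0 to every switch that exists. Requires elevation.
    foreach ($view in $Views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $view)
        $key  = $base.OpenSubKey($SubKey, $true)   # open writable
        if ($key) {
            foreach ($name in $Names) {
                if ($null -ne $key.GetValue($name, $null)) {
                    $key.SetValue($name, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
                }
            }
            $key.Dispose()
        }
        $base.Dispose()
    }
}

# Report the current state; call Disable-BaseCspKeyImport after the .pfx import is finished.
Get-BaseCspKeyImport | Format-Table -AutoSize
```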

 

// Fredrik “DXter” Jonsson
