Channel: Common Language Runtime Internals and Architecture forum

Digital certificate import


I need to programmatically import a digital certificate (.PFX) into Windows 7 and apply specific security settings.  When opening a digital certificate the third page of the “Certificate Import Wizard” presents the following option.

  • Enable strong private key protection.  You will be prompted every time the private key is used by an application if you enable this option.

Checking that option triggers the “Importing a new private exchange key” dialog. The default security level is set to Medium. This must be forced to High. Changing the security level to High triggers the “Create a Password” dialog. This password must be entered by the user every time the certificate is used.

The X509Certificate2 class provides much of the needed functionality. Passing X509KeyStorageFlags.UserProtected to the constructor appears to correspond to strong private key protection. However, there does not appear to be a way to select the High security level. Research suggests that another flag value (CRYPT_FORCE_KEY_PROTECTION_HIGH) is necessary to provide the desired result. This flag is not exposed by the .NET Framework.

Is this possible with .NET or a Windows SDK utility like CertMgr.exe?  It would also be beneficial to verify if specific certificates have been imported with these settings.

Microsoft Reference Source:

  • /mscorlib/system/security/cryptography/x509certificates/x509utils.cs: private void LoadCertificateFromFile (string fileName, object password, X509KeyStorageFlags keyStorageFlags)
  • /mscorlib/system/security/cryptography/x509certificates/x509utils.cs: internal static uint MapKeyStorageFlags(X509KeyStorageFlags keyStorageFlags)

WinCrypt.h:

  • CRYPT_FORCE_KEY_PROTECTION_HIGH
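As an added illustration (not code from the original post), the part of the task that the public .NET API does cover: importing the PFX with X509KeyStorageFlags.UserProtected into the current user's Personal store and then checking that the certificate is present with a private key attached. The High protection level is not selectable here, as the question notes; the UserProtected flag only requests the CryptoAPI protection prompt at its default level. The PFX path, password and the PfxImport class name are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper written for this example.
static class PfxImport
{
    // Imports a PFX into CurrentUser\My with strong private key protection
    // requested (UserProtected). Must run in an interactive session, because
    // CryptoAPI shows its protection dialog during construction.
    // Exportable is deliberately NOT set, so the key cannot be re-exported.
    public static string Import(string pfxPath, string pfxPassword)
    {
        var flags = X509KeyStorageFlags.UserProtected
                  | X509KeyStorageFlags.PersistKeySet
                  | X509KeyStorageFlags.UserKeySet;

        var cert = new X509Certificate2(pfxPath, pfxPassword, flags);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX contains no private key.");

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); }
        finally { store.Close(); }
        return cert.Thumbprint;
    }

    // Verifies that exactly one certificate with this thumbprint is in the
    // store and has a private key. The protection level itself is not
    // reported by the .NET API, so this check cannot distinguish Medium
    // from High.
    public static bool IsImported(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count == 1 && found[0].HasPrivateKey;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        // Placeholder inputs; replace with a real PFX and its password.
        string thumb = Import(@"C:\path\to\cert.pfx", "pfx-password");
        Console.WriteLine("Imported with private key: " + IsImported(thumb));
    }
}
```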
