Archived Forum Post


Question:

ChilkatCert and smartcard

Jul 19 '12 at 12:47

I'm using ChilkatCert. Is there any way to specifically open the certificate store that's on a smartcard? (Our users are using an Omnikey cardreader with a smartcard).

Capicom was using "SMART_CARD_USER_STORE" for that.


Answer

I don't think it's possible, but it may not be necessary. I'll explain.

A digital certificate has an associated private key. The certificate itself (i.e. the X.509 cert) does not need to be protected. In fact, it would never make sense to protect the certificate because your counterparty needs to have it to verify signatures, or to encrypt messages sent to you (such that only the holder of the associated private key can decrypt). In other words, the certificate is something to be freely provided to your counterparties.

It is the associated private key that must be protected. For example, when a cert + private key is installed onto a Windows system (no smart card involved), the cert is installed to a registry-based certificate store, and the private key goes into something called the "protected store". The "protected store" is accessed by programs via Crypto API, which internally uses DPAPI (http://msdn.microsoft.com/en-us/library/ms995355.aspx).

Most other systems that provide a PKI (public/private key infrastructure) have some sort of protected way of storing private keys, while the cert itself is unprotected. Java has KeyStores; PFX (PKCS #12) files are containers where the keys are stored in "shrouded" stores. Etc.

I would expect that it should be possible to extract the certificates (without private key) from the smart card. If so, then you can install the certificate-only (without private key) onto the Windows system such that it exists in the Current User registry-based certificate store. Once you do this, Chilkat should be able to automatically use the associated private key located on the smart card without any special coding.
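The procedure the answer describes (put only the public certificate into the Current User registry store and let Windows find the private key on the card) can be carried out and checked from PowerShell. The script below is an added example, not code from the original post or from Chilkat. It assumes the card is inserted in the reader and that `Card.cer` is a certificate file exported from the card's management tool; such a file holds no private key, so copying it around is harmless. The `certutil -repairstore` step is what asks CryptoAPI to re-link the stored certificate to a matching key container, including containers exposed by the smart card provider.

```powershell
<#
Added example (not part of the original forum post).
Installs a public-only certificate into Cert:\CurrentUser\My and verifies
that Windows associates it with the private key held on the smart card.
Assumption: $CerPath points at a DER or Base64 .cer exported from the card.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$CerPath
)

if (-not (Test-Path -Path $CerPath)) {
    throw "Certificate file not found: $CerPath"
}

# Import the certificate only. Import-Certificate cannot carry a private key,
# so nothing sensitive is written to the registry-based store.
$imported = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\CurrentUser\My |
    Select-Object -First 1
$thumb = $imported.Thumbprint

# Ask CryptoAPI to re-associate the certificate with a matching key container.
# With the card inserted, the smart card CSP/KSP container is a candidate.
certutil -user -repairstore My $thumb | Out-Null

# Re-read the store entry and report what Windows now knows about the key.
$cert     = Get-Item -Path "Cert:\CurrentUser\My\$thumb"
$detail   = certutil -user -store My $thumb
$provider = ($detail | Select-String -Pattern 'Provider\s*=' | Select-Object -First 1).Line

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $thumb
    HasPrivateKey = $cert.HasPrivateKey   # $true once the on-card key is linked
    Provider      = $provider             # should name the smart card provider, not a software CSP
}
```

Run it as the user who will sign or decrypt, e.g. `.\Link-SmartCardCert.ps1 -CerPath .\Card.cer`. If `HasPrivateKey` comes back `$false`, the card was not present or its middleware did not expose a container matching the certificate's public key; if `Provider` names a software CSP instead of the card's provider, the key the store found is a local software key rather than the one on the card.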