Commands related to cryptographical operations
This module is still experimental and liable to change.
This package provides procedures related to cryptographic services provided by the Windows platforms.
This page describes the commands related to the Win32 CryptoAPI which includes functions related to encryption, decryption, signatures and ancillary services for certificate and key management.
The Win32 CryptoAPI includes the Security Support Provider Interface (SSPI) related to secure communication protocols. Those commands are documented separately on the SSPI page.
This documentation expects the reader is familiar with the use of cryptography. An overview of the concepts in the CryptoAPI is provided but the API itself is fairly complex and the reader may wish to refer to the Windows SDK CryptoAPI documentation for detailed guides and reference documentation.
A Cryptographic Service Providers (CSP) on Windows is a software module that implements a set of cryptographical functions such as encryption or key storage. There may be multiple such modules on a system, each implementing one of more cryptographic algorithms for one or more cryptographic functions. Applications implement cryptographic operations by calling a standard interface defined by Windows and implemented by the CSPs.
Some CSP's come with the Windows operating system while others are implemented by third parties. The feature set implemented by each CSP is different and can depend on factors such as the operating system version, and because of US export restrictions, the country. Based on the supported features, CSP's have an associated CSP type. For example, a CSP of type PROV_RSA_FULL supports digital signatures and encryption using the RSA public key algorithm. On the other hand, a CSP of type PROV_DSS uses the DSA algorithm and only supports hashes and signatures. When creating a Cryptographic contexts, an application needs to specify a CSP type that supports the desired operations. The following types are recognized: prov_rsa_full, prov_rsa_sig, prov_dss, prov_fortezza, prov_ms_exchange, prov_ssl, prov_rsa_schannel, prov_dss_dh, prov_ec_ecdsa_sig, prov_ec_ecnra_sig, prov_ec_ecdsa_full, prov_ec_ecnra_full, prov_dh_schannel, prov_spyrus_lynks, prov_rng, prov_intel_sec, prov_replace_owf, prov_rsa_aes. Refer to the Windows SDK for details about the features provided by each. For most applications, the default prov_rsa_full is sufficient.
Two standard providers shipped as part of Windows are Microsoft Base Cryptographic Provider and the Microsoft Strong Cryptographic Provider. On most systems, the latter is the default when no specific CSP is selected and is sufficient in most cases unless some special functionality like hardware based cryptography is desired.
The commands crypt_csps and crypt_csptypes return the list of CSP's and CSP types on the system.
The keys used for cryptographic operations are stored in key containers within a CSP's control. The keys are not generally exposed directly to an application but rather the CSP carries out the operations using the keys on the application's behalf.
A CSP may be associated with multiple key containers, each identified by a name. The specific key container and the keys within that container that are used for an operation depends on the Cryptographic contexts is bound at the time the context is created via the crypt_acquire command. This command also allows creation of new key containers within a CSP if they do not exist.
Depending on the options specified and the account under which they are created, key containers are created with restricted access. The exact access depends on the account group membership (e.g. whether an adminitrator or not) and operating system version. Applications can set specific access rules by setting a DACL on the container using crypt_set_security_descriptor.
To delete key containers, use the crypt_key_container_delete command.
Depending on the CSP chosen, key containers may be empty when created. The command crypt_key_generate adds keys to the container. The algorithm with which the key will be used and the purpose (encryption, signing etc.) can be specified so the appropriate type of key is generated. The container may contain multiple keys and appropriate key must be chosen when cryptographic operations are invoked.
A key container may be created as a user key set or a computer key set. These are distinguished based on where they are stored and who has access to them. Refer to the Windows SDK CryptoAPI documentation for details. It is possible to change the default access permissions for a key container. The crypt_get_security_descriptor and crypt_set_security_descriptor commands can be used retrieve and change the security descriptor for a key container.
In order to perform cryptographic operations, an application must choose a CSP, the algorithms to use and their parameters including keys. The command crypt_acquire takes these are parameters and returns a handle to a cryptographic context that binds the desired combination together. This handle can then be used in further cryptographic operation.
Once a context is created, the various parameters associated with it can be retrieved.
When no longer needed, cryptographic contexts must be freed with the crypt_free command.
The CryptoAPI interface provides functions for handling and storage of X.509 digital certificates. A certificate store is a container for certificates. The container may be a physical store, for example on disk, or a logical store which is a collection of physical stores presented to the application as a single store. Certificate stores may also be created as in-memory temporary stores which are not persisted.
Certain certificate stores, called system stores are predefined by Windows. These include the stores MY, ROOT, Trust and CA. Most applications should store certificates in either the MY store, or in their own custom store.
Note that the system stores are relative to a system store location which must be specified when opening the store. To enumerate the locations of the system stores, use cert_system_store_locations. Optionally, the following predefined values may be used to specify a system store location:
user | Certificates associated with the current user account. |
users | Certificates shared among all user accounts on the system. |
service | Certificates associated with the current service account. |
services | Certificates shared among all services on the system. |
localmachine | Certificates associated with the system. |
localmachineenterprise | Certificates downloaded from the global enterprise directory. |
localmachinegrouppolicy | Certificates associated with the group policy for the system. |
usergrouppolicy | Certificates associated with the group policy for the current user. |
To enumerate system stores at a location, use the cert_system_stores.
Most certificate store operations require the store to be first opened or created. Persistent stores are opened or created using the one of the commands cert_system_store_open, cert_physical_store_open or cert_file_store_open as appropriate. Non-persistent stores are created using cert_temporary_store which includes various options for populating the store, for example with the contents of PFX/PKCS #12 or PKCS #7 packets.
The handle returned from these commands must be passed to any commands that operate on stores and released by calling cert_store_release when no longer required.
The returned handle from these commands refers to a cached copy of the store. Any changes made via this handle are made to the cached copy and must be explicitly saved if they need to persist. This can be done either via the -commitenable option when the store is opened, or by calling cert_store_commit.
Commands cert_store_export_pfx, cert_store_export_pkcs12, cert_store_export_pkcs7, and cert_store_serialize can be used to export certificate stores in various formats.
Existing certificate stores can be deleted using the commands cert_system_store_delete, cert_physical_store_delete and cert_file_store_delete. A in-memory certificate store is deleted when its handle is closed.
When a certificate is placed in a store, it is associated with additional properties that are not part of the certificate itself, for example a private key associated with the certificate. These properties can be enumerated with cert_enum_properties and manipulated with the cert_property, cert_property_set and cert_property_delete commands.
Operating on a certificate requires a certificate context which encapsulates all information about the certificate. Most often, the certificate of interest is an existing certificate that is located in a certificate store. The commands for finding certificates in a store return a handle to a suitable certificate context. Similarly, commands that create new certificates or add certificates to a store return handles to certificate contexts as well.
When no longer needed, certificate contexts must be freed by calling cert_release.
The cert_info command returns the fields in a certificate context. The cert_extension command retrieves specific extensions. Two extensions, Intended Key Usage and Enhanced Key Usage, can be also be retrieved with the cert_key_usage and cert_enhkey_usage command. These look up certificate context properties in addition to multiple related extensions in the certificate itself.
The encoded certificate associated with a certificate context can be retrieved with the cert_export command. This can be written to a file or otherwise distributed.
set fd [open MyCert.cer w] chan configure $fd -translation binary puts -nonewline $fd [cert_export $hcert] close $fd
The cert_locate_private_key command locates the private key corresponding to the public key in a certificate.
An existing certificate in a store can be retrieved in one of two ways:
Both these commands return a handle to a certificate context that can be used for further operations on the certificate.
New certificates can be created by commands such as cert_create_self_signed, cert_create_signed_from_crypt_context and cert_create. These return handles to certificate contexts that are not associated with any store. The certificates must be explicitly placed in a certificate store if desired.
Creating a new certificate involves several steps. As always, first a cryptographic context is needed that defines the algorithms, keys etc. that will be used to create the certificate.
set crypt [crypt_acquire twapi_test_container -csp {Microsoft Strong Cryptographic Provider} -csptype prov_rsa_full -create 1]
This assumes a key container called twapi_test_container does not exist. All the options specified above happen to be the defaults if unspecified.
The key container is created without any keys so we need to generate public/private key pairs. As we will use the certificate for both signing and key exchange, we generate two key pairs for the container.
crypt_key_free [crypt_key_generate $crypt signature -exportable 1] crypt_key_free [crypt_key_generate $crypt keyexchange -exportable 1]
Note we immediately release the key handles as they are not needed. This does not destroy the underlying keys. Also, because we want to write the certificate out to a file with the private keys, we mark the keys exportable.
Next, we create a self signed certificate from the cryptographic context we created. This will use the keys we just added.
set cert [cert_create_self_signed_from_crypt_context "CN=TwapiTestCA" $crypt]
We now have a certificate context for a new self signed certificate. In most cases, we will want to either store it in a certificate store for future use or export it to a file. This is illustrated in succeeding sections of this document.
The cryptographic context is not needed any more and can be released.
crypt_free $crypt
Certificates that are not self-signed are created through cert_create. The private key for the signing certificate must be accessible to the application. The data for the new certificate, such as the subject name, the certificate public key, extensions etc. may be provided by the application itself but more often come from a certificate signing request which is generated elsewhere, possibly even on a different system. The command cert_request_parse can be used to parse such a request and the extracted fields passed to cert_create. The request itself can be created by cert_request_create.
On the requester's side, assuming the key container for the requestor has been already created as in the example above,
set crypt [crypt_acquire twapi_requestor_container -csp {Microsoft Strong Cryptographic Provider} -csptype prov_rsa_full] set req [cert_request_create "CN=My Subject Name" $crypt keyexchange -keyusage {key_agreement key_encipherment} -enhkeyusage client_auth] crypt_free $crypt
The above will create a binary which can be sent to the remote signing authority where the certificate request contents can be retrieved:
set parsed_req [cert_request_parse $req]
After verifying the validity of the request (how this is done is entirely up to the application), a certificate for the requestor can be created:
# Assume cissuer is certificate context of signing certificate set subject [dict get $parsed_req subject] set pubkey [dict get $parsed_req pubkey] set opts {} foreach optname {-basicconstraints -keyusage -enhkeyusage} { if {[dict exists $parsed_req extensions $optname]} { lappend opts $optname [dict get $parsed_req extensions $optname] } } set reqcert [cert_create $subject $pubkey $cissuer {*}$opts]
The encoded new certificate returned can be sent back to the requesting client.
Certificates can be added and deleted from certificate stores with the commands cert_store_add_certificate and cert_store_delete_certificate respectively. These commands take a certificate context. A certificate that is in encoded form can be added to a store with cert_store_add_encoded_certificate.
Note that adding a certificate to a store creates a copy of the certificate. The original certificate (context) is unmodified.
The sample code below adds the certificate we created in the previous section to a temporary in-memory store. First we create the memory store.
set store [cert_temporary_open]
Then we add the certificate to it.
set mcert [cert_store_add_certificate $store $cert]
This creates a copy of the certificate we created earlier. Since we no longer need the original, we need to free it.
cert_release $cert
There is now one crucial additional step. The association between a certificate and its private key is maintained by the store and is not part of the certificate. We therefore have to explicitly make the association between the CSP key container and the new certificate context for the temporary store.
cert_set_key_prov $mcert -csp {Microsoft Strong Cryptographic Provider} -keycontainer twapi_test_container -csptype prov_rsa_full
Notice we have specified exactly the key container we had created earlier.
The certificate is now stored in the temporary store and will be available as long as the volatile temporary store is not closed. As a final step we will export the certificate and the private keys to a file. This step is only necessary if we want to move the certificate elsewhere. (Note if we only wanted to export the certificate without private keys, we would follow the procedure in Getting certificate contents.
set fd [open MyCert.pfx w] chan configure $fd -translation binary puts -nonewline $fd [cert_store_export_pfx $store [password] -exportprivate] close $fd
Note that because we are exporting private keys, a password is required to protect the exported file.
Finally, assuming we have no need to hold on to the certificate, we can free up the resources.
cert_release $mcert cert_store_release $store
There are several aspects to validating a certificate. At the very least, the following must be checked:
The cert_tls_verify command can be used for this purpose. Currently, TWAPI only supports certificate verification for use in SSL connections.
An ASN.1 object identifier (OID) is a dotted decimal string such as 1.2.3.4 that represents a ASN.1 class or attribute. Many CryptoAPI command arguments use OID's to represent types and values such as algorithm identifiers. OID's can be passed in their dotted decimal form, or, for some commonly used ones, a mnemonic identifer. The list of mnemonic identifiers can be obtained through the oids command. Mapping to and from a specific mnemonic can be done through the oidname and oid commands.
The X.509 certificate extensions allow for a list of alternative names to be specified for both the certificate subject and issuer. When passed to commands, this list is formatted as a list of alternating name format and name value elements. The allowed name formats and corresponding values are specified in the following table:
other | The value is a pair of elements, the first being an OID and the second a binary. |
The value is a RFC 822 email address string. | |
dns | The value is a DNS name string. |
directory | The value is directory name in binary format. |
url | The value is a URL string. |
ip | The value is a binary octet string containing an IP address. |
registered | The value is a registered OID in string format. |
Windows provides facilities to encrypt and protect data based on the user credentials such that it can only be retrieved on the same system with the same credentials. The The protect_data and unprotect_data commands provide access to this facility.
-format FORMAT | Specifies how the output is to be formatted. FORMAT must be one of x500 (default), oid or simple. |
-noplus BOOLEAN | If true, the plus sign in names is replaced with a single space. Default is false. |
-noquote BOOLEAN | If true, quoting of special characters in RDN names is disabled. Default is false. |
-reverse BOOLEAN | If true, order of RDN components is reversed. Default is false. |
-separator SEPARATOR | Specifies the separator to use between RDN components. SEPARATOR must be one of comma (default), semicolon or newline. |
-altnames ALTNAMES | Specifies X.509 Alternative Name values to include in the certificate. ALTNAMES is a pair of one or two elements. The first is a list of pairs containing the name type and name value as described in X.509 alternative names. The second element, which is optional and defaults to false, is a boolean indicating whether the corresponding certificate extension should be marked critical or not. | ||||||
-basicconstraints BASICCONSTRAINTS | Specifies a basic constraints extension to be included in the certificate. BASICCONSTRAINTS is a pair of one or two elements. The first is a triplet consisting of a boolean which should be true if the certificate is to be used for a certificate authority, a boolean that indicates whether the path length value is to be enforced, and a non-negative integer which is the path length value itself. These last are only relevant if the first is true. The second element of BASICCONSTRAINTS, which is optional and defaults to true, is a boolean indicating whether the corresponding certificate extension should be marked critical or not. This element cannot be specified if the -purpose option is specified and contains the value ca. | ||||||
-capathlen CAPATHLENGTH | Specifies the limit on the certificate chain path length during verification. Ignored unless the -purpose option includes ca. | ||||||
-end ENDTIME | Specifies the end of the certificate validity period. ENDTIME must be of the form Year-Month-Day Hour:Minutes:Seconds. Defaults to one year beyond the start time. | ||||||
-enhkeyusage ENHKEYUSAGE | Specifies values to use for the X.509 enhanced key usage extension. ENHKEYUSAGE is a pair of one or two elements, the first of which is a list containing one or more values from client_auth, code_signing, email_protection, ipsec_endsystem, ipsec_tunnel, ipsec_user, server_auth, ocsp_signing, timestamp_signing or a valid OID. The second element, which is optional and defaults to false, is a boolean indicating whether the corresponding certificate extension should be marked critical or not. | ||||||
-encoding ENCODING | Specifies the encoding in which the encoded certificate is returned. ENCODING may be der (default) or pem for DER- and PEM-encoding respectively. | ||||||
-keyspec KEYSPEC | KEYSPEC must be one of signature (default) or keyexchange and specifies the public/private key pair in the container for which the certificate is being created. | ||||||
-keyusage KEYUSAGE | Specifies values to use for the X.509 key usage extension. KEYUSAGE is a pair of one or two elements, the first of which is a list containing one or more values from crl_sign, data_encipherment, decipher_only digital_signature, encipher_only, key_agreement, key_cert_sign, key_encipherment and non_repudiation. The second element, which is optional and defaults to false, is a boolean indicating whether the corresponding certificate extension should be marked critical or not. | ||||||
-purpose PURPOSELIST | Specifies the purposes for which the certificate is
to be used. This is a more convenient method of specifying common
extensions. Use of this adds appropriate extensions but does not
preclude caller from specifying other extension-based options.
PURPOSELIST must be a list containing zero or
more items from the following:
|
||||||
-signaturealgorithm SIGLAGORITHM | Specifies the signature algorithm to use for signing the certificate. | ||||||
-start STARTTIME | Specifies the start of the certificate validity period. STARTTIME must be of the form Year-Month-Day Hour:Minutes:Seconds. Defaults to the current time. |
-altnames ALTNAMES | See cert_create |
-capathlen CAPATHLENGTH | See cert_create |
-csp CSP | Specifies the name of the CSP to be used. If unspecified, the default Microsoft CSP for the system is used. |
-csptype CSPTYPE | Indicates the type of CSP. Defaults to prov_rsa_full. See Cryptographic Service Providers for all possible types. |
-end ENDTIME | See cert_create |
-enhkeyusage ENHKEYUSAGE | See cert_create |
-keycontainer CONTAINERNAME | Specifies the name of the key container to use. If unspecified, the default container for the CSP is used. |
-keysettype KEYSETTYPE | KEYSETTYPE type must be user (default) or machine depending on whether the key container is user-specific or not. |
-keyspec KEYSPEC | See cert_create |
-keyusage KEYUSAGE | See cert_create |
-purpose PURPOSELIST | See cert_create |
-silent BOOLEAN | Normally, the CSP may prompt the user for any information that may be required to retrieve the keys. If this option is specified as true, the user is never prompted. Instead the command will raise an error if a user prompt would have been required. |
-signaturealgorithm SIGLAGORITHM | Specifies the signature algorithm to use for signing the certificate. SIGLAGORITHM is the OID (see ASN.1 Object Identifiers) corresponding to a signature algorithm. Defaults to the SHA1RSA algorithm if unspecified. |
-start STARTTIME | See cert_create |
-altnames ALTNAMES | See cert_create |
-capathlen CAPATHLENGTH | See cert_create |
-end ENDTIME | See cert_create |
-enhkeyusage ENHKEYUSAGE | See cert_create |
-keyusage KEYUSAGE | See cert_create |
-purpose PURPOSES | See cert_create |
-silent BOOLEAN | See cert_create_self_signed. |
-signaturealgorithm SIGLAGORITHM | See cert_create_self_signed. |
-start STARTTIME | See cert_create |
-backupprivilege BOOLEAN | If true, specifies that the thread's SE_BACKUP_NAME and SE_RESTORE_NAME privileges must be used to open the store. Default is false. |
-commitenable BOOLEAN | If true, any changes made to the store are persisted to PATH when the store is closed. Default is false. |
-create BOOLEAN | If true, a new store is opened only if it did not exist. An error is raised if the store already existed. Default is false so no error is raised in the latter case. |
-deferclose BOOLEAN | Normally changes to any certificate contexts made after the associated store is closed are not persisted. Setting this option to true will defer the closing of the store until all associated certificate contexts have been released. Default is false. |
-existing BOOLEAN | If true, when PATH does not already exist, it is not created. An exception is raised instead. Default is false. |
-includearchived BOOLEAN | By default, enumeration of certificates in a store will not include any that are marked as archived. Setting this option to true will cause those certificates to be included. Default is false. |
-maxpermissions BOOLEAN | If true, the store is opened with the maximum set of access permissions possible. Default is false. |
-readonly BOOLEAN | If true, the underlying file is opened in read-only mode. However, changes can still be made to the in-memory cache. Default is false. |
-end | The end of the certificate's validity period in the format Year-Month-Day Hour:Minutes:Seconds |
-extensions | A list of extensions in the certificate. Each element is a triplet containing the OID of the extension, a boolean indicating whether the extension is marked critical or not, and the extension value. |
-issuer | The name of the certificate issuer. |
-issuerid | A binary containing unique id for the certificate issuer. This is generally not used and should not be relied on. |
-publickey | The public key of the subject. This is a pair consisting of the algorithm identifier (in the same format as -signaturealgorithm) and a binary containing the public key. |
-serialnumber | A binary containing the serial number of the certificate. |
-signaturealgorithm | A pair consisting of the OID for the algorithm used to sign the certificate and a binary containing any associated parameters. |
-start | The start of the certificate's validity period in the format Year-Month-Day Hour:Minutes:Seconds. |
-subject | The name of the certificate subject. |
-subjectid | A binary containing unique id for the certificate subject. This is generally not used and should not be relied on. |
-version | The X.509 version of the certificate. Note this is 0-based on V3 certificates will have a value of 2. |
-keysettype any|user|machine | Specifies which key sets are to be searched for the private key. If user or machine, the search is restricted to the containers for the current user or the machine respectively. If any (default), both user and machine containers are searched. |
-silent BOOLEAN | Normally, the CSP may prompt the user for any information that may be required to access key containers. If this option is specified as true, the user is never prompted. Instead the command will return 0 indicating no key could be found. |
-format FORMAT | Specifies how NAME is formatted. FORMAT must be one of x500 (default), oid or simple. |
-noplus BOOLEAN | If true, the plus sign in NAME is not treated as a value separator. Default is false. |
-noquote BOOLEAN | If true, quoting is not supported in NAME. Default is false. |
-reverse BOOLEAN | If true, order of RDN components in NAME is reversed before encoding. Default is false. |
-separator SEPARATOR | If unspecified, commans and semicolons are parsed as separators. If specified, only SEPARATOR is treated as a separator. SEPARATOR must be one of comma (default), semicolon or newline. In the case of newline, carriage return and linefeed characters are treated as separators. |
access_state | A non-0 integer if write operations to the certificate context are persisted and 0 if they are not. |
archived | If this property exists, the certificate is an archived certificate. |
auto_enroll | The certificate type for which this certificate has been auto-enrolled. |
date_stamp | The date and time that the certificate was added to the store. |
description | The description associated with the certificate for display purposes. |
enhkey_usage | A list of enhanced key usage OID's. |
extended_error_info | Any extended error information for the certificate context. |
friendly_name | The display name for the certificate. |
issuer_public_key_md5_hash | The MD5 hash of the issuer's public key used to sign the certificate. |
issuer_serial_number_md5_hash | The MD5 hash of the issuer name and serial number. |
key_context | A list of two elements containing a handle to the cryptographic context for the certificate and the key type. |
key_identifier | A binary containing the Subject Key Identifier value if it exists else the SHA1 hash on the certificate Subject Public Key. |
key_prov_handle | A handle to the associated cryptographic context. |
key_prov_info | A list containing the following elements: the name of the key container, the name of the CSP, the CSP type, attributes, key container parameters and the key type. |
key_spec | Specifies the private key. |
md5_hash | Binary containing the MD5 hash of the certificate. |
pvk_file | File path of the private key file corresponding to the certificate's public key. |
sha1_hash | Binary containing the SHA1 hash of the certificate. This can also be retrieved as a hexadecimal string with cert_thumbprint. |
signature_hash | Signature hash. |
subject_name_md5_hash | Binary containing the MD5 hash of the encoded subject name. |
subject_public_key_md5_hash | Binary containing the MD5 hash of the certificate public key. |
-altnames ALTNAMES | See cert_create |
-capathlen CAPATHLENGTH | See cert_create |
-encoding ENCODING | Specifies the encoding of the returned CSR. ENCODING may be der (default) or pem for DER- and PEM-encoding respectively. |
-enhkeyusage ENHKEYUSAGE | See cert_create |
-keyusage KEYUSAGE | See cert_create |
-purpose PURPOSES | See cert_create |
attributes | The attribute field in the CSR. This is a list each element of which is a pair consisting of an OID and a list of corresponding values. |
extensions | A subset of the attributes key, formatted for easier processing. See the discussion below. This key may be absent if the attributes do not contain any extensions. |
pubkey | The public key of the requestor. This should be passed to cert_create as the public key argument. |
subject | The subject name of the requestor. This should be passed to cert_create as the subject argument. |
version | The CSR format version number. |
-csp CSP | Specifies the name of the CSP for the container. If unspecified, the default Microsoft CSP for the system is used. |
-csptype CSPTYPE | Indicates the type of CSP. Defaults to prov_rsa_full. See Cryptographic Service Providers for all possible types. |
-keycontainer CONTAINERNAME | Specifies the name of the key container. If unspecified, the default container is used. |
-keysettype KEYSETTYPE | KEYSETTYPE must be user (default) or machine. |
-keyspec KEYSPEC | KEYSPEC must be one of keyexchange (default) or signature. |
-silent BOOLEAN | Normally, the CSP may prompt the user for any information that may be required to create the context. If this option is specified as true, the user is never prompted. Instead the command will raise an error if a user prompt was required. |
duplicate | Creates the new certificate while keeping the existing one. This will create duplicates in the store. |
overwrite | Overwrites the existing certificate with the new one. |
preserve | (default) If a matching certificate exists, it is preserved and a error raised. Otherwise, the new certificate is added. |
update | The new certificate is added if there is no matching certificate or the matching certificate's validity period start time is less than that of the new certificate. Otherwise an error is raised. |
-disposition DISPOSITION | Controls what happens if a matching certificate
already exists in the store. DISPOSITION may
take one of the following values:
|
||||||||
-encoding ENCODING | Specifies the encoding of ENCODEDCERT. ENCODING should be der (default) or pem depending on whether ENCODEDCERT uses DER- or PEM-encoding. |
-exportprivatekeys BOOLEAN | If true, any private keys associated with the exported certificates are included in the returned binary. Default is false. |
-failonmissingkey BOOLEAN | If true, the command raises an error if any certificate claims to have an associated private key but does actually have one. Default is false. |
-failonunexportablekey BOOLEAN | If true, the command raises an error if any certificate claims to have an associated private key but does actually have one that is exportable. Default is false. |
any | Returns every certificate in the store. SEARCHTERM is ignored. |
certificate | Returns certificates that exactly match the certificate context whose handle is specified as SEARCHTERM. |
issuer_name | Returns certificates whose issuer exactly matches SEARCHTERM. SEARCHTERM is a X.509 name in encoded form as returned by cert_name_to_blob. |
issuer_substring | Returns certificates whose issuer contains the string SEARCHTERM. Note SEARCHTERM is a string, not in X.509 encoded form. |
key_identifier | Returns certificates with a matching value for the subject key identifier (OID 2.5.29.14) extension. |
md5_hash | Returns certificates that have a MD5 hash which matches the binary SEARCHTERM. |
property | Returns certificates that have a property with id SEARCHTERM (see cert_property). |
pubkey_md5_hash | Returns certificates whose MD5-hashed public key matches the binary SEARCHTERM. |
public_key | Returns certificates containint the specified public key SEARCHTERM. This is a pair consisting of the algorithm identifier (in the same format as -signaturealgorithm) and a binary containing the public key. |
sha1_hash | Returns certificates that have a SHA1 hash which matches the binary SEARCHTERM. |
signature_hash | Returns certificates that have a signature hash which matches the binary SEARCHTERM. |
subject_name | Returns certificates whose subject exactly matches SEARCHTERM. SEARCHTERM is a X.509 name in encoded form as returned by cert_name_to_blob. |
subject_substring | Returns certificates whose subject contains the string SEARCHTERM. Note SEARCHTERM is a string, not in X.509 encoded form. |
dns | Returns the DNSName choice in the Alternative Name extension if there is one, or the the CN OID 2.5.4.3 from the Subject Name field. If neither is found returns an empty string. |
Returns the first rfc822Name choice in the Alternative Name extension. If not found, returns the name field for the Email OID. Otherwise returns an empty string. | |
friendlydisplay | Returns the CERT_FRIENDLY_NAME_PROP_ID property if there is one. Otherwise behaves as simpledisplay. |
simpledisplay | Returns the first attribute suitable for display purposes from Name or Alternative Name extension. |
oid_common_name | Returns the Common Name (Default). |
rdn | Returns the Subject Name RDN if there is one. If not found, returns the first Directory Name choice from the Alternative Name extension if there is one. Otherwise returns an empty string. The format for this option can be further controlled as described later. |
upn | Returns the UPN from the OID 1.3.6.1.4.1.311.20.2.3 in the OtherName choices from the Alternative Name extension and an empty string if not found. |
url | Returns the URL choice in the Alternative Name extension if there is one. If not found, returns an empty string. |
-format FORMAT | Specifies how the output is to be formatted. FORMAT must be one of x500 (default), oid or simple. |
-noplus BOOLEAN | If true, the plus sign in names is replaced with a single space. Default is false. |
-noquote BOOLEAN | If true, quoting of special characters in RDN names is disabled. Default is false. |
-reverse BOOLEAN | If true, order of RDN components is reversed. Default is false. |
-separator SEPARATOR | Specifies the separator to use between RDN components. SEPARATOR must be one of comma (default), semicolon or newline. |
-backupprivilege BOOLEAN | If true, specifies that the thread's SE_BACKUP_NAME and SE_RESTORE_NAME privileges must be used to open the store. Default is false. |
-create BOOLEAN | If true, a new store is opened only if it did not exist. An error is raised if the store already existed. Default is false so no error is raised in the latter case. |
-deferclose BOOLEAN | Normally changes to any certificate contexts made after the associated store is closed are not persisted. Setting this option to true will defer the closing of the store until all associated certificate contexts have been released. Default is false. |
-existing BOOLEAN | If true, when PATH does not already exist, it is not created. An exception is raised instead. Default is false. |
-includearchived BOOLEAN | By default, enumeration of certificates in a store will not include any that are marked as archived. Setting this option to true will cause those certificates to be included. Default is false. |
-maxpermissions BOOLEAN | If true, the store is opened with the maximum set of access permissions possible. Default is false. |
-readonly BOOLEAN | If true, the store is opened in read-only mode. Depending on the provider, the effect may be to either disallow all changes to the store, or to allow changes to the in-memory cache but not persisting them. Default is false. |
-pfx PFXBLOB | Initializes the temporary store with certificates
imported from a PFX (also known as PKCS #12) formatted packet. In
addition to the certificates, any private keys present are also
imported into the system. Unlike the store itself, these keys are
persisted. The following additional options may be used with
-pfx and -pkcs12:
|
||||||||
-pkcs12 PKCS12BLOB | This an alias for the -pfx option. | ||||||||
-pkcs7 PKCS7BLOB | PKCS7BLOB is a PKCS #7 packet containing certificates. The additional option "-encoding ENCODING" may be used with -pkcs7 where ENCODING must be der (default), or pem to indicate the packet is DER- or PEM-encoded. | ||||||||
-serialized SERIALIZEDBLOB | SERIALIZEDBLOB is a serialized certificate store, such as returned from cert_store_serialize. |
-cacheendcert BOOLEAN | If BOOLEAN is true, the end (leaf) certificate is cached. Default is false. |
-disableauthrootautoupdate BOOLEAN | If BOOLEAN is true, auto-update of third party roots from the Windows update server is disabled. Default is false. |
-engine ENGINE | Specifies the chain engine to be used for verification. ENGINE must be user (default) or machine. The engine indicates the namespace and cache to be used for building the verification chain. |
-hstore HSTORE | Allows specification of another certificate store to be searched for supporting certificates. HSTORE is a handle to a certificate store as returned by commands like cert_system_store_open. |
-ignoreerrors ERRORLIST | Specifies that certain errors in verification are to be ignored. See description later. |
-revocationcheck REVOCATIONSPEC | Specifies which certificates in the chain are checked for revocation. REVOCATIONSPEC must be one of all (default) indicating all certificates are to be checked, leaf indicating only the leaf certificate is to be checked, none which disables revocation checks, and excluderoot which indicates all certificates other than the root are to be checked. |
-revocationcheckcacheonly BOOLEAN | If BOOLEAN is true, only cached revocation lists are checked when verifying revocation. Default is false. |
-server SERVER | Specifies that the certificate being verified is
for a server with name SERVER. If this option is
not specified, the verification is done assuming the certificate
represents a client. In the former case, it also verifies that the
name in the certificate matches SERVER. The
command does not verify names in the case of client
certificates. If neither of the options -usageall or -usageany is explicitly specified, they default to server_auth and client_auth respectively depending on whether -server is specified or not. |
-trustedroots HCERTLIST | Windows requires the root of the certificate verification chain belong to one the Windows' trusted stores. Under some circumstances, such as use of a private certificate authority whose root certificate is not in the Windows trusted store list, the command will return a status of untrustedroot. Instead of ignoring this error through the -ignoreerrors unknownca option, the caller can provide a list of certificate contexts HCERTLIST that are acceptable as trusted root certificates in addition to those in the Windows trusted store. |
-urlretrievalcacheonly BOOLEAN | If BOOLEAN is true, only cached URLs are used in building the certificate chain without searching the network. Default is false. |
-usageall USAGELIST | Specifies that the certificate enhanced key usage field must include all the values for USAGELIST. USAGELIST is a list containing OID's or the following values: server_auth, client_auth, code_signing, email_protection, ipsec_end_system, ipsec_tunnel, ipsec_user, timestamp_signing or ipsec_ike_intermediate. |
-usageany USAGELIST | Specifies that the certificate enhanced key usage field must include any of the values for USAGELIST. USAGELIST is as described for the -usageall option above. |
basicconstraints | Ignore errors in basic constraints. |
criticalextensions | Ignore errors pertaining to extensions marked as critical that are not understood by CryptoAPI. |
name | Ignore errors in name validation. |
policy | Ignore invalid policy errors. |
revocation | Ignore errors related to certificate revocation. |
time | Ignore errors in validity period checks. |
unknownca | Allow the root certificate to not be in the trusted roots list. |
usage | Ignore errors related to the -usageall and -usageany options. |
signature | Signature verification failed |
revoked | Certificate has been revoked |
untrustedroot | The root certificate is not in the Windows trusted root list |
chaining | Invalid certificate chain |
wrongusage | Certificate usage extension did not match specified usage. |
expired | Certificate has expired. |
name | Name does not match |
policy | Certificate did not match policy conditions |
basicconstraints | Basic constraints check failed |
criticalextension | Certificate includes an unsupported extension marked as critical |
validityperiodnesting | Time periods for certificates in the chain are not nested. |
norevocationcheck | Revocation checks could not be made because of errors. |
revocationoffline | Revocation checks could not be done because the revocation server was offline. |
cnmatch | Common name does not match -server option. |
purpose | The specified purpose is different from the one specified by the issuing CA. |
carole | The certificate that can be marked for use as a CA is being used as a leaf or vice-versa. |
-create BOOLEAN | If specified as true, the key container is created if it does not exist. If false (default) an error is generated if the key container does not exist. |
-csp CSP | Specifies the name of the CSP to be used. If unspecified, the default Microsoft CSP for the system is used. |
-csptype CSPTYPE | Indicates the type of CSP. Defaults to prov_rsa_full. See Cryptographic Service Providers for all possible types. |
-keysettype KEYSETTYPE | KEYSETTYPE must be user (default) or machine. Normally the key container is stored in the user's profile. If KEYSETTYPE is machine, the key container is treated as a computer container. This is needed when an application must access the keys from a process where the user profile is not loaded. |
-silent BOOLEAN | Normally, the CSP may prompt the user for any information that may be required to create the context. If this option is specified as true, the user is never prompted. Instead the command will raise an error if a user prompt was required. |
-verifycontext BOOLEAN | If specified as true, the context is intended for use with ephemeral keys which are not persisted. Default is false. When true, -keycontainer must not be specified if the CSP is file-based. If specified as false, the returned context provides access to persisted private keys in the container. Specifying this option as true results in a key container being created in memory and deleted when the cryptographic context is released. See the Microsoft knowledgebase article for more details. |
-csp CSP | Specifies the name of the CSP for the key container. If unspecified, the default Microsoft CSP for the system is used. |
-csptype CSPTYPE | Indicates the type of CSP. Defaults to prov_rsa_full. See Cryptographic Service Providers for all possible types. |
-force | Must be specified when deleting the default container. |
-keysettype KEYSETTYPE | KEYSETTYPE must be user (default) or machine. Normally the key container is stored in the user's profile. If KEYSETTYPE is machine, the key container is treated as a computer container. |
-archivable BOOLEAN | If true, the key can be exported until its handle is freed after which it is no longer exportable. |
-exportable BOOLEAN | If true, the key is exportable. If false, session keys and private keys are not exportable. |
-pregen BOOLEAN | If true, specifies an initial Diffie-Hellman or DSS key generation. Not applicable for other algorithms. |
-userprotected BOOLEAN | If true, the user is notified by some CSP-specific means for some uses of the key. |
-size KEYSIZE | Specifies the key size to override the default key size. Since default key sizes are platform dependent, Microsoft recommends key size be explicitly set. |
-audit BOOLEAN | If true, an audit event is generated. Default is false. |
-description DESCRIPTION | A descriptive string that is stored with the encrypted data. |
-hwnd HWND | The handle to the parent window if a dialog is to be shown to the user. |
-localmachine BOOLEAN | If false (default), only the same user can decrypt the data. If true, any user on the same machine can do the decryption. |
-noui BOOLEAN | If true, the operation fails if any user dialog is required to be shown. Default is false. |
-prompt PROMPTSTRING | If specified, the user is shown a dialog with the specified PROMPTSTRING to set the security level of the encrypted data. The user will also be prompted at the time the data is decrypted. |
-withdescription BOOLEAN | By default the command returns just the decrypted data. If specified as true, the command returns a list of two elements - the decrypted data and a descriptive string that is stored with the encrypted data. |
-hwnd HWND | The handle to the parent window if a dialog is to be shown to the user. |
-noui BOOLEAN | If true, the operation fails if any user dialog is required to be shown. Default is false. |
-prompt PROMPTSTRING | If specified, the user is shown a dialog with the specified PROMPTSTRING. |
Copyright © 2007-2013 Ashok P. Nadkarni