Steps for creating a self-signed certificate with the key container created in the machine key set and the private key exportable.
Here are the steps for creating a self-signed certificate whose key container lives in the machine key set (rather than the current user's key set) and whose private key is marked exportable.
Step 1:
Get the CSP handle by opening the key container in the machine key set, creating the container if it does not exist yet.
if (!CryptAcquireContext(&hCryptProv, _T("shmisra"), NULL, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET)) {
    // Error (NTE_BAD_KEYSET means the container does not exist yet)
    _tprintf(_T("Error 0x%x\n"), GetLastError());
    // Try to create a new key container in the machine key set
    if (!CryptAcquireContext(&hCryptProv, _T("shmisra"), NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET)) {
        // ....
    }
    // ....
}
Step 2:
Generate a new RSA signature key pair in that container.
// The upper 16 bits of dwFlags hold the key length: 0x08000000 is 2048 << 16.
// CRYPT_EXPORTABLE allows the private key to be exported from the container later.
if (!CryptGenKey(hCryptProv, AT_SIGNATURE, 0x08000000 | CRYPT_EXPORTABLE, &hKey)) {
    // ....
}
Step 3:
Prepare the key provider info structure that tells the self-signed certificate which container, provider type, key set and key spec its private key belongs to.
CRYPT_KEY_PROV_INFO KeyProvInfo;
memset(&KeyProvInfo, 0, sizeof(KeyProvInfo));
KeyProvInfo.pwszContainerName = L"shmisra";   // pwszContainerName is always a wide string (LPWSTR)
KeyProvInfo.pwszProvName = NULL;              // NULL selects the default provider for dwProvType
KeyProvInfo.dwProvType = PROV_RSA_FULL;
KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;   // must match the flag used in CryptAcquireContext
KeyProvInfo.cProvParam = 0;
KeyProvInfo.rgProvParam = NULL;
KeyProvInfo.dwKeySpec = AT_SIGNATURE;         // must match the key spec used in CryptGenKey
Once the above steps are done, call the CertCreateSelfSignCertificate function, passing it the CSP handle and the CRYPT_KEY_PROV_INFO structure, to create the certificate.
If you follow these steps you end up with a self-signed certificate backed by a 2048-bit RSA key in the machine key set, and the private key is exportable.
References:
https://msdn.microsoft.com/en-us/library/aa376039(VS.85).aspx
-Shamik