How to Determine if a Certificate is Using a CAPI1 or CNG key

Starting with Windows Vista, a certificate can be associated with either a CAPI1 cryptographic service provider or a Cryptography Next Generation (CNG) key provider.

If the private key is associated with the certificate because it is installed in a certificate store, then the CERT_KEY_PROV_INFO_PROP_ID property has two fields that tell you whether the key is a CNG private key. If the ProviderType (rgProvParam) and KeySpec (dwKeySpec) are both zero, it's a CNG private key. Use the following command to dump the certificate properties:

certutil -v -store [StoreName]

For example, the following command dumps the My store:

certutil -v -store my

Use certutil -store -? to get help on the -store command.
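The check described above, applied to a saved store dump, as an added example that is not part of the original page. The function name, the embedded sample and its layout (a "Certificate N" separator line, "Name = value" property lines, a leading hexadecimal number) are assumptions made for illustration; the sample text is constructed, not real output.

```python
import re

# Constructed sample laid out like a `certutil -v -store my` dump (not real data).
SAMPLE_DUMP = """\
================ Certificate 0 ================
Serial Number: 01
  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = constructed-container-0
    Provider = Microsoft Software Key Storage Provider
    ProviderType = 0
    KeySpec = 0 -- XCN_AT_NONE
================ Certificate 1 ================
Serial Number: 02
  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = constructed-container-1
    Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
    ProviderType = 18 (24)
    KeySpec = 1 -- AT_KEYEXCHANGE
================ Certificate 2 ================
Serial Number: 03
"""

CERT_HEADER = re.compile(r"^=+ Certificate (\d+) =+\s*$", re.M)
FIELD = re.compile(r"^\s*(Provider|ProviderType|KeySpec) = (.+?)\s*$", re.M)


def classify_store_dump(text):
    """Return {certificate index: (verdict, provider name or None)}."""
    parts = CERT_HEADER.split(text)[1:]  # [index, body, index, body, ...]
    results = {}
    for index, body in zip(parts[0::2], parts[1::2]):
        fields = dict(FIELD.findall(body))
        if "ProviderType" not in fields or "KeySpec" not in fields:
            # No key provider property: no private key linked in this store.
            verdict = "no key provider info"
        else:
            # Leading token assumed hexadecimal ("18 (24)"); zero reads the same in any base.
            prov_type = int(fields["ProviderType"].split()[0], 16)
            key_spec = int(fields["KeySpec"].split()[0], 16)
            # The rule from the text: both fields zero means a CNG private key.
            verdict = "CNG" if prov_type == 0 and key_spec == 0 else "CAPI1"
        results[int(index)] = (verdict, fields.get("Provider"))
    return results


if __name__ == "__main__":
    for idx, (verdict, provider) in classify_store_dump(SAMPLE_DUMP).items():
        print(f"Certificate {idx}: {verdict} ({provider})")
```

To run it against a real store, redirect the output of the certutil command above to a file and pass the file's text to classify_store_dump.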

If all you have is the certificate but no private key, there's no detectable difference in the certificate itself between a CAPI1 and a CNG certificate. What you can do is check the certificate's public key algorithm OID. To do so, dump the certificate with the following command and look at the Public Key Algorithm section in the command's output.

certutil {certificatefile}