
Can someone explain what makes up the anatomy of a certificate’s private key when the key itself is stored on an HSM? I’m using nShield in this example but I’m assuming the principles are the same for any HSM that creates certificates with HSM private key pointers.

There are two areas I’m having a hard time understanding and there isn’t much information out there…or I’m searching for the wrong keywords.

  1. When I open the certificate in the certificate manager (Windows) it shows that I do have a private key to the certificate. I realize this is just the pointer but, nevertheless, Windows recognizes the data as a valid private key. How is that possible? How does it fool Windows into thinking it’s a real private key?
  2. If I attempt to use the private key from the certificate (i.e., to sign something) it redirects the private key operations to the HSM. I assume the CSP is responsible for this, but how does the certificate know which CSP to use?

I’m trying to get a better understanding so I can write software that allows users to leverage certificates for crypto operations instead of having to rely on PKCS11 or the vendor’s API.

Thanks!!

Kindle Q

1 Answer

At a theoretical level this is possible because the public key and private key of a key pair are mathematically linked. This means that it is possible to query a key storage provider whether it contains the private key of a given certificate. In Windows, yes, it is the Cryptographic Service Provider (CSP) that handles this. The HSM vendor has provided software that integrates with the Windows Cryptography API. Some details about the architecture can be found in this MSDN article: Key Storage and Retrieval

You don't need to delve into deep details of Windows crypto architecture to write software. Microsoft provides APIs that expose this functionality to application developers. If you are using the .NET framework you can look into the System.Security.Cryptography and System.Security.Cryptography.X509Certificates namespaces.

pgianna
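The following C# program is an added example, not code from the question or the answer above. It uses the two .NET namespaces the answer names to show what the certificate store actually hands back for an HSM-backed certificate: not key bytes, but a handle to whichever provider (a CNG key storage provider or a legacy CSP) the certificate's key provider information points at. The thumbprint is a placeholder you must replace with one from your own store, and the message being signed is constructed for the demonstration; the program assumes Windows and a current .NET runtime.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: inspect which provider holds a certificate's private key and
// ask that provider to sign, without ever touching the key material ourselves.
class HsmKeyInspect
{
    // Placeholder: replace with the SHA-1 thumbprint of a certificate in your store.
    const string ThumbprintPlaceholder = "REPLACE_WITH_CERT_THUMBPRINT";

    static void Main()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        X509Certificate2 cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, ThumbprintPlaceholder, validOnly: false)
            .Cast<X509Certificate2>()
            .FirstOrDefault()
            ?? throw new InvalidOperationException("certificate not found in CurrentUser\\My");

        // Point 1 of the question: HasPrivateKey is answered from the key provider
        // information attached to the certificate, not from any private key bytes.
        Console.WriteLine($"HasPrivateKey: {cert.HasPrivateKey}");

        // GetRSAPrivateKey returns an object bound to the provider that owns the key.
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("no RSA private key reference on this certificate");

        // Point 2 of the question: the provider and container names are what the
        // certificate store recorded, so every operation is routed to that provider.
        switch (rsa)
        {
            case RSACng cng:
                Console.WriteLine($"CNG provider:   {cng.Key.Provider.Provider}");
                Console.WriteLine($"Key container:  {cng.Key.KeyName}");
                Console.WriteLine($"Export policy:  {cng.Key.ExportPolicy}");
                break;
            case RSACryptoServiceProvider csp:
                Console.WriteLine($"Legacy CSP:     {csp.CspKeyContainerInfo.ProviderName}");
                Console.WriteLine($"Key container:  {csp.CspKeyContainerInfo.KeyContainerName}");
                Console.WriteLine($"Exportable:     {csp.CspKeyContainerInfo.Exportable}");
                break;
            default:
                Console.WriteLine($"Private key object type: {rsa.GetType().Name}");
                break;
        }

        // Signing is delegated to the provider; for an HSM-backed key the private key
        // never leaves the device. Sample message is constructed for this example.
        byte[] data = Encoding.UTF8.GetBytes("constructed sample message");
        byte[] signature = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine($"Signature length: {signature.Length} bytes");

        // Verification needs only the public key carried in the certificate itself.
        using RSA pub = cert.GetRSAPublicKey()
            ?? throw new InvalidOperationException("certificate carries no RSA public key");
        bool ok = pub.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine($"Signature verifies with the certificate's public key: {ok}");
    }
}
```

Run it with a certificate whose key lives on the HSM and the provider line will name the vendor's key storage provider rather than the Microsoft software provider, while the export policy shows the key cannot be pulled out of the device; the same code signs without modification whether the key is in software, on a smart card, or on the HSM, which is the point of writing against the .NET and CNG layers instead of PKCS#11 or the vendor API.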