Store personal certificates encrypted in Windows?

2

I recently got myself an email S/MIME signing/encrypting certificate. I installed this on my Windows machine, which, obviously, required me to enter the password I used to encrypt the certificate, and fired up Outlook to test it. Sure enough, I was able to send a signed email. What bothered me, however, was that I was never prompted to enter any password. I assume this means that, when I installed my certificate, Windows decrypted the certificate and the private key and stored them somewhere, either in clear text or encrypted using some other key, implicitly tied to my user account.

Personally, for security reasons I would like to have to enter a password each time I use my certificate. Is it possible to get this kind of behaviour in Windows, either out of the box or using some third-party add-on?

David Nordvall

Posted 2011-06-17T05:44:50.323

Reputation: 219

Answers

2

Your certificate was imported into the Windows Certificate Store, where it is kept encrypted with a key tied to your Windows account (which is in turn encrypted with your Windows login password).

You can use certmgr.msc to manage certificates (look under Personal).

Personal certificates can be protected in several ways. In XP, both options are only presented when importing from a PKCS#12 file. You will have to remove and re-import the certificate/key in order to change them.

Certificate Import Wizard

  • Non-exportable: When importing the certificate, disable "Mark this key as exportable". This way, programs can still use the certificate to sign and decrypt, but they cannot access the private key itself.

  • Strong protection: When importing the certificate, check "Enable strong private key protection". After completing the import, you will be asked to choose a CryptoAPI security level.

    Security level

    • Medium – Windows will ask for confirmation every time the key is used

    • High – you can enter a protection password, which Windows will ask for whenever the key is used.

    (At least in Windows XP, there is a slight bug: you must choose "High" in order to change the "description" field from the default "CryptoAPI Private Key". This has no effect on actual security, however.)

user1686

Posted 2011-06-17T05:44:50.323

Reputation: 283 655
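The same two protections the answer describes for the import wizard (non-exportable key, strong private key protection) can be applied when importing a PKCS#12 file from PowerShell, and the result can then be checked from the store. The script below is an added example, not code from the question, the answer, or Microsoft; the PFX path is a placeholder, and it assumes Windows PowerShell with the .NET `X509Certificate2` and `X509Store` classes. Leaving out `X509KeyStorageFlags.Exportable` corresponds to unchecking "Mark this key as exportable"; `X509KeyStorageFlags.UserProtected` corresponds to "Enable strong private key protection" and makes CryptoAPI show the security-level dialog during the import.

```powershell
# Added example (not from the original post): import a PKCS#12 file into the
# current user's Personal store with the two protections the answer describes.
#   - Exportable flag omitted -> private key is marked non-exportable
#   - UserProtected flag set  -> "strong private key protection": CryptoAPI asks
#                                for the security level (Medium/High) at import,
#                                then confirms or asks for the password on use
# Assumption: $pfxPath is a placeholder; replace it with your own PFX file.

$pfxPath     = 'C:\path\to\your-smime.pfx'                       # placeholder
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'   # never hard-code it

$flagsType = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $flagsType::UserKeySet -bor      # key lives in the current user's key store
         $flagsType::PersistKeySet -bor   # keep the key after the object is disposed
         $flagsType::UserProtected        # strong private key protection
# $flagsType::Exportable is deliberately NOT included, so the key cannot be
# re-exported to a new PFX later (programs can still sign/decrypt with it).

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfxPath, $pfxPassword, $flags)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)     # equivalent to the wizard placing it under "Personal"
$store.Close()

# Check what ended up in the Personal store: every certificate with a private
# key, and for CNG-backed RSA keys the export policy (AllowExport means the key
# can be pulled back out of the store; None means it cannot).
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
    $policy = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.ExportPolicy
    } else {
        'n/a (legacy CryptoAPI key)'
    }
    [pscustomobject]@{
        Subject      = $_.Subject
        Thumbprint   = $_.Thumbprint
        ExportPolicy = $policy
    }
}
```

Once the certificate is in the store this way, an application such as Outlook uses the key through CryptoAPI without ever seeing the key material; with the "High" security level chosen in the dialog, each signing or decryption operation prompts for the protection password, which is the behaviour the question asks for. Changing either protection afterwards still requires deleting the certificate and importing the PFX again, as the answer notes.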