Microsoft Cryptographic Store and Passwords

We've been experimenting with the use of user certificates for VPN access to the lab. Issuing and using them isn't the problem. The problem is that there's no way of enforcing a password on the use of the private key. You can enable private key protection on the certificate template, but that still doesn't enforce a password requirement: the user can still choose the notification (prompt-only) option instead of a password.

Certificate Template - Request Handling Options

There's an option to enforce a password, but that's system-wide for the Microsoft Cryptographic Service Provider, and we don't want to enforce passwords for ALL certificates. We just want to enforce passwords for this specific template.

Registry setting for private key password enforcement

Add the following DWORD value, ForceKeyProtection, under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography and set it to 2.
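The registry change above, as an added PowerShell example (not from the original post) that audits the current ForceKeyProtection value before enforcing it; it assumes an elevated session on the client machine, and the meaning of values 0 and 1 is taken from the matching Group Policy setting, not from the post.

```powershell
# Added example: audit and enforce the system-wide ForceKeyProtection policy.
# Note that this applies to every key in the Microsoft CSP, not to one template.
$Path = 'HKLM:\Software\Policies\Microsoft\Cryptography'
$Name = 'ForceKeyProtection'

# Values as exposed by the Group Policy setting "System cryptography: Force strong
# key protection for user keys stored on the computer".
$Meaning = @{
    0 = 'User input is not required when new keys are stored and used'
    1 = 'User is prompted when the key is first used'
    2 = 'User must enter a password each time they use a key'
}

function Get-KeyProtectionPolicy {
    # Returns the configured DWORD, or $null when the policy is not set at all
    # (in which case the user picks the protection level at enrolment time).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-KeyProtectionPolicy {
    # Creates the policy key if missing and writes the DWORD; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 2)][int]$Value = 2)

    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to $Value")) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

$current = Get-KeyProtectionPolicy
if ($null -eq $current) {
    Write-Output "$Name is not configured: protection level is chosen per key."
} else {
    Write-Output "$Name = $current ($($Meaning[$current]))"
}

# Require a password on every private-key use (value 2), then re-read to confirm.
Set-KeyProtectionPolicy -Value 2
$after = Get-KeyProtectionPolicy
Write-Output "Now: $Name = $after ($($Meaning[$after]))"
```

Run with `Set-KeyProtectionPolicy -Value 2 -WhatIf` first to see the change without applying it.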

Why is there a 'prompt only' security measure at all? There should be two choices in the template:

  • No Security - No questions asked; the system or user can access the private key without any user input.
  • Security - The user must provide a password for accessing the private key.

The Certificate Template Request Handling as I would like to see it.

Note that Firefox doesn't have the prompt option: it's password or no password, nothing more, nothing less. Unfortunately, the (SSL) VPN client uses the standard Microsoft CSP interface...

Posted on August 12, 2010 and filed under Annoying, Microsoft, Security.