When importing a device certificate/private key through CERTLM, the GUI seems to choose a deprecated Cryptography Service Provider (CSP) called "Microsoft Strong Cryptographic Provider"; I'm wondering if there is a way to change this to "Microsoft Software Key Storage Provider" through the wizard or group policy or (other means).
More details: A vendor asked me to import a PFX to a Windows 11 local machine certificate store through the following line command syntax:
certutil -csp "Microsoft Software Key Storage Provider" -importpfx MyPathToCertificate.pfx NoExport
This worked great with their software, however when I had previously tried to import the same PFX, I had used CERTLM (GUI) to import the certificate to same place (local machine / personal store). This seemed to work at the time (certificate appeared there) but caused decryption errors as indicated in the vendor's logs.
Here's how I had imported through the CERTLM:
- I launched Command Prompt via UAC / Choose Certificates (local machine)
- I imported the PFX using the default options to the Personal store
After running the following command:
Certutil -store My
I noticed the certificate had the following line:
Provider = Microsoft Strong Cryptographic Provider
whereas the certutil command explicitly chose "Microsoft Software Key Storage Provider"
According to https://www.pkisolutions.com/understanding-microsoft-crypto-providers/ "Microsoft Strong Cryptographic Provider" is a deprecated legacy provider whereas "Microsoft Software Key Storage Provider" is a modern, preferred choice for working with new keys.
The different CSP explains why the vendor's app was not working after the original import, and I understand why MS would choose an "old" provider as a default for backward compatibility, but I'm curious if there are ways to specify the CSP when performing the import through CERTLM going forward.
The short answer to your question: no, you cannot specify provider during import in MMC GUI, you have to use certutil.
Certificates MMC (
certmgr.mscandcertlm.msc) attempts to import keys into same provider as specified in PKCS#12 file as attribute (Windows machines set this attribute during certificate export to PFX and import logic respects this attribute). If provider not specified or not available, keys are imported into legacy CSP. The reason is that in 2023 there are many applications that do not support CNG providers and CERTLM uses the most compatible provider.If you want to use different provider, you have to use
certutil -importPFXwith-cspparameter.Crypt32 had the best short answer, but I will try to embellish with some additional gotchas:
Answer: You shouldn't need to choose
"Microsoft Software Key Storage Provider"if the original certificate was created with that same provider and exported through CERTLM as a pfx. And if you do need to specify your provider, you can override it (e.g. withcertutil -importPFXwith-cspparameter).More details: If you're just starting out like me, you may have read Microsoft's documentation here which provides a way to create self-signed certificates through PowerShell and the
New-SelfSignedCertificatecommand.Everything I read online suggested that the
New-SelfSignedCertificatecommand creates certificates with"Microsoft Software Key Storage Provider"as the provider by default. However, when you follow the steps in Microsoft's document, you end up withMicrosoft Strong Cryptographic Provideras your provider. Why?The issue is the following line:
KeySpec = 'Signature'According to Microsoft's documentation on the PS command itself, the KeySpec is essentially a legacy property:
By including a value for KeySpec, we end up creating a certificate that uses the default legacy provider (
Microsoft Strong Cryptographic Provider).How do we fix this? Just replace that property with the following two:
Final example looks something like this:
And if you run this command after that:
certutil -user -store MyYou should see a line that saysProvider = Microsoft Software Key Storage Providerafter that certificate.