A newer version of this documentation is available.

View Latest

CSP

CSP configuration example settings
[CSP]
AcceptBothKeySet=0
:AlgorithmInfo=RC2,off;RC4,off;DES,off;MD5,off;ECDH,off;ECDSA,off
AllowCertificate=
:AllowCustomProperty=0xFF
:AllowEmptyMemoryStore=1
AllowSoftAtNewKeySet=0
AllowToken=0xFF
BlockDuringManagement=1
:CheckUpdateCounter=0
:CheckWinStationContainer=lsass.exe
ComponentDisable=0
ComponentEnable=1
ContainerNameMode=0
:DefaultCertificate=
:DefaultPin=
DeleteAtNewKeySet=0
DisableInsert=0
DisableRandom=0
DisableSilent=0
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})
:KeepConnected=0
:LoadMyself=0
NoInternalContainerName=0
:OtherStoreList=TrustedPeople;addressbook
ProviderName={product-name} - CSP
:ProviderType=1
RegisterCardPrefix={product-name} -
:RememberFailedAttempt=1
:RemoteCheck=lsass.exe
RemoteRegister=1|{TS}||0|*
:RequireTokenPresentMode=wait 3000
SortCertificate=0
StoreContainerName=1
UniqueContainerName=0
:UseCritical=1
VerifySignature=0

AcceptBothKeySet

Our CSP translates all certificates to unique containers, where the key type will be set based on the certificate key usage. Some applications have a problem understanding the use of key types and require the use of a specific key type instead of checking the certificate. This parameter allows both key types to be used and will return the same key.

[CSP]
AcceptBothKeySet=0

Values

0

off

1

on

AlgorithmInfo

The CSP supports all algorithms available from the PKCS#11 by default, but you can limit this list.

[CSP]
AlgorithmInfo=RC2,off;RC4,off;DES,off;MD5,off;ECDH,off;ECDSA,off

Values

RC2

Rivest Cipher 2

RC4

Rivest Cipher 4

DES

Data Encryption Standard

MD5

The MD5 message-digest algorithm.

ECDH

Elliptic-curve Diffie–Hellman

ECDSA

Elliptic Curve Digital Signature Algorithm

AllowCertificate

The CSP allows all certificates by default, but there are scenarios when some certificates should be ignored. This parameter specifies the matching condition to be fulfilled to allow a certificate.

[CSP]
AllowCertificate={MatchCertificateCSP}

Values

No matching condition allows all certificates. See Match for more information.

AllowCustomProperty

The AllowCustomProperty is used to control custom properties for CSP certificate store.

  • define ALLOW_SLOT_ID_PROP_ID 0x0001

  • define ALLOW_SLOT_NAME_PROP_ID 0x0002

  • define ALLOW_TOKEN_NUMBER_PROP_ID 0x0004

  • define ALLOW_TOKEN_FLAGS_PROP_ID 0x0008

  • define ALLOW_PROTECTED_PIN_PROP_ID 0x0010

  • define ALLOW_INTERNAL_FLAGS_PROP_ID 0x0020

  • define ALLOW_ALL_CUSTOM_PROP_ID 0x00FF

[CSP]
AllowCustomProperty=0xFF

AllowEmptyMemoryStore

An application can ask the CSP for certificates using the memory store. The default behavior is to return success with an empty store, but it can also return an error when no certificates are found.

When calling CryptGetProvParam with the parameters PP_ROOT_CERTSTORE or PP_USER_CERTSTORE, this parameter controls the behavior when no certificates are available.

[CSP]
AllowEmptyMemoryStore=1

Values

0

CryptGetProvParam returns FALSE.

1

CryptGetProvParam returns TRUE, but the returned memory store is empty. 1 is the default value.

AllowSoftAtNewKeySet

Our CSP can create and generate new containers. This behavior is not well documented. Thus, management applications have based their implementation on a specific CSP and expect the same behavior from other CSPs. This parameter was added to avoid the creation of unwanted soft tokens. Usually, the management software is only for smart cards.

[CSP]
AllowSoftAtNewKeySet=0

Values

0

off

1

on

AllowToken

The CSP allows all tokens by default, but there are scenarios when some tokens should be ignored. The AllowToken parameter specifies the matching condition.

[CSP]
AllowToken=0xFF

Values

See Tokens for more information.

BlockDuringManagement

During token management, there can be an eternal loop because of the behavior of the underlying security system. This parameter is added to avoid this loop.

[CSP]
BlockDuringManagement=1

Values

0

off

1

on

CheckUpdateCounter

There is no update detection included in the CSP specifications. Thus, we added a parameter that at least will read the current update counter to detect failures during diagnostics.

[CSP]
CheckUpdateCounter=0

Values

0

off

1

on

CheckWinStationContainer

The remote/virtual CSP will need to detect which desktop session is using a specific certificate. This is done automatically for processes running within a desktop, but it is not possible for the processes running as services.

[CSP]
CheckWinStationContainer=lsass.exe

Values

The value is a list of applications separated with a semicolon.

ComponentDisable, ComponentEnable

The ComponentDisable and ComponentEnable parameters allow the use of conditions to blacklist and whitelist an applications' use of the CSP.

[CSP]
ComponentDisable=0
ComponentEnable=1

Values

0

off

1

on

ContainerNameMode

The container name is usually generated from the certificate. But there are applications that have specific requirements on the container name format, so some container name modes are added.

[CSP]
ContainerNameMode=0

Values

0

"<certificate thumbprint> (<slotid>)"

1

"\\.\<slot name>\<certificate thumbprint> (<slotid>)"

3

"\\.\<slot name>\<certificate thumbprint>"

DefaultCertificate

Some applications require a default certificate. Use a matching condition to control the selection.

[CSP]
DefaultCertificate={Match}

DefaultPin

For diagnostic purposes, you can specify a default PIN value. This value is used instead of opening a PIN dialog.

[CSP]
DefaultPin=123456

DeleteAtNewKeySet

Some token management applications forget that smart cards have a limited store of potential private keys. This parameter always deletes an existing key before trying to generate a new key.

[CSP]
DeleteAtNewKeySet=0

Values

0

off

1

on

DisableInsert

There are situations when a calling application expects to use a smart card in a smart card reader, but the smart card is not present. Our CSP can show an insert smart card dialog or fail immediately.

[CSP]
DisableInsert=0

Values

0

off

1

on

DisableRandom

Earlier versions of Windows were able to speed up the logging on operations if the CSP did not provide any random values. The CSP can still disable the random generation but fill no purpose.

[CSP]
DisableRandom=0

Values

0

off

1

on

DisableSilent

The CRYPT_SILENT flag tells the CSP not to open any dialogs. But sometimes, the calling application has forgotten that a PIN dialog is needed, so a parameter is added to ignore this flag.

[CSP]
DisableSilent=0

Values

0

off

1

on

FriendlyName

The friendly name is the description that sometimes is used to represent the certificate. This parameter is used to specify the format of this text.

[CSP]
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})

KeepConnected

Set KeepConnected to 1 to always keep the PKCS11 component loaded.

Values

0

off

1

on

LoadMyself

The LoadMyself flag is used to load our library one extra time to avoid unloading. This was once recommended by Microsoft for performance reasons but is no longer recommended.

[CSP]
LoadMyself=0

Values

0

off

1

on

NoInternalContainerName

This parameter ignores all internal container names and only uses the default container name. This was needed for some long-forgotten applications.

[CSP]
NoInternalContainerName=0

Values

0

off

1

on

OtherStoreList

This parameter identifies the stores to use to read certificates that are not connected with the current user. That is when encrypting to other people.

[CSP]
OtherStoreList=TrustedPeople;addressbook

ProviderName

The provider name parameter specifies the name of the CSP.

[CSP]
ProviderName={product-name} - CSP

ProviderType

This parameter tells the provider type. There are some supported values according to CryptoAPI. We have been using RSA_FULL since the beginning, but we could also use RSA_AES.

#define PROV_RSA_FULL 1
#define PROV_RSA_AES 24

[CSP]
ProviderType=1

RegisterCardPrefix

The register card prefix tells the prefix to use when registering the supported smart cards.

[CSP]
RegisterCardPrefix={product-name} -

RememberFailedAttempt

A calling application can send the PIN to the CSP by using CryptSetProvParam. Normally each attempt will result in a call to the smart card. This parameter can be used to avoid the locking of the PIN. The last failed attempt with a specific PIN value and container will be remembered, and the call will return failed without an attempt to the smart card.

[CSP]
RememberFailedAttempt=1

Values

0

off

1

on

RemoteCheck

The RemoteCheck is used to specify process to check for possible current desktop from registered certificate in SSO-cache.

[CSP]
RemoteCheck=lsass.exe

RemoteRegister

Remote register will register a certificate to be used during Windows logon for a specific Windows desktop. This will be used in Terminal Server enviroment for Windows logon application (lsass.exe) to find the remote client using virtual channel. The value is used by applications in the CSP > RemoteCheck list.

Values

0

Remote register is always inactive.

1

Remote register is active when CSP is using virtual channel.

2

Remote register is always active.

RequireTokenPresentMode

The RequireTokenPresentMode tells the behavior when card reader does not exist.

Values

none

off

wait 3000

Wait 3000 milliseconds for card reader to appear.

reload 3

Wati for 3 reloads for card reader to appear.

SortCertificate

The certificate can be sorted before it is returned to the calling application. This allows some kind of default certificate control but should probably not be used any longer since it only tells in what sequence the CSP will return certificates. The intended purpose is to control the sequence of certificates for a certificate selection dialog, but there are too many layers of interfaces to predict the outcome. For example, the order can be updated by CryptoAPI or the certificate selection dialog.

// 0x01 => Newest first
// 0x02 => Oldest first
// 0x04 => Invert

[CSP]
SortCertificate=0x00

StoreContainerName

The StoreContainerName parameter controls the token management application. The used container name can be stored and used later, or it can be ignored and only use the internal format.

[CSP]
StoreContainerName=1

Values

0

off

1

on

UniqueContainerName

A container name is used when opening a context towards the CSP (CryptAcquireContext). It is also possible to get the container name from the CSP (CryptGetProvParam) as either PP_CONTAINER or PP_UNIQUE_CONTAINER. This parameter allows for updating of the retrieved container name.

// 0x00 => Use container name specified at acquire context
// 0x1? => Both unique and non-unique name should be updated
// 0x?1 => Use "<unique container name>"
// 0x?2 => Use "\\.\<reader name>\<unique container name>"

[CSP]
UniqueContainerName=0

UseCritical

The UseCritical parameter adds a critical section for each CSP call. It blocks multi-threaded access and makes sure that each call is atomic.

[CSP]
UseCritical=1

Values

0

off

1

on

VerifySignature

The VerifySignature parameter verifies each created signature. It allows failed verifications but adds a warning message to the trace.

[CSP]
VerifySignature=0

Values

0

off

1

on