CSP
[CSP]
AcceptBothKeySet=0
:AlgorithmInfo=RC2,off;RC4,off;DES,off;MD5,off;ECDH,off;ECDSA,off
AllowCertificate=
:AllowCustomProperty=0xFF
:AllowEmptyMemoryStore=1
AllowSoftAtNewKeySet=0
AllowToken=0xFF
BlockDuringManagement=1
:CheckUpdateCounter=0
:CheckWinStationContainer=lsass.exe
ComponentDisable=0
ComponentEnable=1
ContainerNameMode=0
:DefaultCertificate=
:DefaultPin=
DeleteAtNewKeySet=0
DisableInsert=0
DisableRandom=0
DisableSilent=0
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})
:KeepConnected=0
:LoadMyself=0
NoInternalContainerName=0
:OtherStoreList=TrustedPeople;addressbook
ProviderName={product-name} - CSP
:ProviderType=1
RegisterCardPrefix={product-name} -
:RememberFailedAttempt=1
:RemoteCheck=lsass.exe
RemoteRegister=1|{TS}||0|*
:RequireTokenPresentMode=wait 3000
SortCertificate=0
StoreContainerName=1
UniqueContainerName=0
:UseCritical=1
VerifySignature=0
AcceptBothKeySet
Our CSP translates all certificates to unique containers, where the key type will be set based on the certificate key usage. Some applications have a problem understanding the use of key types and require the use of a specific key type instead of checking the certificate. This parameter allows both key types to be used and will return the same key.
[CSP]
AcceptBothKeySet=0
AlgorithmInfo
The CSP supports all algorithms available from the PKCS#11 by default, but you can limit this list.
[CSP]
AlgorithmInfo=RC2,off;RC4,off;DES,off;MD5,off;ECDH,off;ECDSA,off
AllowCertificate
The CSP allows all certificates by default, but there are scenarios when some certificates should be ignored. This parameter specifies the matching condition to be fulfilled to allow a certificate.
[CSP]
AllowCertificate={MatchCertificateCSP}
Values
No matching condition allows all certificates. See Match for more information.
AllowCustomProperty
The AllowCustomProperty is used to control custom properties for CSP certificate store.
-
define ALLOW_SLOT_ID_PROP_ID 0x0001
-
define ALLOW_SLOT_NAME_PROP_ID 0x0002
-
define ALLOW_TOKEN_NUMBER_PROP_ID 0x0004
-
define ALLOW_TOKEN_FLAGS_PROP_ID 0x0008
-
define ALLOW_PROTECTED_PIN_PROP_ID 0x0010
-
define ALLOW_INTERNAL_FLAGS_PROP_ID 0x0020
-
define ALLOW_ALL_CUSTOM_PROP_ID 0x00FF
[CSP]
AllowCustomProperty=0xFF
AllowEmptyMemoryStore
An application can ask the CSP for certificates using the memory store. The default behavior is to return success with an empty store, but it can also return an error when no certificates are found.
When calling CryptGetProvParam with the parameters PP_ROOT_CERTSTORE or PP_USER_CERTSTORE, this parameter controls the behavior when no certificates are available.
[CSP]
AllowEmptyMemoryStore=1
AllowSoftAtNewKeySet
Our CSP can create and generate new containers. This behavior is not well documented. Thus, management applications have based their implementation on a specific CSP and expect the same behavior from other CSPs. This parameter was added to avoid the creation of unwanted soft tokens. Usually, the management software is only for smart cards.
[CSP]
AllowSoftAtNewKeySet=0
AllowToken
The CSP allows all tokens by default, but there are scenarios when some tokens should be ignored. The AllowToken parameter specifies the matching condition.
[CSP]
AllowToken=0xFF
Values
See Tokens for more information.
CheckWinStationContainer
The remote/virtual CSP will need to detect which desktop session is using a specific certificate. This is done automatically for processes running within a desktop, but it is not possible for the processes running as services.
[CSP]
CheckWinStationContainer=lsass.exe
ContainerNameMode
The container name is usually generated from the certificate. But there are applications that have specific requirements on the container name format, so some container name modes are added.
[CSP]
ContainerNameMode=0
DefaultCertificate
Some applications require a default certificate. Use a matching condition to control the selection.
[CSP]
DefaultCertificate={Match}
DefaultPin
For diagnostic purposes, you can specify a default PIN value. This value is used instead of opening a PIN dialog.
[CSP]
DefaultPin=123456
FriendlyName
The friendly name is the description that sometimes is used to represent the certificate. This parameter is used to specify the format of this text.
[CSP]
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})
OtherStoreList
This parameter identifies the stores to use to read certificates that are not connected with the current user. That is when encrypting to other people.
[CSP]
OtherStoreList=TrustedPeople;addressbook
ProviderName
The provider name parameter specifies the name of the CSP.
[CSP]
ProviderName={product-name} - CSP
ProviderType
This parameter tells the provider type. There are some supported values according to CryptoAPI. We have been using RSA_FULL since the beginning, but we could also use RSA_AES.
#define PROV_RSA_FULL 1
#define PROV_RSA_AES 24
[CSP]
ProviderType=1
RegisterCardPrefix
The register card prefix tells the prefix to use when registering the supported smart cards.
[CSP]
RegisterCardPrefix={product-name} -
RememberFailedAttempt
A calling application can send the PIN to the CSP by using CryptSetProvParam
.
Normally each attempt will result in a call to the smart card.
This parameter can be used to avoid the locking of the PIN.
The last failed attempt with a specific PIN value and container will be remembered, and the call will return failed without an attempt to the smart card.
[CSP]
RememberFailedAttempt=1
RemoteCheck
The RemoteCheck is used to specify process to check for possible current desktop from registered certificate in SSO-cache.
[CSP]
RemoteCheck=lsass.exe
RemoteRegister
Remote register will register a certificate to be used during Windows logon for a specific Windows desktop. This will be used in Terminal Server enviroment for Windows logon application (lsass.exe) to find the remote client using virtual channel. The value is used by applications in the CSP > RemoteCheck list.
SortCertificate
The certificate can be sorted before it is returned to the calling application. This allows some kind of default certificate control but should probably not be used any longer since it only tells in what sequence the CSP will return certificates. The intended purpose is to control the sequence of certificates for a certificate selection dialog, but there are too many layers of interfaces to predict the outcome. For example, the order can be updated by CryptoAPI or the certificate selection dialog.
// 0x01 => Newest first
// 0x02 => Oldest first
// 0x04 => Invert
[CSP]
SortCertificate=0x00
UniqueContainerName
A container name is used when opening a context towards the CSP (CryptAcquireContext).
It is also possible to get the container name from the CSP (CryptGetProvParam) as either PP_CONTAINER
or PP_UNIQUE_CONTAINER
.
This parameter allows for updating of the retrieved container name.
// 0x00 => Use container name specified at acquire context
// 0x1? => Both unique and non-unique name should be updated
// 0x?1 => Use "<unique container name>"
// 0x?2 => Use "\\.\<reader name>\<unique container name>"
[CSP]
UniqueContainerName=0