KSP

[KSP]
AliasList=none
AllowCertificate=
AllowToken=0xFF
BlockDuringManagement=1
ComponentEnable=1
ComponentDisable=0
DisableSilent=0
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})
IgnoreLogout=0
ImplementationType=1
LoadMyself=0
MaxContext=0
NoCheckEvent=0
NoSlotIdInName=0
ProviderName={product-name} - KSP
RegisterCardCSP=0
SortCertificate=0
UseCritical=1
UseInternalPin=1
UseKeyIdAsName=0

AliasList

The AliasList parameter maps certificates from CSP to KSP.

[KSP]
AliasList=

Values

Example 1. Setting AliasList values.

AliasList with no value:
[KSP]
AliasList=
AliasList without a value is the same as the value none, and is the default. In that case the value is read from the setting CSP>ProviderName.

Using variables:
[KSP]
AliasList={product-name} - CSP
It is possible to use variables.

Using multiple values:
[KSP]
AliasList={product-name} - CSP;{product-name} CSP;
Use a semicolon to separate values.

AllowCertificate

The KSP allows all certificates by default, but there are scenarios when some certificates should be ignored. This parameter specifies the matching condition to be fulfilled to allow a certificate.

[KSP]
AllowCertificate={MatchCertificateKSP}

Values

No matching condition allows all certificates. See Match for more information.

AllowToken

The KSP allows all tokens by default, but there are scenarios when some tokens should be ignored. The AllowToken parameter specifies the matching condition. See Tokens for more information.

[KSP]
AllowToken=0xFF

Values

See Tokens for more information.

BlockDuringManagement

During token management there can be an endless loop, because of the behavior of the underlying security system. This parameter was added to avoid that loop.

[KSP]
BlockDuringManagement=1

Values

0: off
1: on

ComponentEnable, ComponentDisable

The ComponentEnable and ComponentDisable parameters allow the use of conditions to blacklist and/or whitelist an application's use of the KSP.

[KSP]
ComponentEnable=1
ComponentDisable=0

Values

0: off
1: on

DisableSilent

The CRYPT_SILENT flag can be specified by an application when communicating with the KSP. When this flag is specified, it indicates that the KSP is not allowed to open any dialogs. But sometimes the calling application has forgotten that a PIN dialog is needed, so a parameter was added to ignore this flag.

[KSP]
DisableSilent=0

Values

0: off
1: on

FriendlyName

FriendlyName is the description that is sometimes used to represent the certificate. This parameter specifies the format of that text; {subject:OID} and {issuer:OID} placeholders are replaced by the named attribute of the certificate subject or issuer.

[KSP]
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})
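The following is an added example (not Net iD code) that applies the AliasList rules from Example 1 (empty equals none and falls back to CSP>ProviderName, {product-name} variable expansion, semicolon-separated values) and expands a FriendlyName template of the form shown above. The INI text, the "ExampleID" product name and the OID-keyed subject/issuer attribute dictionaries are constructed for the example; 2.5.4.3 is the CN attribute.

```python
"""Added example, not Net iD code: apply the AliasList rules and the
FriendlyName placeholder format described in this reference."""
import configparser
import re

# Constructed INI text; "ExampleID" stands in for the real {product-name}.
SAMPLE_INI = """
[CSP]
ProviderName={product-name} - CSP

[KSP]
AliasList=
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})
"""

_VARIABLE = re.compile(r"\{([\w-]+)\}")                         # {product-name}
_PLACEHOLDER = re.compile(r"\{(subject|issuer):([0-9.]+)\}")   # {subject:OID}


def expand_vars(value: str, variables: dict) -> str:
    """Replace {name} variables; unknown names are left untouched."""
    return _VARIABLE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def resolve_alias_list(alias_value: str, csp_provider_name: str, variables: dict) -> list:
    """Empty or 'none' means: use CSP>ProviderName. Values are ';'-separated."""
    raw = alias_value.strip()
    if raw == "" or raw.lower() == "none":
        raw = csp_provider_name
    raw = expand_vars(raw, variables)
    return [v.strip() for v in raw.split(";") if v.strip()]


def friendly_name(template: str, subject: dict, issuer: dict) -> str:
    """subject/issuer map dotted OIDs (2.5.4.3 = CN) to attribute values;
    a placeholder whose attribute is absent expands to an empty string."""
    names = {"subject": subject, "issuer": issuer}
    return _PLACEHOLDER.sub(lambda m: names[m.group(1)].get(m.group(2), ""), template)


def resolve_from_ini(ini_text: str, variables: dict, subject: dict, issuer: dict) -> tuple:
    """Read both settings from INI text and apply the rules above."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case as written (AliasList, not aliaslist)
    cfg.read_string(ini_text)
    aliases = resolve_alias_list(cfg.get("KSP", "AliasList", fallback=""),
                                 cfg.get("CSP", "ProviderName", fallback=""), variables)
    name = friendly_name(cfg.get("KSP", "FriendlyName", fallback=""), subject, issuer)
    return aliases, name
```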

IgnoreLogout

The IgnoreLogout parameter disables all attempts by the caller to log out a smart card, to avoid interference with single sign-on.

[KSP]
IgnoreLogout=0

Values

0: off
1: on

ImplementationType

ImplementationType sets the value the KSP uses during its registration. The following values are defined:

#define CRYPT_IMPL_HARDWARE 1
#define CRYPT_IMPL_SOFTWARE 2
#define CRYPT_IMPL_MIXED 3
#define CRYPT_IMPL_UNKNOWN 4
#define CRYPT_IMPL_REMOVABLE 8

[KSP]
ImplementationType=1

KeepConnected

Set KeepConnected to 1 to always keep the PKCS#11 component loaded.

Values

0: off
1: on

LoadMyself

The LoadMyself flag loads the library one extra time to prevent it from being unloaded. This behavior is not recommended, but is available to allow the same behavior as the CSP.

[KSP]
LoadMyself=0

Values

0: off
1: on

MaxContext

The MaxContext parameter sets the maximum number of simultaneous KSP contexts. The minimum value is 10.

[KSP]
MaxContext=10

NoCheckEvent

Usually the KSP checks for token events, for example when smart cards are removed or inserted, and acts on them. In some scenarios you may want to turn off this event checking.

[KSP]
NoCheckEvent=0

Values

0: off
1: on

NoSlotIdInName

The default container name is generated from the certificate thumbprint and ends with the slot ID. The slot ID is usually not required and can be omitted.

[KSP]
NoSlotIdInName=0

Values

0: off
1: on

ProviderName

The ProviderName parameter specifies the name of the KSP.

[KSP]
ProviderName={product-name} - KSP

RegisterCardCSP

There is no separate registration of smart cards for the KSP. Instead it is an option when registering the CSP.

Example 2. Standard registration

[KSP]
RegisterCardCSP=0

[HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Net iD - SetCosXpresso 0]
"Crypto Provider"="Net iD CSP"
"ATR"=hex:3b,7d,00,00,00,80,31,80,65,b0,03,00,00,00,83,00,00,00
"ATRMask"=hex:ff,ff,00,ff,ff,ff,ff,ff,ff,ff,0f,00,00,00,ff,ff,00,00

Example 3. KSP registration

[KSP]
RegisterCardCSP=1

KSP registration includes "Smart Card Key Storage Provider":

[HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Net iD - SetCosXpresso 0]
"Crypto Provider"="Net iD CSP"
"ATR"=hex:3b,7d,00,00,00,80,31,80,65,b0,03,00,00,00,83,00,00,00
"ATRMask"=hex:ff,ff,00,ff,ff,ff,ff,ff,ff,ff,0f,00,00,00,ff,ff,00,00
"Smart Card Key Storage Provider"="Net iD KSP"

For more information about registration, consult docs.microsoft.com.

SortCertificate

Certificates can be sorted before being returned to the calling application. This allows some kind of default certificate control, but should probably not be used any longer, since it only determines the sequence in which the KSP returns certificates. The intended function is to control the order of certificates in a certificate selection dialog, but there are too many layers of interfaces to predict the outcome: the order can be changed by CryptoAPI or by the certificate selection dialog itself.

// 0x01 => Newest first
// 0x02 => Oldest first
// 0x04 => Invert

[KSP]
SortCertificate=0x00

UseCritical

The UseCritical parameter adds a critical section around each KSP call. It serializes multi-threaded access and makes sure that each call is atomic.

[KSP]
UseCritical=1

Values

0: off
1: on

UseInternalPin

The KSP can show a PIN dialog, but can also run in silent mode.

[KSP]
UseInternalPin=1

Values

0: off, register the PIN as AlphaNumericPin and expect the caller to show the PIN dialog.
1: on, register the PIN as Empty and expect the caller to call us without showing a PIN dialog.

UseKeyIdAsName

The KSP can use the key ID as the container name; by default the container name is generated from the certificate thumbprint.

[KSP]
UseKeyIdAsName=0

Values

0: off
1: on