CSP
This section specifies the behavior for the Microsoft CryptoAPI CSP.
AcceptBothKeySet
This entry enables/disables usage of both key set types for the internal key container format. Some CryptoAPI applications do not check for the correct values in the certificate store but instead assume the key type.
- 0: Only the correct key set may be retrieved
- 1: Both key sets may be retrieved
Default value is 0; only the correct key set may be retrieved.
AcceptIssuers
This entry specifies a list of issuers which will be registered in the user store for CryptoAPI; use ';' to separate different issuers. Default none; all certificates are registered.
May use [CSP]>DenyIssuers to specify a list that will be denied.
AllowedDuplicateUsage
This entry can be used to limit the extended key usage of duplicate certificates. Specify the object identifiers of the extended key usages that should be allowed, separated with ';'. Use the text string <none> to allow nothing. Default empty; no special handling of duplicate certificates.
A typical use for this entry is to continue to allow a certificate to be used for decryption even after the certificate has been replaced with a new one.
CacheCard
This entry can be used to enable/disable writing of certificate/container information to a cache file. The cache is used by the Credential Provider when it is used in pass-through mode. Microsoft has some limitations regarding multiple access, so the cache is used to avoid extra access from the Credential Provider towards the CSP when used with the Microsoft provider.
- 0: Certificate information is not written
- 1: Certificate information is written
Default value is 1; certificate information is written.
DO NOT EDIT, the default value should be used.
CertificateStoreMode
This entry is used to sort certificates for the CSP via PP_USERCERT_STORE.
- 0x01: Newest certificate first
- 0x02: Oldest certificate first
- 0x04: Invert list
CertificateStoreMode=app.exe,0x01;app2.exe,0x04
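As an added illustration (not code from the Net iD product), the per-application value above parsed and applied to a constructed certificate list; how 0x04 combines with 0x01/0x02, and case-insensitive matching of process names, are assumptions since the page does not define them:

```python
from datetime import date

# Flag values as documented for CertificateStoreMode.
NEWEST_FIRST = 0x01
OLDEST_FIRST = 0x02
INVERT_LIST = 0x04


def parse_app_modes(value):
    """Parse 'app.exe,0x01;app2.exe,0x04' into {'app.exe': 1, 'app2.exe': 4}.

    Application names are lower-cased (assumption: process names on Windows
    are not case-sensitive). Empty items from a trailing ';' are ignored.
    """
    modes = {}
    for item in filter(None, (part.strip() for part in value.split(";"))):
        app, _, flags = item.partition(",")
        if not flags:
            raise ValueError(f"missing mode for application {app!r}")
        modes[app.strip().lower()] = int(flags, 0)  # base 0 accepts 0x.. and decimal
    return modes


def sort_certificates(certs, mode):
    """Order (thumbprint, not_before) pairs according to the mode flags.

    Assumed semantics: 0x01/0x02 choose the sort direction by notBefore date,
    0x04 then reverses the resulting order (or the input order if no sort flag
    is set). 0x01 together with 0x02 is rejected as contradictory.
    """
    if mode & NEWEST_FIRST and mode & OLDEST_FIRST:
        raise ValueError("0x01 and 0x02 are mutually exclusive")
    ordered = list(certs)
    if mode & NEWEST_FIRST:
        ordered.sort(key=lambda c: c[1], reverse=True)
    elif mode & OLDEST_FIRST:
        ordered.sort(key=lambda c: c[1])
    if mode & INVERT_LIST:
        ordered.reverse()
    return [thumb for thumb, _ in ordered]


def certificates_for_app(setting, app, certs):
    """Apply the per-application mode; applications not listed keep the input order."""
    mode = parse_app_modes(setting).get(app.lower(), 0)
    return sort_certificates(certs, mode)


# Constructed sample certificates: (thumbprint placeholder, notBefore date).
SAMPLE_CERTS = [("AAAA", date(2021, 1, 1)), ("BBBB", date(2023, 6, 1)), ("CCCC", date(2022, 3, 1))]
```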
ClearUserPinCache
This entry enables or disables clearing of the user PIN cache by the internal certificate propagation service.
- 0: Will not clear user PIN cache
- 1: Will clear user PIN cache for the logged on user
- 2: Will clear all user PIN cache for all smart cards
- 4: Will clear all user PIN cache for all tokens in the same session
Default value is 2; will clear user PIN cache for all users.
In terminal server sessions the value 2 should never be used, since it clears the PIN cache for other users. In terminal server the default value 5 (4+1) is used.
ConnectPCSC
This entry specifies a list of applications, separated by ';', that will have their own PCSC connection from the CSP.
ConnectPCSC=lsass.exe;iexplore.exe
Default none; no applications will be handled.
ContainerNameMode
This entry specifies the name format of the container representing a certificate and its corresponding private key.
- 0: 'thumbprint (slotid)'
- 1: '\\.\cardreader\thumbprint (slotid)'
- 2: 'thumbprint'
- 3: '\\.\cardreader\thumbprint'
Default value is 0; 'thumbprint (slotid)'.
DeleteAtNewKeySet
This entry enables/disables deletion of the old key set when generating a new key.
- 0: Will not delete old key set
- 1: Will delete old key set
Default value is 0; will not delete key set.
Typically used with certificate enrollment for CAs without support for deleting the key set. Normal behavior is that a delete operation is called before generating a new key set.
DenyIssuers
This entry specifies a list of issuers which will not be registered in the user store for CryptoAPI; use ';' to separate different issuers. Default none; all certificates are registered.
May use [CSP]>AcceptIssuers to specify a list that will be accepted.
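The combined effect of AcceptIssuers and DenyIssuers on registration, written here as an added example rather than Net iD code; the page does not say how issuers are matched or which list wins on a conflict, so exact case-insensitive name matching and deny-over-accept are assumptions:

```python
def parse_list(value):
    """Split a ';'-separated [CSP] list value; an empty value means 'no list given'."""
    return [item.strip() for item in (value or "").split(";") if item.strip()]


def issuer_is_registered(issuer, accept_issuers="", deny_issuers=""):
    """Decide whether a certificate from `issuer` is registered in the user store.

    - AcceptIssuers empty (the default) and DenyIssuers empty: everything is registered.
    - AcceptIssuers set: only the listed issuers are registered.
    - DenyIssuers set: the listed issuers are never registered.
    Assumption: when an issuer is on both lists, DenyIssuers wins.
    """
    accepted = {name.lower() for name in parse_list(accept_issuers)}
    denied = {name.lower() for name in parse_list(deny_issuers)}
    name = issuer.strip().lower()
    if name in denied:
        return False
    if accepted and name not in accepted:
        return False
    return True


def filter_registrable(certs, accept_issuers="", deny_issuers=""):
    """Return the thumbprints of (thumbprint, issuer) pairs that would be registered."""
    return [thumb for thumb, issuer in certs
            if issuer_is_registered(issuer, accept_issuers, deny_issuers)]


# Constructed sample: (thumbprint placeholder, issuer common name).
SAMPLE_CERTS = [("AAAA", "Corp Issuing CA"), ("BBBB", "Test CA"), ("CCCC", "Partner CA")]
```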
DisableInsert
This entry enables/disables showing the insert card dialog when the requested smart card is not present.
- 0: Will show possible insert card dialog
- 1: Will not show possible insert card dialog; the operation will fail
Default value is 0; will show insert card dialog when needed.
DisableNonRep
This entry will try to enable/disable use of non-repudiation certificates for Microsoft CryptoAPI.
- 0: Will not disable certificates
- 1: Will disable certificates
Default value is 1; will try to disable use of non-repudiation certificates.
Will set extended key usage to document signing only for certificates with key usage non-repudiation, if extended key usage is not available.
Will disable usage for all applications using CryptoAPI to get the extended key usage property, but not for applications retrieving this information from the certificate value.
DisableRandom
This entry enables/disables use of the Net iD CSP for generating random values.
- 0: Will allow generating random values
- 1: Will not allow generating random values
Default value is 1; will allow generating of random values.
Microsoft will generate two signatures during Windows smart card logon when the CSP is used to generate random values, but only one signature when random is disabled. This will increase performance for smart cards with slow RSA operations.
DisableSilent
This entry enables/disables the check of the CRYPT_SILENT flag when creating new CryptoAPI contexts with CryptAcquireContext. Setting the CRYPT_SILENT flag when creating a new CryptoAPI context means that the calling application will not allow the CSP to show any dialogs.
- 0: Will check silent flag
- 1: Will ignore silent flag
Default value is 0; will check silent flag.
Some CryptoAPI applications require silent operation, but forget to transmit the PIN when accessing the private key. This allows the CSP to show a dialog even when silent operation is specified.
Enable
This entry is used to enable/disable storage of certificates in the CryptoAPI user store.
- 0: Certificate not registered
- 1: Certificate registered
Default value is 1; will register certificate in CryptoAPI user store.
FriendlyName
This entry is used to register a friendly name for the certificate in the CryptoAPI user certificate store. The following wild cards may be used:
- %label%
- %issuer.<object identifier>%
- %subject.<object identifier>%
Label is the certificate label stored with the certificate object; issuer and subject are any of the object identifiers available in the subject or issuer field of the certificate. Any combination of static text and the wild cards above may be used.
Default value is "%subject.2.5.4.3% (%issuer.2.5.4.3%)".
For unknown reasons some CryptoAPI applications require the friendly name to be static for a certificate. This may cause problems when both the Net iD Enterprise certificate service and Microsoft are registering the certificate in the CryptoAPI user certificate store, since Microsoft will not specify any friendly name.
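An added example (not Net iD's implementation) of expanding the FriendlyName wild cards against a constructed certificate; the `missing` substitution for an OID the certificate lacks is an assumption, since the page does not state what the CSP does then:

```python
import re

# Constructed sample certificate attributes, keyed by dotted OID as the
# %issuer.<oid>% / %subject.<oid>% wild cards expect. 2.5.4.3 is commonName,
# 2.5.4.10 is organizationName.
SAMPLE_CERT = {
    "label": "Alice Smartcard",
    "subject": {"2.5.4.3": "Alice Example", "2.5.4.10": "Example Org"},
    "issuer": {"2.5.4.3": "Example Issuing CA"},
}

DEFAULT_TEMPLATE = "%subject.2.5.4.3% (%issuer.2.5.4.3%)"

# Matches %label%, %issuer.<oid>% or %subject.<oid>%; any other text between
# percent signs is left untouched so static text survives unchanged.
_WILDCARD = re.compile(r"%(label|(issuer|subject)\.([0-9]+(?:\.[0-9]+)*))%")


def expand_friendly_name(template, cert, missing=""):
    """Expand the FriendlyName template against a certificate's fields.

    `cert` has keys 'label', 'subject' and 'issuer'; the latter two map dotted
    OID strings to attribute values. `missing` (assumption) replaces a wild card
    whose OID is not present in the named field.
    """
    def replace(match):
        if match.group(1) == "label":
            return cert["label"]
        field, oid = match.group(2), match.group(3)
        return cert[field].get(oid, missing)

    return _WILDCARD.sub(replace, template)


if __name__ == "__main__":
    print(expand_friendly_name(DEFAULT_TEMPLATE, SAMPLE_CERT))
```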
InitChangePin
This entry is used to initiate a change PIN dialog when the PIN is about to expire.
- 0: Will not initiate a change PIN
- 1: Will initiate a change PIN
Default value is 0; no change PIN dialog.
InstallCaCert
This entry can be used to control installation of CA certificates to the CryptoAPI store.
- 0: Will not install
- 1: Will install
Default value is 1; will install CA certificates.
LoadExternal
This entry can be used to enable/disable loading of the Net iD Enterprise main library directly when the CSP is loaded. This may increase performance, but may cause unloading to be slightly slower.
- 0: Will not load external
- 1: Will load external
Default value is 0; will not load external.
Do not use in terminal server sessions, since this may cause the library to never be unloaded. If not unloaded this will cause memory leaks.
LoadMyself
This entry is used to control loading and unloading of the CSP; when enabled the CSP library will not be unloaded. This was recommended by Microsoft for enhanced performance, but is no longer recommended by Microsoft.
- 0: Will not load myself
- 1: Will load myself
Default value is 1; will load myself.
NEVER use in terminal server sessions, since it will cause memory leaks.
Recommended in normal client packages when not using a single-sign-on component. This loading will start automatic caching of PIN status to avoid multiple PIN dialogs for CryptoAPI applications.
KeepCertificates
This entry is used to control the behavior of certificate storage when a smart card is removed. Normally certificates will be removed from the CryptoAPI user certificate store when smart cards are removed.
- 0: Will not keep certificates
- 1: Will keep certificates
Default value is 0; will not keep any certificates.
A certificate kept in the CryptoAPI store will cause a smart card insert dialog if any application tries to use the certificate while the smart card is removed.
Do not keep certificates on a computer which is used by several different users, since all users' certificates will be available for selection.
KeepSessionAlive
This entry is used to control the behavior of CryptoAPI contexts. Normally the PKCS#11 sessions will be closed as soon as the context is released; using this parameter will keep the session alive waiting for a new identical session. This behavior may increase performance.
- 0: Will not keep session alive
- 1: Will keep session alive
It is also possible to specify a list of application names instead of 1; the specified applications will have value 1 (all others 0).
Default value is 0; will not keep session alive.
KeepSessionAlive=1
KeepSessionAlive=iexplore.exe;lsass.exe
NamePrefix
This entry is used as prefix for names when registered for smart card logon during installation.
Default value is empty; none.
OverwriteCertificate
This entry is used to control the behavior of registering certificates in CryptoAPI stores. Normally Net iD Enterprise will always try to register the certificates to the Net iD CSP, even if another CSP already has registered the certificate.
- 0: Will not overwrite certificate
- 1: Will overwrite certificate
Default value is 1; will overwrite certificate.
PublishMachineStore
This entry is used to control the behavior of registering certificates in CryptoAPI stores. Normally Net iD Enterprise will always try to register the certificate both for the user and for the machine. This allows applications running in the system environment to use the certificate.
- 0: Will not publish in machine store
- 1: Will publish in machine store
Default value is 1; will try to publish in machine store.
ReplaceCertificate
This entry is used to control the behavior when writing certificates with the CSP. Normally we only write the certificate, but this parameter may be used to initiate a search for identical certificates and remove those if found. Identical means the same issuer/subject/key.
- 0: Will not replace certificate
- 1: Will replace certificate
Default value is 0; will not replace certificate.
Replace certificate is useful for auto-enrollment, to delete the old certificate when the new certificate is written.
StoreContainerName
This entry is used when the container name has a special meaning for the calling application and needs to be used for future calls, for example Entrust. This limits the use of secondary certificates and should be avoided.
- 0: Container name is automatically generated
- 1: Container name is stored and will be remembered
Default value is 0; container name is automatically generated.
UseCritical
This entry is used to add a critical section for all CryptoAPI contexts. This should normally not be needed, since the same context should not be used by multiple threads simultaneously. It is also possible to add a global critical section, which allows only one single thread at a time to access the CSP.
- 0: Critical section not present
- 1: Critical section present
- 2: Global critical section present
Default value is 1; will add a critical section.
VerifyCertificate
This entry enables/disables validation of certificates before registration in the CryptoAPI store. The validation is only made on the certificate value and, if the CA certificate is available, on the signature; no check is made regarding certificate revocation.
- 0: Will not verify certificate
- 1: Will verify certificate
Default value is 0; will not verify certificate.