On Fri, Dec 7, 2012 at 5:05 AM, LN <lnicu...@yahoo.com> wrote:
>
> ...
>
>> MS CAPI has an option to mark a private key as "exportable" when you
>> create or install it, which means that the private key can then be read
>> anyway, but I don't know if that feature is used by the OpenSSL "CAPI
>> Engine". It is almost always a good idea NOT to mark private keys as
>> exportable. Note that whatever is decided when the private key is first
>> stored by CAPI will be permanent (there is a 3-step workaround for making an
>> exportable key non-exportable, but any ability to go the
>> other way would compromise security just by being possible).
>
> Indeed, private keys are not exportable as long as they are not marked as
> such when the certificate is imported into the Windows store. Unfortunately, I
> am forced to use boost::asio::ssl, which (AFAIK) does not integrate with the CAPI
> engine, so I cannot ask it to sign or decrypt communication.
> Anyway, it seems more secure, then, to have the private key in a file encrypted
> with a password than to keep it in the Windows store, if I want to pass it
> to OpenSSL (through boost::asio::ssl) :)

Keys should be stored in DPAPI. See Howard and LeBlanc's "Writing Secure Code," Chapter 9 (http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228).
I'm afraid to ask where Boost is storing them. But I do have a morbid curiosity: would you happen to know?

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
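As an added illustration of the two points raised in the thread (checking whether a CAPI key was imported as exportable, and keeping a PEM key under DPAPI instead of a password-encrypted file), here is example code that is not from the thread or from OpenSSL/Boost. It assumes Windows PowerShell 5.1 with the .NET ProtectedData API and the Cert: drive; the file names and thumbprint are placeholders.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

# Report the "exportable" flag of a CAPI (CSP) private key in the user's store.
# Placeholder thumbprint supplied by the caller; CNG keys expose ExportPolicy instead.
function Test-KeyExportable {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    $key = $cert.PrivateKey          # RSACryptoServiceProvider for CSP keys
    if ($null -eq $key) { throw 'No CAPI private key (missing, or a CNG key)' }
    return $key.CspKeyContainerInfo.Exportable
}

# Wrap a plaintext PEM key with DPAPI so the blob at rest is bound to the
# Windows user (or machine) account instead of a password held by the app.
function Protect-PemKey {
    param(
        [Parameter(Mandatory)][string]$PemPath,   # plaintext PEM key (input)
        [Parameter(Mandatory)][string]$OutPath,   # DPAPI-wrapped blob (output)
        [byte[]]$Entropy = $null,                 # optional secondary secret
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $plain = [System.IO.File]::ReadAllBytes($PemPath)
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $Scope)
        [System.IO.File]::WriteAllBytes($OutPath, $blob)
    } finally {
        # Do not keep the plaintext key in memory longer than needed.
        [Array]::Clear($plain, 0, $plain.Length)
    }
}

# Unwrap at service start; the caller hands the PEM bytes to the TLS library
# as an in-memory buffer rather than writing a plaintext file back to disk.
function Unprotect-PemKey {
    param(
        [Parameter(Mandatory)][string]$BlobPath,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $blob = [System.IO.File]::ReadAllBytes($BlobPath)
    return [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
}

# Usage (placeholder paths): wrap once at install time, unwrap at start-up.
# Protect-PemKey -PemPath .\server-key.pem -OutPath .\server-key.dpapi
# Remove-Item .\server-key.pem          # plaintext copy no longer needed
# $pem = Unprotect-PemKey -BlobPath .\server-key.dpapi
```

Note that the DPAPI blob is only as strong as the account it is bound to: anyone who can run code as that user (or on that machine, for LocalMachine scope) can call Unprotect, so the exportable flag on a CAPI key and the DPAPI scope both come down to limiting who can act as that principal.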