Containers
This screen allows you to manage MS CAPI containers.
The container, within the concept defined by Microsoft for the MS CAPI (Microsoft Cryptography API) standard, is the place (physical or virtual) where the private keys are found. Each container can hold one or two specialized RSA private keys; when there are two, one is for signing and the other is for secrecy (usually used to protect symmetric keys).
Listed in the table are the containers recognized by HSM's MSCAPI Provider.
Containers
The interface allows you to create, edit and remove containers. To add or remove containers, use the Add and Delete buttons. The name of the RSA key in each container must be selected from the list opened by clicking on the Signature Key and Encryption Key fields on the line corresponding to the container name.
To create a new container, choose the name and then choose the signature and encryption keys that will be part of the container. Clicking on the key column displays a list of the RSA keys available to the user. The connection to the HSM must be up to use these options.
Containers can be created without keys, with one key or with two keys.
To edit an existing container, simply click on it and edit mode is activated. Pressing F2 starts editing the name of the selected container. Finish with Enter (saves the changes) or Esc (discards the changes).
Physically, a CSP container of the Dinamo MS CAPI Provider is an entry in the Containers section of the CSP configuration file. Each container is identified on one line with two key name entries, separated by ; (the first for the signature key, the second for the encryption key). Each key reference has the format <user id>/<key id> or just <key id>. Note that the string <user id>/<key id> must have a maximum length of 32 characters.
Certificate Association
To use a certificate in Windows, you need to associate a container with the certificate; this container is created automatically when you enter the certificate in the certificate table. It is no longer necessary for the user to manually create and associate containers. This relationship between the certificate and the key in the HSM is maintained in the operating system's own certificate store, which allows Windows APIs to use the private key related to the certificate without needing to know details of the key or of the cryptographic provider (CSP) that holds the private key corresponding to that certificate.
Manually created containers can have the two RSA private key identification slots filled in as:
- Different signing and confidentiality keys
- Equal signing and confidentiality keys
- Signature key only (secrecy slot empty)
- Secrecy key only (signature slot empty)
- No key (both slots empty)
In the process of associating a private key with a certificate, Windows sets a property (flag) describing the use of the key, which can be either secrecy or signature.
During the association with a container created manually by the user, the console sets the signature or secrecy property according to the slots of the chosen container:
- If the same key is in both slots, set to secret
- If the corresponding key is only in one of the slots, set accordingly (secret or signature).
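The following Python parser is an added example, not code from the Dinamo console or CSP: it reads container entries in the format described above, enforces the 32-character limit on key references, classifies each container into the five slot layouts listed, and derives the usage property the console would set for a given certificate key. The exact line layout (<name>=<signature key>;<encryption key>) and the permitted characters in a key reference are assumptions, since the page does not show a literal entry.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Page states the limit; the line layout and character set below are assumed.
MAX_KEY_REF_LEN = 32
KEY_REF_RE = re.compile(r"^(?:[^/;=\s]+/)?[^/;=\s]+$")  # "<user>/<key>" or "<key>"


@dataclass
class Container:
    name: str
    signature_key: Optional[str]   # first slot, None when empty
    encryption_key: Optional[str]  # second slot, None when empty

    def layout(self) -> str:
        """Classify the container into the five cases the page lists."""
        s, e = self.signature_key, self.encryption_key
        if s and e:
            return "same-key" if s == e else "different-keys"
        if s:
            return "signature-only"
        if e:
            return "secrecy-only"
        return "empty"

    def usage_for_key(self, cert_key: str) -> Optional[str]:
        """Property set when a certificate backed by cert_key is associated:
        'secrecy' if that key fills both slots, otherwise the usage of the one
        slot holding it; None if the key is not in this container."""
        if self.signature_key == cert_key and self.encryption_key == cert_key:
            return "secrecy"
        if self.signature_key == cert_key:
            return "signature"
        if self.encryption_key == cert_key:
            return "secrecy"
        return None


def _check_ref(ref: str, slot: str) -> Optional[str]:
    ref = ref.strip()
    if not ref:
        return None  # empty slot is allowed
    if len(ref) > MAX_KEY_REF_LEN:
        raise ValueError(f"{slot} key reference longer than {MAX_KEY_REF_LEN}: {ref!r}")
    if not KEY_REF_RE.match(ref):
        raise ValueError(f"{slot} key reference is malformed: {ref!r}")
    return ref


def parse_container_line(line: str) -> Container:
    """Parse one assumed-format entry: <name>=<signature key>;<encryption key>."""
    name, sep, keys = line.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"expected '<name>=<sig>;<enc>': {line!r}")
    parts = keys.split(";")
    if len(parts) != 2:
        raise ValueError(f"expected exactly two ';'-separated slots: {line!r}")
    return Container(name.strip(), _check_ref(parts[0], "signature"),
                     _check_ref(parts[1], "encryption"))
```

Constructed sample entries such as "dual=ops/sig;ops/enc" or "ca=ops/rsa-sig;" can be fed to parse_container_line to see the layout and the usage property a given certificate key would receive.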
To perform the association manually, you need to use the Crypto API; to create the containers and associate them automatically, simply use the Certificates table under the Certificates option of the HSM on the home screen.