I have a Windows service that usually starts using a local system account (although in some installations it can be used as a specific user account).
The service uses WCF, with communication security using X509 certificates.
My question is: where is the best place to store the certificate (and private key)?
If using a certificate store is the best approach, which one should be used to provide access to the private key only for administrators and the service?
As an alternative, a simple option would be to simply save the PFX file to disk and use access control lists to provide access only to administrators and the service. What are the pros and cons of this approach compared with the use of a certificate store?
EDIT
To clarify, I am using C# with the .NET Framework 3.5.