t-probst - 2023-08-22

Hello,

We are trying to implement an automated method of adding a certificate and private key to the Windows certificate store for encrypting CODESYS projects. We want to do this so that users do not have to deal with details of certificates at all and to prevent user error. We are keen on enforcing strong private key protection since it ensures that a password is required for the certificate to be used to decrypt a CODESYS project.

When we add a certificate to the certificate store and enable strong key protection using the Microsoft Management Console Certificates snap-in, it works as expected. However, through this method the user may mistakenly not enable strong private key protection.

For the certificates we create programmatically (using Microsoft’s Cryptography Next Generation API in .Net 7) bag attributes are added to the certificate and key by the API. These bag attributes are as follows:

Bag Attributes
localKeyID: 01 00 00 00
subject=C = xx, ST = xxx, O = xxx, OU = xxx, CN = xxx
issuer=C = xx, ST = xxx, L = xxx, O = xxx, OU = xxx, CN = xxx
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----

After using this certificate with bag attributes to encrypt a CODESYS project, it can’t be decrypted, showing this error:
"The specified project could not be loaded. Possible reasons might be:
- The project file is corrupted or invalid
- The project has been saved with a newer version of the programming system. If this is the case, you can open the project in the corresponding version. Choose "Save as..." with the appropriate storage version, and retry again.
- You may not have the necessary permissions to load the project"

We know that the bag attributes are causing the issue because if we manually edit the certificate file to remove them before using the certificate to encrypt a project, the project can be decrypted as expected. However, we are unable to automatically enforce strong key protection using this method.

Here is a link to a StackOverFlow question that we have posted recently for this issue: https://stackoverflow.com/questions/76922355/enforcing-strong-private-key-protection-for-x509certificate2-objects-in-net-mod

Any help is greatly appreciated.

UPDATE(2023-09-15): We contacted CODESYS support who told us our certificate was causing an invalid provider cryptography exception. It seems CODESYS doesn't work with the Microsoft Software Key Storage Provider used by CNG. It does work with Microsoft Enhanced Cryptographic Provider v1.0, used by CAPI. I am now trying to enable strong protection for a certificate added to the store using CAPI: https://stackoverflow.com/questions/77113443/how-do-i-set-crypt-force-key-protection-high-to-enforce-high-level-strong-privat


Last edit: t-probst 2023-09-15
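Since the update above pins the problem on the key storage provider (CNG's Microsoft Software Key Storage Provider versus the CAPI Microsoft Enhanced Cryptographic Provider v1.0), the following added example, which is not the poster's code and not from CODESYS, shows two things in .NET on Windows: how to inspect which provider an installed certificate's private key lives in, and how to generate the key directly in the CAPI provider with the user-protected flag so the strong-protection dialog is raised at key creation rather than left to the user in the MMC snap-in. The container name, subject name, store location and EKU-free certificate shape are assumptions for illustration; whether CODESYS requires particular certificate extensions is not stated in the post and is not addressed here.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical helper class, not part of the original post).
// Windows-only: CspParameters and RSACryptoServiceProvider map onto CAPI.
public static class CapiKeyProtection
{
    // The CAPI provider the update says CODESYS accepts (PROV_RSA_FULL = 1).
    const string EnhancedProvider = "Microsoft Enhanced Cryptographic Provider v1.0";
    const int ProvRsaFull = 1;

    // Reports which provider backs the certificate's RSA private key, so an
    // installed certificate can be checked before it is handed to CODESYS.
    // Returns null when the certificate has no accessible RSA private key.
    public static string DescribeKeyProvider(X509Certificate2 cert)
    {
        using RSA? rsa = cert.GetRSAPrivateKey();
        switch (rsa)
        {
            case RSACryptoServiceProvider csp:
                // CAPI key: the container info names the CSP.
                return "CAPI: " + csp.CspKeyContainerInfo.ProviderName;
            case RSACng cng:
                // CNG key: the KSP name (e.g. Microsoft Software Key Storage Provider).
                return "CNG: " + cng.Key.Provider?.Provider;
            case null:
                return null;
            default:
                return "Other: " + rsa.GetType().Name;
        }
    }

    // Creates an RSA key inside the CAPI Enhanced provider with
    // CspProviderFlags.UseUserProtectedKey (CRYPT_USER_PROTECTED). Windows
    // shows the key-protection dialog during creation, so the key cannot be
    // created silently without the user seeing it. Note: this flag exposes
    // CRYPT_USER_PROTECTED only; the CRYPT_FORCE_KEY_PROTECTION_HIGH flag the
    // second StackOverflow question asks about is not surfaced by CspProviderFlags.
    public static RSACryptoServiceProvider CreateUserProtectedCapiKey(string containerName, int keySize = 2048)
    {
        var cspParams = new CspParameters(ProvRsaFull, EnhancedProvider, containerName)
        {
            // Persisted, user-scoped key container with the interactive protection prompt.
            Flags = CspProviderFlags.UseUserProtectedKey
        };
        return new RSACryptoServiceProvider(keySize, cspParams);
    }

    // Builds a self-signed certificate bound to the CAPI key and places it in the
    // current user's personal store. Because the key already lives in a CSP
    // container, no PFX round-trip (and hence no bag attributes) is involved.
    public static X509Certificate2 InstallSelfSigned(string subject, string containerName)
    {
        using RSACryptoServiceProvider key = CreateUserProtectedCapiKey(containerName);

        var request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        DateTimeOffset now = DateTimeOffset.UtcNow;
        using X509Certificate2 cert = request.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(2));

        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
        return new X509Certificate2(cert.Thumbprint is null ? cert.RawData : cert.Export(X509ContentType.Cert));
    }

    public static void Main()
    {
        // Hypothetical values; adjust to the real deployment.
        X509Certificate2 installed = InstallSelfSigned("CN=CODESYS Project Key (example)", "codesys-project-key-example");
        Console.WriteLine("Installed thumbprint: " + installed.Thumbprint);

        // Re-read from the store so the check runs against what CODESYS will see.
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        foreach (X509Certificate2 c in store.Certificates.Find(X509FindType.FindByThumbprint, installed.Thumbprint, false))
            Console.WriteLine(c.Subject + " -> " + (DescribeKeyProvider(c) ?? "no RSA private key"));
    }
}
```

Running DescribeKeyProvider over an existing store entry distinguishes "CAPI: Microsoft Enhanced Cryptographic Provider v1.0" from "CNG: Microsoft Software Key Storage Provider", which is the difference the update identifies. The design choice here is to create the key in the target provider up front rather than generate a CNG key and export/import a PFX, since the import path is where the bag attributes in the post originate and where the protection level is left to the user.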