PKCS#11 interface support on Windows 2000/Server 2003

  • Article

Hi all, welcome back,

I recently had some issues involving PKCS#11 interface on Windows, and it seems quite clear that we don't support it, at least on Windows 2000 & Server 2003, and as far as I know on any other version of Windows: 

Public Key Interoperability
"
Hardware Support
...
Windows 2000 uses CryptoAPI to abstract hardware-based key management from applications and uses the PC/SC standard instead of PKCS#11 to communicate with smart cards and readers. Entrust, Netscape and Baltimore have their own cryptographic APIs and use PKCS#11 to interface to hardware tokens like smart cards. IBM uses CDSA as its cryptographic framework that includes support for hardware devices. Because Windows 2000 requires hardware devices to also support Plug and Play and Power Management features, and Microsoft's implementation of PC/SC includes support for these ease-of-use features, there are no plans to add support for PKCS#11 in Windows 2000.
"

Evaluating Factors That Affect Extended Trusts
"
Algorithm Support
...
Windows Server 2003 uses CryptoAPI to abstract hardware-based key management from applications, and it uses the PC/SC standard instead of PKCS#11 to communicate with smart cards and readers. Many third-party CAs have their own cryptographic APIs and use PKCS#11 to interface to hardware tokens such as smart cards. Because Windows 2000 and Windows Server 2003 require hardware devices to support Plug and Play and power management features, and PC/SC includes support for these ease-of-use features, Windows Server 2003 does not support PKCS#11.
Note
•             The Windows Server 2003 PKI can use third-party CSPs, and can enroll users for certificates that have keys that were generated by third-party CSPs.
"

So if you have any issues with a PKCS#11 interface, Microsoft Technical Support is not the one you should contact, but the provider of the interface instead.

I hope this helps.

Cheers,

 

Alex (Alejandro Campos Magencio)