Do CNG certificates work on Windows XP?

Hi all,

I posted some time ago about some issues that .NET 2.0/3.0/3.5 had with CNG certificates: "Invalid provider type specified" error when accessing X509Certificate2.PrivateKey on CNG certificates. This issue happened to us on Windows Vista/Server 2008 and later. But the weird thing is that if we tried the very same .NET code with the very same certificate on, for example, Windows XP, it worked. Why?

If we analyze the certificate with “certutil -dump mytestcert.pfx”, we can see something like this on, for example, Windows 2008:

Key Container = {...}
Unique container name: ...
Provider = Microsoft Software Key Storage Provider


Microsoft Software Key Storage Provider is a CNG KSP, and not a legacy CSP (Cryptographic Service Provider).

CNG Key Storage Providers
Unlike Cryptography API (CryptoAPI), Cryptography API: Next Generation (CNG) separates cryptographic providers from key storage providers (KSPs). KSPs can be used to create, delete, export, import, open and store keys. Depending on implementation, they can also be used for asymmetric encryption, secret agreement, and signing. Microsoft installs the following KSPs beginning with Windows Vista and Windows Server 2008.

As we saw, .NET doesn’t know how to work with CNG KSPs yet.

Now, XP doesn’t know about CNG stuff. If we use certutil on the same pfx file on XP, we can see this:

Key Container = {...}
Provider = Microsoft Strong Cryptographic Provider
ProviderType = 1
Flags = 0
KeySpec = 1


So a CNG certificate will be associated with a legacy CSP (Microsoft Strong Cryptographic Provider in this case) on systems like XP, where CNG is not supported. Since .NET works without problems with a certificate associated with a legacy CSP, that explains why our code works on XP.
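
The check above can be automated when many PFX files have to be triaged. The following is an added example, not code from the original post: it parses saved "certutil -dump" text and labels each key block as CNG KSP or legacy CSP. The function names and sample dumps are constructed for illustration, and treating a provider type of 0 as a CNG KSP is an assumption taken from the CRYPT_KEY_PROV_INFO documentation, not from the post.

```python
import re

# Field lines as they appear in the two certutil dumps quoted in the post.
_FIELD = re.compile(r"^\s*(Key Container|ProviderType|Provider|KeySpec)\s*=\s*(.*?)\s*$")

def parse_key_blocks(dump_text):
    """Return one dict per 'Key Container =' block found in certutil -dump text."""
    blocks = []
    for line in dump_text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue  # e.g. 'Unique container name: ...' or unrelated output
        name, value = m.groups()
        if name == "Key Container":
            blocks.append({})  # a new key description starts here
        if blocks:
            blocks[-1][name] = value
    return blocks

def classify(block):
    """Label a parsed block 'cng-ksp', 'legacy-csp' or 'unknown'."""
    provider = block.get("Provider", "")
    ptype = block.get("ProviderType", "")
    # Assumption: a provider type of 0 marks a CNG KSP (CRYPT_KEY_PROV_INFO docs).
    type_is_zero = bool(ptype) and set(ptype) <= {"0"}
    if "Key Storage Provider" in provider or type_is_zero:
        return "cng-ksp"      # X509Certificate2.PrivateKey fails on .NET 2.0/3.0/3.5
    if provider and ptype:
        return "legacy-csp"   # CryptoAPI CSP, usable from those .NET versions
    return "unknown"

def report(dump_text):
    """List (provider name, verdict) for every key block in the dump."""
    return [(b.get("Provider", ""), classify(b)) for b in parse_key_blocks(dump_text)]

# Constructed samples mirroring the two dumps in the post (values elided as there).
VISTA_DUMP = """Key Container = {...}
Unique container name: ...
Provider = Microsoft Software Key Storage Provider
"""
XP_DUMP = """Key Container = {...}
Provider = Microsoft Strong Cryptographic Provider
ProviderType = 1
Flags = 0
KeySpec = 1
"""

if __name__ == "__main__":
    for dump in (VISTA_DUMP, XP_DUMP):
        for provider, verdict in report(dump):
            print(f"{verdict:10}  {provider}")
```

A block that has a provider name but no ProviderType line and no "Key Storage Provider" in the name is reported as unknown rather than guessed.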



Alex (Alejandro Campos Magencio)
