When importing a device certificate/private key through CERTLM, the GUI seems to choose a deprecated Cryptography Service Provider (CSP) called "Microsoft Strong Cryptographic Provider"; I'm wondering if there is a way to change this to "Microsoft Software Key Storage Provider" through the wizard, group policy, or other means.
More details: A vendor asked me to import a PFX to a Windows 11 local machine certificate store through the following command-line syntax:
certutil -csp "Microsoft Software Key Storage Provider" -importpfx MyPathToCertificate.pfx NoExport
This worked great with their software, however when I had previously tried to import the same PFX, I had used CERTLM (GUI) to import the certificate to same place (local machine / personal store). This seemed to work at the time (certificate appeared there) but caused decryption errors as indicated in the vendor's logs.
Here's how I had imported through the CERTLM:
- I launched Command Prompt via UAC / Choose Certificates (local machine)
- I imported the PFX using the default options to the Personal store
After running the following command:
Certutil -store My
I noticed the certificate had the following line:
Provider = Microsoft Strong Cryptographic Provider
whereas the certutil command explicitly chose "Microsoft Software Key Storage Provider".
According to https://www.pkisolutions.com/understanding-microsoft-crypto-providers/ "Microsoft Strong Cryptographic Provider" is a deprecated legacy provider whereas "Microsoft Software Key Storage Provider" is a modern, preferred choice for working with new keys.
The different CSP explains why the vendor's app was not working after the original import, and I understand why MS would choose an "old" provider as a default for backward compatibility, but I'm curious if there are ways to specify the CSP when performing the import through CERTLM going forward.
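A way to audit a store for exactly this mismatch, as an added example that is not part of the original question: the script below (Windows PowerShell 5.1, run elevated so LocalMachine private keys are readable) walks LocalMachine\My and reports whether each private key lives in a legacy CryptoAPI CSP or in a CNG key storage provider. It assumes the .NET Framework 4.6+ RSACertificateExtensions API is available; the store path and function name are my own choices.

```powershell
# Report which provider backs each private key in a certificate store.
# Legacy CSP keys surface as RSACryptoServiceProvider; CNG/KSP keys as RSACng.
# Note: $cert.PrivateKey only works for CSP keys (it is $null for KSP keys),
# so GetRSAPrivateKey() is used instead, which handles both.
Add-Type -AssemblyName System.Security

function Get-PrivateKeyProviderReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed default

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $api = 'Unknown'
        $provider = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $api = 'Non-RSA or inaccessible key'
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $api = 'CNG (KSP)'
                $provider = $rsa.Key.Provider.Provider          # e.g. Microsoft Software Key Storage Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $api = 'CryptoAPI (CSP)'
                $provider = $rsa.CspKeyContainerInfo.ProviderName  # e.g. Microsoft Strong Cryptographic Provider
            }
        } catch {
            # Typically an access-denied on the key file when not elevated.
            $api = 'Error'
            $provider = $_.Exception.Message
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Api        = $api
            Provider   = $provider
            LegacyCsp  = ($api -eq 'CryptoAPI (CSP)')   # flag entries an app expecting a KSP will reject
        }
    }
}

Get-PrivateKeyProviderReport | Format-Table -AutoSize
```

Any row flagged LegacyCsp is a candidate for deleting the entry and re-importing the PFX with certutil -csp "Microsoft Software Key Storage Provider" as in the vendor's command.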
certutil.exe -importPfx without the -csp option to import; certutil.exe but using the CSP: does the application fail or work?