Associate private key to certificate for PFXExportCertStoreEx

Question

I'm trying to export certificate to pfx file. Here's what I do (simplified):

h = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, CERT_STORE_CREATE_NEW_FLAG, NULL); 
p = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                  CertBlob.pbData, CertBlob.cbData);
CertSetCertificateContextProperty(p, CERT_KEY_PROV_HANDLE_PROP_ID, 0, &hPrivKey);
CertAddCertificateContextToStore(h, p, CERT_STORE_ADD_ALWAYS, NULL);
PFXExportCertStoreEx(h, &SomeBlob, L"", NULL, EXPORT_PRIVATE_KEYS);

PFX created, no private key exported. Anyone ever exported private key to pfx? What's the proper way to attach private key to certificate so that it could be exported?

Answer 1

Apparently, CertSetCertificateContextProperty(p, CERT_KEY_PROV_HANDLE_PROP_ID ...)

is not good. Need to do this instead:

CRYPT_KEY_PROV_INFO kpi;
ZeroMemory( & kpi, sizeof(kpi) );
kpi.pwszContainerName = "my-container-name";
kpi.dwProvType = PROV_RSA_FULL;
kpi.dwKeySpec = AT_KEYEXCHANGE;
kpi.dwFlags = CRYPT_MACHINE_KEYSET;
CertSetCertificateContextProperty( pCert, CERT_KEY_PROV_INFO_PROP_ID, 0, & kpi);

It's critical that provider name and other crap match the information that was used to generate actual key. It's not needed to set provider handle or any of that stuff. It also must be done before CertAddCertificateContextToStore.

This is the only way that I found to attach private key to a certificate.

Answer 2

For the posterity:

The problem is related to the CertAddCertificateContextToStore call. Indeed, it does not copy the CERT_KEY_PROV_HANDLE_PROP_ID property to the next context. (this fact is noted in the remark)

Solution:

Fill the last parameter with a handle to the new context and copy the property from the old context to the next one.