Expand Minimize
EN
Este conteúdo não está disponível no seu idioma mas aqui tem a versão em inglês.

PFXExportCertStoreEx function

The PFXExportCertStoreEx function exports the certificates and, if available, their associated private keys from the referenced certificate store. This function replaces the older PfxExportCertStore function. It should be used for its enhanced private key security. The PFX BLOB created by this function is protected by a password.

Syntax


BOOL WINAPI PFXExportCertStoreEx(
  _In_     HCERTSTORE hStore,
  _Inout_  CRYPT_DATA_BLOB *pPFX,
  _In_     LPCWSTR szPassword,
  _In_     void *pvPara,
  _In_     DWORD dwFlags
);

Parameters

hStore [in]

Handle of the certificate store containing the certificates to be exported.

pPFX [in, out]

A pointer to a CRYPT_DATA_BLOB structure to contain the PFX packet with the exported certificates and keys. If pPFX->pbData is NULL, the function calculates the number of bytes needed for the encoded BLOB and returns this in pPFX->cbData. When the function is called with pPFX->pbData pointing to an allocated buffer of the needed size, the function copies the encoded bytes into the buffer and updates pPFX->cbData with the encode byte length.

szPassword [in]

String password used to encrypt and verify the PFX packet. When you have finished using the password, clear the password from memory by calling the SecureZeroMemory function. For more information about protecting passwords, see Handling Passwords.

pvPara [in]

This parameter must be NULL if the dwFlags parameter does not contain PKCS12_PROTECT_TO_DOMAIN_SIDS. Prior to Windows 8 and Windows Server 2012, therefore, this parameter must be NULL.

Beginning with Windows 8 and Windows Server 2012, if the dwFlags parameter contains PKCS12_PROTECT_TO_DOMAIN_SIDS, you can set the pvPara parameter to point to an NCRYPT_DESCRIPTOR_HANDLE value to identify which Active Directory principal the PFX password will be protected to inside of the PFX BLOB. Currently, the password can be protected to an Active Directory user, computer, or group. For more information about protection descriptors, see NCryptCreateProtectionDescriptor.

dwFlags [in]

Flag values can be set to any combination of the following.

ValueMeaning
EXPORT_PRIVATE_KEYS
0x0004

Private keys are exported as well as the certificates.

REPORT_NO_PRIVATE_KEY
0x0001

If a certificate is encountered that has no associated private key, the function returns FALSE with the last error set to either CRYPT_E_NOT_FOUND or NTE_NO_KEY.

REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY
0x0002

If a certificate is encountered that has a non-exportable private key, the function returns FALSE and the last error set to NTE_BAD_KEY, NTE_BAD_KEY_STATE, or NTE_PERM.

PKCS12_INCLUDE_EXTENDED_PROPERTIES
0x0010

Export all extended properties on the certificate.

Windows Server 2003 and Windows XP:  This value is not supported.

PKCS12_PROTECT_TO_DOMAIN_SIDS
0x0020

The PFX BLOB contains an embedded password that will be protected to the Active Directory (AD) protection descriptor pointed to by the pvPara parameter. If the szPassword parameter is not NULL or empty, the specified password is protected. If, however, the szPassword parameter is NULL or an empty string, a random forty (40) character password is created and protected.

PFXImportCertStore uses the specified protection descriptor to decrypt the embedded password, whether specified by the user or randomly generated, and then uses the password to decrypt the PFX BLOB.

Windows 8 and Windows Server 2012:  Support for this flag begins.

 

Return value

Returns TRUE (nonzero) if the function succeeds, and FALSE (zero) if the function fails. For extended error information, call GetLastError.

Remarks

Beginning with Windows 8 and Windows Server 2012, you can protect the PFX password to an Active Directory user, computer, or group. If you choose to do so but do not create a password, a temporary password will be randomly selected. The password is encrypted by using the Active Directory principal and then embedded in the PFX BLOB. For more information, see the pvPara parameter and the PKCS12_PROTECT_TO_DOMAIN_SIDS flag.

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Wincrypt.h

Library

Crypt32.lib

DLL

Crypt32.dll

See also

PFXExportCertStore
PFXImportCertStore

 

 

Conteúdo da Comunidade

Adicionar
Mostrar:
© 2014 Microsoft