The code below tries to renew an existing certificate. The certificate is renewed, but a new public/private key is generated despite the option X509RequestInheritOptions.InheritPrivateKey being specified.
What is wrong in the code below, because the intention was to keep the existing private key? In the certificates management console, I can renew the certificate and keep the existing private key.
    using System;
    using System.Security.Cryptography.X509Certificates;
    using CERTENROLLLib; // COM reference: CertEnroll 1.0 Type Library

    string certificateSerial = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    // getCertificate is the asker's own helper (not shown) that loads the certificate from the store
    X509Certificate certificate = getCertificate(certificateSerial);
    var objPkcs7 = new CX509CertificateRequestPkcs7();
    objPkcs7.InitializeFromCertificate(X509CertificateEnrollmentContext.ContextUser, true, // renewal request
        Convert.ToBase64String(certificate.GetRawCertData()),
        EncodingType.XCN_CRYPT_STRING_BASE64,
        X509RequestInheritOptions.InheritPrivateKey & X509RequestInheritOptions.InheritValidityPeriodFlag);
    IX509Enrollment ca = new CX509EnrollmentClass();
    ca.InitializeFromRequest(objPkcs7);
    ca.Enroll();
Thanks
It seems the problem is in the MSDN documentation:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379430%28v=vs.85%29.aspx
The page states: "...You can also use a bitwise-AND operation to combine the key inheritance choice with InheritNone or with any combination of the following flags...".
However, if we use bitwise-AND between InheritPrivateKey = 0x00000003 and InheritValidityPeriodFlag = 0x00000400, we get 0, which is InheritDefault (i.e. no private key inheritance).
For my use case we need to use bitwise-OR. It seems the C++ SDK example does the same:
https://github.com/theonlylawislove/WindowsSDK7-Samples/blob/master/security/x509%20certificate%20enrollment/vc/enrollpkcs7/enrollPKCS7.cpp
In that context the code above shall be modified as:
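The answer's modified code is not on the page. As an added example (not the asker's or the answerer's code), the following renewal combines the two options with bitwise-OR and then checks that the issued certificate carries the same public key as the original, which is the observable sign that the private key was kept. The store lookup by serial number is assumed to match what the asker's getCertificate() helper does, and get_Certificate is assumed to be the interop accessor for the indexed Certificate property.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using CERTENROLLLib; // COM reference: CertEnroll 1.0 Type Library

public static class RenewKeepKey
{
    // 0x00000003 | 0x00000400 = 0x00000403: both options survive.
    // With '&' the same two values give 0 = InheritDefault, so a fresh key is generated.
    public static readonly X509RequestInheritOptions RenewalOptions =
        X509RequestInheritOptions.InheritPrivateKey |
        X509RequestInheritOptions.InheritValidityPeriodFlag;

    // Looks up the certificate to renew in the current user's personal store
    // (assumed equivalent of the asker's getCertificate() helper).
    public static X509Certificate2 FindBySerial(string serial)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindBySerialNumber, serial, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("certificate not found: " + serial);
            return matches[0];
        }
    }

    // Submits a PKCS#7 renewal request that reuses the existing key pair and validity period.
    public static X509Certificate2 Renew(X509Certificate2 existing)
    {
        var request = new CX509CertificateRequestPkcs7();
        request.InitializeFromCertificate(
            X509CertificateEnrollmentContext.ContextUser,
            true, // renewal request
            Convert.ToBase64String(existing.RawData),
            EncodingType.XCN_CRYPT_STRING_BASE64,
            RenewalOptions);

        var enrollment = new CX509Enrollment();
        enrollment.InitializeFromRequest(request);
        enrollment.Enroll();

        // The issued certificate comes back base64-encoded; get_Certificate is the
        // assumed interop name of the indexed Certificate[Encoding] property.
        string issued = enrollment.get_Certificate(EncodingType.XCN_CRYPT_STRING_BASE64);
        return new X509Certificate2(Convert.FromBase64String(issued));
    }

    // Identical SubjectPublicKey bytes mean the key pair was inherited, not regenerated.
    public static bool SameKeyPair(X509Certificate2 a, X509Certificate2 b) =>
        a.GetPublicKey().SequenceEqual(b.GetPublicKey());
}
```

Run `SameKeyPair(existing, Renew(existing))` after enrollment and expect true; a false result means the CA issued the certificate for a newly generated key and the inherit options passed to InitializeFromCertificate should be re-checked.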