Check if the legacy CSP supports 'PP_KEYSET_SEC_DESCR' flag


I imported a PFX into the Windows certificate store via the GUI. When I checked the output of 'certutil -store my CN', it showed the CSP as 'Microsoft Enhanced Cryptographic Provider v1.0', which is a legacy CSP, not a new CNG one. I'm using Windows Server 2012.

(I know I can import via certutil -csp "csp_name" and get a new CSP like 'Microsoft Software Key Storage Provider'.)

I want to set the DACL on the private key corresponding to the certificate. That said, as I have a legacy CSP, I have to use 'CryptSetProvParam' and not the CNG equivalent. The legacy CSP on my machine supports the 'PP_KEYSET_SEC_DESCR' flag, but my customer might be using a legacy CSP which doesn't support this flag.

1. Is there a way to check if the legacy CSP supports this 'PP_KEYSET_SEC_DESCR' flag?

I know the CNG equivalent flag 'NCRYPT_SECURITY_DESCR_SUPPORT_PROPERTY', but if I acquire an NCrypt handle to the key using 'CryptAcquireCertificatePrivateKey', the API 'NCryptGetProperty' fails with error NTE_BAD_KEY_STATE.

2. Why does 'NCryptGetProperty' fail if the handle is NCrypt but the underlying CSP is legacy?
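The following is an added example, not part of the original post or of any answer to it. It shows one practical way to run the check the question asks for in point 1: acquire the private key with CryptAcquireCertificatePrivateKey using the ALLOW_NCRYPT flag (not PREFER/ONLY), so that a key held by a legacy CSP comes back as an HCRYPTPROV and pdwKeySpec tells you which API family applies; then, for the legacy case, size-query the container DACL with CryptGetProvParam(PP_KEYSET_SEC_DESCR) before ever calling CryptSetProvParam. The assumption made here is that a CSP which does not implement PP_KEYSET_SEC_DESCR rejects the dwParam with NTE_BAD_TYPE, which is the documented meaning of that error for CryptGetProvParam. The function name Test-KeysetSecDescrSupport, the LocalMachine\My store and the thumbprint placeholder are all assumptions for the example.

```powershell
# Added example (not from the original post). Probes, for one certificate,
# whether the private key lives in a legacy CSP and, if so, whether that CSP
# understands PP_KEYSET_SEC_DESCR, before any CryptSetProvParam call is made.
if (-not ('KeyProbe' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class KeyProbe
{
    public const uint CRYPT_ACQUIRE_SILENT_FLAG           = 0x00000040;
    public const uint CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG = 0x00010000;
    public const uint CERT_NCRYPT_KEY_SPEC                = 0xFFFFFFFF;
    public const uint PP_KEYSET_SEC_DESCR                 = 8;
    public const uint DACL_SECURITY_INFORMATION           = 0x00000004;
    public const int  NTE_BAD_TYPE                        = unchecked((int)0x8009000A);

    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CryptAcquireCertificatePrivateKey(
        IntPtr pCert, uint dwFlags, IntPtr pvReserved,
        out IntPtr phCryptProvOrNCryptKey, out uint pdwKeySpec, out bool pfCallerFreeProv);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CryptGetProvParam(
        IntPtr hProv, uint dwParam, byte[] pbData, ref uint pdwDataLen, uint dwFlags);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);

    [DllImport("ncrypt.dll")]
    public static extern int NCryptFreeObject(IntPtr hObject);
}
'@
}

function Test-KeysetSecDescrSupport {
    # Hypothetical helper name; the certificate is looked up by thumbprint in
    # LocalMachine\My (assumption: that is where the PFX was imported).
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "certificate $Thumbprint not found in LocalMachine\My" }

    # ALLOW_NCRYPT (not PREFER/ONLY) so that a key in a legacy CSP comes back as
    # an HCRYPTPROV and dwKeySpec tells us which API family applies.
    $h = [IntPtr]::Zero; $spec = [uint32]0; $callerFrees = $false
    $flags = [KeyProbe]::CRYPT_ACQUIRE_SILENT_FLAG -bor [KeyProbe]::CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG
    if (-not [KeyProbe]::CryptAcquireCertificatePrivateKey($cert.Handle, $flags, [IntPtr]::Zero,
            [ref]$h, [ref]$spec, [ref]$callerFrees)) {
        throw ('CryptAcquireCertificatePrivateKey failed: 0x{0:X8}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }

    try {
        if ($spec -eq [KeyProbe]::CERT_NCRYPT_KEY_SPEC) {
            return 'CNG key: use NCryptGetProperty/NCryptSetProperty, not CryptSetProvParam'
        }
        # Legacy CSP: size-query the key container DACL (pbData = NULL). A CSP that
        # does not know PP_KEYSET_SEC_DESCR rejects the dwParam with NTE_BAD_TYPE
        # (assumption based on the documented return codes of CryptGetProvParam).
        $cb = [uint32]0
        $ok = [KeyProbe]::CryptGetProvParam($h, [KeyProbe]::PP_KEYSET_SEC_DESCR, $null,
                                            [ref]$cb, [KeyProbe]::DACL_SECURITY_INFORMATION)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($ok) { return "PP_KEYSET_SEC_DESCR supported (DACL is $cb bytes); CryptSetProvParam is safe to call" }
        if ($err -eq [KeyProbe]::NTE_BAD_TYPE) { return 'PP_KEYSET_SEC_DESCR not supported by this legacy CSP' }
        return ('CryptGetProvParam failed: 0x{0:X8}' -f $err)
    }
    finally {
        # Release with the API family that matches the handle we were given.
        if ($callerFrees) {
            if ($spec -eq [KeyProbe]::CERT_NCRYPT_KEY_SPEC) { [void][KeyProbe]::NCryptFreeObject($h) }
            else { [void][KeyProbe]::CryptReleaseContext($h, 0) }
        }
    }
}

# Usage (placeholder thumbprint; replace with the one shown by certutil -store my):
Test-KeysetSecDescrSupport -Thumbprint 'REPLACE_WITH_CERT_THUMBPRINT'
```

Run this elevated on the machine holding the key. The branch on pdwKeySpec is the part that matters for deployment: only when the value is not CERT_NCRYPT_KEY_SPEC is CryptSetProvParam the right call, and only after the PP_KEYSET_SEC_DESCR probe succeeds should the DACL actually be written.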
