Article ID: 238187
This article was previously published under Q238187
Calls to the CryptAcquireContext function can include various flags. It is important to know when to use these flags. This article provides information on when to use specific flags when you call CryptAcquireContext and the reasons for using these flags.
Private key operations are not performed
When you are not using a persisted private key, the CRYPT_VERIFYCONTEXT (0xF0000000) flag can be used when CryptAcquireContext is called. This tells CryptoAPI to create a key container in memory that will be released when CryptReleaseContext is called. When this flag is used, the pszContainer parameter must be NULL. The CRYPT_VERIFYCONTEXT flag can be used in the following scenarios:
Private key operations are performed
If you plan to perform private key operations, there are many issues that you must consider.
The best way to acquire a context is to try to open the container. If this attempt fails with "NTE_BAD_KEYSET", then create the container by using the CRYPT_NEWKEYSET flag.
Note: Applications must not use the default key container (passing NULL for the container name) to store private keys. When multiple applications use the same container, one application can change or destroy the keys that another application needs to have available. If each application uses a key container with a unique name, the risk that another application tampers with the keys it needs in order to function is reduced.
Using the CRYPT_MACHINE_KEYSET flag
If you are not performing private key operations on a per-user basis and you need global private key operations, CRYPT_MACHINE_KEYSET should be used. This method creates the private/public key pair on a per-computer basis. Some specific scenarios in which CRYPT_MACHINE_KEYSET should be used are:
Providing access to your container
By default, when a key container is created, the local system and the creator are the only users who have access to the container. The exception to this is when an administrator creates the key container: the local system and all other administrators will then have access to the key container. Any other security context cannot open the container. If your code will run under more than one security context, you must give the appropriate users access to your container. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
318825 Changes to the behavior of the default discretionary access control list (DACL) for administrators on a Windows XP-based system (http://support.microsoft.com/kb/318825/)
To set the security on the container, call the CryptSetProvParam function with the PP_KEYSET_SEC_DESCR flag after the container is created. This method allows you to set the security descriptor on the container. For more information on how to manipulate security descriptors, click the following article number to view the article in the Microsoft Knowledge Base:
106387 How to share kernel objects between processes (http://support.microsoft.com/kb/106387/)
The following code demonstrates how to call CryptSetProvParam. This is usually done immediately after creation of the key container.
CryptAcquireContext errors
The following are the most common error codes and possible reasons for the error.
Article ID: 238187 - Last Review: November 21, 2006 - Revision: 6.3