Here are the steps for creating a self-signed certificate whose key container is created in the machine key set.

Step 1:

Get the CSP handle, creating the key container in the machine key set if it does not already exist.

if (!CryptAcquireContext(&hCryptProv, _T("shmisra"), NULL, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
{
      // Error
      _tprintf(_T("Error 0x%x\n"), GetLastError());

      // Try to create a new key container
      if (!CryptAcquireContext(&hCryptProv, _T("shmisra"), NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
      {
            // Error: the container could not be opened or created
            _tprintf(_T("Error 0x%x\n"), GetLastError());
            return 0;
      }
}

Step 2:

Generate a new key pair.

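// The upper 16 bits of dwFlags carry the key length in bits (0x0800 = 2048)
if (!CryptGenKey(hCryptProv, AT_SIGNATURE, 0x08000000 | CRYPT_EXPORTABLE, &hKey))
{
      // Error
      _tprintf(_T("Error 0x%x\n"), GetLastError());
      return 0;
}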

Step 3:

Prepare the key provider information structure (CRYPT_KEY_PROV_INFO) for the self-signed certificate.


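memset(&KeyProvInfo, 0, sizeof(KeyProvInfo));
// pwszContainerName is a wide string in every build, so use L"" rather than _T("")
KeyProvInfo.pwszContainerName = (LPWSTR)L"shmisra";
KeyProvInfo.pwszProvName = NULL;
KeyProvInfo.dwProvType = PROV_RSA_FULL;
// Must match the key set used in Step 1; with 0 the container is looked up in the user key set
KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;
KeyProvInfo.cProvParam = 0;
KeyProvInfo.rgProvParam = NULL;
KeyProvInfo.dwKeySpec = AT_SIGNATURE;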


Once the above steps are complete, call the CertCreateSelfSignCertificate function to create the certificate.

If you follow these steps, you will have created a self-signed certificate with a 2048-bit RSA key whose private key is exportable.
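The three steps and the final CertCreateSelfSignCertificate call put together, as an added example that is not code from the original post. The helper keygen_flags and the subject name "CN=example-selfsigned" are assumptions introduced for illustration; the Windows part is guarded by _WIN32.

```c
#include <stdio.h>

/* CryptGenKey reads the RSA key length from the upper 16 bits of dwFlags;
   bit 0 is CRYPT_EXPORTABLE. keygen_flags is a hypothetical helper. */
unsigned long keygen_flags(unsigned int bits, int exportable)
{
    return ((unsigned long)bits << 16) | (exportable ? 0x1UL : 0x0UL);
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>

int main(void)
{
    HCRYPTPROV hProv = 0; HCRYPTKEY hKey = 0; PCCERT_CONTEXT pCert = NULL;
    BYTE nameBuf[256]; CERT_NAME_BLOB subject; CRYPT_KEY_PROV_INFO kpi = { 0 };
    int rc = 1;

    /* Steps 1-2: open or create the machine container, generate the key. */
    if (!CryptAcquireContextW(&hProv, L"shmisra", NULL, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET) &&
        !CryptAcquireContextW(&hProv, L"shmisra", NULL, PROV_RSA_FULL,
                              CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET)) goto done;
    if (!CryptGenKey(hProv, AT_SIGNATURE, keygen_flags(2048, 1), &hKey)) goto done;

    /* Step 3: the same container, provider type, key set and key spec. */
    kpi.pwszContainerName = (LPWSTR)L"shmisra";
    kpi.dwProvType = PROV_RSA_FULL;
    kpi.dwFlags = CRYPT_MACHINE_KEYSET;
    kpi.dwKeySpec = AT_SIGNATURE;

    /* Encode the subject; "CN=example-selfsigned" is a constructed placeholder. */
    subject.pbData = nameBuf; subject.cbData = sizeof(nameBuf);
    if (!CertStrToNameW(X509_ASN_ENCODING, L"CN=example-selfsigned", CERT_X500_NAME_STR,
                        NULL, subject.pbData, &subject.cbData, NULL)) goto done;

    /* NULL algorithm and times select the API defaults: SHA1RSA, valid from
       now for one year. The subject is also the issuer. */
    pCert = CertCreateSelfSignCertificate(hProv, &subject, 0, &kpi, NULL, NULL, NULL, NULL);
    if (pCert) rc = 0;
done:
    if (rc) printf("Error 0x%lx\n", GetLastError());
    if (pCert) CertFreeCertificateContext(pCert);
    if (hKey) CryptDestroyKey(hKey);
    if (hProv) CryptReleaseContext(hProv, 0);
    return rc;
}
#endif
```

Link with advapi32.lib and crypt32.lib when building on Windows.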