Here are the steps for creating a self-signed certificate with the key container created at the machine key set.

Step 1:

Get the CSP handle by creating the key container at the machine key folder.

if (!CryptAcquireContext(&hCryptProv, _T("shmisra"), NULL, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))

{

      // Error

      _tprintf(_T("Error 0x%x\n"), GetLastError());

 

      // Try to create a new key container

      if (!CryptAcquireContext(&hCryptProv, _T("shmisra"), NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))

      {

      ….

      }

    ….

}

 

Step 2:

Generate a new key pair.

if (!CryptGenKey(hCryptProv, AT_SIGNATURE, 0x08000000 | CRYPT_EXPORTABLE, &hKey))

{

    ….

}

 

Step 3:

Prepare a key provider structure for self-signed certificate.

CRYPT_KEY_PROV_INFO KeyProvInfo;

memset(&KeyProvInfo, 0, sizeof(KeyProvInfo));

KeyProvInfo.pwszContainerName = _T("shmisra");

KeyProvInfo.pwszProvName = NULL;

KeyProvInfo.dwProvType = PROV_RSA_FULL;

KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;

KeyProvInfo.cProvParam = 0;

KeyProvInfo.rgProvParam = NULL;

KeyProvInfo.dwKeySpec = AT_SIGNATURE;

 

Once you are ready with the above steps you use CertCreateSelfSignCertificate function to create the certificate.

If you follow these steps you created a self-signed certificate with 2048 bit RSA key and the private key is exportable.

 

References:

http://msdn.microsoft.com/en-us/library/aa376039(VS.85).aspx

-Shamik