Is there a proper way or full example to use certificates with private keys from Windows Cert Store for encrypt/decrypt?
There is an example out of the lib (as a blog post) but when used, the private key is not available, and I am unable to decrypt data.
The other issue that is stopping us is that when an unknown OID is encountered, an exception is raised and processing stops. But certificates often contain custom "extension" OIDs, especially MS-generated ones, or those installed with custom USB/smart-card tokens. Would it be possible to ignore or skip unrecognized OIDs?
Hi, what do you mean by "private keys is not available"? From the example?
"Would it be possible to ignore or skip unrecognized OIDs?" The answer is mixed. In some cases, I could change the code to ignore the OID. However, there are a couple of issues here.
1. Often, an OID is followed by a value that needs to be extracted. Testing all types is feasible but not really desired. I could also skip this phase, but that's not "clean".
2. In many cases, some specific OIDs are expected, to comply with the standard. If a certificate is not well-formed, it will pass decoding although it should not.
Can you send me your cert at bernard[@]tmssoftware[dot]com for investigation of the OIDs?
I tried to use a PowerShell-created self-signed certificate (ps1 script included). Then I imported that PFX into the Windows Cert Store (right click, then Install).
Then I would like to use that certificate, but from the Windows Store, to encrypt something, or sign a PDF using TMS components.
A number of clients have certificates installed (by a domain admin, or by some third-party software installers) in the Windows Store.
```powershell
# --- settings you can change ---
$subject = 'CN=PDF Signing Dev Cert, O=MyCompany'
$pfxPath = 'C:\Certs\pdf-signing-dev.pfx'
$cerPath = 'C:\Certs\pdf-signing-dev.cer'
$pemCertPath = 'C:\Certs\pdf-signing-dev.crt.pem'
$pemKeyPath = 'C:\Certs\pdf-signing-dev.key.pem'   # declared but not used below: the private key is never written to PEM
$pfxPassword = 'StrongP@ssw0rd!' # choose something strong

# Export cmdlets do not create the target folder; make sure it exists
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null

# --- create self-signed certificate in CurrentUser\My ---
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -Type Custom `
    -KeyAlgorithm RSA `
    -KeyLength 3072 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature `
    -KeySpec Signature `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# --- export to PFX with modern encryption (certificate + private key) ---
$sec = ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $sec `
    -CryptoAlgorithmOption AES256_SHA256

# --- export public CER (optional, for distributing the public part) ---
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# --- export to PEM format (certificate only, no private key) ---
$pemCert = @(
    '-----BEGIN CERTIFICATE-----'
    [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
    '-----END CERTIFICATE-----'
)
$pemCert | Out-File -FilePath $pemCertPath -Encoding ascii
Write-Host "Certificate exported to PEM: $pemCertPath" -ForegroundColor Green

# Show where it went
$cert | Format-List Subject, Thumbprint, NotAfter, PSParentPath
```
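To pin down what "private key is not available" means for a store-resident certificate, here is an added PowerShell check (example code, not from the original post and not TMS code) that reads the certificate back from the store, reports whether a private key is linked and which provider (CNG or legacy CAPI) holds it, and lists every extension OID, flagging those outside a small hand-picked set of standard X.509 extensions instead of failing on them. `$SubjectFilter` and the `$knownExtensionOids` table are assumptions chosen to match the script above.

```powershell
# Added example: inspect a store certificate for private-key reachability and extension OIDs.
param(
    [string]$StoreLocation = 'Cert:\CurrentUser\My',
    [string]$SubjectFilter = 'PDF Signing Dev Cert'   # assumption: subject from the script above
)

# Assumed "known" set: standard X.509 extension OIDs a decoder would normally handle.
$knownExtensionOids = @{
    '2.5.29.14' = 'subjectKeyIdentifier';  '2.5.29.15' = 'keyUsage'
    '2.5.29.17' = 'subjectAltName';        '2.5.29.19' = 'basicConstraints'
    '2.5.29.31' = 'cRLDistributionPoints'; '2.5.29.35' = 'authorityKeyIdentifier'
    '2.5.29.37' = 'extKeyUsage';           '1.3.6.1.5.5.7.1.1' = 'authorityInfoAccess'
}

$certs = Get-ChildItem $StoreLocation | Where-Object { $_.Subject -like "*$SubjectFilter*" }
if (-not $certs) { Write-Warning "No certificate matching '$SubjectFilter' in $StoreLocation"; return }

foreach ($cert in $certs) {
    Write-Host "Subject       : $($cert.Subject)"
    Write-Host "Thumbprint    : $($cert.Thumbprint)"
    # HasPrivateKey is true only when the store entry is linked to a key container.
    Write-Host "HasPrivateKey : $($cert.HasPrivateKey)"
    if ($cert.HasPrivateKey) {
        # A CNG (KSP) key cannot be opened by code that only speaks legacy CryptoAPI,
        # which is one common reason a library reports "no private key".
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            Write-Host "Key provider  : CNG ($($rsa.Key.Provider.Provider)), export policy: $($rsa.Key.ExportPolicy)"
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            Write-Host "Key provider  : legacy CSP ($($rsa.CspKeyContainerInfo.ProviderName))"
        } else {
            Write-Host "Key provider  : $($rsa.GetType().Name)"
        }
        $rsa.Dispose()
    }
    # Walk every extension; an unknown OID is reported, not treated as a decode error.
    foreach ($ext in $cert.Extensions) {
        $oid  = $ext.Oid.Value
        $name = if ($knownExtensionOids.ContainsKey($oid)) { $knownExtensionOids[$oid] }
                else { "UNKNOWN to this table (friendly name: $($ext.Oid.FriendlyName))" }
        Write-Host ("  ext {0,-20} critical={1,-5} {2}" -f $oid, $ext.Critical, $name)
    }
}
```

The OID list it prints is what Bernard asked to see: any line marked UNKNOWN is a candidate for the "custom extension" case, and a CNG-held key with a non-exportable policy is the usual cause of a decrypt or sign call failing even though HasPrivateKey is true.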