Archived Forum Post


Question:

CADES Sign

Aug 22 '13 at 14:26

When I try signing a document with CADES using a certificate from currentuserstore, I get this error. When I use this certificate in Internet Explorer, a dialog shows to enter a password. I don't know how to enter this password using Chilkat. The LastErrorText obtained is:

ChilkatLog:
CreateDetachedSignature:
DllDate: Aug 5 2012
UnlockPrefix: 30-day trial
Username: PORTATIL:Ernesto
Architecture: Little Endian; 32-bit
Language: ActiveX
VerboseLogging: 0
hcCurDate: Fri, 16 Nov 2012 21:05:32 +0100
hcExpire: 11/2012
SigningCert:
SubjectDN: C=ES, SN=36137603A, Surname=ALCONADA, OID.2.5.4.42=ERNESTO, CN="ALCONADA GARCIA, ERNESTO (FIRMA)"
SerialNumber: 2C49846E0FF992DC4F50D11B09CC3BD4
--SigningCert
No private key seems to be available for signing (5)
Continuing anyway in case it's a hardware CSP...
Will use CryptoAPI for signing.
Cannot produce CAdES signatures when forced to use the MS-Crypto API because of inability to access the private key.
The certificate (PFX) must be installed with the private key marked as exportable.
Failed.
--CreateDetachedSignature
--ChilkatLog


Answer

There are two solutions:

1) Re-import the PFX containing the certificate and private key onto the system, but this time allow the private key to be exportable. This will allow the Chilkat internals to gain access to the private key material such that it can produce the CAdES signature.

2) Use the PFX directly, and in this case you'll need to provide the PFX password in the call to AddPfxSourceFile.


Answer

Hi, I've the same problem, but the certificate I use to sign is on a SmartCard, so it's impossible (?) to "1) Re-import the PFX..." or "2) Use the PFX directly...". How can I sign a document with CAdES using a SmartCard? Thanks


Answer

You cannot, using Chilkat. When the private key is on a smartcard, Chilkat must use the underlying MS Crypto API (instead of its own PKCS7 implementation) to do the signing. The Crypto API does not have CAdES capability. Therefore, the only choice is to use Chilkat's PKCS7 functionality.

Unfortunately, what Microsoft considers to be the "exporting" of the private key includes the act of accessing the private key in-memory. When Crypto-API does the same, Microsoft doesn't consider it to be "exporting" the private key.
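Added example, not part of the original thread and not Chilkat code: a PowerShell check that reports whether the private key behind a certificate in the current user's store is exportable, non-exportable, or held by a hardware provider (the three situations the answers above distinguish), plus the re-import from the first answer. An exportable key can be read out by any process running as that user, which is why the check is worth running before and after. The function names and the PFX path are hypothetical, and treating the `AllowExport` flag as "exportable" for CNG keys is an assumption.

```powershell
# Added example: classify the private key of a CurrentUser\My certificate,
# then re-import a PFX with the key marked exportable (first answer above).
function Get-SigningKeyState {
    param([Parameter(Mandatory)][string]$SerialNumber)

    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.SerialNumber -eq $SerialNumber } |
        Select-Object -First 1
    if (-not $cert)               { return 'CertificateNotFound' }
    if (-not $cert.HasPrivateKey) { return 'NoPrivateKey' }

    try {
        $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
        $key = $ext::GetRSAPrivateKey($cert)
    } catch { return "KeyInaccessible: $($_.Exception.Message)" }
    if (-not $key) { return 'NoRsaPrivateKey' }

    try {
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CSP key: the container info says if it lives on a device.
            $info = $key.CspKeyContainerInfo
            if ($info.HardwareDevice) { return "Hardware ($($info.ProviderName))" }
            $exportable = $info.Exportable
            $provider   = $info.ProviderName
        } elseif ($key -is [System.Security.Cryptography.RSACng]) {
            # CNG key: a smart card shows up as non-exportable, and the
            # provider name in the result identifies the card's provider.
            $allow      = [System.Security.Cryptography.CngExportPolicies]::AllowExport
            $exportable = $key.Key.ExportPolicy.HasFlag($allow)
            $provider   = $key.Key.Provider.Provider
        } else { return "UnknownKeyType: $($key.GetType().Name)" }
    } catch { return "KeyPropertiesUnavailable: $($_.Exception.Message)" }

    if ($exportable) { "Exportable ($provider)" } else { "NonExportable ($provider)" }
}

function Import-ExportablePfx {
    param([Parameter(Mandatory)][string]$PfxPath)
    # Prompt for the PFX password instead of placing it on the command line.
    $pw = Read-Host -AsSecureString -Prompt 'PFX password'
    Import-PfxCertificate -FilePath $PfxPath -Password $pw `
        -CertStoreLocation Cert:\CurrentUser\My -Exportable
}

# Usage (serial number taken from the log above; the path is a placeholder):
#   Get-SigningKeyState -SerialNumber '2C49846E0FF992DC4F50D11B09CC3BD4'
#   Import-ExportablePfx -PfxPath 'C:\path\to\signer.pfx'
```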