Change default key container #3216
-
Why?
-
Microsoft left it up to the card vendor to create a container ID from info on the card, such as a serial number or other data. Most card vendors provide a minidriver which may be downloaded using plug-and-play when a card is first used. Unfortunately, the OpenSC minidriver for your card may not derive the same container ID as the card vendor's minidriver. So switching between the OpenSC minidriver and a vendor's minidriver does not change the container ID in the cert store. It could also be a problem if a code change to a minidriver changed how it calculates a container ID.

Look in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards for your card, and the 80000001 points at the minidriver. (And look at HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards for 32-bit apps.)

Your problem may be that 64- and 32-bit apps are using different minidrivers, i.e. vendor vs OpenSC.
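The registry check described in the reply above, as an added example that is not part of the original thread: it reads the 80000001 value for every card entry under both keys and flags entries where the 64-bit and 32-bit views name different minidrivers. The function name `Get-CardMinidriver` is hypothetical, and the script assumes it runs in a 64-bit PowerShell session (a 32-bit session is redirected to WOW6432Node for both paths).

```powershell
# Added example, read-only: compare the minidriver registered per card
# in the 64-bit and 32-bit (WOW6432Node) registry views.
$views = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards'
}

function Get-CardMinidriver {   # hypothetical helper name
    param([string]$Root)
    $map = @{}
    if (-not (Test-Path -LiteralPath $Root)) { return $map }
    foreach ($key in Get-ChildItem -LiteralPath $Root) {
        # The value named 80000001 points at the minidriver for this card entry.
        # Entries without it (no minidriver registered) yield $null.
        $map[$key.PSChildName] = $key.GetValue('80000001')
    }
    return $map
}

$native = Get-CardMinidriver $views['64-bit']
$wow    = Get-CardMinidriver $views['32-bit']
$names  = @($native.Keys) + @($wow.Keys) | Sort-Object -Unique

$report = foreach ($name in $names) {
    # Compare file names only, case-insensitively; the directory may differ
    # between the two views even when the same vendor's driver is used.
    $f64 = [IO.Path]::GetFileName([string]$native[$name])
    $f32 = [IO.Path]::GetFileName([string]$wow[$name])
    [pscustomobject]@{
        Card     = $name
        Driver64 = if ($f64) { $f64 } else { '<none>' }
        Driver32 = if ($f32) { $f32 } else { '<none>' }
        Same     = ($f64 -eq $f32)
    }
}

# Rows with Same = False are cards where 64-bit and 32-bit applications
# would be served by different minidrivers.
$report | Sort-Object Same, Card | Format-Table -AutoSize
```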
-
First of all, thank you for the detailed answer. I realized that I wrote something nonsensical (Minidriver aspect): To be honest, I don't know exactly how that answers the question. Perhaps you could write something about it.
-
Your question appears to have nothing to do with OpenSC, as you are using the Gemalto minidriver. The user or the user applications do not call the minidriver directly; only Microsoft code does, to get info about the card to use in creating the info stored in the cert store, so given a certificate, Microsoft code can call the correct minidriver for a card and tell the user to insert the card if not present. So there is nothing else I can do.
-
Ok, thanks anyway
-
One last comment. Citrix Workspace and other apps like Microsoft Remote Desktop Connection may be able to use a smartcard over the network at the PC/SC layer (or other layer), so the cert store and container ID may be on the remote host and not the host with the smart card. Virtualized smart card readers may have a different name from the real name. These may be part of another problem. Login vs user signing something may also be different, and if the sharing is not at PC/SC layer. I have used RDC but never Citrix.
-
Hello everyone,
I need help changing the default key container.
Maybe someone knows if this is possible with the Smartcard/Crypt-API from Microsoft.
I would be very grateful for any ideas or solutions.