Store personal certificates encrypted in Windows?

Solution 1:

Your certificate was imported into Windows Certificate Store, where it is kept encrypted with a key tied to your Windows account (which is in turn encrypted with your Windows login password).

You can use certmgr.msc to manage certificates (look under Personal).

Personal certificates can be protected in several ways. In XP, both options are only presented when importing from a PKCS#12 file. You will have to remove and re-import the certificate/key in order to change them.

Certificate Import Wizard

  • Non-exportable: When importing the certificate, disable "Mark this key as exportable". This way, programs can still use the certificate to sign and decrypt, but they cannot access the private key itself.

  • Strong protection: When importing the certificate, check "Enable strong private key protection". After completing the import, you will be asked to choose a CryptoAPI security level.

    Security level

    • Medium – Windows will ask for confirmation every time the key is used

    • High – you can enter a protection password, which Windows will ask for whenever the key is used.

    (At least in Windows XP, there is a slight bug: You must choose "High" in order to change the "description" field from the default "CryptoAPI Private Key". This has no effect on actual security, however.)
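The same "non-exportable" import can be done from the command line on Windows 8 / Server 2012 and later, and the result can be checked afterwards; this is an added example, not part of the original answer. It assumes the PKI module's Import-PfxCertificate cmdlet is available and uses a placeholder PFX path.

```powershell
# Added example: import a PKCS#12 file with a NON-exportable private key and
# verify the store's view of the key. Path and password prompt are placeholders.
$pfxPath = 'C:\certs\me.pfx'
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# Omitting -Exportable is the command-line equivalent of leaving
# "Mark this key as exportable" unchecked in the Certificate Import Wizard.
# (Strong private key protection has no switch here; the wizard, or
# certutil -importPFX with the ProtectHigh modifier, sets that.)
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation 'Cert:\CurrentUser\My' `
            -Password $pfxPass

function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Resolve the private key through the store; works for both CNG (KSP)
    # and legacy CryptoAPI (CSP) keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa) {
        throw "No RSA private key accessible for $($Certificate.Thumbprint)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: an ExportPolicy of None means the key cannot leave the store.
        return ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the container flag records exportability.
        return [bool]$rsa.CspKeyContainerInfo.Exportable
    }
    throw "Unexpected key type $($rsa.GetType().FullName)"
}

$exportable = Test-PrivateKeyExportable -Certificate $cert
'{0}  Subject={1}  Exportable={2}' -f $cert.Thumbprint, $cert.Subject, $exportable
if ($exportable) {
    Write-Warning 'Private key is exportable; remove it and re-import without -Exportable.'
}
```

Run the check against any existing certificate with `Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-PrivateKeyExportable $_ }` to audit keys that were imported earlier with the exportable flag set.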