3.3. Windows Cryptographic Service Provider
The Microsoft Windows version of the Enterprise Security Client installs a Windows Cryptographic Service Provider (CSP) that is compatible with the Certificate System-supported smart cards.
Microsoft Windows includes a software library that implements the Microsoft Cryptographic Application Programming Interface (CAPI). CAPI allows Windows-based applications, such as the Windows version of the Enterprise Security Client, to perform secure cryptographic functions. This API, also known as CryptoAPI, provides a layer between an application that supports it, such as Certificate System, and the details of the underlying cryptographic services.
The CAPI interface can be used to create custom CSP libraries. In Certificate System, custom CSP libraries have been created to use the Certificate System-supported smart cards.
The Certificate System CSP, which has been signed by Microsoft, provides the following features:
Allows the user to send and receive encrypted and signed emails with Microsoft Outlook.
Allows the user to visit SSL-protected websites with Microsoft Internet Explorer.
Allows the user to use smart cards with certain VPN clients, which provides secure access to protected networks.
The required CSP libraries are automatically installed with the Enterprise Security Client. There are several common situations when a Windows user interacts directly with the CSP:
When a smart card is enrolled with the Enterprise Security Client, the newly created certificates are automatically inserted into the user's CAPI store.
When a smart card is formatted, the certificates associated with that card are removed from the CAPI store.
When using applications such as Microsoft Outlook or Microsoft Internet Explorer, the user may be prompted to enter the smart card's password. This is required when the smart card is asked to perform protected cryptographic operations such as creating digital signatures.
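One way to confirm the enrollment and format behavior described above is to snapshot the current user's personal certificate store before and after the operation and compare the two. The following PowerShell is an added example, not part of the Enterprise Security Client or Certificate System; the function names are hypothetical, and it assumes the certificates land in the user's personal store (`Cert:\CurrentUser\My`).

```powershell
# Added example (hypothetical helper names). Reads certificate properties
# only; the private key on the smart card is never opened.
function Get-UserCertSnapshot {
    # Assumption: enrolled certificates appear in the user's personal store.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

# Report certificates that appeared or disappeared between two snapshots.
function Compare-UserCertSnapshot {
    param(
        [object[]]$Before = @(),
        [object[]]$After  = @()
    )
    $old = @($Before | ForEach-Object { $_.Thumbprint })
    $new = @($After  | ForEach-Object { $_.Thumbprint })
    $change = @{ Name = 'Change'; Expression = { 'Added' } }
    foreach ($c in $After) {
        if ($old -notcontains $c.Thumbprint) {
            $c | Select-Object $change, Thumbprint, Subject, NotAfter
        }
    }
    $change = @{ Name = 'Change'; Expression = { 'Removed' } }
    foreach ($c in $Before) {
        if ($new -notcontains $c.Thumbprint) {
            $c | Select-Object $change, Thumbprint, Subject, NotAfter
        }
    }
}

# Usage: wrap in @() so an empty store yields an empty array, not $null.
$before = @(Get-UserCertSnapshot)
Read-Host 'Enroll or format the card, then press Enter' | Out-Null
$after = @(Get-UserCertSnapshot)
Compare-UserCertSnapshot -Before $before -After $after |
    Format-Table -AutoSize
```

After an enrollment the new certificates should be listed as `Added`; after a format, the card's certificates should be listed as `Removed`, and any that remain in the store are stale entries worth investigating.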