Certificate Propagation

“Certificate Mover” function in Net iD has always existed. The function reads inserted smart card and publishes certificates to “MyStore” which is central to much of the certificate functionality in CryptoAPI. The certificates are then accessible for i.e Internet Explorer.

See how you do in a Citrix-Solutions

“Certificate Mover” is whats ”spinning” in taskbar when you insert a smart card:

Certificate Propagation

Windows has its own function for this, called “Certificate Propagation” service. This function never removes certificates from MyStore when smart card is removed. This could be very problematic in same scenarios.

MyStore after smart card inserted with ”Certificate Mover” in Net iD:

Certificate Propagation

MyStore after smart card removed with ”Certificate Mover” in Net iD:

Certificate Propagation

MyStore after smart card removed with ”Certificate Propagation” service, certificates not removed and still accessible by other applications but they cannot be used since smart card and corresponding private key is not present:

Certificate Propagation

Five certificates are available from the calling application but only one is actually present and can be used since Certificate Propagation service has not removed the previously inserted smart card certificates.

Certificate Propagation

Selecting the ”wrong” certificate will result in this dialog confusing the user:

Certificate Propagation

This is especially problematic on shared computers since a lot of user certificates will pass MyStore and all will be shown for each user.

But there is a solution!

Below are some tips to avoid interference between Net iD and Windows own Certificate Propagation service.
(Certificate Propagation service is still dependent on Net iD CSP to be able to publish the certificates.)


Following has worked well in test performed by SecMaker but should not be taken as a garanty for successful solution in other environments. Large IT-solutions often have complex combinations and changes to registry and services could have unwanted results. Proceed with caution and preferably in a test-environment before applying in production.

Always make sure the latest drivers for your smart card readers are installed. Don’t use Microsoft CCID-driver!

Windows 7/8.1/10

1) Disable GPO:

2) Stop and disable service:

Certificate Propagation

Dela denna artikel