CAPI driver (and IIS 7.x) configuration
The cryptographic application programming interface (CAPI) application driver installs certificates and private keys in the CAPI store of a Windows host running Windows Remote Management (WinRM).
The CAPI driver relies on native Windows functionality, fully supported by Microsoft, and has minimal port requirements, which greatly simplifies its integration in even the largest organizations.
To help you prevent system outages, you can also choose elliptic curve cryptography (ECC) as your method of encrypting keys. Both the CAPI and Apache drivers support provisioning certificates that use ECC keys, using either central or remote generation. Following provisioning, certificates and keys are extracted and, if using remote generation, downloaded in all supported certificate store formats.
For more information about ECC, see About RSA and elliptic curve cryptography (ECC) key algorithms.
Optionally, the CAPI driver can also bind the installed certificates and private keys to an IIS web site. This makes it the best choice for provisioning certificates to IIS 7.0 and later.
DID YOU KNOW? As Microsoft Windows® evolved from a consumer to an enterprise operating system, Microsoft introduced a cryptographic application programming interface (CryptoAPI) built around an operating system-centric certificate and key store commonly referred to as the CAPI store.
Today, nearly all Microsoft (and some third-party) applications that use certificates access them from the CAPI store. Server-based applications such as IIS®, Exchange®, SQL Server®, and Lync® are all designed to work with certificates in the Local Computer\Personal CAPI store.
In 2006, Microsoft released a new scripting language called PowerShell. But it wasn't until the release of Windows Management Framework 2.0 that Windows had a native feature analogous to SSH. WinRM introduced the ability to securely execute commands on remote Windows systems. PowerShell provides robust support for manipulating certificates in the CAPI store and for configuring IIS. Together, WinRM and PowerShell form the foundation of the CAPI driver included with Trust Protection Platform.
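The following added example (not part of the product or its documentation) uses the same building blocks described above, WinRM and PowerShell, to check what ended up in the Local Computer\Personal store of a host and which IIS SSL bindings reference each certificate. The host name and the 30-day warning window are assumptions, and the script assumes PowerShell 3.0 or later with the WebAdministration module available on the target.

```powershell
# Added example. Read-only audit; it changes nothing on the host.
param(
    [string]$ComputerName = 'iis01.example.test',  # hypothetical host name
    [int]$WarnDays = 30                            # assumed expiry warning window
)

$audit = {
    param([int]$WarnDays)

    # Map thumbprint -> IIS SSL bindings ("ip:port") that reference it.
    $bound = @{}
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    if (Test-Path 'IIS:\SslBindings') {
        foreach ($b in Get-ChildItem 'IIS:\SslBindings') {
            if ($b.Thumbprint) {
                $bound[$b.Thumbprint] += @("$($b.IPAddress):$($b.Port)")
            }
        }
    }

    # Local Computer\Personal is Cert:\LocalMachine\My in the certificate provider.
    foreach ($cert in Get-ChildItem 'Cert:\LocalMachine\My') {
        $oid = $cert.PublicKey.Oid.Value
        $alg = switch ($oid) {
            '1.2.840.113549.1.1.1' { 'RSA' }
            '1.2.840.10045.2.1'    { 'ECC' }
            default                { $oid }   # report unknown algorithms by OID
        }
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

        $issues = @()
        if (-not $cert.HasPrivateKey) { $issues += 'no private key' }
        if ($daysLeft -lt 0) { $issues += 'expired' }
        elseif ($daysLeft -lt $WarnDays) { $issues += "expires in $daysLeft days" }

        [pscustomobject]@{
            Subject    = $cert.Subject
            KeyAlg     = $alg
            DaysLeft   = $daysLeft
            IISBinding = $bound[$cert.Thumbprint] -join ', '
            Issues     = $issues -join '; '
        }
    }
}

# Invoke-Command runs the script block on the remote host over WinRM.
Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit -ArgumentList $WarnDays |
    Sort-Object DaysLeft |
    Format-Table Subject, KeyAlg, DaysLeft, IISBinding, Issues -AutoSize
```

A certificate that shows an IIS binding together with "no private key" or "expired" is the case most likely to cause an outage and is worth reviewing first.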
NOTE For information about the trust store, see About creating and configuring trust stores.
This section provides the information you need to correctly configure a CAPI driver object and contains the following sections: