Signature and Exchange key types– what are they and when to use each ( Makecert -sky )?
-sky switch: Specifies the subject's key type, which must be signature, exchange, or an integer that represents a provider type. By default, you can pass 1 for an exchange key and 2 for a signature key.
If I understand this correctly, then signature and exchange are two key types? In what situations is each used?
thank you
That is correct, these are the two types of asymmetric keys (public/private keys). Asymmetric keys are generally used for two purposes: 1) encrypting session keys, 2) creating a digital signature.
When talking about the key type: Exchange = encrypt session keys; Signature = create digital signature.
Here is a link that has a good explanation: Asymmetric Keys
The answer is hidden at the very end of the article referenced in the other answer.
TL;DR: There is no technical difference between Signature and Exchange keys.
It is just about the key storage. Typical user will have two different key pairs for two different purposes ("exchange" and "sign"). They will be stored in corresponding "slots" of the key store. And the key store can actually contain more key pairs, if needed.
- For Microsoft Legacy CSP:
  There is a difference between the SIGNATURE and EXCHANGE key types.
  - Key type: Exchange - used for both signing and encryption
  - Key type: Signature - used only for signing
  Unless otherwise advised, when you create your CSR, you would choose the key type Exchange.
- If you are using Cryptography Next Generation (CNG) providers, then this conversation is not applicable. New(er) providers don't have a key type option to choose.
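To see which slot a key actually landed in, here is an added PowerShell example (not from this thread or from makecert's documentation) that walks the current user's Personal store and reports, per certificate, whether its private key sits in a legacy CSP container (and whether that is the Exchange or Signature slot, the value makecert -sky selects) or in a CNG key storage provider, where no such option exists. It assumes Windows PowerShell 5.1 on .NET Framework; the function name Get-PrivateKeySlot and the output field names are my own.

```powershell
# Added example, not code from the thread or from makecert itself.
# Assumes Windows PowerShell 5.1 (.NET Framework), where X509Certificate2.PrivateKey
# surfaces legacy CSP keys as RSA/DSACryptoServiceProvider and fails for CNG-stored keys.
function Get-PrivateKeySlot {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $result = [ordered]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Storage    = 'none'
        KeyType    = 'no private key'
        Provider   = $null
    }
    if (-not $Certificate.HasPrivateKey) { return [pscustomobject]$result }

    # Legacy CSP keys expose CspKeyContainerInfo; KeyNumber is the slot makecert -sky selected:
    # Exchange (AT_KEYEXCHANGE = 1) or Signature (AT_SIGNATURE = 2).
    $csp = $null
    try { $csp = $Certificate.PrivateKey.CspKeyContainerInfo } catch { $csp = $null }

    if ($null -ne $csp) {
        $result.Storage  = 'Legacy CSP'
        $result.KeyType  = $csp.KeyNumber          # Exchange or Signature
        $result.Provider = "$($csp.ProviderName) (type $($csp.ProviderType))"
        return [pscustomobject]$result
    }

    # No CSP container: the key is held by a CNG key storage provider, which has no
    # Exchange/Signature key-type option (the point made for CNG above).
    $result.Storage = 'CNG'
    $result.KeyType = 'n/a (CNG has no Exchange/Signature slots)'
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $result.Provider = $rsa.Key.Provider.Provider }
    } catch { }
    return [pscustomobject]$result
}

# Walk the current user's Personal store and show where each private key lives.
Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object { Get-PrivateKeySlot -Certificate $_ } |
    Format-Table Subject, Storage, KeyType, Provider -AutoSize
```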
I have the same question. I did not find any documentation about this but my guess is the options determine the intended usage of the key and the certificate, whether it is for signing or key exchange. In most situations we need a signature key.