Reputation: 566
I have a PKCS#11 library that communicates with the vendor's smart card. The low-level details are not provided and I'm not interested in them either.
BTW the smart card has no internal certificate associated with it, it's just a dumb smart card with a private key store.
So my question is:
What kind of code should I write to obtain a certificate from the PKCS#11 library, or do I need to write such code? Does PKCS#11 support exporting certificates? (I heard OpenSSL supports using 3rd party PKCS#11 libraries. Can I use that to export a certificate from a smart card?)
If the answer to the previous question is yes, in what kind of format is the certificate created? What kind of conversions should I do in order to convert the raw created certificate into an Office-supported certificate format?
And the last question is how to apply that certificate in Microsoft Office (2013) in order to digitally sign documents? It looks like Office itself doesn't like internal certificates and it keeps requesting us to get one from VeriSign (?) What's wrong here and how can I force Office to use my own created certificate using the aforementioned method?
Upvotes: 0
Views: 1004
Reputation: 46040
The PKCS#11 interface lets you read ("export") the certificate from the hardware. However, you need not just a certificate, but also a private key. Most hardware devices won't let you export a private key. PKCS#11 has a set of functions which let you perform cryptographic operations using private keys stored in the hardware, but not to export those keys.
The certificate is usually exported in native DER format, which can later be put into a PFX file. However, without a private key it doesn't make sense.
Unfortunately I don't know what MS Office expects. I assume that Office in your case accepts only certificates which can be validated up to the trusted root certificate.
Upvotes: 1
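Reading a certificate object over PKCS#11 yields its raw DER bytes (the object's CKA_VALUE attribute). The following is an added example, not code from either poster: using only the Python standard library, it checks that such bytes have the outer shape of an X.509 certificate and wraps them as PEM. The function names are hypothetical and the sample bytes are a constructed skeleton, not a real certificate.

```python
import base64

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def looks_like_x509(der):
    """True if der is exactly one SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }."""
    try:
        tag, body, end = read_tlv(der)
        if tag != 0x30 or end != len(der):   # wrong type or trailing bytes
            return False
        tags, pos = [], 0
        while pos < len(body):
            t, _, pos = read_tlv(body, pos)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03]
    except ValueError:
        return False

def der_to_pem(der):
    """Wrap DER certificate bytes as a PEM CERTIFICATE block (64-column base64)."""
    if not looks_like_x509(der):
        raise ValueError("not a DER X.509 certificate structure")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])

def tlv(tag, value):
    """Encode one DER TLV; used only to build the constructed sample below."""
    raw = len(value).to_bytes((len(value).bit_length() + 7) // 8 or 1, "big")
    head = raw if len(value) < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

# Constructed skeleton (assumption: stands in for CKA_VALUE read from a token).
SAMPLE_DER = tlv(0x30, tlv(0x30, b"\x00" * 200) + tlv(0x30, b"\x05\x00")
                 + tlv(0x03, b"\x00" + b"\xAA" * 64))
```

The structural check only looks at the outer three fields; it does not validate the signature or the chain to a trusted root.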