A cryptographic service provider (CSP) is the program that performs authentication, encoding, and encryption services that Windows-based applications access through the Microsoft Cryptography application programming interface (CryptoAPI). Each CSP provides a different implementation of the CryptoAPI. Some provide stronger cryptographic algorithms, while others use hardware components, such as smart cards.

When you generate a request for a new certificate, the information in that request is first sent from the requesting program to CryptoAPI. CryptoAPI provides the proper data to a CSP that is installed on your computer or on a device that is accessible to your computer. If the CSP is software-based, it generates a public key and a private key, often referred to as a key pair, on your computer. If the CSP is hardware-based, such as a smart card CSP, it instructs a piece of hardware to generate the key pair.

After the keys are generated, a software-based CSP encrypts and then secures the private key. A smart card CSP stores the private key on a smart card. The smart card then controls access to the key.

The public key is sent to the certification authority (CA), along with the certificate-requester information. After the CA verifies the certificate request according to its policies, it uses its own private key to create a digital signature in the certificate and then issue it to the requester. The CA presents the certificate to the certificate requester along with the option to install it in the appropriate certificate store on the computer or hardware device.

For more information, see Request a Certificate and Guidelines for Using Alternate Signature Formats.