Net iD Service

Cryptography API: Next Generation (CNG)

Page updated: 2023-07-07


What it is

Cryptography API: Next Generation (CNG) is the second generation of the Windows CryptoAPI (CAPI) and its long-term replacement.

CNG is designed to be extensible at many levels and cryptography-agnostic in behavior. CNG allows you to replace existing algorithm providers with your own providers and to add new algorithms as they become available. CNG also allows the same APIs to be used from user-mode and kernel-mode applications.

Microsoft is slowly leaving CAPI in favour of CNG. We have seen it happen in outlook.exe and in some .NET Framework scenarios from version 4.7.2.


Developing with CNG

Start here: https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal

Some advice

# Avoid working directly with cards
# Avoid working directly with containers
# Avoid working directly with labels
# Avoid working directly with keys

Just go for the certificates in the MY (Personal) store.


The KSP

You cannot see which provider is handling your certificates in the MY store from the Certificates snap-in:

To find out which KSP is handling your certificates in the MY store, just type:

certutil -store -user MY

In this case we can see that the certificate in the picture above is registered with the "Net iD KSP" provider:

And here we can see CNG working with the Net iD KSP when doing mutual TLS with Edge:
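The two points above, working only through the certificates in the MY store and finding out which KSP holds each private key, as an added PowerShell example (not Net iD's own code). It assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, where GetRSAPrivateKey returns RSACng for a CNG (KSP) key and RSACryptoServiceProvider for a legacy CAPI key; the function names, the test message and the thumbprint placeholder are constructed for this example.

```powershell
# Added example, not Net iD's own code. Assumes Windows PowerShell 5.1 (.NET Framework 4.7.2+),
# where GetRSAPrivateKey returns RSACng for a CNG (KSP) key and RSACryptoServiceProvider for a
# legacy CAPI key. Run it in the user context whose MY store you want to inspect.

function Get-MyStoreKeyProviders {
    # Same information as the "Provider =" line of "certutil -store -user MY", obtained via .NET.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        }
        # Opening the key handle does not need the card PIN; only a private-key operation does.
        $isCng = ($key -is [System.Security.Cryptography.RSACng]) -or ($key -is [System.Security.Cryptography.ECDsaCng])
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Api        = if ($isCng) { 'CNG' } else { 'CAPI' }
            # For a CNG key this is the KSP name, e.g. "Microsoft Software Key Storage Provider" or "Net iD KSP".
            Provider   = if ($isCng) { $key.Key.Provider.Provider } else { $key.CspKeyContainerInfo.ProviderName }
        }
    }
}

function Test-MyStoreCertificateSigning {
    # Signs a constructed message with the certificate selected by thumbprint and verifies it with
    # the certificate's public key. Only the store and the thumbprint are referenced: no card,
    # container, label or key name, which is what the advice above recommends.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    $data = [System.Text.Encoding]::UTF8.GetBytes('constructed test message')
    $hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $rsa  = $ext::GetRSAPrivateKey($cert)
    if ($rsa) {
        $pad = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
        $sig = $rsa.SignData($data, $hash, $pad)          # a smart card KSP prompts for the PIN here
        return $ext::GetRSAPublicKey($cert).VerifyData($data, $sig, $hash, $pad)
    }
    $ecExt = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]
    $ecdsa = $ecExt::GetECDsaPrivateKey($cert)
    if (-not $ecdsa) { throw "Certificate $Thumbprint has no usable RSA or ECDSA private key" }
    $sig = $ecdsa.SignData($data, $hash)
    return $ecExt::GetECDsaPublicKey($cert).VerifyData($data, $sig, $hash)
}

# Usage:
#   Get-MyStoreKeyProviders | Format-Table -AutoSize
#   Test-MyStoreCertificateSigning -Thumbprint '<thumbprint from the table above>'   # returns True on success
```

Certificates whose key sits in a legacy CSP show up as "CAPI" in the table; those are the ones that the CNG-only code paths mentioned above (newer outlook.exe, .NET Framework 4.7.2 scenarios) will not be able to use.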