Microsoft CNG Key Storage Provider

Updated: July 25, 2017


The Microsoft CNG Key Storage Provider (KSP) for Windows 64-bit can be downloaded here.


SmartKeyKmsClient.msi installs the CNG Provider, as well as an EKM provider and PKCS#11 library.

The KMS CNG Provider is installed at C:\Windows\System32\FortanixKmsCngProvider.dll and is registered with Windows during installation.

The certutil command on Windows can be used to verify that the CNG Provider is registered. To display all registered cryptographic service providers on the system, run

certutil -csplist

You should be able to locate Fortanix KMS CNG Provider in this list.


Uninstall SmartKeyKmsClient.msi (click Uninstall from the context menu or uninstall via Windows’s “Programs and Features” manager).


The Fortanix KMS Server URL and proxy information are configured in the Windows registry for the local machine or current user with C:\Program Files\Fortanix\KmsClient\FortanixKmsClientConfig.exe.

The machine key store uses the local machine configuration, and the user key store uses the current user configuration.

For example, to configure the Fortanix KMS Server URL for the local machine, run

FortanixKmsClientConfig.exe machine --api-endpoint

To configure the Fortanix KMS Server URL for the current user, run

FortanixKmsClientConfig.exe user --api-endpoint

To configure proxy information, add --proxy or --proxy none to unconfigure proxy.

The CNG does not provide an API for logging in with a credential, so the API Key for the Fortanix KMS CNG Provider is stored in the Windows registry, encrypted using the Windows Data Protection API.

The API key needs to be generated ahead of time by adding an application to SmartKey. Then, it may be configured for the machine key store:

FortanixKmsClientConfig.exe machine --api-key <key>

or the user key store:

FortanixKmsClientConfig.exe user --api-key <key>