Key Counting

The nShield CSP supports the PP_CRYPT_COUNT_KEY_USE parameter on a context obtained from CryptAcquireContext as long as a module with NVRAM is attached. Setting this parameter to a nonzero value causes all keys generated from that point on to have nonvolatile use counters. The setting remains in effect for that context until CryptReleaseContext is called or until PP_CRYPT_COUNT_KEY_USE is reset to 0.

Key counting is not directly supported by end-user applications such as IIS. It is only supported by Microsoft Certificate Services under Windows 2003 and later. However, it is possible to create a certificate that uses a key counter in cases where key counting is not directly supported.
Key counting is not supported in HSM Pool mode.
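The call sequence an application would use to generate one key with a nonvolatile use counter, as an added example in C# (P/Invoke to CryptoAPI); it is not code from the nShield CSP documentation or from Entrust. It assumes the parameter is set with CryptSetProvParam on the provider context, that PP_CRYPT_COUNT_KEY_USE has its wincrypt.h value of 41, and that the provider name passed on the command line is the installed nShield CSP's name (the default string below is a placeholder, not a real provider name). The container name and key size are constructed sample values.

```csharp
// Added example (not nShield/Entrust code): enable key counting on a CryptoAPI
// context, generate one counted key, then turn counting off and release the context.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class CountedKeyDemo
{
    const uint PROV_RSA_FULL = 1;
    const uint CRYPT_NEWKEYSET = 0x8;
    const uint CRYPT_MACHINE_KEYSET = 0x20;
    const uint AT_SIGNATURE = 2;
    const uint PP_CRYPT_COUNT_KEY_USE = 41;      // value from wincrypt.h
    const uint KEY_LENGTH_2048 = 2048u << 16;    // CryptGenKey carries the key length in the upper 16 bits of dwFlags

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CryptAcquireContext(out IntPtr hProv, string container, string provider, uint provType, uint flags);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptSetProvParam(IntPtr hProv, uint param, ref uint data, uint flags);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGenKey(IntPtr hProv, uint algId, uint flags, out IntPtr hKey);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptDestroyKey(IntPtr hKey);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptReleaseContext(IntPtr hProv, uint flags);

    static void Check(bool ok, string what)
    {
        if (!ok) throw new Win32Exception(Marshal.GetLastWin32Error(), what + " failed");
    }

    // Generates a signature key in `container` whose use counter lives in module NVRAM.
    // The PP_CRYPT_COUNT_KEY_USE setting is scoped to this provider context: it is
    // cleared when the context is released or when the value is reset to 0.
    static void GenerateCountedKey(string provider, string container)
    {
        IntPtr hProv;
        Check(CryptAcquireContext(out hProv, container, provider, PROV_RSA_FULL,
                                  CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET), "CryptAcquireContext");
        try
        {
            uint enable = 1;
            // Expected to fail when no module with NVRAM is attached or in HSM Pool mode,
            // so the failure is reported rather than silently producing an uncounted key.
            Check(CryptSetProvParam(hProv, PP_CRYPT_COUNT_KEY_USE, ref enable, 0),
                  "CryptSetProvParam(PP_CRYPT_COUNT_KEY_USE)");

            // Every key generated while the setting is nonzero gets a counter; creating
            // its NVRAM area requires the Administrator Card quorum at this point.
            IntPtr hKey;
            Check(CryptGenKey(hProv, AT_SIGNATURE, KEY_LENGTH_2048, out hKey), "CryptGenKey");
            CryptDestroyKey(hKey);   // releases the handle only; the key stays in the container

            // Reset to 0 so any further keys generated in this context are ordinary keys.
            uint disable = 0;
            Check(CryptSetProvParam(hProv, PP_CRYPT_COUNT_KEY_USE, ref disable, 0),
                  "CryptSetProvParam(PP_CRYPT_COUNT_KEY_USE reset)");
        }
        finally
        {
            CryptReleaseContext(hProv, 0);   // also clears the setting for this context
        }
    }

    static void Main(string[] args)
    {
        // PLACEHOLDER: pass the installed nShield CSP's provider name as the first argument.
        string provider = args.Length > 0 ? args[0] : "<nShield CSP provider name>";
        string container = args.Length > 1 ? args[1] : "counted-signing-key";   // constructed sample name
        GenerateCountedKey(provider, container);
        Console.WriteLine("Generated a key with a nonvolatile use counter in container " + container);
    }
}
```

The parameter is checked and reset explicitly because the counter setting belongs to the context, not to the application: any key generated on the same context before the reset, including by library code the application did not write, would also receive a counter and consume an NVRAM area.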

Keys that have counters can only be loaded on one module at a time. The key-generation and key-loading functions enforce this behavior. When you generate these keys, you must present your Administrator Cards in order to authorize the creation of the new NVRAM area.

You must not insert your Administrator Cards in an untrusted host.

To minimize the exposure of the Security Officer root key (KNSO) when you generate a key with key counting enabled, you should create the Security World with an NVRAM delegation key that requires the presentation of fewer Administrative Cards than are required to load KNSO.

If you reinitialize your module for any reason, all the NVRAM areas on that module are erased. You must then use cspnvfix to recreate the NVRAM areas for all the keys that have counters.