Tags: ssl, digital-signature, x509certificate, pki

How is a x509 certificate aware of being linked to a private key?


I can't understand how a certificate is aware of being linked to a private key. For example, under Windows, when you click on a certificate that comes from a smart card it says "You have a private key that corresponds to this certificate". How does the certificate know this? I've been reading RFC 5280; however, I don't see any field within the X.509 certificate that specifies whether the certificate is connected to a private key or not. What am I missing?


Solution

  • In general, any public key is contained in its private key. Regardless of operating system, storage mechanism or library, given just an X.509 certificate and a private key, the public key value can be extracted from the private key and compared to the public key value in the certificate. If they match, the private key belongs with the certificate.

    For example, an RSA private key is made up of

    1. PublicExponent
    2. Modulus
    3. Prime1
    4. Prime2
    5. Exponent1 [optional]
    6. Exponent2 [optional]
    7. Coefficient [optional]
    8. PrivateExponent [optional]

    The first two, PublicExponent and Modulus, make up the public key and are stored in the X.509 certificate. (The optional fields above can be calculated from the first four but are usually included in the private key, since it takes a lot of CPU power to calculate them.)

    For your specific example, the MMC certificate snap-in queries the Crypto API (CAPI) for installed certificates. CAPI uses Cryptographic Service Provider (CSP) modules, which can provide, amongst other things, certificate stores. As part of the CSP certificate store specification, the store provides an attribute "PP_Container" for each stored certificate. This attribute tells CAPI the name of the CSP container that holds the matching private key (if any). This "separation" allows for the private key to be stored on a smart card or hardware security module, while the certificate is stored on the Windows system itself.
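The comparison the answer describes, carried out in code as an added example that is not part of the original answer: it assumes the `cryptography` package is installed, generates a throwaway RSA key, wraps its public half in a self-signed certificate (constructed test data, not a real certificate), and then decides whether a given private key belongs with that certificate by deriving the public key from the private key and comparing it with the certificate's SubjectPublicKeyInfo. The function and variable names are the example's own. `rsa_private_components` also pulls out the fields listed above (Modulus, PublicExponent, Prime1, Prime2 and the optional CRT values) so you can see that the public pair really is a subset of the private key.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def generate_test_key(bits=2048):
    """Throwaway RSA key for the demonstration (constructed, never reuse for anything real)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def make_self_signed_cert(private_key, common_name="example.test"):
    """Wrap the public half of private_key in a self-signed certificate (constructed test data)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
        .sign(private_key, hashes.SHA256())
    )


def key_matches_certificate(private_key, cert):
    """True if the public key derived from private_key equals the one embedded in cert.

    Comparing the DER-encoded SubjectPublicKeyInfo works for any key type (RSA, EC, ...),
    which is exactly the check a certificate store performs when it reports a matching key.
    """
    der = lambda pub: pub.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return der(private_key.public_key()) == der(cert.public_key())


def rsa_private_components(private_key):
    """The RSA private-key fields named in the answer, keyed by the answer's own names."""
    priv = private_key.private_numbers()
    pub = priv.public_numbers  # Modulus and PublicExponent: the part that goes into the cert
    return {
        "PublicExponent": pub.e,
        "Modulus": pub.n,
        "Prime1": priv.p,
        "Prime2": priv.q,
        "Exponent1": priv.dmp1,      # d mod (p-1)
        "Exponent2": priv.dmq1,      # d mod (q-1)
        "Coefficient": priv.iqmp,    # q^-1 mod p
        "PrivateExponent": priv.d,
    }


def demo():
    """Run the full check: matching key -> True, unrelated key -> False."""
    key = generate_test_key()
    cert = make_self_signed_cert(key)
    unrelated = generate_test_key()
    parts = rsa_private_components(key)
    cert_modulus = cert.public_key().public_numbers().n
    return {
        "own_key_matches": key_matches_certificate(key, cert),
        "unrelated_key_matches": key_matches_certificate(unrelated, cert),
        "modulus_in_cert_equals_p_times_q": parts["Prime1"] * parts["Prime2"] == cert_modulus,
    }


if __name__ == "__main__":
    print(demo())
```

The same check from the OpenSSL command line is to print the public key from each side and compare the output: `openssl x509 -in cert.pem -noout -pubkey` against `openssl pkey -in key.pem -pubout`; if the two PEM blocks are identical, the key belongs with the certificate.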