SecureBlackbox 16: The certificate on a USB token is not visible from a service. How do I use such a certificate?

Note: This article applies only to SecureBlackbox Legacy. For future development please consider using the latest version.

It often happens that you plug in a hardware device (e.g., a smart card or USB crypto token) and access its certificates via TElWinCertStorage from a UI application without any trouble. But when you move the same code into a service application, the certificate is no longer accessible.

This is a common situation with hardware. The problem is that inexpensive, user-oriented hardware (crypto cards and USB tokens) usually maps its certificates into the CryptoAPI MY certificate store of the current user. Since you plug in the device as an interactive user (which is always the case), such a certificate is not visible from other accounts, such as the SERVICE or SYSTEM account under which the service runs.

Whether the certificate can be used via CryptoAPI and TElWinCertStorage in this scenario therefore depends on whether the hardware's controlling software (its driver or middleware) can be configured to map certificates to other accounts, or to the Local Machine store rather than the Current User store.

If you can reconfigure it, then there's a chance for your approach to work. If you can't reconfigure it, then using PKCS#11 is the only way to solve the problem.
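As an added diagnostic that is not part of this article or of SecureBlackbox, the PowerShell function below lists certificates in the CurrentUser and LocalMachine MY stores together with the key provider backing each one, so you can see which store the token's driver populates and whether the private key is reachable. Run it once interactively and once under the service account; the function name and the 'Token' subject filter are assumptions.

```powershell
# Added example (not SecureBlackbox code): report where a certificate lives and
# which key provider backs it. Compare the output from the interactive account
# with the output from the service account to confirm the store mapping.
function Get-CertificateStoreLocation {
    param(
        # Substring matched against the certificate subject; '' lists everything.
        [string]$SubjectFilter = ''
    )
    Write-Host ("Running as: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name)
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($cert.Subject -notlike "*$SubjectFilter*") { continue }
            $provider = '(no private key visible)'
            if ($cert.HasPrivateKey) {
                try {
                    # Works for both CSP (CryptoAPI) and CNG (KSP) RSA keys on .NET 4.6+.
                    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($null -eq $key) {
                        $provider = '(non-RSA key; not inspected)'
                    } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        $provider = $key.CspKeyContainerInfo.ProviderName
                        if ($key.CspKeyContainerInfo.HardwareDevice) { $provider += ' [hardware]' }
                    } elseif ($key -is [System.Security.Cryptography.RSACng]) {
                        $provider = $key.Key.Provider.Provider
                    }
                } catch {
                    # Typical when the token is absent or its key is not reachable
                    # from this account: the symptom described in the article.
                    $provider = "(private key not accessible: $($_.Exception.Message))"
                }
            }
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Provider   = $provider
            }
        }
    }
}

# Assumed filter: narrow the listing to the token's certificate subject.
Get-CertificateStoreLocation -SubjectFilter 'Token'
```

If the certificate appears only under Cert:\CurrentUser\My when run interactively and not at all under the service account, the token's software is mapping to the per-user store, which is the case this article describes.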

We appreciate your feedback.  If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.