Importing a certificate into a smart card

Sometimes it is necessary to import a certificate that uses a software key into a smart card.

First, the certificate including the private key must be exported to a PKCS#12 (PFX) file.

The Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) must allow keys to be imported. To enable this, the corresponding registry values must be set for the provider in question. The following example is for the Microsoft Base Smart Card Crypto Provider:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001

The above values must be copied to a text file and saved with the .reg extension.

Then the registry file must be imported. Local administrator permissions are required for this.

Then the PFX file can be imported with the following command:

certutil ^
-user ^
-csp "Microsoft Base Smart Card Crypto Provider" ^
-importpfx {path-to-PFX-file}.pfx

Administrator permissions are also required for this. The password for the PFX file to be imported and the PIN of the smart card are required.
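
The registry change and the import can also be run as one step that puts the provider back in its previous state afterwards, so that key import does not stay enabled on the machine. The following PowerShell script is an added example, not part of the original article; the `$PfxPath` parameter is a hypothetical name, and the script assumes an elevated PowerShell session.

```powershell
# Added example: run from an elevated PowerShell session.
# $PfxPath is a hypothetical parameter; point it at the exported PFX file.
param(
    [Parameter(Mandatory)] [string] $PfxPath
)

$provider = 'Microsoft Base Smart Card Crypto Provider'
$key      = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$provider"
$names    = 'AllowPrivateSignatureKeyImport', 'AllowPrivateExchangeKeyImport'

if (-not (Test-Path -LiteralPath $PfxPath)) { throw "PFX file not found: $PfxPath" }

# Remember the current state of each value ($null means it did not exist).
$previous = @{}
foreach ($name in $names) {
    $previous[$name] = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
}

try {
    # Allow private key import only for the duration of this one operation.
    foreach ($name in $names) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Same command as in the article; the PFX password and the card PIN are requested.
    certutil -user -csp $provider -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
}
finally {
    # Restore the provider exactly as it was, whether or not the import succeeded.
    foreach ($name in $names) {
        if ($null -eq $previous[$name]) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name $name -Value $previous[$name]
        }
    }
}
```

After the import, the software copy of the key still exists in the PFX file and in the store it was exported from; both are outside the scope of this script.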
