Importing a certificate into a smart card

Sometimes it is necessary to import a certificate whose private key was generated in software (and therefore exists outside the card) into a smart card.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of policies to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

First, the certificate including the private key must be exported to a PKCS#12 (PFX) file.

The Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) must allow the import of private keys, which it does not by default. To enable this, a corresponding registry value must be set for the provider in question. Here is the example for the Microsoft Base Smart Card Crypto Provider:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001

The above values must be copied to a text file and saved with the .reg extension.

Then the registry file must be imported. Local administrator permissions are required for this.

Then the PFX file can be imported with the following command:

certutil ^
-user ^
-csp "Microsoft Base Smart Card Crypto Provider" ^
-importpfx <path-to-PFX-file>.pfx

Administrator permissions are also required for this. The password of the PFX file to be imported and the PIN of the smart card are requested during the import. Keep in mind that a key imported this way has existed in software, so the certificate does not provide the assurance of a key that was generated on the card and never left it. Once the import is done, the two registry values should be reset, since leaving them enabled permits any software key to be loaded into cards on that machine.
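The whole procedure (enable key import on the provider, verify the setting, import the PFX, confirm the certificate landed in the user store, and restore the previous registry state) as one PowerShell script. This is an added example and not code from the original post; the PFX path, the use of an elevated session and the assumption that a smart card is present in the reader are mine.

```powershell
# Added example (not from the original post). Run from an elevated Windows PowerShell session
# with the smart card inserted. $PfxPath is a hypothetical path; adjust it.
$Provider = 'Microsoft Base Smart Card Crypto Provider'
$RegPath  = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$Provider"
$PfxPath  = 'C:\Temp\user.pfx'
$Values   = 'AllowPrivateSignatureKeyImport', 'AllowPrivateExchangeKeyImport'

# Read the thumbprint from the PFX so the import can be verified afterwards.
# EphemeralKeySet (.NET 4.7.2+) keeps the software key out of a persisted container.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$Flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$Cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $PfxPassword, $Flags
$Thumbprint = $Cert.Thumbprint
$Cert.Dispose()

# Remember the current state of both values so they can be restored in the finally block.
$Previous = @{}
foreach ($Name in $Values) {
    $Previous[$Name] = (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue).$Name
}

try {
    # Step 1: allow private key import on the provider (needs local admin).
    foreach ($Name in $Values) {
        Set-ItemProperty -Path $RegPath -Name $Name -Value 1 -Type DWord
    }

    # Step 2: check the values actually took effect before touching the card.
    foreach ($Name in $Values) {
        $Current = (Get-ItemProperty -Path $RegPath -Name $Name).$Name
        if ($Current -ne 1) { throw "$Name is $Current, expected 1" }
    }

    # Step 3: import the PFX into the card via the smart card CSP.
    # certutil prompts for the PFX password and the card PIN itself; the password is
    # deliberately not passed with -p, which would expose it on the command line.
    & certutil.exe -user -csp $Provider -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

    # Step 4: confirm the certificate is now in the user's personal store.
    if (-not (Test-Path -Path "Cert:\CurrentUser\My\$Thumbprint")) {
        throw "Certificate $Thumbprint not found in CurrentUser\My after import"
    }
    Write-Host "Imported $Thumbprint via '$Provider'"
}
finally {
    # Step 5: put the provider back the way it was, whether or not the import succeeded.
    foreach ($Name in $Values) {
        if ($null -eq $Previous[$Name]) {
            Remove-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $RegPath -Name $Name -Value $Previous[$Name] -Type DWord
        }
    }
}
```

The thumbprint check only proves the certificate is in the store; `certutil -user -store My` shows the provider and container name of the associated key if you want to confirm it is actually bound to the card.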
