Manually importing keys into a smart card



Have you thought about moving a certificate including its (exportable) keys from a user's profile into a smart card? There are three simple steps required to do this if the Microsoft Base Smart Card Crypto Service Provider is available on a computer.




1. As the first step, two registry values must be modified to permit the import operation.

· HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport=DWORD:0x1

· HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport=DWORD:0x1

Those registry values are also documented in the Smart Card Minidriver Specification for Windows Base Cryptographic Service Provider (Base CSP) and Smart Card Key Storage Provider (KSP) and on the SmartCard Infrastructure blog.




2. As the next step, the certificate and its keys must be made available as a PFX file. The easiest way to create the file is with the Certificate Export Wizard.

a. Click Start, Run and type certmgr.msc
b. In the left pane, click Personal, Certificates
c. Select a certificate in the right pane.
d. From the Action menu, click All Tasks and then Export.
e. Make sure that the private key is exported.

Look after the PFX file, because it contains a private key!




3. Finally, importing the key into a smart card is a single command at the command line. The certutil version that ships with Windows Server 2003 SP1 or a later Windows version is required to perform the operation.

certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx {PFXfile}




After the import has finished, remove the PFX file that was created in step #2.
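Steps 1 and 3 scripted together, as an added PowerShell example that is not part of the original post. It assumes an elevated session, that the PFX from step 2 already exists at the path given, and that certutil.exe is on the PATH; the parameter names, the value verification and the optional revert of the two registry values to 0 after the import are this example's own additions.

```powershell
# Added example (not from the original post): registry settings from step 1,
# certutil import from step 3, PFX cleanup afterwards.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    # Base CSP from the post; a reply in the comments notes that some key material
    # needs the KSP instead: "Microsoft Smart Card Key Storage Provider".
    [string] $Csp = "Microsoft Base Smart Card Crypto Provider",
    # Hardening step added here: by default the import permission is switched off again.
    [switch] $KeepImportEnabled
)

$ErrorActionPreference = 'Stop'
$baseCspKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$importValues = 'AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport'

if (-not (Test-Path -LiteralPath $baseCspKey)) {
    throw "Base CSP registry key not found; is the Microsoft Base Smart Card Crypto Provider installed?"
}
if (-not (Test-Path -LiteralPath $PfxPath)) { throw "PFX file not found: $PfxPath" }

# Step 1: set both DWORD values to 1 and read them back to confirm the change took effect.
foreach ($name in $importValues) {
    New-ItemProperty -Path $baseCspKey -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    $actual = (Get-ItemProperty -Path $baseCspKey -Name $name).$name
    if ($actual -ne 1) { throw "Could not set $name (current value: $actual)" }
}

try {
    # Step 3: certutil prompts interactively for the PFX password and the card PIN.
    & certutil.exe -csp $Csp -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -importpfx failed with exit code $LASTEXITCODE; the PFX file was left in place"
    }
    # The PFX holds the private key, so remove it as soon as the import has succeeded.
    Remove-Item -LiteralPath $PfxPath -Force
    Write-Host "Imported $PfxPath into '$Csp' and removed the PFX file."
}
finally {
    if (-not $KeepImportEnabled) {
        foreach ($name in $importValues) {
            Set-ItemProperty -Path $baseCspKey -Name $name -Value 0
        }
    }
}
```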

Comments (7)

  1. Alan says:

    Is it possible to import to a specific Virtual Smart Card? I do not see where this can be done with the provided certutil parameters.

    1. WesH [MSFT] says:

      It is not possible to import into a VSC or MS Platform Crypto provider. The keys must be generated with it.

      1. mainpony says:

        Just used these instructions to import a couple of keys into a VSC. Works great.

  2. sk says:

    Even after adding the registry entries, I'm still unable to export as a .pfx file.

    1. wchar_t says:

      You can’t export a certificate created with the smartcard template. This applies only to certificates created with a template that allows private keys to be exported.

  3. Yizhar says:

    Hi,

    2 things:
    1. When exporting the certificate it asks for a password created on exporting and then a popup window asks for the PIN (default is 0000)
    2. Everything went fine and I exported the cert with private key and the above PIN inserted, but it gave me the following after entering certificate password + default PIN code:
    CertUtil:-importPFX command FAILED: 0x8009000a (-2146893814)
    CertUtil: Invild type specified.

    What am I missing here ?

    1. Hi Yizhar,
      Depending on what key material you want to import you might need to specify a different CSP/KSP, e.g.
      -csp "Microsoft Smart Card Key Storage Provider" instead of -csp "Microsoft Base Smart Card Crypto Provider"
      Also, this link here might be helpful for registry settings regarding key import: https://docs.microsoft.com/en-us/windows/access-protection/smart-cards/smart-card-group-policy-and-registry-settings
      Best regards
