Manually importing keys into a smart card
Published Jan 24 2020 01:42 PM
Microsoft

First published on TECHNET on Nov 13, 2007

Have you thought about moving a certificate including its (exportable) keys from a user's profile into a smart card? There are three simple steps required to do this if the Microsoft Base Smart Card Crypto Service Provider is available on a computer.

1. As the first step, two registry keys must be modified to permit the import operation.

· HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport=DWORD:0x1

· HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport=DWORD:0x1

Those registry keys are also documented in the Smart Card Minidriver Specification for Windows Base Cryptographic Service Provider (Base CSP) an... and the SmartCard Infrastructure blog.

2. As a next step, the certificate and the keys must be made available as a PFX file. The easiest way to create the file is with the Certificate Export Wizard.

a. Click Start, Run and type certmgr.msc
b. In the left pane, click Personal, Certificates.
c. Select a certificate in the right pane.
d. From the Action menu, click All Tasks and then Export.
e. Make sure that the private key is exported.

Look after the PFX file, because it contains a private key!

3. Finally, importing a key into a smart card is a single command at the command line. The certutil version that ships with Windows Server 2003 SP1 or a later Windows version is required to perform the operation.

certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx {PFXfile}

After the import has finished, remove the PFX file that was created in step #2.
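
The three steps above as one elevated PowerShell script. This is an added example, not part of the original post; the $PfxPath parameter and the restoring of the previous registry state after the import are choices of this example, made so the machine does not stay configured to accept private key imports.

```powershell
# Added example: run from an elevated PowerShell prompt with the card inserted.
param(
    [Parameter(Mandatory)] [string] $PfxPath   # PFX file exported in step 2
)
$ErrorActionPreference = 'Stop'

$csp    = 'Microsoft Base Smart Card Crypto Provider'
$key    = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$csp"
$values = 'AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport'

if (-not (Test-Path -LiteralPath $PfxPath)) { throw "PFX file not found: $PfxPath" }
if (-not (Test-Path -LiteralPath $key))     { throw "Base CSP is not registered: $key" }

# Remember the current state of both values ($null means "not present").
$before = @{}
foreach ($name in $values) {
    $before[$name] = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
}

try {
    # Step 1: permit private key import for the duration of this script only.
    foreach ($name in $values) {
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Step 3: certutil prompts for the PFX password and the card PIN.
    & certutil.exe -csp $csp -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

    # Import succeeded: remove the PFX file, as the last step of the procedure says.
    Remove-Item -LiteralPath $PfxPath -Force
}
finally {
    # Put the registry back the way it was, whether or not the import worked.
    foreach ($name in $values) {
        if ($null -eq $before[$name]) {
            Remove-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -LiteralPath $key -Name $name -Value $before[$name]
        }
    }
}
```

If certutil fails, the PFX file is left in place so the import can be retried; it still has to be deleted by hand once it is no longer needed.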

 

Last update: Feb 20 2020 02:44 PM