Manually importing keys into a smart card
Published Jan 24 2020 01:42 PM 2,493 Views

First published on TECHNET on Nov 13, 2007


Have you thought about moving a certificate including its (exportable) keys from a user's profile into a smart card? There are three simple steps required to do this if the Microsoft Base Smart Card Crypto Service Provider is available on a computer.








1. As the first step, two registry keys must be modified to permit the import operation.








· HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto








· HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto












Those registry keys are also documented in the Smart Card Minidriver Specification for Windows Base Cryptographic Service Provider (Base CSP) an... and the SmartCard Infrastructure blog.








2. As a next step, the certificate and the keys must be made available as a PFX file. The easiest way to create the file is with the Certificate Export Wizard.




a. Click Start , Run and type certmgr.msc




b. In the left pane, click Personal , Certificates




c. Select a certificate in the right pane .




d. From the Action menu, click All Tasks and then Export .




e. Make sure that the private key is exported.




Look after the PFX file, because it contains a private key!








3. Finally, importing a key into a smart card is a single command at a command-line. The certutil-version that ships with Windows Server 2003 SP1 or a later Windows version is required to perform the operation.








certutil –csp " Microsoft Base Smart Card Crypto Provider " –importpfx {PFXfile}








After the import has finished, remove the PFX file that was created in step #2.


Version history
Last update:
‎Feb 20 2020 02:44 PM
Updated by: