For authentication credentials, it is strongly recommended to issue certificates directly to the smart card. This ensures that the private key is generated on the smart card, and never leaves the card.
For testing, however, it is sometimes useful to import a certificate and its associated keys from a PFX file.To import from a PFX file you can use a utility, such as vSEC_CMS, or Certutil, the certificate utility included with Microsoft Windows.
Important: The PIVKey minidriver must be installed to load or delete certificates from the PIVKey (without the PIVKey minidriver, the PIVKey will be read-only).
First make sure to set the following registry settings to enable the import of keys.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001
To import a certificate contained in the file "testcert.pfx", open an elevated command prompt and run:
certutil -v -csp "Microsoft Base Smart Card Crypto Provider" -p password -importpfx testcert.pfx
-csp should be the Microsoft Base Smart Card Crypto Provider, or if using 3rd party middleware, the CSP for that middleware.
-p should be the password used to secure the .pfx containing the certificate and associated key
-importpfx should be the path to the certificate pfx
-v provides verbose error messages for debugging.
2 Comments