Loading a certificate on PIVKey using Certutil

For authentication credentials, it is strongly recommended to issue certificates directly to the smart card. This ensures that the private key is generated on the smart card, and never leaves the card.

For testing, however, it is sometimes useful to import a certificate. You can use a utility, like VSec CMS, to import a certificate, but another way to do this is to use Certutil.exe, the certificate utility included with Microsoft Windows.

First make sure to set the following registry settings to enable the import of keys.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]

Then run the following command. Make sure to run this with administrator rights.

certutil -v -csp "Microsoft Base Smart Card Crypto Provider" -p password -importpfx testcert.pfx

-csp should be the Microsoft Base CSP for the C2, or if using 3rd party middleware, the CSP for that middleware.

-p should be the password used to secure the .pfx continging the certificate and associated key,

-importpfx should be the path to the certificate pfx

-v provides verbose error messages for debugging.

Have more questions? Submit a request


  • 0
    Rodney Thayer

    this article tells how to load a key pair into windows, not how to load a keypair into the card.

    "loading a certificate on pivkey" sounds like onto the card (note use of "on")

Please sign in to leave a comment.
Powered by Zendesk