Loading a certificate on PIVKey using Certutil

For authentication credentials, it is strongly recommended to issue certificates directly to the smart card. This ensures that the private key is generated on the smart card, and never leaves the card.

For testing, however, it is sometimes useful to import a certificate.To import a certificate use a utility, such as vSEC_CMS, or Certutil, the certificate utility included with Microsoft Windows.  The PIVKey minidriver must be installed to load or delete certificates from the PIVKey (without the PIVKey minidriver, the PIVKey will be read-only).

First make sure to set the following registry settings to enable the import of keys.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001

To import a certificate contained in the file "testcert.pfx", open an elevated command prompt and run:

certutil -v -csp "Microsoft Base Smart Card Crypto Provider" -p password -importpfx testcert.pfx

-csp should be the Microsoft Base Smart Card Crypto Provider, or if using 3rd party middleware, the CSP for that middleware.

-p should be the password used to secure the .pfx containing the certificate and associated key

-importpfx should be the path to the certificate pfx

-v provides verbose error messages for debugging.

Have more questions? Submit a request

2 Comments

  • 0
    Avatar
    Rodney Thayer

    this article tells how to load a key pair into windows, not how to load a keypair into the card.

    "loading a certificate on pivkey" sounds like onto the card (note use of "on")

  • 0
    Avatar
    Marci Tenpas

    Hi Rodney,

    Thanks so much for visiting our website and for your comment!

    I'm not sure why you don't believe the article tells you how to load a certificate onto a smart card, because the command

    certutil -v -csp "Microsoft Base Smart Card Crypto Provider" -p password -importpfx testcert.pfx

    does indeed load the certificate located in the testcert.pfx file onto the smart card inserted into the reader.  Note that you do need to have the PIVKey software installed in order for certutil to load or delete certificates on/off the card.

    If you had trouble with the command not doing what you expected, please feel free to submit a support ticket, we'd be glad to help!

    ~Marci Tenpas, Taglio Support

    Edited by Marci Tenpas
Please sign in to leave a comment.
Powered by Zendesk