Smart Card
RSA SID800
certutil
Unable to import a certificate on a SID800 using the RSA Smart Card Middleware
CertUtil: -importPFX command FAILED: 0x8009000a (-2146893814)
CertUtil: Invalid type specified.
Manually importing keys into a smart card
Have you thought about moving a certificate including its (exportable) keys from a user's profile into a smart card? There are three simple steps required to do this if the Microsoft Base Smart Card Crypto Service Provider is available on a computer.
1. As the first step, two registry keys must be modified to permit the import operation.
• HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport=DWORD:0x1
• HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport=DWORD:0x1
Those registry keys are also documented in the Smart Card Minidriver Specification for Windows Base Cryptographic Service Provider (Base CSP) and Smart Card Key Storage Provider (KSP) and the SmartCard Infrastructure blog.
2. As a next step, the certificate and the keys must be made available as a PFX file. The easiest way to create the file is with the Certificate Export Wizard.
a. Click Start, Run and type certmgr.msc
b. In the left pane, click Personal, Certificates
c. Select a certificate in the right pane.
d. From the Action menu, click All Tasks and then Export.
e. Make sure that the private key is exported.
Look after the PFX file, because it contains a private key!
3. Finally, importing a key into a smart card is a single command at the command line. The version of certutil that ships with Windows Server 2003 SP1 or a later Windows version is required to perform the operation.
certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx {PFXfile}
After the import has finished, remove the PFX file that was created in step #2.
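The three steps above as one PowerShell script, an added example rather than code from the original article. It assumes an elevated session and a PFX file already exported in step 2; the `$PfxFile` parameter name is hypothetical, and putting the two registry values back to their earlier state after the import is an addition of this example, not a step the article lists.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article.
param(
    [Parameter(Mandatory)] [string] $PfxFile   # hypothetical name: PFX exported in step 2
)

$csp     = 'Microsoft Base Smart Card Crypto Provider'
$regPath = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$csp"
$names   = 'AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport'

if (-not (Test-Path -LiteralPath $PfxFile)) { throw "PFX file not found: $PfxFile" }
if (-not (Test-Path -LiteralPath $regPath)) { throw "Base CSP is not registered: $regPath" }

# Record the current state of both values ($null means the value does not exist).
$previous = @{}
foreach ($n in $names) {
    $previous[$n] = (Get-ItemProperty -LiteralPath $regPath -Name $n -ErrorAction SilentlyContinue).$n
}

try {
    # Step 1: permit private key import into the card.
    foreach ($n in $names) {
        New-ItemProperty -LiteralPath $regPath -Name $n -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Step 3: import the PFX; certutil prompts for the PFX password and the card PIN.
    & certutil.exe -csp $csp -importpfx $PfxFile
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }
}
finally {
    # Assumption of this example: key import stays enabled only for the duration of the import.
    foreach ($n in $names) {
        if ($null -eq $previous[$n]) {
            Remove-ItemProperty -LiteralPath $regPath -Name $n -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -LiteralPath $regPath -Name $n -Value $previous[$n]
        }
    }
}

# Reached only when the import succeeded: remove the PFX that holds the private key.
Remove-Item -LiteralPath $PfxFile -Force
```

If certutil fails, the script throws after restoring the registry values and leaves the PFX file in place so the import can be retried.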