Save a pfx/p12 file to a smart card

1 Determine the name of the smart card

Open a command prompt and type "certutil -SCInfo". Look at the line named "Card".

Readers : 1
  0: FS USB Token 0
--- Reader : FS USB Token 0
--- Status : SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status : Card available.
---   Card : ePass2003
---    ATR :
        3b 9f 95 81 31 fe 9f 00  66 46 53 05 01 00 11 71   ;...1...fFS....q
        df 00 00 00 00 00 13                               .......

In this example, it is “ePass2003”.

Note : if the smart card already contains cryptographic material, a line named “Provider” is shown for each container. This line contains the name of the required CSP, so you can skip the next step.

2 Determine the CSP (the driver) of the smart card

Launch regedit.exe and open HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\SmartCards. Open the subkey that has the same name as the smart card. Look at the value “Crypto Provider” to get the name of the CSP.

3 If the CSP is “Microsoft Base Smart Card Crypto Provider”

By default, importing a P12 file is forbidden if the CSP is “Microsoft Base Smart Card Crypto Provider”. Set the following registry values to disable this protection :

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport=DWORD:0x1

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport=DWORD:0x1

If this tweak is not applied, the import fails in CryptImportKey with the return code NTE_BAD_TYPE (0x8009000A).

.reg file :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001

4 Import the p12 file

Run the command : certutil -csp {the name of the CSP} -importpfx {PFXfile}

Ex: certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx foo.pfx

Reference : http://blogs.technet.com/b/pki/archive/2007/11/13/manually-importing-keys-into-a-smart-card.aspx
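
Steps 1 to 4 as one PowerShell script, added here as an example and not part of the original page. It assumes an elevated prompt and English certutil output; $PfxFile is a hypothetical parameter name, and putting the two registry values back after the import is a choice of this example, not a step from the page.

```powershell
# Added example: run elevated, e.g.  .\Import-PfxToCard.ps1 -PfxFile foo.pfx
# (script name and $PfxFile are hypothetical; keys and commands are those of steps 1-4)
param([Parameter(Mandatory)][string]$PfxFile)

$calais  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
$baseCsp = 'Microsoft Base Smart Card Crypto Provider'
$cspKey  = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$baseCsp"
$flags   = 'AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport'

# Step 1: card name from the "Card" line of certutil -SCInfo
$line = certutil -SCInfo |
    Select-String -Pattern '^-*\s*Card\s*:\s*(.+?)\s*$' |
    Select-Object -First 1
if (-not $line) { throw 'certutil -SCInfo reported no card' }
$card = $line.Matches[0].Groups[1].Value

# Step 2: CSP name from the "Crypto Provider" value of the card's subkey
$cardKey = Join-Path $calais $card
$csp = (Get-ItemProperty -LiteralPath $cardKey -Name 'Crypto Provider' -ErrorAction Stop).'Crypto Provider'
Write-Host "Card: $card  CSP: $csp"

# Step 3: only the Microsoft base CSP needs the import flags.
# Remember the previous state of each value so it can be put back afterwards.
$saved = @{}
if ($csp -eq $baseCsp) {
    foreach ($f in $flags) {
        $saved[$f] = (Get-ItemProperty -Path $cspKey -Name $f -ErrorAction SilentlyContinue).$f
        New-ItemProperty -Path $cspKey -Name $f -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Step 4: import the PFX, then restore the registry whatever the outcome
try {
    certutil -csp $csp -importpfx $PfxFile
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
}
finally {
    foreach ($f in $saved.Keys) {
        if ($null -eq $saved[$f]) {
            Remove-ItemProperty -Path $cspKey -Name $f     # value did not exist before
        } else {
            New-ItemProperty -Path $cspKey -Name $f -Value $saved[$f] -PropertyType DWord -Force | Out-Null
        }
    }
}
```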