Save a pfx/p12 file to a smart card
1 Determine the name of the smart card
Open a command prompt and run “certutil -SCInfo”. Look at the line named “Card” in the output:
Readers : 1
0: FS USB Token 0
--- Reader : FS USB Token 0
--- Status : SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status : Card available.
--- Card : ePass2003
--- ATR :
3b 9f 95 81 31 fe 9f 00 66 46 53 05 01 00 11 71 ;...1...fFS....q
df 00 00 00 00 00 13 .......
In this example, the card name is “ePass2003”.
Note: if the smart card already contains cryptographic material, certutil adds a line named “Provider” for each container. That line gives the name of the CSP required for the card, so you can skip the next step.
2 Determine the CSP (the driver) of the smart card
Launch regedit.exe and open HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\SmartCards. Open the subkey whose name matches the card name found in step 1. The value “Crypto Provider” in that subkey contains the name of the CSP.
3 If the CSP is “Microsoft Base Smart Card Crypto Provider”
By default, importing a P12 file is refused when the CSP is “Microsoft Base Smart Card Crypto Provider”: the Base CSP only accepts private keys generated on the card and rejects imported ones.
Set the following two values to 1 to disable this protection:
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport=DWORD:0x1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport=DWORD:0x1
If this tweak is not applied, the import fails in CryptImportKey with the return code NTE_BAD_TYPE (0x8009000A).
Note: these values are machine-wide and weaken the guarantee that a private key on a card enrolled through this CSP was generated on the card and never existed outside it. Set them only for the duration of the import and set them back to 0 (or delete them) afterwards.
.reg file :
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001
4 Import the p12 file
Run the command :
certutil -csp "{the name of the CSP}" -importpfx {PFXfile}
Ex: certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx foo.pfx
certutil prompts for the PFX password and then for the smart card PIN. The option names use a plain hyphen (-csp, -importpfx); a dash character pasted from a web page is not accepted.
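The four steps above, chained into one PowerShell script, as an added example that is not part of the original page. It assumes an elevated PowerShell session, a single reader attached, and that the interactive prompts certutil raises for the PFX password and the card PIN are acceptable; the PFX path is a parameter, the script name in the usage comment is a placeholder, and the regular expression used to pull the card name out of “certutil -SCInfo” is an assumption based on the output format shown in step 1. The script records the two Base CSP registry values before changing them and restores them in a finally block, so key import is not left enabled on the machine after the import.

```powershell
# Import-PfxToSmartCard.ps1 (hypothetical name)
# Usage: .\Import-PfxToSmartCard.ps1 -PfxPath C:\certs\foo.pfx
param(
    [Parameter(Mandatory = $true)][string]$PfxPath
)

$ErrorActionPreference = 'Stop'

# Step 1: card name from "certutil -SCInfo", taken from the "--- Card : <name>" line.
# Assumption: output format as shown above (English locale, one card present).
$scinfo = & certutil -SCInfo | Out-String
$m = [regex]::Match($scinfo, '(?m)^---\s*Card\s*:\s*(.+?)\s*$')
if (-not $m.Success) { throw 'No smart card found in "certutil -SCInfo" output.' }
$cardName = $m.Groups[1].Value
Write-Host "Card : $cardName"

# Step 2: CSP name from the "Crypto Provider" value of the card's Calais subkey.
$calaisKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\$cardName"
$csp = (Get-ItemProperty -Path $calaisKey -Name 'Crypto Provider').'Crypto Provider'
Write-Host "CSP  : $csp"

# Step 3: the Base CSP rejects private key import (NTE_BAD_TYPE) unless both values are 1.
$baseCsp  = 'Microsoft Base Smart Card Crypto Provider'
$provKey  = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$baseCsp"
$valNames = 'AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport'
$saved    = @{}   # previous value per name, $null if the value did not exist

if ($csp -eq $baseCsp) {
    foreach ($n in $valNames) {
        $saved[$n] = (Get-ItemProperty -Path $provKey -Name $n -ErrorAction SilentlyContinue).$n
        New-ItemProperty -Path $provKey -Name $n -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Write-Host 'Private key import temporarily enabled for the Base Smart Card CSP.'
}

try {
    # Step 4: import. certutil prompts for the PFX password and then for the card PIN.
    & certutil -csp $csp -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }
    Write-Host 'Import finished.'
}
finally {
    # Put the machine-wide policy back exactly as it was, whether or not the import succeeded.
    foreach ($n in $saved.Keys) {
        if ($null -eq $saved[$n]) {
            Remove-ItemProperty -Path $provKey -Name $n -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $provKey -Name $n -Value $saved[$n]
        }
    }
    if ($saved.Count -gt 0) { Write-Host 'Base Smart Card CSP import settings restored.' }
}
```

The PFX password is deliberately not passed on the command line (certutil does accept -p, but that leaves the password in shell history and process listings); letting certutil prompt keeps it out of both.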