1 Determine the name of the smart card
Open a command prompt and run "certutil -SCInfo". Look at the line named "Card".
    Readers : 1
      0: FS USB Token 0
    --- Reader : FS USB Token 0
    --- Status : SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
    --- Status : Card available.
    --- Card : ePass2003
    --- ATR :
        3b 9f 95 81 31 fe 9f 00 66 46 53 05 01 00 11 71   ;...1...fFS....q
        df 00 00 00 00 00 13                              .......
In this example, it is "ePass2003".
Note: if the smart card already contains cryptographic material, a line named "Provider" is added for each container. This line contains the name of the required CSP, so you can skip the next step.
2 Determine the CSP (the driver) of the smart card
Launch regedit.exe and open HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\SmartCards. Open the subkey that has the same name as the smart card. Look at the value "Crypto Provider" to get the name of the CSP.
3 If the CSP is “Microsoft Base Smart Card Crypto Provider”
By default, importing a P12 file is forbidden if the CSP is "Microsoft Base Smart Card Crypto Provider". Set the following registry values to disable this protection:
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport=DWORD:0x1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport=DWORD:0x1
If this tweak is not applied, the import fails in CryptImportKey with the return code NTE_BAD_TYPE (0x8009000A).
.reg file :
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
    "AllowPrivateSignatureKeyImport"=dword:00000001
    "AllowPrivateExchangeKeyImport"=dword:00000001
4 Import the p12 file
Run the command: certutil -csp {the name of the CSP} -importpfx {PFXfile}
Ex: certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx foo.pfx
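Steps 2 to 4 as one script, added here as an example and not part of the original article. It assumes an elevated PowerShell session; $CardName and $PfxPath are placeholder parameters, and the script puts the two registry values back to their previous state once the import has finished.

```powershell
# Added example. $CardName and $PfxPath are placeholders for illustration.
param(
    [string]$CardName = 'ePass2003',   # the "Card" line from certutil -SCInfo
    [string]$PfxPath  = 'foo.pfx'      # PKCS#12 file to import
)

$calais  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
$baseCsp = 'Microsoft Base Smart Card Crypto Provider'
$cspKey  = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$baseCsp"
$flags   = 'AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport'

# Step 2: read the CSP name registered for this card.
$cardKey = Join-Path $calais $CardName
$csp = (Get-ItemProperty -Path $cardKey -ErrorAction Stop).'Crypto Provider'
if (-not $csp) { throw "No 'Crypto Provider' value found for card '$CardName'." }
Write-Host "CSP for ${CardName}: $csp"

# Step 3: only the Microsoft base CSP needs the import flags.
$touch = ($csp -eq $baseCsp)
$saved = @{}
try {
    if ($touch) {
        foreach ($f in $flags) {
            # Remember the current value ($null when the value does not exist).
            $saved[$f] = (Get-ItemProperty -Path $cspKey -Name $f -ErrorAction SilentlyContinue).$f
            Set-ItemProperty -Path $cspKey -Name $f -Value 1 -Type DWord
        }
    }
    # Step 4: import the key and certificate onto the card.
    & certutil.exe -csp $csp -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
}
finally {
    # Restore each flag so private key import is not left enabled.
    if ($touch) {
        foreach ($f in $flags) {
            if ($null -eq $saved[$f]) {
                Remove-ItemProperty -Path $cspKey -Name $f -ErrorAction SilentlyContinue
            } else {
                Set-ItemProperty -Path $cspKey -Name $f -Value $saved[$f] -Type DWord
            }
        }
    }
}
```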
Reference : http://blogs.technet.com/b/pki/archive/2007/11/13/manually-importing-keys-into-a-smart-card.aspx