Installing a credential using CertUtil

For authentication credentials, it is strongly recommended to issue certificates directly to the smart card. This ensures that the private key is generated on the smart card, and never leaves the card.

For testing, however, it is sometimes useful to import a certificate. You can use the VSec CMS utility to import a certificate, but another way to do this is to use Certutil.exe, the certificate utility included with Microsoft Windows.

First make sure to set the following registry settings to enable the import of keys.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]

Then run the following command. Make sure to run this with administrator rights.

certutil -v -csp "Microsoft Base Smart Card Crypto Provider" -p password -importpfx testcert.pfx

-csp should be the Microsoft Base CSP for the C2, or if using 3rd party middleware, the CSP for that middleware.

-p should be the password used to secure the .pfx continging the certificate and associated key,

-importpfx should be the path to the certificate pfx

-v provides verbose error messages.


Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk