Installing a credential using CertUtil

For authentication credentials, it is strongly recommended to issue certificates directly to the smart card. This ensures that the private key is generated on the smart card, and never leaves the card.

For testing, however, it is sometimes useful to import a certificate. You can use the VSEC_CMS utility to import a certificate, but another way to do this is to use Certutil.exe, the certificate utility included with Microsoft Windows.

First make sure to adjust or add the following registry settings to enable the import of keys.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]

To import a certificate contained in the file "testcert.pfx", open an elevated command prompt and run:

certutil -v -csp "Microsoft Base Smart Card Crypto Provider" -p password -importpfx testcert.pfx

  • -csp should be the Microsoft Base CSP for the C2, or if using 3rd party middleware, the CSP for that middleware
  • -p should be the password used to secure the .pfx containing the certificate and associated key
  • -importpfx should be the path to the certificate pfx file
  • -v provides verbose error messages


Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk