Using Certutil to import a User or Machine Credential

Introduction

In a production environment it is strongly recommended that User and Machine certificate keys are generated on the smart card or TPM at the time the certificate is requested, so that the private key never exists outside the device. When using the Windows Smart Card certificate template this happens automatically.

If keys do need to be loaded, for example for Encryption certificates that require key backup (key archival), it is strongly recommended to use a credential or card management system. This ensures that the process happens in a secure and auditable manner.

However, for testing or migration purposes it may be useful to import a certificate and its keys directly. This can be done with the CSSI utilities or with Certutil. The advantage of Certutil is that it can be scripted.

Prerequisites

Make sure that the certificate you are importing is not already present in the certificate store as a "soft certificate" (a certificate whose private key lives in a software CSP/KSP). You must delete the certificate and its associated private key from the certificate store before importing it again; otherwise Windows will associate the certificate with the existing software key store instead of the smart card or TPM CSP.

You will need to export the credential into a .PFX file secured with a password. The .PFX file must contain at least the certificate and its associated private key.
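The two prerequisites above as one PowerShell script (an added example, not code from the original article or from Charismathics): it reports which provider currently holds the key, exports the certificate and key to a password-protected PFX, and then removes the soft certificate together with its key container. The thumbprint and output path are placeholders you must replace.

```powershell
# Added example, not part of the original article: prepare a user credential for
# "certutil -importpfx". Assumed inputs: the certificate thumbprint and output path.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumption: replace
$PfxPath    = Join-Path $env:TEMP 'usercert.pfx'            # assumption: replace
$StorePath  = 'Cert:\CurrentUser\My'

$cert = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate $Thumbprint in $StorePath" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; nothing to export' }

# 1. Which provider holds the key today? certutil -store prints a "Provider = ..."
#    line for certificates whose key it can find. A software CSP/KSP here is the
#    "soft certificate" that must be removed before the import.
$storeInfo = certutil -user -store My $Thumbprint
$match     = $storeInfo | Select-String 'Provider\s*=\s*(.+)$' | Select-Object -First 1
$provider  = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { '(no key found)' }
Write-Host "Key currently held by: $provider"

# 2. Export certificate + private key to a password-protected PFX.
#    This fails, by design, if the key was marked non-exportable.
$pfxPassword = Read-Host -AsSecureString 'Password for the new PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
if (-not (Test-Path $PfxPath)) { throw "Export failed: $PfxPath was not written" }

# 3. Remove the soft certificate AND its key container (-DeleteKey), so that the
#    later -importpfx cannot be associated with the old software key.
Remove-Item -Path $cert.PSPath -DeleteKey
if (Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }) {
    throw 'Soft certificate is still present in the store'
}
Write-Host "Ready: import $PfxPath with certutil -user -csp <csp_name> -importpfx $PfxPath"
```

For a machine credential use Cert:\LocalMachine\My, drop -user from the certutil call, and run the script from an elevated prompt. Keep the exported PFX on an encrypted volume and delete it once the import has been verified, since it contains the private key in software form.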

Certutil ImportPFX Command

The basic ImportPFX command requires the following:

certutil.exe -csp [csp_name] -importpfx [file_name]

-csp [csp_name]

Choose the relevant CSP for your product:

Product   Key storage location   CSP name
CSSI      Smart card or token    "Charismathics Smart Security Interface CSP"
CVSC      TPM or IPT             "Microsoft Base Smart Card Crypto Provider"
CTSS      TPM                    "Charismathics Smart Security Interface Platform"

-importpfx [file_name]

The full path to a password-protected PFX file. This can be generated by exporting the certificate and keys with the Windows Certificate Export wizard ("Save to File"), making sure the private key is included in the export.

Optional Variables

-p [password]

By default Certutil prompts for the PFX password when it runs. For scripts you can supply it on the command line with the -p option (run "certutil -importpfx -?" to see the full syntax for your Windows version). Be aware that a password passed on the command line is visible in the process list and may be kept in the shell history; prefer prompting for it, or reading it from a protected source at run time.

Importing a User Credential

Call Certutil as the user who owns the credential, with the -user option so that the user's store and key context are used (without it Certutil defaults to the machine context):

certutil.exe -user -csp <csp_Name> -importpfx <file_name>

This imports the key from the PFX file into the selected CSP and places the certificate in the "Personal" certificate store of the user.

Importing a Machine Credential

Call Certutil from an elevated (administrator) command prompt with the following:

certutil.exe -csp <csp_Name> -importpfx <file_name>

This imports the key from the PFX file into the selected CSP and places the certificate in the "Personal" certificate store of the computer.
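The user and machine procedures above wrapped in one scriptable PowerShell function (an added example, not code from the original article or from Charismathics). The CSP table is the one given earlier in this article; the function name, its parameters and the way it verifies the result are assumptions made for this script. After calling Certutil it checks the exit code, then reads the certificate hashes out of the PFX and confirms that the store now reports the chosen CSP as the key's provider.

```powershell
# Added example, not part of the original article: scripted wrapper around
# "certutil -importpfx" with an elevation check and post-import verification.
function Import-PfxToCsp {
    param(
        [Parameter(Mandatory)][ValidateSet('CSSI','CVSC','CTSS')][string]$Product,
        [Parameter(Mandatory)][ValidateSet('User','Machine')][string]$Scope,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # CSP names from the article's product table.
    $csp = @{
        CSSI = 'Charismathics Smart Security Interface CSP'
        CVSC = 'Microsoft Base Smart Card Crypto Provider'
        CTSS = 'Charismathics Smart Security Interface Platform'
    }[$Product]

    if (-not (Test-Path $PfxPath)) { throw "PFX not found: $PfxPath" }

    # Machine credentials need an elevated prompt; fail early rather than letting
    # certutil stop with an access-denied error part-way through.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin   = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                     [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($Scope -eq 'Machine' -and -not $isAdmin) {
        throw 'Machine import requires an elevated (administrator) prompt'
    }

    # -user selects the current user's store and key context; without it certutil
    # defaults to the machine context.
    $ctx = if ($Scope -eq 'User') { @('-user') } else { @() }

    # Unwrap the SecureString only for the duration of the certutil calls. The
    # password is still visible to anyone who can read this process's command line.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

        # Collect the SHA-1 hashes of every certificate in the PFX (a PFX may also
        # carry the issuing chain), so the verification below can find them in the store.
        $dump   = certutil -p $plain -dump $PfxPath
        $thumbs = $dump | Select-String 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)' |
                  ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() }
        if (-not $thumbs) { throw 'No certificate found in PFX (wrong password or empty file?)' }

        & certutil.exe @ctx -p $plain -csp $csp -importpfx $PfxPath
        if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # Verify: at least one certificate from the PFX must now be backed by the chosen CSP.
    $result = foreach ($t in $thumbs) {
        $info  = & certutil.exe @ctx -store My $t
        $match = $info | Select-String 'Provider\s*=\s*(.+)$' | Select-Object -First 1
        [pscustomobject]@{
            Thumbprint = $t
            Provider   = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { '(no key)' }
        }
    }
    if (-not ($result | Where-Object Provider -eq $csp)) {
        throw "Import finished but no certificate from the PFX reports provider '$csp'"
    }
    $result
}

# Usage (paths are assumptions):
# Import-PfxToCsp -Product CTSS -Scope Machine -PfxPath C:\CTSS\computercert.pfx `
#                 -Password (Read-Host -AsSecureString 'PFX password')
```

The verification step is the part worth keeping even if you script the import some other way: a successful exit code only tells you that Certutil placed the certificate in the store, while the "Provider = ..." line tells you whether the key actually ended up in the smart card or TPM CSP rather than in a software provider.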

Example

C:\CTSS>certutil -csp "Charismathics Smart Security Interface Platform" -importpfx computercert.pfx
    CRYPT_IMPL_HARDWARE -- 1
    CRYPT_IMPL_SOFTWARE -- 2
    CRYPT_IMPL_MIXED -- 3
    CRYPT_IMPL_REMOVABLE -- 8
Enter PFX password:
Certificate "E=administrator@charismathics.com, CN=Administrator, CN=Users, DC=charismathics, DC=us" added to store.

Troubleshooting

Depending on the security policies on your PC, the Microsoft Base Smart Card Crypto Provider (used by CVSC) may refuse to import private keys, since by default it only allows keys generated on the device. In that case you may have to set the following registry values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:00000001
"AllowPrivateExchangeKeyImport"=dword:00000001

These values relax the provider's protection against loading externally generated keys. Set them only for the duration of the import and restore the previous settings afterwards.
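One way to apply these values only while the import runs (an added example, not code from the original article or from Charismathics): the script records the current state of both values, sets them to 1, performs the import, and restores or removes them again in a finally block even if Certutil fails. The PFX path is taken from the earlier example and is an assumption; run it from an elevated prompt.

```powershell
# Added example, not part of the original article: temporarily enable private key
# import for the Microsoft Base Smart Card Crypto Provider, then restore the old state.
$key   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$names = 'AllowPrivateSignatureKeyImport', 'AllowPrivateExchangeKeyImport'
$pfx   = 'C:\CTSS\computercert.pfx'   # assumption: replace with your PFX

# Remember what was there before (null = value did not exist).
$saved = @{}
foreach ($n in $names) {
    $saved[$n] = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
    New-ItemProperty -Path $key -Name $n -PropertyType DWord -Value 1 -Force | Out-Null
}

try {
    certutil -csp 'Microsoft Base Smart Card Crypto Provider' -importpfx $pfx
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
} finally {
    # Re-tighten the provider regardless of the outcome.
    foreach ($n in $names) {
        if ($null -eq $saved[$n]) { Remove-ItemProperty -Path $key -Name $n }
        else                      { Set-ItemProperty -Path $key -Name $n -Value $saved[$n] }
    }
}
```

If the import still fails after this, check the Certutil error text: an access-denied error usually means the prompt is not elevated, while a provider error usually means the CSP name does not match the installed product.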
