Smart Card Deployment: Manually Importing User Certificates


Generating and importing user certificates as a .pfx file

In environments where the user certificates cannot be generated on the YubiKey, they can be generated on a Windows PC as a .pfx file and imported to a YubiKey for use.

To use an enrollment agent to generate a .pfx file for import

  1. Right-click the Windows Start button and select Run.

  2. In the window that appears, type mmc and press Enter.

  3. Add a Certificates snap-in for My User account: in the console tree, expand the Personal store, and then click Certificates.

  4. On the Action menu, point to All Tasks, point to Advanced Operations, and then click Enroll on behalf of to open the Certificate Enrollment wizard. Click Next.

  5. Browse to the Enrollment Agent certificate that you will use to sign the certificate request that you are processing. Click Next.

  6. Select the type of certificate that you want to enroll for and click Enroll.

  7. After the Certificate Enrollment Wizard has successfully finished, click Close.

Exporting a certificate with Private Key

  1. On the workstation where you enrolled the smart card certificates, choose Start, choose Run, and then in the Open box, type MMC. Choose OK.

  2. On the Console page, on the File menu, select Add/Remove Snap in.

  3. On the Add/Remove Snap-in dialog box, choose Add. The Add Standalone Snap-in page appears. Select Certificates and then choose Add.

  4. On the Certificates snap-in page, select My user account, and then choose Finish. On the Add or Remove Snap-in page, choose Close, and then on the Add/Remove Snap-in page, choose OK.

  5. On the Console page, in the navigation pane, expand Certificates - Current User and then expand Personal. In the navigation pane, select Certificates.

  6. In the details pane, locate the certification authority certificate that was issued for the Smart Card template. This file should have the name of your Smart card user. Right-click this certificate, select All Tasks, and then choose Export.

  7. The Welcome to the Certificate Wizard dialog box appears. Choose Next to continue.

  8. On the Export Private Key page, select Yes, export the private key. Choose Next.

  9. On the Export File Format page, make sure that you select Personal Information Exchange – PKCS #12(.PFX). Make sure that you select the Enable strong protection box. Choose Next.

  10. On the Password page, supply a password, and then choose Next.

  11. On the File to Export page, type the path and filename of the .pfx file. For example, C:\usercert.pfx. Choose Next.

  12. Choose Finish. On the Certificate Export Wizard page, choose OK to confirm that the export was successful.

  13. Repeat steps 7 through 12. For each user certificate to export.

Importing a .pfx file using CertUtil

Optional: Enabling Support for ECDSA and ECDHE Certificates

Windows Smart Card KSP by default does not support certificates associated with ECDSA and ECDHE algorithm keys, and the permissions to use them must be enabled in the registry. If you are code signing with just certificates associated with RSA keys, this section may be skipped.

The registry keys for the smart card KSP are in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider.

Two entries need to be changed to have a value of "1":

Registry Key Description
AllowPrivateECDHEKeyImport This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios.
AllowPrivateECDSAKeyImport This value allows Elliptic Curve Digital Signature Algorithm (ECDSA) private keys to be imported for use in key archival scenarios.
  1. Open PowerShell as Administrator.

  2. Run: reg add “HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider” /v AllowPrivateExchangeKeyImport /t REG_DWORD /d 1

  3. Run: reg add “HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider” /v AllowPrivateSignatureKeyImport /t REG_DWORD /d 1

  4. Run: certutil –csp "Microsoft Base Smart Card Crypto Provider" –importpfx C:\Path\to\your.pfx

    When prompted, enter the PIN. If you have not set a PIN, the default value is 123456.

  5. Repeat step 4 for each .pfx file to import.

Importing a .pfx file using the YubiKey Manager

Note: If you intend to import more than one certificate to the YubiKey for authentication, follow the CertUtil import method instead. This is the only way to ensure the YubiKey smart card minidriver is involved in the import and can properly maintain the container map file on the YubiKey.

  1. Open YubiKey Manager and click Applications, Select PIV, Select Configure Certificates.

  2. Select the Slot you wish to import the certificate to in this case it's Authentication (9a) 

  3. To import an existing certificate, click Import.

  4. Browse to the .pfx file you want to import (created in steps 7-12 of the previous section), and click Open.

  5. To confirm the password that was set for the certificate, type the password and click OK. (see step 10 of the previous section)

  6. Click OK.

Next: Deploying the YubiKey Minidriver to Workstations and Servers