Smart Card Deployment: Manually Importing User Certificates

Generating and importing user certificates as a .pfx file

In environments where the user certificates cannot be generated on the YubiKey, they can be generated on a Windows PC as a .pfx file and imported to a YubiKey for use.

To use an enrollment agent to generate a .pfx file for import

  1. Right-click the Windows Start button and select Run.

  2. In the window that appears, type mmc and press Enter.

  3. Add a Certificates snap-in for My User account: in the console tree, expand the Personal store, and then click Certificates.

  4. On the Action menu, point to All Tasks, point to Advanced Operations, and then click Enroll on behalf of to open the Certificate Enrollment wizard. Click Next.

  5. Browse to the Enrollment Agent certificate that you will use to sign the certificate request that you are processing. Click Next.

  6. Select the type of certificate that you want to enroll for and click Enroll.

  7. After the Certificate Enrollment Wizard has successfully finished, click Close.

Exporting a certificate with Private Key

  1. On the workstation where you enrolled the smart card certificates, choose Start, choose Run, and then in the Open box, type MMC. Choose OK.

  2. On the Console page, on the File menu, select Add/Remove Snap-in.

  3. On the Add/Remove Snap-in dialog box, choose Add. The Add Standalone Snap-in page appears. Select Certificates and then choose Add.

  4. On the Certificates snap-in page, select My user account, and then choose Finish. On the Add or Remove Snap-in page, choose Close, and then on the Add/Remove Snap-in page, choose OK.

  5. On the Console page, in the navigation pane, expand Certificates - Current User and then expand Personal. In the navigation pane, select Certificates.

  6. In the details pane, locate the certificate that the certification authority issued from the Smart Card template. This certificate should have the name of your smart card user. Right-click this certificate, select All Tasks, and then choose Export.

  7. The Welcome to the Certificate Wizard dialog box appears. Choose Next to continue.

  8. On the Export Private Key page, select Yes, export the private key. Choose Next.

  9. On the Export File Format page, make sure that you select Personal Information Exchange – PKCS #12 (.PFX). Make sure that you select the Enable strong protection box. Choose Next.

  10. On the Password page, supply a password, and then choose Next.

  11. On the File to Export page, type the path and filename of the .pfx file. For example, C:\usercert.pfx. Choose Next.

  12. Choose Finish. On the Certificate Export Wizard page, choose OK to confirm that the export was successful.

  13. Repeat steps 7 through 12 for each user certificate to export.

Importing a .pfx file using CertUtil

  1. On the workstation where you enrolled the smart card certificates, choose Start, choose Run, and then in the Open box, type CMD. Choose OK.

  2. On the Command Line Interface, enter the command:
    certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx certname.pfx
    Where certname.pfx is the name of the .pfx file to import.

  3. Repeat step 2 for each .pfx file to import.
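
The repeated import in steps 2 and 3 can be scripted with a check of each .pfx before it goes onto the card. The PowerShell below is an added example, not part of the original article; the folder C:\pfx-export is hypothetical, and the check assumes the Smart Card template includes the Smart Card Logon EKU.

```powershell
# Added example, not from the original article.
$pfxFolder = 'C:\pfx-export'   # assumption: hypothetical folder holding the exported .pfx files
$csp       = 'Microsoft Base Smart Card Crypto Provider'   # CSP name used in step 2
$scLogon   = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU (assumed present in the template)
$ekuType   = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$results = New-Object System.Collections.Generic.List[object]
foreach ($pfx in Get-ChildItem -Path $pfxFolder -Filter *.pfx) {
    $row = [pscustomobject]@{ File = $pfx.Name; Subject = $null; Thumbprint = $null; Status = $null }
    $results.Add($row)
    $password = Read-Host -AsSecureString -Prompt "Password for $($pfx.Name)"

    # Get-PfxData only reads the file; nothing is added to a certificate store.
    try {
        $data = Get-PfxData -FilePath $pfx.FullName -Password $password -ErrorAction Stop
    } catch {
        $row.Status = 'Skipped: cannot open (wrong password or damaged file)'
        continue
    }

    $cert = $data.EndEntityCertificates | Select-Object -First 1
    if (-not $cert) { $row.Status = 'Skipped: no end-entity certificate'; continue }
    $row.Subject    = $cert.Subject
    $row.Thumbprint = $cert.Thumbprint

    # Collect the EKU OIDs so a certificate from the wrong template is caught before import.
    $now     = Get-Date
    $ekuOids = $cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }

    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $row.Status = "Skipped: outside validity period (expires $($cert.NotAfter))"
    } elseif ($ekuOids -notcontains $scLogon) {
        $row.Status = 'Skipped: Smart Card Logon EKU missing'
    } else {
        # certutil asks for the .pfx password itself, so it never appears on the command line.
        & certutil.exe -csp $csp -importpfx $pfx.FullName
        $row.Status = if ($LASTEXITCODE -eq 0) { 'Imported' } else { "certutil failed ($LASTEXITCODE)" }
    }
}
$results | Format-Table -AutoSize
```

Each .pfx holds a copy of the private key protected only by its password, so delete the files once logon with the YubiKey has been confirmed.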

Importing a .pfx file using the YubiKey Manager

  1. Open YubiKey Manager and click Applications, select PIV, and then select Configure Certificates.

  2. Select the slot you wish to import the certificate to; in this case, it's Authentication (9a).

  3. To import an existing certificate, click Import.

  4. Browse to the .pfx file you want to import (created in steps 7-12 of Exporting a certificate with Private Key), and click Open.

  5. To confirm the password that was set for the certificate, type the password and click OK (see step 10 of Exporting a certificate with Private Key).

  6. Click OK.
