I am trying to run certutil -repairstore and keep getting prompted for a smart card. This is a VM on AWS and a smart card is not an option. Any thoughts on how to bypass the smart card and get the repair to complete are appreciated.
I tried to install the hotfix (https://support.microsoft.com/en-us/help/2955631/you-are-always-prompted-for-the-virtual-smart-card-pin-when-you-use-th) in Windows Server 2012 R2 but ended up with "The update is not applicable to your computer" – Saravanan Sachi Jun 27 '18 at 03:58
In my case since I had the .cer file and the .key file I used openssl to get my certificate loaded; explained here: https://stackoverflow.com/questions/19199293/create-a-pfx-file-from-a-cer-and-a-pem-file – denvercoder9 May 15 '19 at 20:19
4 Answers
One of the other answers touched on it, but I wanted to add some context/detail as well as I spent a lot of time searching for the root of this problem. Killing the smart card-related services did not work, nor did disabling the related policy with gpedit.
When you run certutil with the -repairstore option, Windows runs through its list of CSPs (Configuration Service Providers), one of which is the "Microsoft Smart Card Key Storage Provider" - that's the one that causes the prompt to enter your smart card. As the above answer stated, the most likely cause is that you are attempting to install a certificate file (.crt, .cer, .pem, etc.) that does not have a corresponding key on the VM, so Windows is cycling through the various CSPs looking for a valid key but cannot find one. There are two possible solutions to this problem:

1. You should generate your CSR (Certificate Signing Request) through IIS > Server Certificates > Create Certificate Request. This will ensure that the key is generated locally and the appropriate key store is aware of it. Use that CSR to get your certificate from GoDaddy or whoever your provider is, then you should be able to go to IIS > Server Certificates > Complete Certificate Request to install the certificate and avoid certutil altogether.

2. If you still can't get it to work and are sure the key was generated locally, the -csp option for certutil will allow you to specify which CSP to use when validating the certificate, thereby eliminating the need for Windows to try the smart card CSP. You can get the installed CSPs on your system by running certutil -csplist - the "Provider Name" value is what you pass to certutil. For example,

certutil -csp "Microsoft Software Key Storage Provider" -repairstore ...

would force certutil to validate against the Microsoft Software Key Storage Provider. Make sure you use quotes since there are spaces in the names.
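The following PowerShell script is an added example and is not code from the answer above or from Microsoft. It walks the second solution end to end: it reads the thumbprint from the .cer file, parses the "Provider Name" lines that certutil -csplist prints to confirm the software key storage provider is present, checks whether the certificate in the LocalMachine store already has a private key bound, and only then runs -repairstore pinned to that provider so the smart card provider is never consulted. The certificate path and store name are placeholders you would replace; the provider name is the one the answer cites.

```powershell
# Added example, not code from the answer above. Assumptions: the .cer path and
# the store name are placeholders; the provider name is the one the answer cites.
param(
    [string]$CertPath = 'C:\certs\example-com.cer',          # placeholder
    [string]$Store    = 'My',                                 # LocalMachine\My (Personal)
    [string]$Provider = 'Microsoft Software Key Storage Provider'
)

# 1. Take the thumbprint from the file itself rather than copying it by hand.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$thumb = $cert.Thumbprint
Write-Host "Certificate $($cert.Subject), thumbprint $thumb"

# 2. Parse the 'Provider Name: ...' lines from certutil -csplist and confirm the
#    provider we intend to pin is actually installed on this host.
$providers = certutil -csplist | ForEach-Object {
    if ($_ -match '^Provider Name:\s*(.+)$') { $Matches[1].Trim() }
}
if ($providers -notcontains $Provider) {
    throw "Provider '$Provider' is not installed. Installed providers: $($providers -join '; ')"
}

# 3. Make sure the public certificate is in the store, and stop early if a
#    private key is already associated with it (nothing to repair then).
$installed = Get-ChildItem "Cert:\LocalMachine\$Store" | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $installed) {
    certutil -addstore $Store $CertPath | Out-Null     # imports the public cert only
    $installed = Get-ChildItem "Cert:\LocalMachine\$Store" | Where-Object { $_.Thumbprint -eq $thumb }
}
if ($installed.HasPrivateKey) {
    Write-Host 'A private key is already bound to this certificate; no repair needed.'
    return
}

# 4. Re-associate the certificate with its locally generated key, searching only
#    the named provider so the smart card provider is never consulted.
certutil -csp $Provider -repairstore $Store $thumb
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No key matching $thumb was found in '$Provider'. The CSR was most likely generated on a different machine, so the key has to come from there."
}
```

Run it from an elevated PowerShell session, since it touches the LocalMachine store. A non-zero exit code from step 4 is the useful signal: the software provider holds no key for this certificate, which means the request was not generated on this machine and no amount of re-running -repairstore will find one; the key has to be brought over from the host that created the CSR.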
What would other examples of providers be? Is this the provider of the cert, like GoDaddy? – whisk Jul 14 '22 at 14:11
Make sure you make the original certificate request on the same Windows server where the domain is hosted. Then complete the request with the p7b provided by the SSL supplier and you won't have any problems.
This question might be a bit old, but I came across this error with another cause:
I have multiple servers trying to import the certificate. However, the cert request was generated from one server. In that case, I imported to the original server which created the request, exported everything from the MMC (including the private key), and re-imported the PFX file to the other servers.
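The move described in this answer, as an added PowerShell example that is not code from the answer or from Microsoft: one function exports the certificate with its private key from the server that generated the request, and a second imports the resulting PFX on each other server and verifies that a private key is actually bound afterwards, which is the property certutil -repairstore was failing to establish. The thumbprint, file path and password handling are placeholders; the cmdlets are the standard Export-PfxCertificate and Import-PfxCertificate from the PKI module.

```powershell
# Added example, not code from the answer above. Thumbprint, path and password
# handling are placeholders. Run Export-CertWithKey on the server that created
# the CSR, copy the PFX, then run Import-CertWithKey on each other server.

function Export-CertWithKey {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    # Only the server whose CSR produced the certificate holds the private key.
    if (-not $cert.HasPrivateKey) {
        throw 'This server has no private key for the certificate; export from the server that generated the request.'
    }
    # BuildChain bundles the issuing chain so the importing host does not need it separately.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
    Get-Item $PfxPath
}

function Import-CertWithKey {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Without -Exportable the key lands non-exportable, so it cannot be pulled
    # off the secondary servers again.
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
    # Confirm the key actually came across with the certificate.
    if (-not $imported.HasPrivateKey) {
        throw 'Import succeeded but no private key was bound to the certificate.'
    }
    Remove-Item $PfxPath          # do not leave the key-bearing file on disk
    $imported
}

# Usage (placeholders):
# $pw = Read-Host -AsSecureString 'PFX password'
# Export-CertWithKey -Thumbprint 'PLACEHOLDER_THUMBPRINT' -PfxPath 'C:\transfer\site.pfx' -Password $pw
# ... copy C:\transfer\site.pfx to the other server, then there:
# Import-CertWithKey -PfxPath 'C:\transfer\site.pfx' -Password $pw
```

Export-PfxCertificate only succeeds if the key was created exportable on the originating server; if it was not, the request has to be regenerated there with an exportable key before this route works. Keeping the imported key non-exportable on the secondary servers and deleting the PFX after import limits how far the private key can spread.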