I am trying to run certutil -repairstore and keep getting prompted for a smart card. This is a VM on AWS and a smart card is not an option. Any thoughts on how to bypass the smart card and get the repair to complete are appreciated.
Navigate to “Computer Configuration > Policies > Windows Settings > Local Policies > Security Options > Interactive logon: Require smart cards”. Right-click “Interactive logon: Require smart cards” and select “Edit.” In the Properties dialog, select “Disabled” to turn off this service.
In the navigation pane, select Certificates. In the details pane, locate the certification authority certificate that was issued for the Smart Card template. This file should have the name of your Smart card user. Right-click this certificate, select All Tasks, and then choose Export.
Insert the card in the card reader and wait for the card reader software to start. The card reader software will start the activation process automatically when you place the card in the reader the first time. Enter the activation code in the letter and enter the basic PIN you have decided to use twice (PIN1).
Assign the existing private key to a new certificate: Sign in to the computer that issued the certificate request by using an account that has administrative permissions. Select Start, select Run, type mmc, and then select OK. On the File menu, select Add/Remove Snap-in. In the Add/Remove Snap-in dialog box, select Add.
One of the other answers touched on it, but I wanted to add some context/detail as well as I spent a lot of time searching for the root of this problem. Killing the smart card-related services did not work, nor did disabling the related policy with gpedit.
When you run certutil with the -repairstore option, Windows runs through its list of CSPs (Configuration Service Providers), one of which is the "Microsoft Smart Card Key Storage Provider" - that's the one that causes the prompt to enter your smart card. As the above answer stated, the most likely cause is that you are attempting to install a certificate file (.crt, .cer, .pem, etc.) that does not have a corresponding key on the VM, so Windows is cycling through the various CSPs looking for a valid key but cannot find one. There are two possible solutions to this problem:
You should generate your CSR (Certificate Signing Request) through IIS > Server Certificates > Create Certificate Request. This will ensure that the key is generated locally and the appropriate key store is aware of it. Use that CSR to get your certificate from GoDaddy or whoever your provider is, then you should be able to go to IIS > Server Certificates > Complete Certificate Request to install the certificate and avoid certutil altogether.
If you still can't get it to work and are sure the key was generated locally, the -csp option for certutil will allow you to specify which CSP to use when validating the certificate, thereby eliminating the need for Windows to try the smart card CSP. You can get the installed CSPs on your system by running certutil -csplist - the "Provider Name" value is what you pass to certutil. For example, certutil -csp "Microsoft Software Key Storage Provider" -repairstore ... would force certutil to validate against the Microsoft Software Key Storage Provider. Make sure you use quotes since there are spaces in the names.
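As an added illustration (not part of the original answer), a PowerShell helper that puts the two checks together on the VM: list certificates in the machine store that have no private key (the case -repairstore cannot fix), pull the "Provider Name" values out of certutil -csplist, and run -repairstore pinned to the software KSP so the smart card provider is never consulted. The thumbprint parameter is a placeholder you supply; the store and provider names are the defaults the answer discusses.

```powershell
# Added example: diagnose and repair a machine-store certificate without the smart card prompt.
param(
    # Thumbprint (SHA1 hash) of the certificate to repair. Placeholder: supply your own.
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,
    # Provider to pin. Must match a "Provider Name" line from certutil -csplist exactly.
    [string]$Csp = 'Microsoft Software Key Storage Provider',
    # certutil store name; "My" is the Personal store of the local machine.
    [string]$Store = 'My'
)

# 1. Certificates in the machine store with no associated private key.
#    If the target thumbprint appears here, the key was never generated on this VM and
#    -repairstore cannot help; regenerate the CSR locally (IIS > Create Certificate Request).
$orphaned = Get-ChildItem "Cert:\LocalMachine\$Store" | Where-Object { -not $_.HasPrivateKey }
if ($orphaned.Thumbprint -contains $Thumbprint) {
    Write-Warning "No private key for $Thumbprint in LocalMachine\$Store; the key is not on this host."
}
$orphaned | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize

# 2. Parse the "Provider Name: ..." lines that certutil -csplist prints into plain names.
$providers = certutil -csplist | ForEach-Object {
    if ($_ -match '^\s*Provider Name:\s*(.+?)\s*$') { $Matches[1] }
}
if ($providers -notcontains $Csp) {
    throw "Provider '$Csp' is not installed. Available: $($providers -join ', ')"
}

# 3. Repair with the provider pinned. Quotes matter because provider names contain spaces;
#    with -csp set, certutil does not cycle through the smart card KSP.
certutil -csp "$Csp" -repairstore $Store $Thumbprint
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE"
}
```

Run from an elevated PowerShell session, since the machine store requires administrative rights to modify.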