The certificate will be an Encrypting File System (EFS) self-signed smart card certificate.
- Control Panel > User Accounts > Manage your file encryption certificates
Create new and store locally
- Applications > PIV > PIN Management
- Change Management Key
If this is the first time, check 'Use default'.
Generate a new management key and store a copy for later.
- Change PUK
If this is the first time, check 'Use default'.
- Change PIN
If this is the first time, check 'Use default'.
- Applications > PIV > Configure Certificates > Card Authentication > Import
You will need the password for the certificate and the PIV management key.
To associate the object identifier (also known as OID) of this certificate with BitLocker, you need to modify the associated Group Policy setting.
$> certutil -scinfo
Look for the EFS certificate and find the line Application[0] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System. The dotted number is the OID.
- gpedit.msc
- Computer Configuration > Administrative templates > Windows Components > BitLocker Drive Encryption
- Validate smart card certificate usage rule compliance
- Enabled
- Set Object identifier
Allow the use of self-signed certificates.
- regedit
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE
- New DWORD (32-bit) Value
- 'SelfSignedCertificates'
- Value data '1'
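The two policy changes above can be checked and applied from an elevated PowerShell session. The following is an added example, not part of the original guide: it parses the certutil -scinfo output for the EFS EKU OID shown above, writes the SelfSignedCertificates DWORD from the registry step, and shows the resulting values. The CertificateOID string value is an assumption about how gpedit stores the "Validate smart card certificate usage rule compliance" setting; if you are unsure, set that rule through gpedit.msc and use this script only to read it back.

```powershell
# Added example (not from the original guide). Run elevated.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$EfsOid       = '1.3.6.1.4.1.311.10.3.4'   # EFS EKU OID, as shown by certutil -scinfo in the guide

# 1. Collect the EKU OIDs certutil reports for the inserted smart card.
#    Lines look like: "Application[0] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System"
$scinfo = certutil -scinfo 2>&1 | Out-String
$oids = [regex]::Matches($scinfo, 'Application\[\d+\]\s*=\s*(\d+(?:\.\d+)+)\s*([^\r\n]*)') |
    ForEach-Object { [pscustomobject]@{ Oid = $_.Groups[1].Value; Name = $_.Groups[2].Value.Trim() } } |
    Sort-Object Oid -Unique

if ($oids.Oid -notcontains $EfsOid) {
    Write-Warning "No certificate with the EFS EKU ($EfsOid) was found on the inserted smart card."
}
$oids | Format-Table -AutoSize

# 2. Allow self-signed certificates: SelfSignedCertificates (DWORD) = 1, as in the regedit step.
if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
New-ItemProperty -Path $FvePolicyKey -Name 'SelfSignedCertificates' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Usage rule OID. ASSUMPTION: gpedit stores the "Validate smart card certificate usage rule
#    compliance" OID as the string value CertificateOID under the same key.
New-ItemProperty -Path $FvePolicyKey -Name 'CertificateOID' -PropertyType String -Value $EfsOid -Force | Out-Null

# 4. Read back what is now in effect so the two settings can be confirmed together.
Get-ItemProperty -Path $FvePolicyKey | Select-Object SelfSignedCertificates, CertificateOID
```

SelfSignedCertificates = 1 means BitLocker will accept any self-signed certificate that matches the OID rule, so keep the rule set to the EFS OID rather than leaving it empty, and apply the value only on machines that actually need smart card unlock.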
Now to add the drive to BitLocker.
- Control Panel > System and Security > BitLocker Drive Encryption
- Select the drive and Turn BitLocker on
- Use my smart card to unlock the drive
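Once the drive has been added, it is worth confirming that a certificate (smart card) protector is actually present and that a recovery password exists alongside it. This is an added example using the BitLocker PowerShell module, not part of the original guide; the drive letter D: is a constructed placeholder, and the protector type name Certificate is as reported by Get-BitLockerVolume.

```powershell
# Added example (not from the original guide). Requires the BitLocker module (Windows 8 and later).
function Test-SmartCardProtector {
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $cert  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Certificate' })
    $other = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -ne 'Certificate' })

    [pscustomobject]@{
        MountPoint              = $vol.MountPoint
        VolumeStatus            = $vol.VolumeStatus      # e.g. FullyEncrypted, EncryptionInProgress
        ProtectionStatus        = $vol.ProtectionStatus  # On only once encryption has finished
        EncryptionMethod        = $vol.EncryptionMethod
        CertificateProtectors   = $cert.Count
        OtherProtectorTypes     = ($other.KeyProtectorType -join ', ')
        RecoveryPasswordPresent = [bool]($other | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
}

# Constructed example: a data drive mounted as D:. Replace with the drive you enabled above.
$report = Test-SmartCardProtector -MountPoint 'D:'
$report | Format-List

if ($report.CertificateProtectors -eq 0) {
    Write-Warning "No certificate protector on $($report.MountPoint); smart card unlock is not configured."
}
if (-not $report.RecoveryPasswordPresent) {
    Write-Warning "No recovery password protector; a lost or reset smart card would make the drive unrecoverable."
}
```

If the report shows a certificate protector but ProtectionStatus is Off, encryption is still in progress; check VolumeStatus again once it reports FullyEncrypted.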