Preventing Win 10 from automatically installing certificates from smart cards


QUESTION :

A short background on the issue. I have a Yubikey 5 with PIV containing 3 personal certificates. One of the certificates is also installed locally on my Win 10 machine. All the certificates contain the private keys as well.

Whenever I insert the Yubikey into this Win 10 machine, the public portions of the certificates that are not present in the certificate store are copied there. That’s not desirable behavior, but I can live with that. However, the certificate (with a private key) that exists on both the Yubikey and the certificate store is stripped of its private key on the machine. Hence, I end up with the full certificate on my Yubikey and only the public portion of it on my Win 10 machine.

It is really disruptive and requires a full reinstall of this certificate on the Windows machine only to be messed up again the next time I insert the Yubikey. Is there a way to disable automatic certificate discovery (specifically from PIV-enabled smart cards)? Thanks.

ANSWER :

You need to stop and disable the Certificate Propagation Service (CertPropSvc) in services.msc.
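
The same change made from an elevated PowerShell prompt instead of services.msc, as an added example that is not part of the original answer. It records the service's previous state so the change can be reverted, and checks the result afterwards.

```powershell
#Requires -RunAsAdministrator
# Added example: stop and disable the Certificate Propagation Service.
$name = 'CertPropSvc'

# Record the current configuration so the change can be reverted later.
$before = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
if (-not $before) { throw "Service $name not found on this machine." }
Write-Host "Before: State=$($before.State) StartMode=$($before.StartMode)"

# Stop the running instance, then prevent it from being started again.
if ($before.State -ne 'Stopped') {
    Stop-Service -Name $name -Force -ErrorAction Stop
}
Set-Service -Name $name -StartupType Disabled -ErrorAction Stop

# Verify the result instead of assuming the commands took effect.
$after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
Write-Host "After:  State=$($after.State) StartMode=$($after.StartMode)"
if ($after.State -ne 'Stopped' -or $after.StartMode -ne 'Disabled') {
    throw "$name is still $($after.State)/$($after.StartMode)."
}

# To revert, set the start type back to the value printed under "Before"
# (Win32_Service reports 'Auto' where Set-Service expects 'Automatic'), e.g.:
#   Set-Service -Name CertPropSvc -StartupType Manual
```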
