
Scenario:

  1. Using Amazon CloudHSM with CloudHSM Windows Client installed and configured.
  2. Created CSR for a Code Signing certificate with certreq.exe and provider Cavium Key Storage Provider.
  3. Submitted CSR for signing to CA.
  4. Accepted signed certificate with certreq.exe.

Now I have a certificate on one server that is linked to the private key on our Amazon CloudHSM.

I need this same certificate on another server. I have installed and configured Windows CloudHSM client on the other server and am able to use the Cavium HSM command line utilities to connect to the HSM and see the keys for the certificate I created earlier from the other server.

I have tried importing the certificate (without private key) into this server's certificate store (success) and then linking the certificate with the private key on the HSM using certutil.exe -repairstore but I am unable to get it to work.

>certutil -csp "Cavium Key Storage Provider" -repairstore my 1
my "Personal"
================ Certificate 1 ================
Serial Number: 82af82b36ca545710000000655668982
Issuer: CN=Entrust Code Signing CA - OVCS1, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See http://www.entrust.net/legal-terms, O=Entrust, Inc., C=US
 NotBefore: 2/12/2019 11:12 AM
 NotAfter: 3/3/2020 11:42 AM
Subject: CN=A Company, O=An organization, L=Los Angeles, S=California, C=US
Non-root Certificate
Cert Hash(sha1): f63e9db72dece2e7950c8ac878ae96388b8875c7
        SDK Version: 2.03
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.

In the certificate store, there is no key provider information because I just imported the certificate without the private key.

So, how do I import the certificate so that it is linked to the Cavium Key Storage Provider, or how do I set the certificate's key provider after importing so that I can link it with certutil -repairstore to the private key on the HSM?

And if that's the wrong path, my ultimate question is: How do I install an HSM backed certificate on a second server?

MikeJansen

1 Answer

Your guess about certutil is correct and certutil -repairstore should do the trick. The only requirement is that the HSM middleware must be installed on the target machine and the target machine can access the keys on the HSM.

Alternatively, you may try to use the CertSetCertificateContextProperty CryptoAPI function and set the CERT_KEY_PROV_INFO_PROP_ID property, which will include the provider name and the key container name within the provider. This information can be retrieved from the machine where the private key is recognized.

Crypt32
  • I haven't done C++ in over 15 years, so I'm looking for a .NET managed way to set certificate properties (and not just a P/Invoke translation of the C/C++ calls) to see if this works. If I can't find one, I'll attempt P/Invoke or native C++. – MikeJansen Mar 04 '19 at 15:25
  • The fact that `certutil` is responding "No key provider information" seems to reflect the fact that the imported certificate had no key provider information, and it seems to be ignoring the key provider I specified on the command line. So unless `certutil` has other parameter combinations that will make it work, I don't think it will work for me. – MikeJansen Mar 04 '19 at 15:27
  • `If I can't find one` you won't find one, because there is no managed solution in .NET, only a translated P/Invoke solution. Also, I would try to export the source certificate as a serialized store, import the `.sst` file on the destination machine and see if certutil will work. SST will copy key container information along with the certificate. – Crypt32 Mar 04 '19 at 15:53
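The route the answer describes (set CERT_KEY_PROV_INFO_PROP_ID with CertSetCertificateContextProperty, taking the provider and container names from the machine where the key is already recognized), written out as an added example for this page; it is not code from the question, the answer, or the AWS CloudHSM / Cavium client. It is the P/Invoke translation the comments talk about, driven from Windows PowerShell: on the first server `Export-KeyProvInfo` reads the property off the working certificate and saves the names (no key material leaves the HSM, only the container and provider names); on the second server `Import-KeyProvInfo` imports the public certificate, writes the same property onto it and then lets `certutil -repairstore` confirm the link. It assumes Windows PowerShell 5.1 on .NET Framework, the certificate in LocalMachine\My on both servers, the CloudHSM client installed on both, and that a property set on a certificate context enumerated from a system store is persisted into that store (the same mechanism certutil -repairstore relies on). The function names, the JSON file and the `$Thumbprint` / `$CerPath` parameters are the example's own.

```powershell
# Added example: copy CERT_KEY_PROV_INFO_PROP_ID from one server to another via P/Invoke.
# Assumed environment: Windows PowerShell 5.1, certificate in Cert:\LocalMachine\My,
# Cavium Key Storage Provider reachable from both machines.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class KeyProvInfo
{
    public const uint CERT_KEY_PROV_INFO_PROP_ID = 2;   // wincrypt.h

    // CRYPT_KEY_PROV_INFO, the payload of that property.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct CRYPT_KEY_PROV_INFO
    {
        [MarshalAs(UnmanagedType.LPWStr)] public string pwszContainerName; // key name inside the KSP
        [MarshalAs(UnmanagedType.LPWStr)] public string pwszProvName;      // e.g. "Cavium Key Storage Provider"
        public uint   dwProvType;   // 0 for a CNG key storage provider
        public uint   dwFlags;      // e.g. CRYPT_MACHINE_KEYSET (0x20)
        public uint   cProvParam;
        public IntPtr rgProvParam;
        public uint   dwKeySpec;    // CERT_NCRYPT_KEY_SPEC (0xFFFFFFFF) marks a CNG key
    }

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertGetCertificateContextProperty(IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertSetCertificateContextProperty(IntPtr pCertContext, uint dwPropId, uint dwFlags, ref CRYPT_KEY_PROV_INFO pvData);

    // Read the property from a certificate whose private key is already linked.
    public static CRYPT_KEY_PROV_INFO Get(IntPtr certContext)
    {
        uint cb = 0;
        if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, IntPtr.Zero, ref cb))
            throw new Win32Exception(Marshal.GetLastWin32Error());   // CRYPT_E_NOT_FOUND when no key info
        IntPtr buf = Marshal.AllocHGlobal((int)cb);
        try
        {
            if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, buf, ref cb))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // PtrToStructure copies the two LPWSTR fields into managed strings before the buffer is freed.
            return (CRYPT_KEY_PROV_INFO)Marshal.PtrToStructure(buf, typeof(CRYPT_KEY_PROV_INFO));
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // Write the property; crypt32 copies the struct, and a context that came from a
    // system store persists the property into that store (assumption stated in the lead-in).
    public static void Set(IntPtr certContext, CRYPT_KEY_PROV_INFO info)
    {
        info.cProvParam = 0; info.rgProvParam = IntPtr.Zero;
        if (!CertSetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, 0, ref info))
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }
}
'@

# Server A (key already linked): record container/provider names, nothing secret.
function Export-KeyProvInfo {
    param([Parameter(Mandatory)][string]$Thumbprint, [string]$Path = '.\keyprovinfo.json')
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $info = [KeyProvInfo]::Get($cert.Handle)
    [pscustomobject]@{
        Container = $info.pwszContainerName; Provider = $info.pwszProvName
        ProvType  = $info.dwProvType;        Flags    = $info.dwFlags; KeySpec = $info.dwKeySpec
    } | ConvertTo-Json | Set-Content -Path $Path
}

# Server B: import the public cert, attach the same key provider info, let certutil verify.
function Import-KeyProvInfo {
    param([Parameter(Mandatory)][string]$CerPath, [string]$InfoPath = '.\keyprovinfo.json')
    $saved = Get-Content -Path $InfoPath -Raw | ConvertFrom-Json
    $new   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        if (-not $store.Certificates.Contains($new)) { $store.Add($new) }
        # Re-fetch so the handle is a context owned by the store, not the in-memory copy from the file.
        $cert = $store.Certificates.Find('FindByThumbprint', $new.Thumbprint, $false)[0]
        $info = [KeyProvInfo+CRYPT_KEY_PROV_INFO]::new()
        $info.pwszContainerName = $saved.Container
        $info.pwszProvName      = $saved.Provider
        $info.dwProvType        = [uint32]$saved.ProvType
        $info.dwFlags           = [uint32]$saved.Flags
        $info.dwKeySpec         = [uint32]$saved.KeySpec
        [KeyProvInfo]::Set($cert.Handle, $info)
    } finally { $store.Close() }
    # With the property in place certutil can open the HSM key; a failure here means the
    # names are right but this server cannot reach that key through the KSP.
    certutil -repairstore my $new.Thumbprint
}
```

Run `Export-KeyProvInfo -Thumbprint f63e9db72dece2e7950c8ac878ae96388b8875c7` on the server that already has the working certificate, copy the resulting JSON and the public `.cer` (exported without the key) to the second server, then run `Import-KeyProvInfo -CerPath .\codesign.cer` there. The same property can also be set from an INF file with `certutil -repairstore my <CertId> <PropertyInfFile>` (see `certutil -repairstore -?`); the values to put in it are the ones `Export-KeyProvInfo` records.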