
Importing a Private Key to HSM

To import the private key (from AD CS backup) into the Securosys HSM, perform the following steps:

  • Open a Command Shell with administrator rights
  • Import the private key by using certutil.exe.
Note: You will be asked for the passphrase that decrypts the PKCS#12 file (set during the backup procedure). Consult the command help (certutil -importpfx -?) for further options and modifiers, for example whether the private key may be exported or not.

certutil -f -v [-p "<passphrase>"] -csp "Securosys Primus HSM Key Storage Provider" -importpfx <myBackupFolder>\<myCAPrivateKeyBackup>.p12 [FriendlyName="<myCAName>",KeyFriendlyName="<myCAName>",NoExport|ExportEncrypted]

Example:

certutil -f -v -csp "Securosys Primus HSM Key Storage Provider" -importpfx myDemoCA\myDemoCA.p12

CRYPT_IMPL_HARDWARE -- 1
(CRYPT_IMPL_SOFTWARE -- 2)
(CRYPT_IMPL_MIXED -- 3)
(CRYPT_IMPL_UNKNOWN -- 4)
(CRYPT_IMPL_REMOVABLE -- 8)
Enter PFX password:
Certificate "myDemoCA" added to store.

CertUtil: -importPFX command completed successfully.
  • Re-export the resulting AD CS certificate and private key to a .pfx file:
certutil -exportpfx my myDemoCA myDemoCAPrimus.p12

my "Personal"
================ Certificate 43 ================
Serial Number: 3aa837d2cf1289b241b9ee87a5474b4f
Issuer: CN=myDemoCA
NotBefore: 10.08.2021 14:14
NotAfter: 10.08.2026 14:22
Subject: CN=myDemoCA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 19f647a3f4e60eabc126d73ef1ef6e9f84224997
Key Container = myDemoCA-5727d8fe-7fce-4c02-9af0-7d0b4de67a2f
Provider = Securosys Primus HSM Key Storage Provider
Private key is NOT plain text exportable
Signature test passed
Enter new password for output file myDemoCAPrimus.p12:
Enter new password:
Confirm new password:
CertUtil: -exportPFX command completed successfully.
  • Remove the previously imported AD CS key:
certutil -delkey -csp "Securosys Primus HSM Key Storage Provider" myDemoCA-5727d8fe-7fce-4c02-9af0-7d0b4de67a2f

myDemoCA-5727d8fe-7fce-4c02-9af0-7d0b4de67a2f
CertUtil: -delkey command completed successfully.
  • Restore the exported .pfx file on AD CS so that the key is restored under its original private key name, by running the following command:
certutil -restorekey myDemoCAPrimus.p12

Enter PFX password:
Restored keys and certificates for WIN-E99A37QE5JP\myDemoCA from myDemoCAPrimus.p12.
CertUtil: -restoreKey command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.
  • Link the existing CA certificate with the private key in the new key storage provider by using the Microsoft command line tool:
certutil -f -repairstore -csp "Securosys Primus HSM Key Storage Provider" my <OriginalKeyName>|<Cert Hash>|<Serialnumber>

certutil -f -repairstore -csp "Securosys Primus HSM Key Storage Provider" my myDemoCA

my "Personal"
================ Certificate 43 ================
Serial Number: 3aa837d2cf1289b241b9ee87a5474b4f
Issuer: CN=myDemoCA
NotBefore: 10.08.2021 14:14
NotAfter: 10.08.2026 14:22
Subject: CN=myDemoCA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 19f647a3f4e60eabc126d73ef1ef6e9f84224997
Key Container = myDemoCA
Provider = Securosys Primus HSM Key Storage Provider
Securosys Primus HSM Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(RSA:CNG) test skipped
Signature test passed
CertUtil: -repairstore command completed successfully.
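The five steps above can be chained into one script that stops at the first failed certutil call and verifies, after the import and again at the end, that the key really lives in the HSM key storage provider under the original container name. The following PowerShell is an added example written for this page, not a script from Securosys or Microsoft; it assumes a CA named myDemoCA, a backup at C:\CABackup\myDemoCA.p12 and an output file C:\CABackup\myDemoCAPrimus.p12 (all constructed), and that exactly one entry in the Personal store matches the CA name. The passphrase prompts are left to certutil (no -p option), so the passphrase never appears on a command line, in process listings or in shell history.

```powershell
# Added example (not Securosys' or Microsoft's own script): runs the page's
# certutil steps in order and checks the result after the import and at the end.
# Assumed values, constructed for this example: CA "myDemoCA", backup
# C:\CABackup\myDemoCA.p12, re-export target C:\CABackup\myDemoCAPrimus.p12.
#Requires -RunAsAdministrator
param(
    [string]$CaName    = 'myDemoCA',
    [string]$BackupPfx = 'C:\CABackup\myDemoCA.p12',
    [string]$HsmPfx    = 'C:\CABackup\myDemoCAPrimus.p12'
)
$ErrorActionPreference = 'Stop'
$Ksp = 'Securosys Primus HSM Key Storage Provider'

# Steps that prompt for a PFX passphrase run uncaptured so the prompt stays
# visible; -p is deliberately not used, keeping the passphrase out of the
# command line, process listings and shell history.
function Invoke-CertUtil([string[]]$Arguments) {
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# Dump the CA entry from the Personal store (no prompt, so the output can be
# captured) and extract the key container and provider the checks depend on.
function Get-CaKeyInfo {
    $dump = & certutil.exe -store my $CaName 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -store my $CaName failed" }
    [pscustomobject]@{
        Container = [regex]::Match($dump, 'Key Container = (\S+)').Groups[1].Value
        Provider  = [regex]::Match($dump, 'Provider = (.+)').Groups[1].Value.Trim()
    }
}

# 1. Import the AD CS backup into the HSM key storage provider.
Invoke-CertUtil @('-f', '-v', '-csp', $Ksp, '-importpfx', $BackupPfx)
$imported = Get-CaKeyInfo
if ($imported.Provider -ne $Ksp) {
    throw "Key landed in provider '$($imported.Provider)', not in '$Ksp'"
}
Write-Host "Imported key container: $($imported.Container)"

# 2. Re-export certificate and key; the container now carries a GUID suffix.
Invoke-CertUtil @('-exportpfx', 'my', $CaName, $HsmPfx)

# 3. Remove the imported key, addressed by its GUID-suffixed container name.
Invoke-CertUtil @('-delkey', '-csp', $Ksp, $imported.Container)

# 4. Restore the re-exported file so the key comes back under the original name.
Invoke-CertUtil @('-restorekey', $HsmPfx)

# 5. Re-link the CA certificate with the key in the HSM provider and require
#    certutil's own signature test to pass.
$repair = & certutil.exe -f -repairstore -csp $Ksp my $CaName 2>&1 | Out-String
Write-Host $repair
if ($LASTEXITCODE -ne 0 -or $repair -notmatch 'Signature test passed') {
    throw '-repairstore did not confirm a working signature with the HSM key'
}

# Final check: the container is the plain CA name and lives in the HSM provider.
$final = Get-CaKeyInfo
if ($final.Container -ne $CaName -or $final.Provider -ne $Ksp) {
    throw "Expected container '$CaName' in '$Ksp', got '$($final.Container)' in '$($final.Provider)'"
}
Write-Host "CA key '$CaName' is bound to '$Ksp'. Restart CertSvc to activate it: Restart-Service CertSvc"
```

The script reads the key container name from certutil -store rather than from the -exportpfx output, because the export step prompts for a password and capturing its output would hide that prompt. The final container check is the one worth keeping in any migration runbook: if -restorekey did not bring the key back under the original name, AD CS will not find it after the CertSvc restart mentioned above.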