Back Up and Restore Using YubiHSM KSP

YubiHSM Key Storage Provider (KSP) enables backing up and restoring the keys managed using this tool.

Note

Microsoft Active Directory Certificate Services (ADCS) does not set the NCRYPT_ALLOW_EXPORT_FLAG when generating a key, either through the setup UI or the Install-ADCSCertificationAuthority PowerShell module.

When creating an ADCS root CA key using the YubiHSM 2, we add the exportable-under-wrap Capability by default. Back up and restore functionality is therefore available using the following manual processes.

  1. Identify Your Private Key Container Name
  2. Back Up the Target Certificate
  3. Back Up the Target Private Key
  4. Restore the Target Private Key
  5. Restore the Target Certificate.

Identify Your Private Key Container Name

Step 1:To view the currently installed certificates in the Local Machine “My” store, open an elevated command prompt/shell by using the certutil command PS1> certutil -store My
Step 2:Find the target certificate in the list and then find its Key Container property. The Provider property should be the same as YubiHSM Key Storage Provider.
Step 3:To identify the certificate, record the Cert Hash property.

Back Up the Target Certificate

Using any available means (certmgr.msc, PowerShell, certutil), export the target certificate, but without the private key in DER format.

Note

The YubiHSM does not provide a mechanism for returning the raw private key to Windows, so generating a PKCS#12 container is not currently possible.

For example, to export the certificate in .crt format to a file named <Cert Hash>.crt, use the command PS1> certutil -split -store My <Cert Hash>.

Back Up the Target Private Key

Export the target private key with the label property equal to the Key Container property. To do this,

  1. Use an Authentication Key with the export-wrapped capability set.
  2. Use the instructions for exporting a private key under wrap via yubihsm-shell (see Back Up).

Restore the Target Private Key

Import the target private key file to your backup YubiHSM. To do this,

  1. Use an Authentication Key with the import-wrapped capability set.
  2. Use the instructions for importing a private key under wrap via yubihsm-shell (see Restore).

The imported key object should have the same Label property as the original object.

Restore the Target Certificate

Before the certificate is imported to the local machine, it does not have an associated private key.

Step 1:

Move the target certificate file generated as per Back Up to the target machine by importing the certificate to the LocalMachine “My” store. Use your preferred method.

Step 2:

Re-associate the certificate to the private key by using the -repairstore functionality of certutil.

Step 3:

Verify that the target private key is visible via the YubiHSM KSP: list all private keys (and their corresponding container names - which are equal to the Label property in the YubiHSM visible to the current Authentication Key) by using

PS1> certutil -key -csp "YubiHSM Key Storage Provider"

Step 4:

Open an elevated prompt and execute the command:

PS1> certutil -repairstore MY <Cert Hash>

Step 5:

To verify that the certificate has been associated with the YubiHSM Key Storage Provider and has the correct Key Container property value, repeat the steps under Identify Your Private Key Container Name.