Move Software Keys to Key Storage Provider
If the target private key is managed by the Microsoft Software Key Storage Provider, another software provider, or any other KSP that allows export via PKCS#12 PFX, it is possible to move your key to the YubiHSM 2, but results may vary.
This process relies on using the
-repairstore functionality of the
certutil command, so the private key must only be present via the YubiHSM Key Storage Provider when performing this step. Please refer to the source storage provider documentation for how to cleanly and completely delete a private key.
Because KSP implementations differ, we recommend testing this procedure using your existing provider before affecting a live system.
Export your Existing Private Key and Certificate
Refer to your current KSP documentation on how to obtain a PKCS#12 PFX export of your certificate and private key.
Once you have obtained your PFX file, split the certificate from the PFX file using
PS1> certutil -split -dump <pfx file>
This will create a file named
If you are moving the key to the YubiHSM 2 on the same machine, you must delete the original private key in your current provider. To do so, first execute
PS1> certutil -key
Locate the key that corresponds with the CA. It may look something like this:
Microsoft Software Key Storage Provider: EXAMPLE-CA abcdef1234fedcba4321abcdef123456_9cfc1053-1b5a-44d7-8a7e -3a8a1c0d0db0 RSA AT_KEYEXCHANGE
To delete this example private key, execute:
PS1> certutil -delkey -csp "Microsoft Software Key Storage Provider" "abcdef1234fedcba4321abcdef123456_9cfc1053-1b5a-44d7-8a7e-3a8a1c0d0db0"
Import the Target Private Key
Using the instructions for importing a PFX private key via
yubihsm-shell, import the target private key file to your YubiHSM 2.
Record the Label property of your imported key.
certutil utility does not provide an easy way to split a key exported from the Software KSP into an unencrypted PEM file. It may be necessary to use another tool like OpenSSL to convert the key file to an unencrypted format for import into the HSM. For example, to export the private key, execute
PS1> openssl pkcs12 -in <pfx file> -nocerts -out ca.key -nodes
To remove the passphrase from the private key, execute
PS1> openssl rsa -in ca.key -out ca.key
Restore the Target Certificate
Move the target certificate file (
<Cert Hash>.crt) to the target machine.
Import the certificate to the LocalMachine “My” store via your favorite method. At this point, the certificate will not have an associated private key. We’ll use the
-repairstore functionality of
certutil to re-associate the certificate to the private key.
Make sure that the target private key is visible via the YubiHSM KSP, using
PS1> certutil -key -csp "YubiHSM Key Storage Provider"
This command will list all private keys (and their corresponding container names - which are equal to the Label property in the YubiHSM 2) visible to the current Authentication Key.
Open an elevated prompt and execute the command
PS1> certutil -repairstore MY <Cert Hash>
Verify that the certificate has been associated with the YubiHSM KSP and has the correct
Key Container property value by running
PS1> certutil -store My
and inspecting the
Key Container and
If you are moving your CA key to the YubiHSM 2 on the same machine, Windows Certificate Services (CertSvc) on the local machine writes the name of the KSP to its configuration section in the registry. When signing requests, the certificate service will fail if the KSP name does not match the name in the registry.
To update the KSP name for the local certificate service, open an elevated prompt and execute the commands:
PS1> certutil -setreg CA\CSP\Provider "YubiHSM Key Storage Provider" PS1> certutil -setreg CA\EncryptionCSP\Provider "YubiHSM Key Storage Provider"
If you have multiple CAs on the same machine, or prefer to edit the registry directly, these settings can be found under
HKLM\System\CurrentControlSet\Services\CertSVC\Configuration\ <CA Name>\[CSP | EncryptionCSP]