If the target private key is managed by the Microsoft Software Key Storage Provider, another software provider, or any other Key Storage Provider that allows export via PKCS#12 PFX, it is possible to move your key to the YubiHSM 2, but results may vary.
This process relies on using the
-repairstore functionality of the
certutil command, so the private key must only be present via the YubiHSM Key Storage Provider when performing this step. Please refer to the source storage provider documentation for how to cleanly and completely delete a private key.
Because Key Storage Provider implementations differ, we recommend testing this procedure using your existing provider before affecting a live system.
Refer to your current Key Storage Provider documentation for how to obtain a PKCS#12 PFX export of your certificate and private key.
Once you have obtained your PFX file, split the certificate from the PFX file using certutil:
PS1> certutil -split -dump <pfx file>
This will create a file named
If you are moving the key to the YubiHSM 2 on the same machine, you must delete the original private key in your current provider. To do so, first execute
PS1> certutil -key
Locate the key that corresponds with the CA. It may look something like
``` Microsoft Software Key Storage Provider: EXAMPLE-CA abcdef1234fedcba4321abcdef123456_9cfc1053-1b5a-44d7-8a7e-3a8a1c0d0db0 RSA AT_KEYEXCHANGE ``` To actually delete this example private key, execute
PS1> certutil -delkey -csp "Microsoft Software Key Storage Provider" "abcdef1234fedcba4321abcdef123456_9cfc1053-1b5a-44d7-8a7e-3a8a1c0d0db0"
Using the instructions for importing a PFX private key via
yubihsm-shell, import the target private key file to your YubiHSM 2.
Record the Label property of your imported key.
PS1> openssl pkcs12 -in <pfx file> -nocerts -out ca.key -nodes
To remove the passphrase from the private key, execute
PS1> openssl rsa -in ca.key -out ca.key
Move the target certificate file (
<Cert Hash>.crt) to the target machine.
Import the certificate to the LocalMachine "My" store via your favorite method. At this point, the certificate will not have an associated private key. We’ll use the
-repairstore functionality of
certutil to re-associate the certificate to the private key.
Make sure that the target private key is visible via the YubiHSM KSP, using
PS1> certutil -key -csp "YubiHSM Key Storage Provider"
This command will list all private keys (and their corresponding container names — which are equal to the Label property in the YubiHSM 2) visible to the current Authentication Key.
Open an elevated prompt and execute the command
PS1> certutil -repairstore MY <Cert Hash>
Verify that the certificate has been associated with the YubiHSM Key Storage Provider and has the correct
Key Container property value, by running
PS1> certutil -store My
and inspecting the
Key Container and
|If you are moving your CA key to the YubiHSM 2 on the same machine, Windows Certificate Services (CertSvc) on the local machine writes the name of the Key Storage Provider to its configuration section in the registry. When signing requests, the certificate service will fail if the KSP name doesn’t match the name in the registry.|
To update the KSP name for the local certificate service, open an elevated prompt and execute the commands:
PS1> certutil -setreg CA\CSP\Provider "YubiHSM Key Storage Provider" PS1> certutil -setreg CA\EncryptionCSP\Provider "YubiHSM Key Storage Provider"
If you have multiple CAs on the same machine, or prefer to edit the registry directly, these settings can be found under
HKLM\System\CurrentControlSet\Services\CertSVC\Configuration\<CA Name>\[CSP | EncryptionCSP]