Move Software Keys to Key Storage Provider

If the target private key is managed by the Microsoft Software Key Storage Provider, another software provider, or any other Key Storage Provider that allows export via PKCS#12 PFX, it is possible to move your key to the YubiHSM 2, but results may vary.

This process relies on using the -repairstore functionality of the certutil command, so the private key must only be present via the YubiHSM Key Storage Provider when performing this step. Please refer to the source storage provider documentation for how to cleanly and completely delete a private key.

Because Key Storage Provider implementations differ, we recommend testing this procedure using your existing provider before affecting a live system.

Export your Existing Private Key and Certificate

Refer to your current Key Storage Provider documentation for how to obtain a PKCS#12 PFX export of your certificate and private key.

Once you have obtained your PFX file, split the certificate from the PFX file using certutil:

PS1> certutil -split -dump <pfx file>

This will create a file named <Cert Hash>.crt.

If you are moving the key to the YubiHSM 2 on the same machine, you must delete the original private key in your current provider. To do so, first execute

PS1> certutil -key

Locate the key that corresponds with the CA. It may look something like

``` Microsoft Software Key Storage Provider: EXAMPLE-CA abcdef1234fedcba4321abcdef123456_9cfc1053-1b5a-44d7-8a7e-3a8a1c0d0db0 RSA AT_KEYEXCHANGE ``` To actually delete this example private key, execute

PS1> certutil -delkey -csp "Microsoft Software Key Storage Provider" "abcdef1234fedcba4321abcdef123456_9cfc1053-1b5a-44d7-8a7e-3a8a1c0d0db0"

Import the Target Private Key

Using the instructions for importing a PFX private key via yubihsm-shell, import the target private key file to your YubiHSM 2.

Record the Label property of your imported key.

The certutil utility doesn’t provide an easy way to split a key exported from the Software KSP into an un-encrypted PEM file. It may be necessary to use another tool like OpenSSL to convert the key file to an un-encrypted format for import into the HSM. For example, to export the private key, execute
PS1> openssl pkcs12 -in <pfx file> -nocerts -out ca.key -nodes

To remove the passphrase from the private key, execute

PS1> openssl rsa -in ca.key -out ca.key

Restore the Target Certificate

Move the target certificate file (<Cert Hash>.crt) to the target machine.

Import the certificate to the LocalMachine "My" store via your favorite method. At this point, the certificate will not have an associated private key. We’ll use the -repairstore functionality of certutil to re-associate the certificate to the private key.

Make sure that the target private key is visible via the YubiHSM KSP, using

PS1> certutil -key -csp "YubiHSM Key Storage Provider"

This command will list all private keys (and their corresponding container names — which are equal to the Label property in the YubiHSM 2) visible to the current Authentication Key.

Open an elevated prompt and execute the command

PS1> certutil -repairstore MY <Cert Hash>

Verify that the certificate has been associated with the YubiHSM Key Storage Provider and has the correct Key Container property value, by running

PS1> certutil -store My

and inspecting the Key Container and Provider properties.

If you are moving your CA key to the YubiHSM 2 on the same machine, Windows Certificate Services (CertSvc) on the local machine writes the name of the Key Storage Provider to its configuration section in the registry. When signing requests, the certificate service will fail if the KSP name doesn’t match the name in the registry.

To update the KSP name for the local certificate service, open an elevated prompt and execute the commands:

PS1> certutil -setreg CA\CSP\Provider "YubiHSM Key Storage Provider"
PS1> certutil -setreg CA\EncryptionCSP\Provider "YubiHSM Key Storage Provider"

If you have multiple CAs on the same machine, or prefer to edit the registry directly, these settings can be found under

HKLM\System\CurrentControlSet\Services\CertSVC\Configuration\<CA Name>\[CSP | EncryptionCSP]