Associate an AWS CloudHSM key with a certificate
Before you can use AWS CloudHSM keys with third-party tools, such as Microsoft's SignTool
Step 1: Import your certificate
On Windows, you should be able to double-click the certificate to import it to your local certificate store.
However, if double-clicking doesn't work, use the Microsoft Certreq tool
certreq -acceptcertificatename
If this action fails and you receive the error, Key not found, continue
to Step 2. If the certificate appears in your key store, you've completed the task and
no further action is necessary.
Step 2: Gather certificate-identifying information
If the previous step wasn't successful, you'll need to associate your private key with a certificate. However, before you can create the association, you must first find the certificate's Unique Container Name and Serial Number. Use a utility, such as certutil, to display the needed certificate information. The following sample output from certutil shows the container name and the serial number.
================ Certificate 1 ================ Serial Number: 72000000047f7f7a9d41851b4e000000000004Issuer: CN=Enterprise-CANotBefore: 10/8/2019 11:50 AM NotAfter: 11/8/2020 12:00 PMSubject: CN=www.example.com, OU=Certificate Management, O=Information Technology, L=Seattle, S=Washington, C=USNon-root CertificateCert Hash(sha1): 7f d8 5c 00 27 bf 37 74 3d 71 5b 54 4e c0 94 20 45 75 bc 65No key provider information Simple container name: CertReq-39c04db0-6aa9-4310-93db-db0d9669f42c Unique container name: CertReq-39c04db0-6aa9-4310-93db-db0d9669f42c
Step 3: Associate the AWS CloudHSM private key with the certificate
To associate the key with the certificate, first be sure to start the AWS CloudHSM client daemon. Then, use import_key.exe (which is included in CloudHSM version 3.0 and higher) to associate the private key with the certificate. When specifying the certificate, use its simple container name. The following example shows the command and the response. This action only copies the key's metadata; the key remains on the HSM.
$> import_key.exe –RSA CertReq-39c04db0-6aa9-4310-93db-db0d9669f42c Successfully opened Microsoft Software Key Storage Provider : 0NCryptOpenKey failed : 80090016
Step 4: Update the certificate store
Be certain the AWS CloudHSM client daemon is still running. Then, use the certutil verb,
-repairstore, to update the certificate serial number. The following sample shows
the command and output. See the Microsoft documentation for information about the -repairstore verb
C:\Program Files\Amazon\CloudHSM>certutil -f -csp "Cavium Key Storage Provider"-repairstore my "72000000047f7f7a9d41851b4e000000000004" my "Personal" ================ Certificate 1 ================ Serial Number: 72000000047f7f7a9d41851b4e000000000004 Issuer: CN=Enterprise-CA NotBefore: 10/8/2019 11:50 AM NotAfter: 11/8/2020 12:00 PM Subject: CN=www.example.com, OU=Certificate Management, O=Information Technology, L=Seattle, S=Washington, C=US Non-root CertificateCert Hash(sha1): 7f d8 5c 00 27 bf 37 74 3d 71 5b 54 4e c0 94 20 45 75 bc 65 SDK Version: 3.0 Key Container = CertReq-39c04db0-6aa9-4310-93db-db0d9669f42c Provider = Cavium Key Storage ProviderPrivate key is NOT exportableEncryption test passedCertUtil: -repairstore command completed successfully.
After updating the certificate serial number you can use this certificate and the corresponding AWS CloudHSM private key with any third-party signing tool on Windows.
