I've got two Windows systems tied to AWS CloudHSM v2 (the Cavium HSM). On one, I generated the CSR and accepted/added the cert purchased with that CSR. I can sign, and the private key is pulled properly from the HSM via the Key Container.

The other system is my production signing system. It is working properly with the existing cert, but when I try to add the new cert, no Key Container is set up. I'm used to needing to run the repair process, but in this case I have no ID to provide in the file.
- Authenticate

```
"\Program Files\Amazon\CloudHSM\tools\set_cloudhsm_credentials.exe" --user REDACTED --password "..."
```

- Add the cert

```
certutil -addstore my my-new-cert.crt
```

- Dump the store details

```
certutil -store my > cert_store_details.txt
```

```
Serial Number: REDACTED
Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=DigiCert, Inc., C=US
NotBefore: 1/25/2022 12:00 AM
NotAfter: 1/25/2023 11:59 PM
Subject: CN=REDACTED, C=US, SERIALNUMBER=REDACTED, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
Non-root Certificate
Cert Hash(sha1): REDACTED
No key provider information
Cannot find the certificate and private key for decryption.
```
Normally, I'd create a repair.txt like so, with the Key Container id between the `=` and `&` on the `Container` line; however, I don't have one of those, so I'm out of luck.

```
[Properties]
11 = "" ; Add friendly name property
2 = "{text}" ; Add Key Provider Information property
_continue_="Container=&"
_continue_="Provider=Cavium Key Storage Provider&"
_continue_="Flags=0&"
_continue_="KeySpec=2"
```

If I just run a repair (`certutil -repairstore my "REDACTED"`), then I get asked for a smart card. Oh, and this machine is Windows Server 2016 Core (so there's no UI, or only a limited UI).
OK, here's the answer from AWS support - hopefully they will add it to their docs.

1. Determine the CloudHSM file handles for the private and public key. (You can do this by dumping the modulus from the cert and using the HSM tools to hunt for the key. However, I recorded the handles before generating my CSR and after, so I could add them to my secure documentation, so I didn't need to do that.)

2. Create a KSP container. This should output something similar to: "Represented 1 keypairs in Cavium Key Storage Provider."

   If you receive the error message "n3fips_password is not set", make sure to set the login credentials for the HSM on your system as detailed in [4] below.

   "Cavium Key Storage Provider" may not be the name given to your key container. This name is retrieved from the output generated from the first step.

   If the container was successfully created, the output should be similar to the following:

3. Use the certutil verb `-repairstore` to update the certificate serial number. This command would look something similar to the following:

   You'll expect something like this:

If `Key Container = CNGRSAPriv-...d` shows the proper container, then you know the cert/KSP relationship is good. If you see `Private key is NOT exportable` and `Encryption test passed`, you know that you are using the correct file handles.

If you use signtool, you will need to add `/sm` to force it to use the machine store and not the user store, as the process above generates the container tied to the machine store. There's no option around that.
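As an added example (not from the original post or from AWS support), the repair and verification steps above scripted in PowerShell: it writes the repair INF from the question with the container name filled in, runs `certutil -repairstore`, and then checks the `certutil -store` output for the three lines the answer says to look for. It assumes the KSP container already exists (the "Create a KSP container" step), the new cert is already in the LocalMachine `My` store, the script runs elevated on that host, and `$Container` is a placeholder for the `CNGRSAPriv-...` name taken from that step's output.

```powershell
# Added example, not the post's or AWS's own code. Assumes the KSP container was
# already created and the cert is already in the machine store (certutil -addstore my).
param(
    [Parameter(Mandatory)] [string] $SerialNumber,   # from 'certutil -store my'
    [Parameter(Mandatory)] [string] $Container,      # placeholder: CNGRSAPriv-... from the KSP container step
    [string] $Provider   = 'Cavium Key Storage Provider',
    [string] $RepairFile = "$env:TEMP\repair.txt"
)

# Same INF layout as the repair.txt in the question, with the container name filled in
# between the '=' and '&' on the Container line.
@"
[Properties]
11 = "" ; Add friendly name property
2 = "{text}" ; Add Key Provider Information property
_continue_="Container=$Container&"
_continue_="Provider=$Provider&"
_continue_="Flags=0&"
_continue_="KeySpec=2"
"@ | Set-Content -Path $RepairFile -Encoding ASCII

# Attach the key provider information to the cert in the machine store.
certutil -repairstore my $SerialNumber $RepairFile
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE"
}

# Re-read the cert and verify the lines the answer says prove the cert/KSP relationship
# and the correct HSM file handles. certutil runs the encryption test as part of -store.
$details = certutil -store my $SerialNumber | Out-String
$checks  = [ordered]@{
    'Key Container'                 = $details -match [regex]::Escape("Key Container = $Container")
    'Private key is NOT exportable' = $details -match 'Private key is NOT exportable'
    'Encryption test passed'        = $details -match 'Encryption test passed'
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-32} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}
if ($checks.Values -contains $false) {
    Write-Error 'Cert/KSP relationship is not healthy; fix it before signing with this cert.'
}
```

Remove the repair INF afterwards if you store it anywhere other than `%TEMP%`; it contains no secret, but it records which HSM container backs the signing cert.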