Skip to main content
Perform the following tasks to import the certificates into the Windows Certificate Store.

Import the certificates

Perform the following steps to import the certificates by using Microsoft Management Console (MMC) and the Certificates Snap-In:
1
Open Microsoft Management Console by pressing Windows+R to open Run, then type “mmc” in the empty box and select [ OK ].
2
At the top of the MMC window, select File > Add/Remove Snap-in.
3
In the Add or Remove Snap-ins window, select Certificates and select [ Add ].
4
Select the Computer account radio button and select [ Next ].
5
Select Local computer (selected by default) and select [ Finish ].
6
Back in the Add or Remove Snap-ins window, select [ OK ].
7
In the MMC main console, expand the Certificate snap-in.
8
Go to the Personal > Certificates pane.
9
Right-click within the Certificates panel and select All Tasks > Import to start the Certificate Import Wizard.
10
Select Local Machine as the Store Location. Select [ Next ] to continue.
11
Select [ Browse ], find and select the leaf certificate file (such as leaf-cert.pem), and select [ Next ].
12
Leave the default option selected to place all certificates in the Personal certificate store, and select [ Next ].
13
Review the summary of the selected options, and select [ Finish ].
A notification window states that the import was successful.
14
Go to the Trusted Root Certificate Authorities > Certificates pane.
15
Right-click within the Certificates panel and select All Tasks > Import to start the Certificate Import Wizard.
16
Local Machine should be selected as the Store Location. Select [ Next ] to continue.
17
Select [ Browse ], find and select the CA certificate file (root-ca.pem), then select [ Next ].
18
Leave the default option selected to place all certificates in the Trusted Root Certificate Authorities certificate store, and select [ Next ].
19
Review the summary of the selected options, and select [ Finish ].

Associate the certificates

Perform the following steps to associate the certificates with their corresponding private keys stored on the HSM by using certutil:
1
Note the serial numbers of both the CA certificate and the leaf certificate for use in the following certutil commands. To do so, double-click on each certificate, go to the Details tab, and note down the listed serial number value.
2
Open Windows PowerShell or Command Prompt as an administrator.
3
Run the following command to associate the leaf certificate with its corresponding private key stored on the HSM:
Be sure to substitute “serial_number” with the actual certificate serial number value.
My represents the Personal certificate store.
Powershell
$ certutil -repairstore -csp "Futurex FXCL KMES CNG" My "serial_number"
4
Run the following command to associate the CA certificate with its corresponding private key stored on the CryptoHub:
Root represents the Trusted Root Certification Authorities certificate store.
Powershell
$ certutil -repairstore -csp "Futurex FXCL KMES CNG" Root "serial_number"
5
For further confirmation that both certificates are now associated with their corresponding private keys on the CryptoHub, double-click each certificate in the MMC Certificates snap-in, and you should see a message saying: You have a private key that corresponds to this certificate.