Install the certificates on the IIS server
1
Import the CA certificate into the machine Trusted Root Certification Authorities store
(and any intermediates into Intermediate Certification Authorities) so the chain is trusted:
PowerShell
2
Import the leaf (server) certificate into the machine Personal store:
PowerShell
The certificate appears in
certlm.msc > Personal > Certificates. At this point it
does not yet show an associated private key. The next step creates that association.3
Bind the installed certificate to its CryptoHub-resident key through the FXCL CNG provider. Use
the certificate’s serial number (visible in
certlm.msc or through Get-ChildItem Cert:\LocalMachine\My):PowerShell
The output should include
Signature test passed, confirming the installed certificate is
bound to the HSM-resident key through the Futurex provider, and certlm.msc now shows the
certificate with an associated private key.4
Confirm the certificate resolves to the Futurex provider (not the Microsoft Software KSP):
PowerShell
HasPrivateKey is True and the provider reports Futurex FXCL KMES CNG.
