Skip to main content
The private key stays on the CryptoHub. After exporting the certificate from the CryptoHub (see Create and export the key and certificate on the CryptoHub), you install only the public certificate and its issuing CA chain on the IIS server, then bind the certificate to the CryptoHub key through the FXCL CNG provider.

Install the certificates on the IIS server

1
Import the CA certificate into the machine Trusted Root Certification Authorities store (and any intermediates into Intermediate Certification Authorities) so the chain is trusted:
PowerShell
2
Import the leaf (server) certificate into the machine Personal store:
PowerShell
The certificate appears in certlm.msc > Personal > Certificates. At this point it does not yet show an associated private key. The next step creates that association.
3
Bind the installed certificate to its CryptoHub-resident key through the FXCL CNG provider. Use the certificate’s serial number (visible in certlm.msc or through Get-ChildItem Cert:\LocalMachine\My):
PowerShell
The output should include Signature test passed, confirming the installed certificate is bound to the HSM-resident key through the Futurex provider, and certlm.msc now shows the certificate with an associated private key.
4
Confirm the certificate resolves to the Futurex provider (not the Microsoft Software KSP):
PowerShell
HasPrivateKey is True and the provider reports Futurex FXCL KMES CNG.