This appendix shows the steps to migrate a certificate's private key, currently stored in software, to a Vectera Plus HSM. You can export a private key from the Windows Certificate Store with either the MMC Certificates Snap-In or PowerShell commands; both methods export the private key as a PKCS #12 file. Whichever method you use to export the PKCS #12 file from Windows, you must then use FXCLI to import the private key contained in that file into the Vectera Plus HSM.
Before exporting the PKCS #12 file, the certificate's private key must be marked as exportable.

Export the private key

You can export the private key from the Windows Certificate Store as a PKCS #12 file by using one of the following methods:
  1. Use the MMC Certificates Snap-In.
  2. Use PowerShell commands.
Select the appropriate method and follow the steps.

MMC Certificates Snap-In:
  1. In the MMC Certificates snap-in, right-click the certificate that you want to export and select All Tasks > Export to start the Certificate Export Wizard.
  2. In the first dialog, select [ Next ] to continue.
  3. Select the Yes, export the private key radio button, and select [ Next ].
  4. Select the Personal Information Exchange - PKCS #12 (.PFX) radio button (selected by default), and select the Delete the private key if the export is successful checkbox. Then, select [ Next ].
  5. Select the Password checkbox and enter a password. This password protects the private key in the PKCS #12 file. Select [ Next ].
  6. Select [ Browse ], enter a name for the export file, select the save location, and select [ Next ]. Use either a .p12 or .pfx extension for the file.
  7. Review the summary of the selected options and select [ Finish ]. A notification window pops up stating that the export was successful.
PowerShell:
  1. Open Windows PowerShell as an administrator.
  2. Run the following command to determine the thumbprint of the certificate (and private key) that you want to export:
Powershell
PS C:\>ls Cert:\LocalMachine\My\
The My directory in the path represents the Personal certificate store.
  3. Run the following command to save a password string into the $mypwd variable, substituting your own password for "safest". This is the password that protects the PKCS #12 file:
Powershell
PS C:\>$mypwd = ConvertTo-SecureString -String "safest" -Force -AsPlainText
  4. Run the following command to export the PKCS #12 file, substituting Thumbprint in the -Path value with the actual thumbprint of the certificate that you want to export:
Powershell
PS C:\>Get-ChildItem -Path Cert:\LocalMachine\My\Thumbprint | Export-PfxCertificate -FilePath "C:\Path\To\Desired\Save\Location\file.pfx" -Password $mypwd
  5. PowerShell does not provide an option in the Export-PfxCertificate command to delete the private key after successfully exporting the PKCS #12 file. To delete the private key, you must use the Remove-Item PowerShell command. This command also deletes the certificate, so you must reimport the certificate afterward. First, run the following commands to export the certificate so that you can reimport it:
Powershell
PS C:\>$cert = Get-ChildItem -Path Cert:\LocalMachine\My\Thumbprint

PS C:\>Export-Certificate -Cert $cert -FilePath "C:\Path\To\Desired\Save\Location\file.cer"
Then run the following command to delete the certificate and its private key:
Powershell
PS C:\>Remove-Item -Path Cert:\LocalMachine\My\Thumbprint -DeleteKey
  6. Run the following command to import the certificate back into the Personal certificate store, setting the -FilePath value to the actual location of the exported certificate:
Powershell
PS C:\>Import-Certificate -FilePath "C:\Path\To\Certificate\file.cer" -CertStoreLocation Cert:\LocalMachine\My
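The PowerShell procedure above as a single script (an added example, not code from the original page or from Futurex): it prompts for the PKCS #12 password instead of leaving it in plain text in the command history, exports both the .pfx and the .cer, and deletes the software key only after checking that both export files were written. The thumbprint and output folder are placeholders you must replace.

```powershell
# Added example script: export the private key as PKCS #12, then replace the
# software-backed certificate entry with a certificate-only entry.
# PLACEHOLDER values below are assumptions for this example; replace them.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # from: Get-ChildItem Cert:\LocalMachine\My
$OutDir     = 'C:\Path\To\Desired\Save\Location'
$StorePath  = "Cert:\LocalMachine\My\$Thumbprint"

# Read the PKCS #12 password interactively so it is not stored in the
# script or in the PowerShell command history.
$pfxPwd = Read-Host -Prompt 'PKCS #12 password' -AsSecureString

$cert = Get-ChildItem -Path $StorePath
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in LocalMachine\My."
}

$pfxPath = Join-Path $OutDir 'file.pfx'
$cerPath = Join-Path $OutDir 'file.cer'

# Export the private key (PKCS #12) and the certificate (DER .cer) separately;
# the .cer is needed to reimport the certificate after Remove-Item -DeleteKey.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# Refuse to delete the software key unless both export files exist and are non-empty.
foreach ($f in @($pfxPath, $cerPath)) {
    if (-not (Test-Path $f) -or (Get-Item $f).Length -eq 0) {
        throw "Export failed: $f is missing or empty. The software key was NOT deleted."
    }
}

# Delete the certificate together with its software private key, then put the
# certificate (without a key) back into the Personal store.
Remove-Item -Path $StorePath -DeleteKey
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null

# The reimported entry must no longer carry a private key; the key now lives
# only in the .pfx file that FXCLI will import into the HSM.
$reimported = Get-ChildItem -Path $StorePath
if ($reimported.HasPrivateKey) {
    Write-Warning "A private key is still attached to $Thumbprint; check for a duplicate key container."
} else {
    Write-Host "Exported $pfxPath and $cerPath; software key removed for $Thumbprint."
}
```

Delete the .pfx file from disk once FXCLI has imported it into the HSM, since it still holds the private key under only password protection.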

Import the PKCS #12 file

Perform the following steps to import the PKCS #12 file into the Vectera Plus using FXCLI:
  1. Run the FXCLI application.
  2. Configure TLS certificates for communication between FXCLI and the HSM by using the tls commands. Run tls help to access the syntax documentation.
  3. Run the following command to connect to the HSM:
FXCLI
  connect tcp --connect hsm_ip:9009
  4. Log in to the HSM with the default Admin1 and Admin2 identities by running the following command twice, entering the username and password when prompted:
FXCLI
  login user
  5. Run the following command to import the PKCS #12 file, modifying the file path to match the actual location of the PKCS #12 file that you exported from Windows:
FXCLI
  pkcs12 import --file /path/to/pkcs12/file.pfx --slot next --label MigrationDemoKeyPair --win-system-dacl
When prompted, enter the password of the PKCS #12 file.
The preceding command imports only the private key contained within the PKCS #12 file into the HSM. It does not import the certificate.
  6. Confirm the key slot of the imported private key:
FXCLI
  keytable list
  7. Because certutil needs an external label to find the key, run the following command to assign a PKCS11 label to the key. Substitute 3 with the slot number that keytable list shows for the imported key; the PKCS11 label value must match the value that you set in the --label field when importing the PKCS #12 file:
FXCLI
  keytable extdata --slot 3 --p11-attr label --p11-value MigrationDemoKeyPair

Reassociate the certificate

Perform the following steps to reassociate the certificate stored in Windows with the private key stored on the HSM:
  1. Double-click the certificate in the MMC Certificates snap-in, go to the Details tab, and note down the listed serial number value.
  2. Open Windows PowerShell or Command Prompt as an administrator.
  3. Run the following command to associate the certificate with its corresponding private key stored on the HSM, substituting the serial_number placeholder with the serial number value you noted:
Powershell
certutil -repairstore -csp "Futurex CNG" My "serial_number"
If the command succeeds, the following message displays:
Powershell
CertUtil: -repairstore command completed successfully.
  4. To confirm that the certificate is now associated with its corresponding private key on the HSM, double-click the certificate in the MMC Certificates snap-in. You should see the following message: You have a private key that corresponds to this certificate.
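To check the result of certutil -repairstore from PowerShell rather than the MMC dialog (an added example, not code from the original page or from Futurex), the script below looks up the certificate by serial number and confirms that its private key is served by the "Futurex CNG" provider rather than a software key storage provider. The serial number is a placeholder you must replace; the check assumes an RSA certificate.

```powershell
# Added example: verify that the reassociated certificate's private key is
# handled by the HSM's CNG provider. PLACEHOLDER_SERIAL is an assumption;
# replace it with the serial number noted from the certificate's Details tab.
$SerialNumber     = 'PLACEHOLDER_SERIAL' -replace '\s', ''   # MMC shows it with spaces
$ExpectedProvider = 'Futurex CNG'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $SerialNumber } |
        Select-Object -First 1
if (-not $cert) {
    throw "No certificate with serial number $SerialNumber found in LocalMachine\My."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; certutil -repairstore did not succeed."
}

# Open the private key through the CNG API. An HSM-backed key is an RSACng
# object whose CngKey reports the provider that holds it.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) {
    throw "Private key is not an RSA key; this check covers RSA certificates only."
}
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw "Private key is a legacy CryptoAPI key ($($rsa.GetType().Name)), not a CNG key."
}

# A key that still lives in software reports the Microsoft software provider here.
$provider = $rsa.Key.Provider.Provider
if ($provider -ne $ExpectedProvider) {
    throw "Private key is held by provider '$provider', not '$ExpectedProvider'."
}
Write-Host "OK: serial $SerialNumber uses key '$($rsa.Key.KeyName)' on provider '$provider'."
```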