Appendix: Migrate a key from software storage to the Vectera Plus

5min
The following appendix shows the necessary steps to migrate a certificate private key, currently stored in software, to a  HSM.
You can use the following methods to export a private key from a Windows Certificate Store: Use the MMC Certificates Snap-In or  PowerShell commands. Both involve exporting the private key as a PKCS #12 file.
Regardless of which method you choose to export the PKCS #12 file from Windows, you must use FXCLI to import the private key contained within the PKCS #12 file into the  HSM.
Before exporting the PKCS #12, mark the private key of the certificate as exportable.
Export the private key from the Windows Certificate Store as a PKCS #12 file
You can export the private key as a PKCS #12 file by using one of the following methods:
Use the MMC Certificates Snap-In.
Use Powershell commands.
Select the appropriate method and follow the steps:
Use MMC Certificates Snap-In
Use Powershell commands
1
In the MMC Certificates snap-in, right-click the certificate that you want to export and select All Tasks > Export to start the Certificate Export Wizard.
2
In the first dialog, select [ Next ] to continue.
3
Select the Yes, export the private key radio button, and select [ Next ].
4
Select the Personal Information Exchange - PKCS #12 (.PFX) radio button (selected by default), and select the Delete the private key if the export is successful option checkbox. Then, select [ Next ].
5
Select the Password checkbox and enter a password. This protects the private key in the PKCS #12 file. Select [ Next ].
6
Select [ Browse ], enter a name for the export file, select the save location, and select [ Next ].
Use either a .p12 or .pfx extension for the file.
7
Review the summary of the selected options and select [ Finish ].
A notification window pops up stating that the export was successful.
1
Open Windows PowerShell as an administrator.
2
Run the following command to determine the Thumbprint of the certificate or private key you want to export:
PowerShell
PS C:\>ls Cert:\LocalMachine\My\
PS C:\>ls Cert:\LocalMachine\My\
﻿
The My directory in the file path represents the Personal certificate store.
3
Run the following command to save a password string into the $mypwd variable. This is the password for the PKCS #12 file.
PowerShell
PS C:\>$mypwd = ConvertTo-SecureString -String "safest" -Force -AsPlainText
PS C:\>$mypwd = ConvertTo-SecureString -String "safest" -Force -AsPlainText
﻿
4
Use the following command to export the PKCS #12 file, substituting Thumbprint with the actual thumbprint value of the certificate that you want to export in the -Path flag.:
PowerShell
PS C:\>Get-ChildItem -Path Cert:\LocalMachine\My\Thumbprint | Export-PfxCertificate -FilePath "C:\Path\To\Desired\Save\Location\file.pfx" -Password $mypwd
PS C:\>Get-ChildItem -Path Cert:\LocalMachine\My\Thumbprint | Export-PfxCertificate -FilePath "C:\Path\To\Desired\Save\Location\file.pfx" -Password $mypwd
﻿
5
PowerShell does not provide an option in the Export-PfxCertificate command to delete the private key after successfully exporting the PKCS #12 file. To delete the private key, you must use the Remove-Item PowerShell command. This command also deletes the certificate, so you must reimport the certificate afterward.
First, run the following commands to export the certificate so that you can reimport it:
PowerShell
PS C:\>$cert = Get-ChildItem -Path Cert:\LocalMachine\My\Thumbprint

PS C:\>Export-Certificate -Cert $cert -FilePath "C:\Path\To\Desired\Save\Location\file.cer"
PS C:\>$cert = Get-ChildItem -Path Cert:\LocalMachine\My\Thumbprint

PS C:\>Export-Certificate -Cert $cert -FilePath "C:\Path\To\Desired\Save\Location\file.cer"
﻿
Then run the following command to delete the certificate and its private key:
PowerShell
PS C:\>Remove-Item -Path Cert:\LocalMachine\My\Thumbprint -DeleteKey
PS C:\>Remove-Item -Path Cert:\LocalMachine\My\Thumbprint -DeleteKey
﻿
6
Run the following command to import the certificate back into the Personal Certificate Store, defining the actual location of the certificate in the -FilePath flag.:
PowerShell
PS C:\>Import-Certificate -FilePath "C:\Path\To\Certificate\file.cer" -CertStoreLocation Cert:\LocalMachine\My
PS C:\>Import-Certificate -FilePath "C:\Path\To\Certificate\file.cer" -CertStoreLocation Cert:\LocalMachine\My
﻿
Import the PKCS #12 file into the Vectera Plus using FXCLI
1
Run the FXCLI application.
2
Configure TLS certificates for communication between FXCLI and the HSM by using the tls commands.
Run tls help to access syntax documentation.
3
Run the following command to connect to the HSM:
FXCLI
connect tcp --connect hsm_ip:9009
connect tcp --connect hsm_ip:9009
﻿
4
Log in to the HSM with the default Admin1 and Admin2 identities by running the following command twice, entering the username and password when prompted:
FXCLI
login user
login user
﻿
5
Run the following command to import the PKCS #12 file, modifying the file path to match the actual location of the PKCS #12 file that you exported from Windows:
FXCLI
pkcs12 import --file /path/to/pkcs12/file.pfx --slot next --label MigrationDemoKeyPair --win-system-dacl
pkcs12 import --file /path/to/pkcs12/file.pfx --slot next --label MigrationDemoKeyPair --win-system-dacl
﻿
When prompted, enter the password of the PKCS #12 file. 
The preceding command imports only the private key contained within the PKCS #12 file into the HSM. It does not import the certificate.
6
Confirm the key slot of the imported private key:
FXCLI
keytable list
keytable list
﻿
7
Because certutil needs you to set an external label so it can find the key, run the following command to assign a PKCS11 label to the key:
The PKCS11 label value should match the value that you set in the --label field while importing the PKCS #12 file.
FXCLI
keytable extdata --slot 3 --p11-attr label --p11-value MigrationDemoKeyPair
keytable extdata --slot 3 --p11-attr label --p11-value MigrationDemoKeyPair
﻿
Reassociate the certificate stored in Windows with the private key stored on the HSM
1
Double-click the certificate in the MMC Certificates snap-in, go to the Details tab, and note down the listed serial number value.
2
Open Windows PowerShell or Command Prompt as an administrator.
3
Run the following command to associate the certificate with its corresponding private key stored on the HSM, substituting serial_number placeholder with the actual serial number value of the certificate:
PowerShell
certutil -repairstore -csp "Futurex CNG" My "serial_number"
certutil -repairstore -csp "Futurex CNG" My "serial_number"
﻿
If the command succeeds, the following message displays:
PowerShell
CertUtil: -repairstore command completed successfully.
CertUtil: -repairstore command completed successfully.
﻿
4
To confirm that the certificate is now associated with its corresponding private key on the HSM, double-click the certificate in the MMC Certificates snap-in. 
You should see the following message: You have a private key that corresponds to this certificate.
﻿
Updated 09 Aug 2024
Did this page help you?
Import certificates into Windows Certificate Store and associate them with the private keys
Venafi Control Plane for Machine Identities