Appendix: Migrate a key from software storage to the Vectera Plus
This appendix shows the steps needed to migrate a certificate's private key, currently stored in software, to a Vectera Plus HSM.

You can export a private key from a Windows certificate store in two ways: with the MMC Certificates snap-in, or with PowerShell commands. Both methods export the private key as a PKCS #12 file. Whichever method you use, you must then use FXCLI to import the private key contained in the PKCS #12 file into the Vectera Plus HSM.

Before exporting the PKCS #12 file, the certificate's private key must be marked as exportable; Windows refuses to export a key that was created or imported as non-exportable. Note also that the PKCS #12 file holds the private key in software form, protected only by the password you choose: keep it on the local host, and delete it once FXCLI has imported the key into the HSM.

Export the private key from the Windows certificate store as a PKCS #12 file

Use one of the following methods:

- Use the MMC Certificates snap-in
- Use PowerShell commands

Use the MMC Certificates snap-in

1. In the MMC Certificates snap-in, right-click the certificate that you want to export and select All Tasks > Export to start the Certificate Export Wizard.
2. In the first dialog, select [ Next ] to continue.
3. Select the "Yes, export the private key" radio button, and select [ Next ].
4. Select the "Personal Information Exchange - PKCS #12 (.PFX)" radio button (selected by default), and select the "Delete the private key if the export is successful" checkbox. Then select [ Next ].
5. Select the "Password" checkbox and enter a password. This password protects the private key in the PKCS #12 file. Select [ Next ].
6. Select [ Browse ], enter a name for the export file, select the save location, and select [ Next ]. Use either a .p12 or .pfx extension for the file.
7. Review the summary of the selected options and select [ Finish ]. A notification window pops up stating that the export was successful.

Use PowerShell commands

1. Open Windows PowerShell as an administrator.
2. Run the following command to determine the thumbprint of the certificate whose private key you want to export. The My directory in the path is the Personal certificate store.

       PS C:\> ls Cert:\LocalMachine\My\

3. Run the following command to save a password string into the $mypwd variable. This is the password for the PKCS #12 file ("safest" is only an example value; use a strong password of your own).

       PS C:\> $mypwd = ConvertTo-SecureString -String "safest" -Force -AsPlainText

4. Export the PKCS #12 file with the following command, substituting <thumbprint> in the -Path value with the actual thumbprint of the certificate that you want to export.

       PS C:\> Get-ChildItem -Path Cert:\LocalMachine\My\<thumbprint> | Export-PfxCertificate -FilePath "C:\path\to\desired\save\location\file.pfx" -Password $mypwd

   Export-PfxCertificate does not provide an option to delete the private key after the PKCS #12 file is exported. To delete the private key, you must use the Remove-Item command. That command also deletes the certificate, so you must reimport the certificate afterward.

5. Export the certificate so that you can reimport it:

       PS C:\> $cert = Get-ChildItem -Path Cert:\LocalMachine\My\<thumbprint>
       PS C:\> Export-Certificate -Cert $cert -FilePath "C:\path\to\desired\save\location\file.cer"

6. Delete the certificate and its private key:

       PS C:\> Remove-Item -Path Cert:\LocalMachine\My\<thumbprint> -DeleteKey

7. Import the certificate back into the Personal certificate store, giving the actual location of the certificate file in the -FilePath value:

       PS C:\> Import-Certificate -FilePath "C:\path\to\certificate\file.cer" -CertStoreLocation Cert:\LocalMachine\My

Import the PKCS #12 file into the Vectera Plus using FXCLI

1. Run the FXCLI application.
2. Configure TLS certificates for communication between FXCLI and the HSM by using the tls commands. Run `fxcli tls --help` to access the syntax documentation.
3. Connect to the HSM:

       fxcli connect tcp --connect <hsm-ip>:9009

4. Log in to the HSM with the default Admin1 and Admin2 identities by running the following command twice, entering the username and password when prompted:

       fxcli login user

5. Import the PKCS #12 file, modifying the file path to match the actual location of the PKCS #12 file that you exported from Windows:

       fxcli pkcs12 import --file /path/to/pkcs12/file.pfx --slot next --label MigrationDemoKeyPair --win-system-dacl

   When prompted, enter the password of the PKCS #12 file. This command imports only the private key contained in the PKCS #12 file into the HSM; it does not import the certificate.

6. Confirm the key slot of the imported private key:

       fxcli keytable list

7. Because certutil needs an external label to find the key, assign a PKCS #11 label to the key. The --p11-value must match the --label that you set when importing the PKCS #12 file, and --slot must be the slot reported by keytable list (3 in this example):

       fxcli keytable extdata --slot 3 --p11-attr LABEL --p11-value MigrationDemoKeyPair

Reassociate the certificate stored in Windows with the private key stored on the HSM

1. Double-click the certificate in the MMC Certificates snap-in, go to the Details tab, and note the listed Serial number value.
2. Open Windows PowerShell or Command Prompt as an administrator.
3. Associate the certificate with its private key on the HSM, substituting <serial number> with the actual serial number of the certificate. The -csp value selects the Futurex CNG key storage provider, which must be installed on this host:

       certutil -repairstore -csp "Futurex CNG" My "<serial number>"

   If the command succeeds, the following message displays:

       CertUtil: -repairstore command completed successfully.

4. To confirm that the certificate is now associated with its private key on the HSM, double-click the certificate in the MMC Certificates snap-in. You should see the message "You have a private key that corresponds to this certificate."
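The following script is an added example, not Futurex's own code, that runs the PowerShell export path above end to end and adds the checks a practitioner would want before handing the PKCS #12 file to FXCLI: it refuses to run if the certificate has no software key, prompts for the PKCS #12 password instead of hard-coding it, restricts the exported .pfx on disk to Administrators and SYSTEM (an addition not in the procedure above), and verifies after Remove-Item -DeleteKey and reimport that no private key remains in software. The $Thumbprint parameter and the $OutDir default path are assumptions; run it as an administrator on the Windows host.

```powershell
# Added example: scripted export of a software-backed certificate key as PKCS #12,
# removal of the software key, and reimport of the bare certificate.
# Assumptions: run as Administrator; $Thumbprint identifies a cert in Cert:\LocalMachine\My;
# $OutDir is a placeholder directory for the exported files.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$OutDir = "C:\temp\keymigration"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$certPath = "Cert:\LocalMachine\My\$Thumbprint"
$cert = Get-Item -Path $certPath

# Nothing to migrate if the store holds only the certificate.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in the store; nothing to migrate."
}

$pfxPath = Join-Path $OutDir "$Thumbprint.pfx"
$cerPath = Join-Path $OutDir "$Thumbprint.cer"

# Prompt for the PKCS #12 password rather than embedding it in the script or shell history.
$pfxPwd = Read-Host -Prompt "PKCS #12 password" -AsSecureString

# Export-PfxCertificate fails here if the key was not marked exportable; that is expected.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null
# Export the certificate alone so it can be reimported after the key is deleted.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Restrict the .pfx (password-protected private key) to Administrators and SYSTEM
# while it waits to be imported into the HSM.
$acl = Get-Acl -Path $pfxPath
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $pfxPath -AclObject $acl

# Remove the certificate together with its software private key, then put the certificate back.
Remove-Item -Path $certPath -DeleteKey
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\My | Out-Null

# Verify the certificate is present again and no private key remains in software.
$after = Get-Item -Path $certPath
if ($after.HasPrivateKey) {
    throw "Software private key still present after Remove-Item -DeleteKey; do not proceed."
}
Write-Host "Exported $pfxPath and $cerPath; software key removed."
Write-Host "Next: import the .pfx with 'fxcli pkcs12 import', then run certutil -repairstore, and delete $pfxPath."
```

After FXCLI has imported the key and certutil -repairstore has bound the certificate to the Futurex CNG provider, delete the .pfx file; until then it is the only remaining software copy of the key, and its protection is only as strong as the password you entered.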