Appendix: Migrating a key from software storage to the Vectera Plus
The following appendix shows the necessary steps to migrate a certificate's private key, which is currently stored in software, to a Vectera Plus HSM.
There are two methods that can be used to export a private key from a Windows Certificate Store: 1) using the MMC Certificates Snap-In, or 2) using PowerShell commands. Both involve exporting the private key as a PKCS #12 file.
Regardless of which method is used to export the PKCS #12 file from Windows, FXCLI will be the method used to import the private key, contained within the PKCS #12 file, into the Vectera Plus HSM.
Before attempting the PKCS #12 export, ensure that the private key of the certificate that is being exported is marked as exportable.
In the MMC Certificates snap-in, right-click the certificate that you wish to export and select All Tasks > Export to start the Certificate Export Wizard.
In the first dialog, simply click Next to continue.
Select the Yes, export the private key radio button and click Next.
Select the Personal Information Exchange - PKCS #12 (.PFX) radio button (selected by default), and make sure that the Delete the private key if the export is successful option is checked. Then, click Next.
Click the Password checkbox, then type in a password. This password protects the private key in the PKCS #12 file. Click Next.
Click Browse, give the export file a name, select the location where you wish to save it, then click Next.
The file extension given to the file must either be .p12 or .pfx.
Review the summary of the selected options, then click Finish.
A notification window should pop up stating that the export was successful.
Open Windows PowerShell as an administrator.
Run the following command to determine the Thumbprint of the certificate/private key that you want to export:
The "My" directory in the Cert: path represents the Personal certificate store.
Run the following command to save a password string into the $mypwd variable. This will be used as the password for the PKCS #12 file.
Export the PKCS #12 file using the following command:
Be sure to substitute "Thumbprint" in the -Path flag with the actual thumbprint value of the certificate that you want to export.
PowerShell does not provide an option in the Export-PfxCertificate command for deleting the private key after successful export of the PKCS #12 file. In order to delete the private key, you must use the Remove-Item PowerShell command. This command deletes the certificate as well, though, so the certificate will need to be re-imported afterward.
First, run the following two commands to export the certificate so that it can later be re-imported:
Then run the following command to delete the certificate and its private key:
Import the certificate back into the Personal Certificate Store using the following command:
Be sure to define the actual location of the certificate in the -FilePath flag.
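The PowerShell procedure above (locate the certificate by thumbprint, export the PKCS #12 file, delete the certificate and key, re-import the bare certificate) as one script. This is an added example using standard Windows cmdlets; it is not taken from the Vectera Plus or FXCLI documentation. The subject filter, the C:\Temp output paths and the exportability check in step 2 are assumptions for this example, not values from the original page.

```powershell
# Added example: export a certificate's software-stored private key from the
# local machine's Personal (My) store as a PKCS #12 file, then remove the key
# and re-import the bare certificate. The subject filter and file paths are
# placeholders constructed for this example.

# 1. Locate the certificate and record its thumbprint; later commands key on it.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=example-host*' } |   # constructed filter
    Select-Object -First 1
if (-not $cert) { throw 'No matching certificate found in Cert:\LocalMachine\My' }
$thumb = $cert.Thumbprint

# 2. Check that the private key is marked exportable before running the export.
#    This check covers RSA keys held by a CNG key storage provider; the export
#    policy lives on the underlying CngKey.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
    if (-not ($rsa.Key.ExportPolicy -band $allow)) {
        throw "Private key for $thumb is not exportable; Export-PfxCertificate would fail."
    }
}

# 3. Password that protects the PKCS #12 file. Prompting keeps it out of the
#    shell history and out of this script.
$mypwd = Read-Host -Prompt 'PKCS #12 password' -AsSecureString

# 4. Export certificate and private key. The extension must be .pfx or .p12.
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumb" `
    -FilePath 'C:\Temp\example-host.pfx' -Password $mypwd

# 5. Keep a copy of the public certificate: Remove-Item below deletes the
#    certificate together with the key, so it has to be re-imported afterward.
Export-Certificate -Cert $cert -FilePath 'C:\Temp\example-host.cer'

# 6. Delete the certificate and its software-stored private key.
Remove-Item -Path "Cert:\LocalMachine\My\$thumb" -DeleteKey

# 7. Re-import the bare certificate. It has no private key until the HSM key
#    is associated with it in the later certutil step.
Import-Certificate -FilePath 'C:\Temp\example-host.cer' `
    -CertStoreLocation Cert:\LocalMachine\My

# 8. Sanity check: the re-imported certificate must report no private key.
$reimported = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb"
if ($reimported.HasPrivateKey) { throw "Software private key still present for $thumb" }
```

Run the script from an elevated PowerShell session, since the LocalMachine store requires administrator rights. Once the key has been imported into the HSM, delete the .pfx file; until then it is the only copy of the private key outside the certificate store, so keep it on a protected volume.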
Run the FXCLI application.
Configure TLS certificates for communication between FXCLI and the HSM using the tls set of commands.
Run tls help to access syntax documentation.
Connect to the HSM using the following command:
Log in to the HSM with the default "Admin1" and "Admin2" identities by running the following command twice (each time it will prompt for username and password):
Import the PKCS #12 file using the following command:
Modify the file path to match the actual location of the PKCS #12 file that you exported from Windows.
The command will prompt for the password of the PKCS #12 file. Type the password then press Enter.
The above command will import only the private key contained within the PKCS #12 file into the HSM. It will not import the certificate.
Confirm which key slot the private key was added to:
Assign a PKCS11 label to the key (certutil needs this external data field to be set so that it can find the key).
The PKCS11 label value should match the value that was set in the --label field while importing the PKCS #12 file.
The serial number of the certificate needs to be noted down for use in the certutil command that follows. To do so, double-click the certificate in the MMC Certificates snap-in, navigate to the Details tab, and note down the listed serial number value.
Open Windows PowerShell or Command Prompt as an administrator.
Run the following command to associate the certificate with its corresponding private key stored on the HSM:
Be sure to substitute "serial_number" with the actual serial number value of the certificate.
If the command is successful you will see the following message:
For further confirmation that the certificate is now associated with its corresponding private key on the HSM, double-click the certificate in the MMC Certificates snap-in and you should now see a message stating that "You have a private key that corresponds to this certificate".
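A scripted version of the final confirmation, as an added example that is not part of the original page. Beyond checking that the certificate reports a private key, it reads the name of the key storage provider that now backs the key, so that a key which was accidentally left in (or re-created in) the Microsoft software provider is caught rather than mistaken for the HSM-backed one. The thumbprint is a placeholder; the HSM provider's name is not on the page, so the check only rejects the known Microsoft software provider names.

```powershell
# Added example: confirm that the certificate is associated with a private key
# and that the key is not held by a Microsoft software key provider. The
# thumbprint is a constructed placeholder.
$thumb = 'PLACEHOLDER_THUMBPRINT'
$cert  = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb"

if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumb has no associated private key; certutil association did not take effect."
}

# For RSA keys under a CNG provider, the CngKey exposes the provider name.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $provider = $rsa.Key.Provider.Provider
    $softwareProviders = @(
        'Microsoft Software Key Storage Provider',
        'Microsoft Platform Crypto Provider'
    )
    if ($softwareProviders -contains $provider) {
        throw "Key for $thumb is held by '$provider', not by the HSM provider."
    }
    Write-Output "Key for $thumb is backed by provider: $provider"
} else {
    Write-Output "Key for $thumb is present but is not an RSA CNG key; inspect the provider manually."
}
```

The provider name printed here should be the HSM vendor's key storage provider; if it is one of the Microsoft names, the certificate has been paired with a software key and the certutil step should be revisited.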