Import certificates into Windows Certificate Store and associate them with the private keys
The following section imports the CA and leaf certificates created in the previous section into the Windows Certificate Store. Then, you can use the certutil command-line utility to associate the certificates with their corresponding private keys stored on the HSM.
Open Microsoft Management Console by pressing Windows+R to open Run, and enter mmc in the empty text box. Select [ OK ].
At the top of the MMC window, select File > Add/Remove Snap-in.
In the Add or Remove Snap-ins window, select Certificates and select [ Add ].
Select the Computer account radio button and select [ Next ].
Select Local computer (selected by default) and select [ Finish ].
Back in the Add or Remove Snap-ins window, select [ OK ].
In the MMC main console, expand the Certificates snap-in.
Go to the Personal > Certificates pane.
Right-click within the Certificates panel and select All Tasks > Import to start the Certificate Import Wizard.
Select Local Machine as the Store Location. Select [ Next ] to continue.
Select [ Browse ], find and select the leaf certificate file (i.e., IgDemo.pem) and select [ Next ].
Leave the default option selected to place all certificates in the Personal certificate store and select [ Next ].
Review the summary of the selected options and select [ Finish ].
A notification window should pop up stating that the import was successful.
Go to the Trusted Root Certification Authorities > Certificates pane.
Right-click within the Certificates panel and select All Tasks > Import to start the Certificate Import Wizard.
Select Local Machine as the Store Location. Select [ Next ] to continue.
Select [ Browse ], find and select the CA certificate file (such as Ca.pem) and select [ Next ].
Leave the default option selected to place all certificates in the Trusted Root Certification Authorities certificate store and select [ Next ].
Review the summary of the selected options and select [ Finish ].
Associate the certificates with their corresponding private keys stored on the HSM by using certutil
Note the serial numbers of both the CA certificate and the leaf certificate for use in the following certutil commands. To do so, perform the following steps:
- Double-click on each certificate.
- Go to the Details tab.
- Note the listed serial number value.
Open Windows PowerShell or Command Prompt as an administrator.
Run the following command to associate the leaf certificate with its corresponding private key stored on the HSM, substituting serial_number with the actual certificate serial number value:
The My element represents the Personal certificate store.
Run the following command to associate the CA certificate with its corresponding private key stored on the HSM:
The Root element represents the Trusted Root Certification Authorities certificate store.
For further confirmation that both certificates are now associated with their corresponding private keys on the HSM, double-click each of the certificates in the MMC Certificates snap-in.
If the association succeeded, each certificate's dialog shows the message "You have a private key that corresponds to this certificate."
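The association and the final check can also be scripted. The following is an added example, not a command listing from the original page: it assumes that certutil's -repairstore verb is the operation intended, that the HSM vendor's key storage provider is already installed, and that the serial numbers (placeholders here) are the ones noted from the Details tab.

```powershell
#Requires -RunAsAdministrator
# Added example: link imported certificates to their HSM-held private keys,
# then confirm the link. Serial numbers are placeholders; replace them with
# the values noted from each certificate's Details tab.

$targets = @(
    @{ Store = 'My';   Serial = '<leaf_serial_number>' },  # Personal store
    @{ Store = 'Root'; Serial = '<ca_serial_number>'   }   # Trusted Root Certification Authorities
)

function Get-StoreCert([string]$Store, [string]$Serial) {
    # Look up one certificate in the Local Machine store by serial number.
    Get-ChildItem "Cert:\LocalMachine\$Store" |
        Where-Object { $_.SerialNumber -eq $Serial } |
        Select-Object -First 1
}

foreach ($t in $targets) {
    # The Details tab may show the serial in lower case with spaces; normalise it.
    $serial = ($t.Serial -replace '\s', '').ToUpperInvariant()

    if (-not (Get-StoreCert $t.Store $serial)) {
        Write-Warning "Serial $serial not found in LocalMachine\$($t.Store); import the certificate first."
        continue
    }

    # -repairstore has certutil search the installed providers for the key that
    # matches the certificate's public key and record the association.
    & certutil.exe -repairstore $t.Store $serial
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil failed for serial $serial (exit code $LASTEXITCODE)."
        continue
    }

    # Re-read the certificate: HasPrivateKey reflects what the MMC dialog reports.
    $cert = Get-StoreCert $t.Store $serial
    [pscustomobject]@{
        Store         = $t.Store
        Subject       = $cert.Subject
        Serial        = $cert.SerialNumber
        HasPrivateKey = $cert.HasPrivateKey
    }
}
```

A row with HasPrivateKey set to False after a successful certutil run usually means no installed provider could find a key matching that certificate's public key.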