Reintroduce the Certificate

The certificate must be deleted and re-imported so that it is associated with the private key that is now stored in the HSM (the old entry still points at the software key). PowerShell was used for this task.

  1. Get the certificate thumbprint.

›_ PowerShell

PS> Get-ChildItem -Path cert:\LocalMachine\My
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint                                Subject
----------                                -------
BE82E0FEC4B7F9DA33FF5CC2A0CC4D987F04A11B  CN=DemoRootCa, DC=Uti2, DC=si

Then extract the key container name:

›_ PowerShell

PS> certutil -store my BE82E0FEC4B7F9DA33FF5CC2A0CC4D987F04A11B | findstr "Subject: sha1 Unique Provider"
Subject: CN=DemoRootCa, DC=Uti2, DC=si
Cert Hash(sha1): be82e0fec4b7f9da33ff5cc2a0cc4d987f04a11b
Unique container name: 2fc25277ec718baa2886124e04bc16e7_36ed1a95-76e3-4398-a4c7-c31d5fce304f
Provider = Microsoft Software Key Storage Provider
  2. Make sure that the key file is located on the local disk (one of the two possibilities, depending on the installation).

›_ PowerShell

PS> Get-Item C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\<container>
PS> Get-Item C:\ProgramData\Microsoft\Crypto\Keys\<container>
  3. Delete the certificate together with its software key.

›_ PowerShell

PS> Remove-Item -Path cert:\LocalMachine\My\<thumbprint> -DeleteKey
  4. Check that the key file is gone (one of the two possibilities, depending on the installation); the Get-Item call should now fail.

›_ PowerShell

PS> Get-Item C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\<container>
PS> Get-Item C:\ProgramData\Microsoft\Crypto\Keys\<container>
  5. Import the certificate.

›_ PowerShell

PS> certutil -addstore -f "My" "<CaName>.cer"
Signature matches Public Key
Certificate "DemoRootCa" added to store.
CertUtil: -addstore command completed successfully.
  6. To create the link between the certificate and the private key, first find the certificate serial number.

›_ PowerShell

PS> certutil "<CaName>.cer" | findstr Serial
Serial Number: 3a9f8a8c61129593400f6738896afcc0
  7. Use the certutil command to repair the link, naming the HSM key storage provider.

›_ PowerShell

PS> certutil -f -repairstore -csp "Utimaco CryptoServer Key Storage Provider" my <serial>
CertUtil: -repairstore command completed successfully

If you are using smartcard authentication, a prompt appears on the PIN pad device to insert the smartcard and enter the PIN. Then press the OK button on the PIN pad.
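The seven steps above as one script, with a check between each step so that the software key is only deleted once its file has been located and the result is verified after the repair. This is an added example, not part of the Utimaco documentation; the CA subject and provider name are taken from the page, while the .cer file path is an assumption.

```powershell
# Added example (not from the original page). Assumed: the CA certificate was
# exported to $CerFile; the subject and KSP name are the ones shown on the page.
$Subject = 'CN=DemoRootCa, DC=Uti2, DC=si'
$CerFile = 'C:\Temp\DemoRootCa.cer'                      # assumed export path
$Ksp     = 'Utimaco CryptoServer Key Storage Provider'

# Step 1: locate the certificate and read its current container and provider.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject }
if (-not $cert) { throw "Certificate '$Subject' not found in LocalMachine\My" }
$thumb     = $cert.Thumbprint
$storeInfo = certutil -store my $thumb
$container = ($storeInfo | Select-String 'Unique container name: (\S+)').Matches[0].Groups[1].Value
$provider  = ($storeInfo | Select-String 'Provider = (.+)$').Matches[0].Groups[1].Value
Write-Host "Thumbprint: $thumb`nContainer:  $container`nProvider:   $provider"

# Step 2: the software key file is in one of two directories (CAPI CSP vs. CNG KSP).
$keyPaths = @("C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\$container",
              "C:\ProgramData\Microsoft\Crypto\Keys\$container")
$keyFile = $keyPaths | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "No key file found for container $container; nothing to delete" }

# Steps 3-4: remove certificate and software key, then confirm the key file is gone.
Remove-Item -Path "Cert:\LocalMachine\My\$thumb" -DeleteKey
if (Test-Path $keyFile) { throw "Key file $keyFile still present after -DeleteKey" }

# Step 5: re-import the public certificate from the exported .cer file.
certutil -addstore -f My $CerFile | Out-Null

# Steps 6-7: read the serial number and bind the certificate to the HSM-held key.
$serial = (certutil $CerFile | Select-String 'Serial Number: (\S+)').Matches[0].Groups[1].Value
certutil -f -repairstore -csp $Ksp my $serial | Out-Null

# Verify: the entry must now report a private key and the HSM provider.
$fixed = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb"
if (-not $fixed.HasPrivateKey) { throw "No private key linked after -repairstore" }
certutil -store my $thumb | Select-String 'Provider ='
```

The final line should print the Utimaco KSP rather than the Microsoft Software Key Storage Provider seen in step 1; if it does not, the repair did not bind the HSM key.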