Import the Private Key to the CryptoServer HSM

Before changing the ADCS role configuration to use the CryptoServer, it is necessary to import the private key into the HSM. Please perform the following steps.

  1. Open a PowerShell with administrator rights.

  2. Import the private key with the Utimaco command line tool cngtool, where <CA-Name> is the name of your certificate authority. You will be prompted for a passphrase: enter the one you set earlier to protect the PKCS#12 (PFX) file, since it is needed to decrypt the file.

›_ PowerShell

PS C:\stuff> cngtool Provider="Utimaco CryptoServer Key Storage Provider" Name=<CA-Name> spec=0 export=deny password=ask importkey="<Your CA cert/key PFX file>"

  3. Now you can check whether the import was performed correctly.

›_ PowerShell

PS C:\stuff> cngtool listkeys
------------------------------------------------------------
Provider           : Utimaco CryptoServer Key Storage Provider
Device             : 192.168.0.1
Group              : cng
Mode               : Internal Key Storage
------------------------------------------------------------
Index  AlgId       Size  Group             Name               Spec
-------------------------------------------------------------------
1      RSA         4096 UTIMACO-HSM-CA     UTIMACO-HSM-CA      0

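The following PowerShell script is an added example and not part of the Utimaco documentation. It wraps the import command from step 2 and then verifies the result by parsing the output of cngtool listkeys, so a script can fail early if the CA key did not land in the HSM. The function names, the parsing by whitespace-separated columns, and the assumption that cngtool is on the PATH are this example's own; the sample listkeys output is constructed from the listing shown above.

```powershell
# Added example, not Utimaco's own tooling. Assumes cngtool.exe is on the PATH.

function Import-CaKeyToHsm {
    # Runs the same cngtool invocation as step 2 of the procedure.
    # export=deny keeps the private key non-exportable once it is in the HSM;
    # password=ask prompts for the PKCS#12 passphrase instead of placing it on
    # the command line (where it would end up in shell history and logs).
    param(
        [Parameter(Mandatory)] [string] $CaName,
        [Parameter(Mandatory)] [string] $PfxPath
    )
    if (-not (Test-Path -LiteralPath $PfxPath)) {
        throw "PFX file not found: $PfxPath"
    }
    & cngtool "Provider=Utimaco CryptoServer Key Storage Provider" `
              "Name=$CaName" "spec=0" "export=deny" "password=ask" `
              "importkey=$PfxPath"
    if ($LASTEXITCODE -ne 0) {
        throw "cngtool importkey failed with exit code $LASTEXITCODE"
    }
}

function ConvertFrom-CngToolListKeys {
    # Parses the key table printed by 'cngtool listkeys' into objects.
    # Assumption (this example's): columns are separated by whitespace and
    # Group/Name values contain no spaces, as in the listing above.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $inTable = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*Index\s+AlgId\s+Size\s+Group\s+Name\s+Spec') {
            $inTable = $true
            continue
        }
        if (-not $inTable) { continue }                       # header block
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line.Trim() -match '^-+$') { continue }          # separator row
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 6) { continue }
        [pscustomobject]@{
            Index = [int]$f[0]
            AlgId = $f[1]
            Size  = [int]$f[2]
            Group = $f[3]
            Name  = $f[4]
            Spec  = [int]$f[5]
        }
    }
}

function Test-CaKeyInHsm {
    # Returns $true when a key named $CaName is listed in the HSM as an RSA
    # key of at least $MinRsaBits. Pass -ListKeysOutput to parse captured
    # output instead of calling cngtool (used for the offline check below).
    param(
        [Parameter(Mandatory)] [string] $CaName,
        [string[]] $ListKeysOutput = (& cngtool listkeys),
        [int] $MinRsaBits = 2048
    )
    $keys  = ConvertFrom-CngToolListKeys -Lines $ListKeysOutput
    $match = $keys | Where-Object {
        $_.Name -eq $CaName -and $_.AlgId -eq 'RSA' -and $_.Size -ge $MinRsaBits
    }
    return [bool]$match
}

# Constructed sample, copied from the listing in step 3 above.
$sampleListKeys = @'
------------------------------------------------------------
Provider           : Utimaco CryptoServer Key Storage Provider
Device             : 192.168.0.1
Group              : cng
Mode               : Internal Key Storage
------------------------------------------------------------
Index  AlgId       Size  Group             Name               Spec
-------------------------------------------------------------------
1      RSA         4096 UTIMACO-HSM-CA     UTIMACO-HSM-CA      0
'@ -split "`r?`n"

# Offline check of the parser against the sample: prints True, then False.
Test-CaKeyInHsm -CaName 'UTIMACO-HSM-CA' -ListKeysOutput $sampleListKeys
Test-CaKeyInHsm -CaName 'OTHER-CA'       -ListKeysOutput $sampleListKeys

# Live use on the CA host (uncomment after the key is ready):
# Import-CaKeyToHsm -CaName 'UTIMACO-HSM-CA' -PfxPath 'C:\stuff\ca.pfx'
# if (-not (Test-CaKeyInHsm -CaName 'UTIMACO-HSM-CA')) { throw 'CA key missing from HSM' }
```

The check deliberately tests the key by its Name rather than by Index, because the index can change as keys are added or deleted; the size threshold is a sanity check against importing the wrong PFX, not a statement about the HSM's own policy.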
If you use the internal key storage of the HSM and you operate a cluster of HSMs, the key database (CXIKEY.db) is not replicated automatically; you have to synchronize it between the cluster members manually.