Reconfigure the CA

The next steps reconfigure the CA while keeping the existing CA certificate. In this case the existing certificate must be linked with the new CNG key storage provider. Before reconfiguring the CA, it is recommended to delete the existing private key from the old storage provider. To do so, carry out the following steps.

  1. Open a PowerShell with administrator rights.

  2. Get the details of your CA certificates by using the Microsoft command line tool certutil -store my <Your CA common name> and make a note of the value for Cert Hash.

PowerShell

PS C:\>certutil -store my UTIMACO-HSM-CA
my "Personal"
================ Certificate 0 ================
Serial Number: 43ef6081aa8b6bac45ef49ccb278684c
Issuer: CN=UTIMACO-HSM-CA, DC=utimaco, DC=local
NotBefore: 10.12.2015 10:09
NotAfter: 10.12.2020 10:19
Subject: CN=UTIMACO-HSM-CA, DC=utimaco, DC=local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 6b 17 b8 1e ea db 70 d6 c2 a0 51 36 de ed 14 f5 4c 9b
...
Key Container = UTIMACO-HSM-CA
Unique container name:
084d751dc1f9bd60ae27b5b68c2b7a67_43b39732-c78b...
Provider = Microsoft Base Cryptographic Provider v1.0
Signature test passed
CertUtil: -store command completed successfully.

  3. Delete the existing CA certificate and private key.

    a. Change to the local machine certificate store.

PowerShell

PS C:\> cd cert:\localmachine\my

    b. Using the value for Cert Hash that you noted down in step 2, run the following command to delete the certificate and its private key from the local machine store.

PowerShell

PS Cert:\localmachine\my> Del -DeleteKey 6b17b81eeadb70d6c2a05136de...

    c. Repeat the previous step for every CA certificate that the certutil command listed.

  4. Migrate the CA certificate and key to the Utimaco CNG provider by importing your CA certificate/key PFX file with the following command:

PowerShell

PS C:\> certutil -csp "Utimaco Cryptoserver Key Storage Provider" -importpfx <Your CA cert/key PFX file>

  5. Link the existing CA certificate with the private key in the new key storage provider by using the Microsoft command line tool certutil -f -repairstore -csp "Utimaco Cryptoserver Key Storage Provider" my <Cert Hash>.

PowerShell

PS C:\> certutil -f -repairstore -csp "Utimaco Cryptoserver Key Storage Provider" my 6b17b81eeadb70d6c2a05136de...
my "Personal"
================ Certificate 0 ================
Serial Number: 43ef6081aa8b6bac45ef49ccb278684c
Issuer: CN=UTIMACO-HSM-CA, DC=utimaco, DC=local
NotBefore: 10.12.2015 10:09
NotAfter: 10.12.2020 10:19
Subject: CN=UTIMACO-HSM-CA, DC=utimaco, DC=local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 6b 17 b8 1e ea db 70 d6 c2 a0 51 36 de ed 14 f5 4c 9b
...
Key Container = UTIMACO-HSM-CA
Unique container name: 20091850E4CF622C2FB19079CC36CF82
Provider = Utimaco CryptoServer Key Storage Provider
Private key is NOT exportable
Encryption test passed
Signature test passed
CertUtil: -repairstore command completed successfully.

  6. Import registry settings for the CSP.

    a. Create a registry file named Csp.reg with the following content, and replace <Your CA Common Name> with your CA common name:

Csp.reg

Windows Registry Editor Version 5.00

; Signing key provider settings for the CA. Regedit requires the version header
; above and the full root key name (HKEY_LOCAL_MACHINE, not HKLM) in .reg files.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Your CA Common Name>\CSP]
"ProviderType"=dword:00000000
"Provider"="Utimaco Cryptoserver Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="SHA1"

    b. Before you save the file, confirm that you are using SHA1 by running one of the following commands:

i. In case the old CA used a CSP provider:

PowerShell

PS C:\> certutil -v -getreg ca\csp\HashAlgorithm
HashAlgorithm REG_DWORD = 8004 (32772)
CALG_SHA1
Algorithm Class: 0x8000(4) ALG_CLASS_HASH
Algorithm Type: 0x0(0) ALG_TYPE_ANY
Algorithm Sub-id: 0x4(4) ALG_SID_SHA1
CertUtil: -getreg command completed successfully.

If the output does not show SHA1, set the CNGHashAlgorithm value in the file to the CNG name of the algorithm shown instead.

ii. In case the old CA used a CNG provider:

PowerShell

PS C:\> certutil -v -getreg ca\csp\CNGHashAlgorithm
CNGHashAlgorithm REG_SZ = SHA256
CertUtil: -getreg command completed successfully.

If the output does not show SHA1 (in the example above it shows SHA256), set the CNGHashAlgorithm value in the file to the algorithm name shown.

    c. Save the file and then run it.

PowerShell

PS C:\backupCA> .\Csp.reg

  7. Import registry settings for the CSP encryption settings.

    a. Create a registry file named EncryptionCsp.reg with the following content, and replace <Your CA Common Name> with your CA common name:

EncryptionCsp.reg

Windows Registry Editor Version 5.00

; Encryption (key archival) provider settings for the CA. The version header and
; the full root key name are required by regedit. 0xa8 = 168 bits, the 3DES key size.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Your CA Common Name>\EncryptionCSP]
"ProviderType"=dword:00000000
"Provider"="Utimaco Cryptoserver Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGEncryptionAlgorithm"="3DES"
"MachineKeyset"=dword:00000001
"SymmetricKeySize"=dword:000000a8

    b. Before you save the file, confirm that you are using 3DES by running one of the following commands:

i. In case the old CA used a CSP provider:

PowerShell

PS C:\> certutil -v -getreg ca\encryptioncsp\EncryptionAlgorithm
EncryptionAlgorithm REG_DWORD = 6603 (26115)
CALG_3DES
Algorithm Class: 0x6000(3) ALG_CLASS_DATA_ENCRYPT
Algorithm Type: 0x600(3) ALG_TYPE_BLOCK
Algorithm Sub-id: 0x3(3) ALG_SID_3DES
CertUtil: -getreg command completed successfully.

If the output does not show 3DES, set the CNGEncryptionAlgorithm value in the file to the CNG name of the algorithm shown instead.

ii. In case the old CA used a CNG provider:

PowerShell

PS C:\> certutil -v -getreg ca\encryptioncsp\CNGEncryptionAlgorithm
CNGEncryptionAlgorithm REG_SZ = 3DES
CertUtil: -getreg command completed successfully.

If the output does not show 3DES, set the CNGEncryptionAlgorithm value in the file to the algorithm name shown.

    c. Save the file and then run it.

PowerShell

PS C:\backupCA> .\EncryptionCsp.reg

  8. Optional but strongly recommended: change the CA hash algorithm to a SHA-2 family algorithm, for example SHA256.

PowerShell

PS C:\> certutil -setreg ca\csp\CNGHashAlgorithm SHA256
New Value:
CNGHashAlgorithm REG_SZ = SHA256
CertUtil: -setreg command completed successfully.

  9. Start the CA service again.

PowerShell

PS C:\> Start-Service CertSvc
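
Once the service is back up, the following script checks that the migration described in steps 3 to 9 actually took effect. It is an added example, not part of the Utimaco guide: it reads the active CA's CSP and EncryptionCSP registry entries, flags a legacy hash algorithm, resolves every hash listed in the CA's CACertHash registry value to the certificate in Cert:\LocalMachine\My, and confirms that each certificate's private key is held by the expected key storage provider and is not exportable. It assumes Windows PowerShell 5.1 on the CA host, an elevated prompt, an RSA CA key, and the provider name used throughout this guide (pass a different -ExpectedProvider if yours differs).

```powershell
# Added post-migration check (not part of the Utimaco guide).
# Assumes: Windows PowerShell 5.1 on the CA host, elevated prompt, RSA CA key,
# and the provider name used in this guide.
function Test-CaKspMigration {
    param(
        [string]$ExpectedProvider = 'Utimaco Cryptoserver Key Storage Provider',
        [string[]]$WeakHashAlgorithms = @('SHA1', 'MD5', 'MD4', 'MD2')
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

    # 'Active' names the CA instance; its settings live in a subkey of the same name.
    $caName = (Get-ItemProperty -Path $configRoot -Name Active).Active
    $caKey  = Join-Path $configRoot $caName

    # Signing provider (the Csp.reg settings from the guide).
    $csp = Get-ItemProperty -Path (Join-Path $caKey 'CSP')
    if ($csp.Provider -ne $ExpectedProvider) {
        $findings.Add("CSP\Provider is '$($csp.Provider)', expected '$ExpectedProvider'")
    }
    if ($csp.ProviderType -ne 0) {
        $findings.Add("CSP\ProviderType is '$($csp.ProviderType)', expected 0 for a CNG provider")
    }
    if ($WeakHashAlgorithms -contains $csp.CNGHashAlgorithm) {
        $findings.Add("CSP\CNGHashAlgorithm is $($csp.CNGHashAlgorithm); move to a SHA-2 algorithm such as SHA256")
    }

    # Encryption provider (the EncryptionCsp.reg settings from the guide).
    $enc = Get-ItemProperty -Path (Join-Path $caKey 'EncryptionCSP')
    if ($enc.Provider -ne $ExpectedProvider) {
        $findings.Add("EncryptionCSP\Provider is '$($enc.Provider)', expected '$ExpectedProvider'")
    }

    # CACertHash lists the CA's certificate hashes as space-separated hex;
    # normalise them to the thumbprint format used by the Cert: drive.
    $hashes = (Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

    foreach ($hash in $hashes) {
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
        if (-not $cert) {
            $findings.Add("CA certificate $hash is missing from Cert:\LocalMachine\My")
            continue
        }
        if (-not $cert.HasPrivateKey) {
            $findings.Add("CA certificate $hash has no private key linked; certutil -repairstore has not taken effect")
            continue
        }
        # A CNG-backed key comes back as RSACng; a legacy CSP key as RSACryptoServiceProvider.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider   = $rsa.Key.Provider.Provider
            $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
        } else {
            $provider   = $rsa.CspKeyContainerInfo.ProviderName
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        }
        if ($provider -ne $ExpectedProvider) {
            $findings.Add("CA certificate $hash key is held by '$provider', expected '$ExpectedProvider'")
        }
        if ($exportable) {
            $findings.Add("CA certificate $hash key is exportable; an HSM-held CA key should not be")
        }
        $rsa.Dispose()
    }

    if ((Get-Service -Name CertSvc).Status -ne 'Running') {
        $findings.Add('CertSvc is not running')
    }
    # The leading comma keeps the list intact instead of unrolling it.
    return ,$findings
}

$result = Test-CaKspMigration
if ($result.Count -eq 0) {
    Write-Output 'CA is configured for the CNG key storage provider; no findings.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from the same elevated PowerShell after step 9. A non-zero exit with warnings means one of the earlier steps did not stick: a Provider mismatch points at the .reg import, a "no private key linked" finding at the -repairstore step, and an "exportable" finding at a key that was imported into a software provider rather than the HSM-backed one.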