Test and Cleanup Procedures

After the migration has been completed you should verify that everything works correctly.

  1. Run the following command on the CA to verify that the CA service is up and ready to receive requests.

›_ PowerShell

PS C:\> certutil -ping
Connecting to HSM-CA.utimaco.local\UTIMACO-HSM-CA ...
Server "UTIMACO-HSM-CA" ICertRequest2 interface is alive (16ms)
CertUtil: -ping command completed successfully.

  2. Run the command certutil -store my <Your CA Common Name> on the CA to verify that the CA is configured with the correct key and provider.

›_ PowerShell

PS C:\> certutil -store my UTIMACO-HSM-CA
my "Personal"
================ Certificate 0 ================
Serial Number: 1ee7e741878151a947b6a1771ec46152
Issuer: CN=UTIMACO-HSM-CA, DC=utimaco, DC=local
NotBefore: 10.12.2015 15:59
NotAfter: 10.12.2020 16:09
Subject: CN=UTIMACO-HSM-CA, DC=utimaco, DC=local
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): ce cd da 29 05 31 04 82 d0 e0 c7 8c 9f 30 6a fa f0 89
...
Key Container = UTIMACO-HSM-CA
Unique container name: D0A70AB53D75E80677291C6100C2A996
Provider = Utimaco CryptoServer Key Storage Provider
Signature test passed
CertUtil: -store command completed successfully.

  3. Request and issue a certificate for a user or computer and inspect the resulting certificate details to verify that the certificate shows the correct signature algorithm and signature hash algorithm.

  4. Verify that the certificate revocation list can be published and has the correct signature algorithm and signature hash algorithm. Publish the certificate revocation list (CRL) and check the correct signature algorithm by running the following commands on the CA. Please replace <Your CA Common Name> with your CA Common Name.

›_ PowerShell

PS C:\> certutil -crl
CertUtil: -CRL command completed successfully.
PS C:\> certutil "C:\Windows\System32\CertSrv\CertEnroll\<Your CA Common Name>.crl" | findstr /spi algorithm
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.13 sha512RSA
Algorithm Parameters:
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.13 sha512RSA
Algorithm Parameters:
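
The `certutil -store my` check above can be scripted so that every certificate in the store is compared against the expected provider, not only the first one listed. This is an added example, not part of the original guide: `Get-CaKeyBinding` is a hypothetical helper, and the second certificate in the sample (a leftover bound to a software provider) is constructed.

```powershell
# Added example, not part of the original guide. Get-CaKeyBinding is a hypothetical helper.
function Get-CaKeyBinding {
    param([Parameter(Mandatory)][string[]] $StoreOutput)   # lines of: certutil -store my <CA CN>
    $current = $null
    foreach ($line in $StoreOutput) {
        if ($line -match '^=+ Certificate (\d+) =+') {
            # A new certificate block starts: emit the previous one, if any.
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{ Index = [int]$Matches[1]; Serial = $null
                                   KeyContainer = $null; Provider = $null; SignatureTest = $false }
        } elseif ($null -eq $current) {
            continue                                        # banner lines before the first block
        } elseif ($line -match '^\s*Serial Number:\s*(\S+)') {
            $current.Serial = $Matches[1]
        } elseif ($line -match '^\s*Key Container\s*=\s*(.+?)\s*$') {
            $current.KeyContainer = $Matches[1]
        } elseif ($line -match '^\s*Provider\s*=\s*(.+?)\s*$') {
            $current.Provider = $Matches[1]
        } elseif ($line -match '^\s*Signature test passed') {
            $current.SignatureTest = $true
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

# Constructed sample: certificate 0 mirrors the guide's output; certificate 1 is an
# invented leftover whose key is still held by a software provider.
$sample = @'
my "Personal"
================ Certificate 0 ================
Serial Number: 1ee7e741878151a947b6a1771ec46152
  Key Container = UTIMACO-HSM-CA
  Provider = Utimaco CryptoServer Key Storage Provider
Signature test passed
================ Certificate 1 ================
Serial Number: 00aa00bb00cc00dd
  Key Container = UTIMACO-HSM-CA-old
  Provider = Microsoft Software Key Storage Provider
Signature test passed
'@ -split '\r?\n'

$expected = 'Utimaco CryptoServer Key Storage Provider'    # name as printed in the guide
$bindings = Get-CaKeyBinding $sample   # live: Get-CaKeyBinding (certutil -store my 'UTIMACO-HSM-CA')
$failed   = @($bindings | Where-Object { $_.Provider -ne $expected -or -not $_.SignatureTest })
$bindings | Format-Table Index, Serial, Provider, SignatureTest
if ($failed.Count) { Write-Warning "$($failed.Count) certificate(s) not backed by '$expected'" }
```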

If everything works correctly, the migration is complete. Delete all exported files and backups created during this migration.

Before you go into production mode, make sure that you have removed the backup of the PKCS#12 file from every insecure data storage.