Importing Local Keys and HSM Configuration for a Root CA

49885604
2025-03-24T15:20:14.03+00:00

Requesting clarifications and guidance on the process of importing local keys or keys from an HSM into a new Root CA during configuration.

I have successfully imported a key from an existing Root CA certificate, but I have two specific questions:

  1. What is the correct method to import a local key from .key or .ppk files using Windows Server 2022? I've encountered issues with key providers not recognizing my key. What source should be considered in the operating system? The search result is empty.
  2. If using an HSM, does it need to have a folder or disk mapped to the operating system of the Root CA server to retrieve the key during configuration?

Thank you for any assistance provided.

[Screenshot attached to the question: SubCA_PrivateKey_Existing]


Accepted answer
  Geoff McKenzie
    2025-03-25T00:27:22.4433333+00:00

    Hi 49885604,

    You are stretching my memory here but I'll give it a crack and recommend you check and verify my thoughts (ideally in a test environment or lab). I will skip the whole 'why are you reusing keys?' question as I assume you have reasons. Basically, from memory, you need to have a certificate and private key available and associated in Windows for the CA to use.

    1. For a .key file (I am assuming this is still the case with Windows), you need to convert the cert and key files to PFX, then import into Windows. The import will ensure the private key and certificate are installed in the machine certificate store and correctly associated. I'll provide some references on how you may be able to convert from PEM to PFX (verify and use at your own risk) below.
    2. For an HSM, generally you cannot 'import' the private key into Windows, as the HSM is supposed to protect it. I guess that really depends on the HSM and how the key was originally protected. The point of an HSM is usually to prevent exposure of the private key outside of the HSM; therefore you cannot usually export a private key from an HSM. Caveat: in a usable form.
       What you want to do here is install the certificate associated with the HSM-protected key into the Windows machine certificate store. Assuming the HSM software is installed on the CA and the CA is configured and talking to the HSM, you should then be able to associate the certificate in the machine certificate store with the HSM Key Storage Provider (KSP), which then enables the crypto functions that need the private key to be redirected to the HSM. This association may be possible with the HSM software and/or you may need to use certutil -repairstore to perform the association.

    I hope the above gets you started in the right direction. It has been a while so please take with several grains of salt.

    References for PEM/Key to PFX... (verify and test and try at your own risk)

    https://security.stackexchange.com/questions/25996/how-to-import-a-private-key-in-windows

    https://stackoverflow.com/questions/63416126/windows-how-to-import-when-certificate-and-private-key-are-in-separate-files

    https://itsimple.info/?p=2686

    Regards,

    Geoff

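The two procedures in the accepted answer (PEM certificate plus .key file converted to a PFX and imported into the machine store; certificate for an HSM-held key bound to the vendor KSP with certutil -repairstore), written out as an added PowerShell example for Windows Server 2022. This is not code from the original question or answer. It assumes OpenSSL is on the PATH, that the files live under C:\CA, and that the KSP name in $hsmKsp is a placeholder for whatever the HSM vendor's provider is called on your machine (certutil -csplist shows the real names).

```powershell
# Added example: PEM + .key -> PFX -> LocalMachine\My, then HSM certificate -> KSP binding.
# Paths, password prompt and KSP name are assumptions for illustration.

$certPem = 'C:\CA\rootca.cer'   # PEM-encoded CA certificate (assumed path)
$keyPem  = 'C:\CA\rootca.key'   # PEM-encoded private key, the ".key" file (assumed path)
$pfxPath = 'C:\CA\rootca.pfx'

# --- Part 1: software key in a .key file -------------------------------------

# Check that the key really belongs to the certificate before bundling them:
# the SHA-256 of the SubjectPublicKeyInfo derived from each side must match.
# A mismatch is the usual reason the CA wizard shows an empty key list.
$certPubHash = & openssl x509 -in $certPem -noout -pubkey | openssl sha256
$keyPubHash  = & openssl pkey -in $keyPem -pubout        | openssl sha256
if ($certPubHash -ne $keyPubHash) {
    throw "Private key in $keyPem does not match the public key in $certPem."
}

# Build the PFX. Prompt for the password rather than hard-coding it, and use
# AES-256/SHA-256 instead of OpenSSL's legacy RC2/3DES PKCS#12 defaults.
$pfxPwd   = Read-Host -AsSecureString -Prompt 'PFX password'
$pwdPlain = [System.Net.NetworkCredential]::new('', $pfxPwd).Password
& openssl pkcs12 -export -inkey $keyPem -in $certPem -out $pfxPath `
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 -passout "pass:$pwdPlain"
Remove-Variable pwdPlain

# Import into the machine store. -Exportable is deliberately left off so the
# key cannot be pulled back out of the CA host afterwards.
$swCert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd

# The CA wizard only offers certificates whose private key is bound to a CSP/KSP;
# certutil prints the provider and confirms the key pair is usable.
certutil -store My $swCert.Thumbprint
certutil -verifykeys

# --- Part 2: key held in an HSM ----------------------------------------------

# No private key leaves the HSM. Only the certificate is imported, then it is
# bound to the HSM's Key Storage Provider so signing is redirected to the device.
$hsmCertPem = 'C:\CA\rootca-hsm.cer'                   # assumed path
$hsmKsp     = 'Vendor Key Storage Provider'            # placeholder: see certutil -csplist

$hsmCert = Import-Certificate -FilePath $hsmCertPem -CertStoreLocation Cert:\LocalMachine\My

# Confirm the CA host can actually see the HSM's KSP and the key inside it
# before repairing the store; if this fails, the HSM client is not configured.
certutil -csplist
certutil -key -csp $hsmKsp

# Bind the stored certificate to the key in the named KSP.
certutil -csp $hsmKsp -repairstore My $hsmCert.Thumbprint

# Success looks like a "Provider = <KSP name>" line and "Private key is NOT
# plain text" in the output; the certificate should then appear as an existing
# key in the AD CS role configuration wizard.
certutil -store My $hsmCert.Thumbprint
```

Note on the second question in the post: nothing in this flow mounts a folder or disk from the HSM. The CA server reaches the key through the vendor's KSP (network or PCIe client software), which is why certutil -csplist must list the provider before -repairstore can succeed.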
