I've got two Windows systems tied to AWS CloudHSM v2 (the Cavium HSM). On one host, I generated the CSR and accepted/added the cert purchased with that CSR. I can sign, and the private key is pulled properly from the HSM via the Key Container.
The other system is my production signing system, and it is working properly with the existing cert, but when I try to add the new cert, no Key Container is set up. I'm used to needing to run the repair process, but in this case I have no ID to provide in the file.
Authenticate:

    "\Program Files\Amazon\CloudHSM\tools\set_cloudhsm_credentials.exe" --user REDACTED --password "..."

Add the cert:

    certutil -addstore my my-new-cert.crt

Dump the store details:

    certutil -store my > cert_store_details.txt
    Serial Number: REDACTED
    Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=DigiCert, Inc., C=US
    NotBefore: 1/25/2022 12:00 AM
    NotAfter: 1/25/2023 11:59 PM
    Subject: CN=REDACTED, C=US, SERIALNUMBER=REDACTED, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
    Non-root Certificate
    Cert Hash(sha1): REDACTED
    No key provider information
    Cannot find the certificate and private key for decryption.
Normally, I'd create a repair.txt like so, with the Key Container ID between the = and & on the Container line; however, I don't have one of those, so I'm out of luck:

    [Properties]
    11 = "" ; Add friendly name property
    2 = "{text}" ; Add Key Provider Information property
    _continue_="Container=&"
    _continue_="Provider=Cavium Key Storage Provider&"
    _continue_="Flags=0&"
    _continue_="KeySpec=2"
If I just run a repair (certutil -repairstore my "REDACTED"), then I get asked for a smart card. Oh, and this machine is Windows Core 2016 (so there's NO UI or limited UI).
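A check for the condition described above, as an added example that is not part of the original post: it parses a `certutil -store my` dump and lists certificates that have no key container bound, so a cert imported with `certutil -addstore` but never linked to its HSM key is caught before a signing job relies on it. The field names assume certutil's English output; the sample dump, hashes and container name are constructed.

```python
import re

# Constructed sample of `certutil -store my` output: one certificate bound to a
# Cavium key container and one newly imported certificate with no key binding.
SAMPLE_DUMP = """\
================ Certificate 0 ================
Subject: CN=Example Signing Corp, C=US
Non-root Certificate
Cert Hash(sha1): aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  Key Container = cavium-container-old-1234
  Provider = Cavium Key Storage Provider
Private key is NOT exportable
================ Certificate 1 ================
Subject: CN=Example Signing Corp, C=US
Non-root Certificate
Cert Hash(sha1): bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
No key provider information
Cannot find the certificate and private key for decryption.
"""

# certutil separates entries with a "==== Certificate N ====" banner line.
CERT_SPLIT = re.compile(r"^=+ Certificate \d+ =+$", re.MULTILINE)


def parse_store_dump(text):
    """Split a certutil -store dump into one dict per certificate.

    Only the fields needed to check private-key binding are extracted;
    the field labels follow certutil's English output (an assumption).
    """
    certs = []
    for chunk in CERT_SPLIT.split(text):
        if not chunk.strip():
            continue
        fields = {"no_key_provider": False}
        for line in chunk.splitlines():
            line = line.strip()
            if line.startswith("Subject:"):
                fields["subject"] = line.split(":", 1)[1].strip()
            elif line.startswith("Cert Hash(sha1):"):
                fields["sha1"] = line.split(":", 1)[1].strip()
            elif line.startswith("Key Container ="):
                fields["container"] = line.split("=", 1)[1].strip()
            elif line.startswith("Provider ="):
                fields["provider"] = line.split("=", 1)[1].strip()
            elif line.startswith("No key provider information"):
                fields["no_key_provider"] = True
        certs.append(fields)
    return certs


def unbound_certs(text):
    """Return (sha1, subject) for every cert with no key container bound."""
    return [(c.get("sha1"), c.get("subject")) for c in parse_store_dump(text)
            if c["no_key_provider"] or "container" not in c]
```

Feed it the real cert_store_details.txt and anything it returns is a certificate certutil cannot sign with until a Key Provider Information property pointing at the right container is attached.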