Windows doesn't create assign "Key Container" when adding cert tied to Cavium (AWS CloudHSMv2)

Question

I've got two windows systems tied to the AWS CloudHSM v2 (the cavium HSM). On one, I generated the CSR, and accepts/added the cert purchased with that CSR. I can sign and the private key is pulled properly from the HSM via the Key Container.

The other signing is my production signing system and it is working properly with the existing cert but when I try to add the new cert, no Key Container is setup. I'm used to needing to run the repair process but in this case I have no ID to provide the file.

1. Authenticate "\Program Files\Amazon\CloudHSM\tools\set_cloudhsm_credentials.exe" --user REDACTED --password "..."
2. Add the cert certutil -addstore my my-new-cert.crt
3. Dump the store details certutil -store my > cert_store_details.txt

    Serial Number: REDACTED
    Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=DigiCert, Inc., C=US
     NotBefore: 1/25/2022 12:00 AM
     NotAfter: 1/25/2023 11:59 PM
    Subject: CN=REDACTED, C=US, SERIALNUMBER=REDACTED, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
    Non-root Certificate
    Cert Hash(sha1): REDACTED
    No key provider information
    Cannot find the certificate and private key for decryption.

Normally, I'd create a repair.txt like so with Key Container id between the = and & on the Container however, I don't got one of those so I'm out of luck

        [Properties]
        11 = "" ; Add friendly name property
        2 = "{text}" ; Add Key Provider Information property
        _continue_="Container=&"
        _continue_="Provider=Cavium Key Storage Provider&"
        _continue_="Flags=0&"
        _continue_="KeySpec=2"    

If I just run a repair certutil -repairstore my "REDACTED" then I get asked for a smart card. Oh and this machine is a Windows Core 2016 (so there's NO UI or limited UI).

Answer 1

Ok, here's the answer from AWS support - hopefully, they will add it to their docs

1. Determine CloudHSM file handles for private and public key (you can do this by dumping the modulus from the cert and using the hsm tools to hunt for the key. However, I reported on handles prior to generating my CSR and after so I could add them to my secure documentation - so I didn't need to do that

2. Create a KSP container

C:\Program Files\Amazon\CloudHSM>import_key.exe -from HSM 
  -privateKeyHandle <private key handle> -publicKeyHandle <public key handle>

This should output something similar to: "Represented 1 keypairs in Cavium Key Storage Provider."

If you receive an error message "n3fips_password is not set" make sure to set the login credentials for the HSM on your system as detailed in [4] below.

3. Run the following command to verify the new key container is in your key storage provider:

C:\Program Files\Amazon\CloudHSM>certutil -key -csp "Cavium Key Storage provider"

"Cavius Key Storage Provider" may not be the name given to your key container. This name is retrieved from the output generated from the first step.

If the container was successfully created, the output should be similar to the following:

Cavium Key Storage provider:
  <key container name>
  RSA


CertUtil: -key command completed successfully.

4. Create a repair.txt so we can update the cert store to use the container

[Properties]
11 = "" ; Add friendly name property
2 = "{text}" ; Add Key Provider Information property
_continue_="Container=<key container name>&"
_continue_="Provider=Cavium Key Storage Provider&"
_continue_="Flags=0&"
_continue_="KeySpec=2"

5. Make sure that the CloudHSM Client daemon is still running, and use the certutil verb -repairstore to update the certificate serial number. This command would look something similar to the following:

certutil -repairstore my <certificate serial number> repair.txt

6. After repairing the certificate store, please run the following command to verify that the certificate has been properly associated with the new key container successfully:

certutil -store my

You'll expect something like this

================ Certificate 0 ================
Serial Number: <certificate serial number>
Issuer: CN=MYRootCA
 NotBefore: 2/5/2020 1:38 PM
 NotAfter: 2/5/2021 1:48 PM
Subject: CN=www.mydomain.com, OU=Certificate Management, O=Information Technology, L=Houston, S=Texas, C=US
Non-root Certificate
Cert Hash(sha1): 5a...24
  Key Container = CNGRSAPriv-...d
  Provider = Cavium Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.

If Key Container = CNGRSAPriv-...d shows the proper container, then you know the cert KSP relationship is good

If you see Private key is NOT exportable and Encryption test passed you know that you are using the corrent file handles.

If you use signtool, you will need to add /sm to force it to use machine store and not user store as the process above generates the container tied to the machine store. There's no option around that.