Error while creating a CSR using certreq.exe


I have a CloudHSM cluster that I will be using for signing. I followed the instruction given here to generate a CSR:

https://docs.aws.amazon.com/cloudhsm/latest/userguide/signtool-sdk5.html

I followed these instructions to set up my Windows Server 2022 EC2 instance: https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html

I am getting this error while trying to generate CSR:

    certreq.exe -new request.inf request.csr
    Certificate Request Processor: Invalid provider specified. 0x80090013 (-2146893805 NTE_BAD_PROVIDER)

I am using the template shared in the SignTool user guide. Also, I have a CloudHSM session active in another PowerShell terminal. What else is needed to generate the CSR?

  • After installing the KSP I am getting a slightly different error: certreq.exe -new request.inf request.csr Certificate Request Processor: Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)

asked 24 days ago, 67 views

1 Answer

Accepted Answer (2 votes)

The error you're encountering suggests that there might be an issue with the CloudHSM Key Storage Provider (KSP) configuration or recognition on your Windows Server. To resolve this and successfully generate a Certificate Signing Request (CSR) using certreq.exe with AWS CloudHSM, consider the following steps:

  1. Ensure that you've correctly installed the AWS CloudHSM client software on your Windows Server 2022 EC2 instance. This includes the CloudHSM Key Storage Provider.

  2. Verify that you've specified the correct provider name in your request.inf file. The ProviderName should be set to "CloudHSM Key Storage Provider" exactly as shown below:

    [NewRequest]
    Subject = "CN=example.com,C=US,ST=Washington,L=Seattle,O=ExampleOrg,OU=WebServer"
    KeyAlgorithm = RSA
    KeyLength = 2048
    ProviderName = "CloudHSM Key Storage Provider"
    KeyUsage = 0xf0
    MachineKeySet = True
    
  3. Make sure you have an active CloudHSM session running. You mentioned having one in another PowerShell terminal, but ensure it's properly connected and authenticated.

  4. Try running the certreq command with administrator privileges. Open a PowerShell window as an administrator and execute the command from there.

  5. Double-check that all the necessary CloudHSM services are running on your Windows Server.

  6. If the issue persists, you might want to try generating the CSR using an alternative method, such as using the Windows Server Internet Information Services (IIS) Manager or the certificates snap-in in the Microsoft Management Console.

If you're still encountering issues after trying these steps, you may need to review your CloudHSM setup and ensure all components are correctly installed and configured. Remember that the exact process can vary depending on your specific setup and the version of the AWS CloudHSM client you're using.
Sources
AWS CloudHSM SSL/TLS offload on Windows using IIS with KSP - AWS CloudHSM
Configure Windows Server as a certificate authority (CA) with Client SDK 5 - AWS CloudHSM

answered 24 days ago
EXPERT reviewed 24 days ago
  • How do I install KSP on the ec2 instance?
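As an added example (not from the post, the answer, or the AWS documentation), the checks below cover the two errors in the thread before certreq.exe is run: 0x80090013 means CNG found no provider with the name in request.inf, and 0x80090017 is the CryptoAPI "provider type not defined" code, which a CNG KSP should never need. The file paths are assumptions; the provider name is the one the thread uses.

```powershell
# Pre-flight checks for generating a CSR against the CloudHSM KSP.
# Run from an elevated PowerShell window on the EC2 instance.
$InfPath      = 'C:\csr\request.inf'   # assumed path to the request.inf
$CsrPath      = 'C:\csr\request.csr'   # assumed output path
$ProviderName = 'CloudHSM Key Storage Provider'

# 1. certutil -csplist enumerates every registered CSP/KSP. NTE_BAD_PROVIDER
#    (0x80090013) means the name in request.inf is not in this list.
$registered = certutil -csplist 2>&1 | ForEach-Object {
    if ($_ -match '^Provider Name:\s*(.+)$') { $Matches[1].Trim() }
}
if ($registered -notcontains $ProviderName) {
    Write-Error "'$ProviderName' is not registered. Registered providers:`n$($registered -join "`n")"
    return
}

# 2. The ProviderName line in request.inf must match the registered name exactly.
$m = Select-String -Path $InfPath -Pattern '^\s*ProviderName\s*=\s*"?([^"]+)"?' |
     Select-Object -First 1
$infProvider = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '' }
if ($infProvider -ne $ProviderName) {
    Write-Error "request.inf names provider '$infProvider', expected '$ProviderName'"
    return
}

# 3. A KSP is a CNG provider and has no legacy CryptoAPI provider type. A
#    ProviderType line makes certreq look one up, which is what
#    NTE_PROV_TYPE_NOT_DEF (0x80090017) reports when it is not defined.
if (Select-String -Path $InfPath -Pattern '^\s*ProviderType\s*=' -Quiet) {
    Write-Warning 'request.inf sets ProviderType; remove that line when using a KSP.'
}

# 4. MachineKeySet = True targets the machine key store, so certreq needs elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run this from an elevated PowerShell window.'
    return
}

# All checks passed: generate the CSR and surface certreq's exit code.
certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { Write-Error "certreq.exe failed with exit code $LASTEXITCODE" }
```

If step 1 fails, the KSP installation itself is what needs attention; the later steps only matter once the provider name shows up in certutil's list.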
