How to register multiple CloudHSM Windows clients with CloudHSM

We installed the CloudHSM Windows client and were able to create a CSR on it. The CSR was sent to DigiCert to sign. After receiving the CRT from DigiCert, files can be signed successfully using signtool.exe on this Windows client. We are trying to bring one more Windows client in to sign. We installed the CloudHSM Windows client on it and ran the commands below without issues:

    .\configure.exe -a <HSM IP>

    .\tools\set_cloudhsm_credentials.exe --username <CU user> --password <password>

    Get-Service -Name AWSCloudHSMClient | Format-Table DisplayName,Status -AutoSize

But it failed at "certreq -accept <CA cert>" with the error "Certificate Request Processor: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)".

I can understand that it failed because the CSR was not generated on this machine. But how do I register this machine with the CloudHSM CU so that it uses the same private key to sign exe files?

Please help. Thanks!

  • @rePost-User-7672835 Let me know if you have any issues with this, or if it helps you then please accept my answer after you've tried it out - it would be much appreciated! Good luck :)

asked a year ago, 305 views

1 Answer

https://docs.aws.amazon.com/cloudhsm/latest/userguide/cmu-install-and-configure-client-win.html (just for other folks to see).

Certreq was unable to find the related request object. This is typically within the Certificate Enrollment Requests (CER) node of the certificate store.

Run "certutil -dump file.req" to dump the request file and inspect the contents. It should contain a public key. Then run "certutil -dump cert.cer" to dump the issued certificate. Compare the keys.

Do this for each object within the Certificate Enrollment Requests (CER) node (focused on the Local Machine context) to find the request object with the matching public key. I admit I had to go back and do some searching on this myself, but this should be what you are looking for. Best of luck!

D G
answered a year ago
  • What do you do when you have found the matching Certificate Enrollment Request? Should it be enough to export it and then import it into the machine where the "certreq -accept" command failed? We have a similar situation and tried this, but we still get the "Cannot find object or property" error.
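As an added worked example (not part of the original question or the answer above), the following PowerShell is what a second Windows client would run to pick up a certificate whose key lives in the CloudHSM cluster. It assumes the Client SDK 3 KSP is named "Cavium Key Storage Provider" (verify with certutil -csplist), that the CSR on the first machine was generated into a key container named "CodeSigningKey", that the key is RSA, and hypothetical paths for the .cer file and the binary to sign. Instead of certreq -accept, which needs the pending request object that only the first machine holds, it imports the certificate and uses certutil -repairstore to re-associate it with the HSM-backed key through the KSP; that is the standard Windows mechanism for re-linking a certificate to a key, not a step the page itself describes.

```powershell
# Added example; not from the original post. All names below are assumptions to adjust:
$Ksp          = 'Cavium Key Storage Provider'   # assumption: Client SDK 3 KSP name (certutil -csplist)
$KeyContainer = 'CodeSigningKey'                # assumption: KeyContainer used in the CSR .inf on machine 1
$CerPath      = 'C:\certs\signing.cer'          # assumption: certificate issued by the CA
$Target       = 'C:\build\app.exe'              # assumption: binary to sign

# 1. The client daemon must be running, and the KSP must list the key that lives in the cluster.
#    CU credentials must already have been set with set_cloudhsm_credentials.exe on this machine.
$svc = Get-Service -Name AWSCloudHSMClient
if ($svc.Status -ne 'Running') { throw "AWSCloudHSMClient is $($svc.Status); fix the client first." }
certutil -csp "$Ksp" -key | Select-String -Pattern $KeyContainer    # the container should appear here

# 2. Compare the certificate's public key with the HSM key's public key.
#    This is the comparison the answer recommends, done against the HSM key itself rather than
#    against a local enrollment request, because this machine never had one.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$certRsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $certRsa) { throw "Certificate does not carry an RSA public key; this example assumes RSA." }
$certModulus = [Convert]::ToBase64String($certRsa.ExportParameters($false).Modulus)

$provider    = New-Object System.Security.Cryptography.CngProvider $Ksp
$cngKey      = [System.Security.Cryptography.CngKey]::Open($KeyContainer, $provider,
                 [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey)
$hsmRsa      = New-Object System.Security.Cryptography.RSACng $cngKey
$hsmModulus  = [Convert]::ToBase64String($hsmRsa.ExportParameters($false).Modulus)

if ($certModulus -ne $hsmModulus) {
    throw "Public key in $CerPath does not match key container '$KeyContainer' in '$Ksp'. Wrong certificate or wrong container."
}
"Certificate public key matches HSM key container '$KeyContainer'."

# 3. Install the certificate in the Local Machine store and bind it to the KSP key.
#    certreq -accept would fail here with CRYPT_E_NOT_FOUND (no pending request on this machine);
#    certutil -repairstore performs the key association by asking the named KSP instead.
$imported = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\My
certutil -csp "$Ksp" -repairstore my $imported.Thumbprint
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# 4. Confirm Windows now reports a provider and key container for the certificate, then sign with it.
certutil -store my $imported.Thumbprint | Select-String -Pattern 'Provider|Key Container'
& signtool.exe sign /fd SHA256 /sha1 $imported.Thumbprint /tr http://timestamp.digicert.com /td SHA256 $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
& signtool.exe verify /pa /v $Target
```

Run this in an elevated PowerShell session, since the certificate goes into the Local Machine store and the HSM key is opened with the MachineKey option. If step 2 already fails to open the key container, the problem is on the CloudHSM side (wrong KSP name, wrong container name, or CU credentials not set on this machine), not with the certificate; if step 3 succeeds but certutil -store shows no Provider or Key Container line, the repair did not take and signtool will not find a private key for the thumbprint.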
