
Importing Certificate signed using CloudHSM key on Linux into a Windows instance using the CloudHSM KSP


I have been successfully using jarsigner to sign Jars on linux using a key held in CloudHSM and an EV code signing certificate associated with the key in CloudHSM.

Now, we need to use that certificate to sign code on Windows, so we need to import the certificate onto a Windows EC2 instance that can also talk to our CloudHSM cluster, and associate it with the private key so that we can sign files using signtool.exe.

All the documentation I've found so far assumes that you create the keypair on the windows instance, then generate a CSR on the same instance and finally install the certificate.

How do you import the Certificate if it already exists?

I have been able to successfully install the CloudHSM client and KSP software on my instance, and can log in to my CloudHSM and perform operations, so it appears that I'm successfully set up, but I can't figure out how to import the certificate without a corresponding certificate request.

Has anyone managed to do this?

Many thanks.

asked 10 months ago · 348 views
1 Answer

Yes, it is possible to import an existing certificate that was signed using a CloudHSM key on Linux into a Windows instance using the CloudHSM KSP. Here's how you can do it:

  1. First, you need to import the certificate into the Windows certificate store. You can do this using the Windows Certificate Import Wizard or by using the certutil command-line tool.

  2. Once the certificate is in the Windows certificate store, you need to associate it with the private key in the CloudHSM. This is where the CloudHSM Key Storage Provider (KSP) comes into play.

  3. Use the import_key.exe utility, which is included in CloudHSM version 3.0 and higher, to import the key's metadata into the local certificate store and associate it with the certificate.

  4. To use import_key.exe, you'll need to know the Unique Container Name and Serial Number of the certificate. You can find these using a utility like certutil.

  5. Run the import_key.exe utility to associate the AWS CloudHSM private key with the certificate. The command will look something like this:

    import_key.exe --cavium-pkcs11 --token-label <HSM user name> --token-pin <HSM user password> --key-label <key label> --cert-label <certificate label>

  6. After associating the key, update the certificate store using certutil to ensure the changes are reflected.

Once you've completed these steps, you should be able to use the imported certificate with signtool.exe for code signing on your Windows instance, just as you were using it with jarsigner on Linux.

Remember, the key itself remains securely stored in the CloudHSM, while the certificate and the association between the certificate and the key are managed by the Windows certificate store and the CloudHSM KSP.
Sources
Associate an AWS CloudHSM key with a certificate - AWS CloudHSM
Use Microsoft SignTool with Client SDK 5 to sign files - AWS CloudHSM

answered 10 months ago
  • The import_key.exe utility does not appear to be included in CloudHSM SDK 5, or the Key storage provider (KSP) for AWS CloudHSM Client SDK 5. Mention is made of it in the documentation for SDK 3, so perhaps it was removed. Certainly, there's no equivalent of the SDK 3 documentation page 'Associate an AWS CloudHSM key with a certificate' (https://docs.aws.amazon.com/cloudhsm/latest/userguide/ksp-library-associate-key-certificate.html) for SDK 5

  • @MattP Have you found a solution for this with SDK 5? I'm facing the same problem. I've imported the certificate into the Windows store, but it isn't associated with the private key in CloudHSM. This command fails with CRYPT_E_NOT_FOUND. The CloudHSM KSP log shows a successful login but cloudhsm_ksp::cloudhsm_ksp::error::enum_keys_error.

        certutil -user -f -csp "CloudHSM Key Storage Provider" -repairstore CA <hash> CA "Intermediate Certification Authorities"

  • @Greg Pflaum We haven't found a solution yet. We're in contact with AWS support and it's being looked at by them, but I've got no idea how long that will take, or if there's any way to solve it with the currently-released CloudHSM SDK...
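The procedure the answer describes, typed out as a PowerShell session on the Windows EC2 instance, as an added example that is not part of the original post, the answer, or the AWS documentation. It imports the existing certificate, checks that Windows can enumerate key containers through the KSP at all (the enum_keys error in the comments above would surface at that step), runs the certutil -repairstore association, verifies that the private key reference really points at the KSP rather than a software provider, and then signs with signtool by thumbprint. The file paths, signing target and timestamp URL are placeholders; the provider name string is the one quoted in the comments. Whether the -repairstore step succeeds against the installed KSP version is exactly what the comments are still debugging, so the script fails loudly at each step rather than assuming success.

```powershell
# Added example: associate an existing certificate with a key held in AWS CloudHSM via
# the CloudHSM KSP, verify the binding, and sign with signtool.exe.
# Assumptions: paths, signing target and timestamp URL below are placeholders;
# the KSP name is the string quoted in the comments on this page.
$ErrorActionPreference = 'Stop'
$LeafPath   = 'C:\certs\codesign.cer'           # EV code-signing cert issued for the CloudHSM key (assumed path)
$ChainPath  = 'C:\certs\intermediate.cer'       # issuing intermediate CA certificate (assumed path)
$Ksp        = 'CloudHSM Key Storage Provider'   # KSP name as it appears in the comments above
$FileToSign = 'C:\build\app.exe'                # assumed
$TsaUrl     = 'http://timestamp.example'        # placeholder RFC 3161 timestamp server

# 1. Import the certificates. The leaf goes into the current user's Personal (My) store;
#    the intermediate goes into Intermediate Certification Authorities (CA) so chain
#    building works during signing and verification.
$leaf = Import-Certificate -FilePath $LeafPath  -CertStoreLocation Cert:\CurrentUser\My
Import-Certificate -FilePath $ChainPath -CertStoreLocation Cert:\CurrentUser\CA | Out-Null
$thumb = $leaf.Thumbprint
Write-Host "Imported '$($leaf.Subject)' serial=$($leaf.SerialNumber) sha1=$thumb"

# 2. Sanity check before touching the store: can Windows list key containers through
#    the KSP? If nothing is listed, -repairstore has nothing to match the public key against.
Write-Host "--- key containers visible through '$Ksp' ---"
certutil -user -csp $Ksp -key
if ($LASTEXITCODE -ne 0) {
    throw "KSP key enumeration failed (exit $LASTEXITCODE); fix the KSP/HSM login before going further"
}

# 3. Ask CryptoAPI to re-bind the certificate to the matching private key in the KSP.
#    -repairstore scans the named provider for a key whose public half equals the cert's.
certutil -user -f -csp $Ksp -repairstore My $thumb
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit $LASTEXITCODE)" }

# 4. Verify the association landed in the KSP and not in a software provider.
#    KSP keys are CNG keys, so GetRSAPrivateKey returns an RSACng whose Key carries the provider name.
$bound = Get-Item "Cert:\CurrentUser\My\$thumb"
if (-not $bound.HasPrivateKey) { throw 'certificate still has no private key reference' }
$rsa      = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($bound)
$provider = $rsa.Key.Provider.Provider
if ($provider -ne $Ksp) { throw "private key is held by '$provider', expected '$Ksp'" }
Write-Host "Private key bound via $provider"

# 5. Sign, selecting the certificate by SHA-1 thumbprint so no other store certificate can be
#    picked up, with an RFC 3161 timestamp; then verify under the Authenticode policy (/pa).
& signtool.exe sign /fd SHA256 /sha1 $thumb /tr $TsaUrl /td SHA256 $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit $LASTEXITCODE)" }
& signtool.exe verify /pa /v $FileToSign

# If the store association cannot be made, signtool can also be pointed at the provider and
# key container directly (its /csp and /kc switches), using a container name from step 2:
#   signtool.exe sign /f $LeafPath /fd SHA256 /csp $Ksp /kc <container name from step 2> /tr $TsaUrl /td SHA256 $FileToSign
```

The check in step 4 matters more than it looks: certutil -repairstore can succeed by binding to a key in a software provider if one with a matching public key exists on the box, and signing would then silently use a key outside the HSM. Asserting on the provider name closes that gap. Step 2 is also the quickest way to separate a KSP/HSM connectivity problem (no containers listed) from a genuine no-matching-key problem (containers listed, repairstore still fails).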
