Learn how to use the import_key utility to associate a key with a certificate.
To use Dedicated KMS with third-party tools such as Microsoft SignTool, you must import the key's metadata into the Dedicated KMS key store and associate it with the certificate. This topic explains how to migrate a key using the import_key.exe utility.
The following instructions explain how to move a key into the Dedicated KMS Cavium KSP from another KSP (in the example scenario, the key is being moved from Microsoft's KSP to DKMS).
Before beginning this task, ensure the OCI Dedicated KMS service is running on your local machine.
- Get the details of your certificate using the following command:
certutil -store <CertificateStoreName>
Make a note of the following string values:
  - Serial Number
  - Unique container name
  - Provider
For example:
C:\Windows\system32>certutil -store my
my "example"
================ Certificate 1 ================
Serial Number: 1234a12a1a123a123a1a1a1a123456ca
Issuer: CN=cesa-DKMS-WINDOWS-VM-CA
NotBefore: 7/3/2029 11:31 PM
NotAfter: 7/3/2034 11:41 PM
Subject: CN=cesa-DKMS-WINDOWS-VM-CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): a123a1234a12ab1a12a12abc123456a12a1ab123
Key Container = cesa-DKMS-WINDOWS-VM-CA
Unique container name: xyz1234a1ab1234aa1a123a1234a12a1a_1a1a123a-ab12-1a12-1abc-1a123abc1xyz
Provider = Microsoft Software Key Storage Provider
Signature test passed
CertUtil: -store command completed successfully.
- Use the import_key.exe -from MSKSP -RSA <Unique_container_name> command to associate the key with the certificate. Use the Unique container name value from the output of the command in the previous step.
For example:
C:\Program Files\Oracle\DedicatedKms>import_key.exe -from MSKSP -RSA xyz1234a1ab1234aa1a123a1234a12a1a_1a1a123a-ab12-1a12-1abc-1a123abc1xyz
Successfully imported the key to Cavium Key Storage Provider.
C:\Program Files\Oracle\DedicatedKms>certutil -csp "Cavium Key Storage Provider" -key
Cavium Key Storage Provider:
xyz1234a1ab1234aa1a123a1234a12a1a_1a1a123a-ab12-1a12-1abc-1a123abc1xyz
RSA
- Update the certificate store. The command uses the Serial Number value from the first step.
For example:
C:\Program Files\Oracle\DedicatedKms>certutil -f -csp "Cavium Key Storage Provider" -repairstore my "1234a12a1a123a123a1a1a1a123456ca"
my "example"
- Verify the provider name by running the certutil -store command with the Serial Number value. The Provider value is now "Cavium Key Storage Provider".
For example:
C:\Program Files\Oracle\DedicatedKms>certutil -store my "1234a12a1a123a123a1a1a1a123456ca"
my "example"
================ Certificate 1 ================
Serial Number: 1234a12a1a123a123a1a1a1a123456ca
Issuer: CN=cesa-DKMS-WINDOWS-VM-CA
NotBefore: 7/3/2024 11:31 PM
NotAfter: 7/3/2029 11:41 PM
Subject: CN=cesa-DKMS-WINDOWS-VM-CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): a123a1234a12ab1a12a12abc123456a12a1ab123
Key Container = xyz1234a1ab1234aa1a123a1234a12a1a_1a1a123a-ab12-1a12-1abc-1a123abc1xyz
Provider = Cavium Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
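The four steps above, automated for one certificate selected by serial number, as an added PowerShell example that is not part of the Oracle documentation or the DKMS tooling. The import_key.exe path, the assumption that import_key.exe returns a non-zero exit code on failure, and the English certutil label strings being parsed are assumptions.

```powershell
# Added example: migrate one certificate's key from the Microsoft Software KSP
# to the Cavium KSP and verify the result. Not part of the Oracle documentation.
param(
    [Parameter(Mandatory)] [string] $SerialNumber,
    [string] $StoreName = 'my',
    # Assumed install path, taken from the prompts shown in the page's examples.
    [string] $ImportKey = 'C:\Program Files\Oracle\DedicatedKms\import_key.exe'
)
$CaviumKsp = 'Cavium Key Storage Provider'

# Step 1: read the current key container and provider for this certificate.
# certutil -store accepts a serial number as the certificate selector.
$info = & certutil -store $StoreName $SerialNumber | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil -store failed for serial $SerialNumber" }

$container = [regex]::Match($info, 'Unique container name:\s*(\S+)').Groups[1].Value
$provider  = [regex]::Match($info, 'Provider\s*=\s*(.+)').Groups[1].Value.Trim()
if (-not $container) { throw 'No unique container name found; is the private key present?' }

if ($provider -eq $CaviumKsp) {
    Write-Host "Key is already in $CaviumKsp; nothing to do."
    return
}
if ($provider -ne 'Microsoft Software Key Storage Provider') {
    throw "Unexpected provider '$provider'; this script only handles -from MSKSP"
}

# Step 2: import the key metadata into the Cavium KSP (flags as shown on this page).
# Assumption: import_key.exe sets a non-zero exit code when the import fails.
& $ImportKey -from MSKSP -RSA $container
if ($LASTEXITCODE -ne 0) { throw 'import_key.exe failed' }

# Step 3: repoint the certificate at the Cavium KSP.
& certutil -f -csp $CaviumKsp -repairstore $StoreName $SerialNumber
if ($LASTEXITCODE -ne 0) { throw 'certutil -repairstore failed' }

# Step 4: verify. Fail if the provider did not change; warn if the key is exportable.
$after = & certutil -store $StoreName $SerialNumber | Out-String
if ($after -notmatch [regex]::Escape("Provider = $CaviumKsp")) {
    throw 'Verification failed: provider is still not the Cavium KSP'
}
if ($after -notmatch 'Private key is NOT exportable') {
    Write-Warning 'Private key is reported as exportable; review the key store configuration'
}
Write-Host "Certificate $SerialNumber now uses $CaviumKsp"
```

Run it from an elevated prompt with the serial number from step 1; on a store holding several certificates the serial selector keeps the script from parsing the wrong entry.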