
Migrate the CSP of the CA certificate to another HSM


Hello,

I am trying to migrate the HSM that the Microsoft CA uses.

I am running a Microsoft CA on a Windows Server 2008 (32bit) with an Eracom Protect Server External.

I managed to export the certificate+privkey and import it to the new HSM, a Safenet LunaSA.

(I know, this is evil and the keys are compromised...)

I ran a

certutil -csp "Luna Cryptographic Services for Microsoft Windows" -repairstore <serial>

Now I can see in

certutil -store MY
that the certificate is correctly associated with the LunaSA CSP. Everything looks fine so far.

My goal now is to have the CA find the certificate on the new HSM, the LunaSA.

I think there should be two possibilities:

1. Reinstall the CA and choose an existing certificate and private key when initializing the CA

2. Do some voodoo and edit the registry, although "There is no direct supported way to change the CSP for the CA." ;-)

Anyway: when I reinstall the CA and choose to select an existing certificate with private key, the MS CA installer does not see the private key or the certificate.

So I am wondering how the CA installer tries to locate existing CA certificates on the machine and why it does not find mine.

Any hint for a deeper understanding is highly appreciated.

Thanks a lot and kind regards

Cornelius

