Channel: Security forum

Certutil -repairstore and HSM


Hi:

We are testing the following scenario. We have 2 W2k8 boxes, using an iSCSI shared storage volume. We want to set up a CA cluster using an HSM. So far, we have followed the instructions described in article http://technet2.microsoft.com/windowsserver2008/en/library/7b78577c-fbd5-4b28-8f44-d15c26dfcc111033.mspx?mfr=true

We have set up the first node of the CA cluster, and of course, this CA used the HSM to generate and store its private key. However, we have problems setting up the second node. The second node has a connection with the same HSM, but when we run the command certutil -repairstore My "{Serialnumber}", it fails with the following error:

Private key is NOT exportable
ERROR: Certificate public key does not match private key.

The Serialnumber corresponds to the CA certificate that was exported from the first CA node. The HSM has only one partition that includes only the keys of the first node. Right now, we do not know why the certutil -repairstore command is failing, and would appreciate it if someone could give us some guidance.

FYI, the HSM is a Safenet Luna SA LRK020109.

Regards,
Luis.

