Integrate an existing IIS deployment with the nShield HSM

This section describes how to integrate an existing IIS server installation with an nShield HSM. It is assumed the existing IIS server has a software-protected certificate and private key, and that you have a new valid Origin Server certificate.

Export the software-protected certificate

Export the original certificate from the personal folder in the local computer’s certificate store. Then delete the certificate from the store.

  1. Type MMC in the Windows search text box and select OK.

  2. On the Console window, select File > Add/Remove Snap-in.

  3. Select Certificates from Available Standalone Snap-ins. Then select Add.

  4. On the Certificates snap-in window, select Computer account. Then select Next.

  5. On the Select Computer window, select Local computer. Then select Finish and OK.

  6. Navigate to Certificates (Local Computer) > Personal > Certificates.

  7. Right-click the certificate and select All Tasks > Export.

  8. On the Welcome to the Certificate Export Wizard window, select Next.

  9. On the Export Private Key window, select No, do not export the private key. Then select Next.

  10. On the Export File Format window, select Base-64 encoded X.509 (.CER) and select Next.

  11. On the File to Export window, enter an absolute path and filename for the exported certificate. Then select Next twice.

  12. On the Completing the Certificate Export Wizard window, select Finish and OK.

  13. After exporting the certificate, delete it from the Personal certificate store.

Import new certificate into the certificate store

Import a new valid Origin Server certificate and assign it a private key protected by the nShield HSM.

  1. Type MMC in the Windows search text box and select OK.

  2. On the Console window, select File > Add/Remove Snap-in.

  3. Select Certificates from Available Standalone Snap-ins. Then select Add.

  4. On the Certificates snap-in window, select Computer account. Then select Next.

  5. On the Select Computer window, select Local computer. Then select Finish and OK.

  6. Navigate to Certificates (Local Computer) > Personal > Certificates.

  7. Right-click the Certificates folder and select All Tasks > Import.

  8. On the Welcome to the Certificate Import Wizard window, select Next.

  9. Navigate to the location of the certificate from the Origin Server and select it. Then select Next.

  10. On the Certificate Store window, select Place all certificates in the following store. Enter Personal in the text box. Then select Next.

  11. On the Completing the Certificate Import Wizard window, select Finish. Then select Next and OK.

  12. In the Personal store, locate the certificate, right-click it and select Open.

  13. On the Certificate window, select the Details tab.

  14. Locate the serial number of the certificate.

  15. Run the following command from a Windows terminal, substituting the serial number noted in the previous step:

    >certutil -f -csp "nCipher Security World Key Storage Provider" -repairstore my <serial number of certificate>
    
    >certutil -f -csp "nCipher Security World Key Storage Provider" -repairstore my 39000000171fd041e27d84cc65000000000017
    my "Personal"
    ================ Certificate 0 ================
    Serial Number: 39000000171fd041e27d84cc65000000000017
    Issuer: CN=interop-INTEROP-SUB-CA-CA, DC=interop, DC=local
     NotBefore: 7/31/2025 10:46 AM
     NotAfter: 7/31/2027 10:46 AM
    Subject: CN=interop.local, OU=WebServer, O=InteropLocal, L=Sunrise, S=Florida, C=US
    Certificate Template Name (Certificate Type): WebServer
    Non-root Certificate
    Template: WebServer, Web Server
    Cert Hash(sha1): bc504bb69b98ec801d8907b47d0a82b80f6dcd92
      Key Container = tq-041ac23e-1c60-4d26-bb4f-edf39d5af607
      Provider = nCipher Security World Key Storage Provider
    Private key is NOT exportable
    ERROR: Could not verify certificate public key against private key
    nCipher Security World Key Storage Provider: KeySpec=0
    AES256+RSAES_OAEP(RSA:CNG) test passed
    CertUtil: -repairstore command completed successfully.

Bind the certificate to the IIS server

  1. Open the IIS Manager from Start > Internet Information Services (IIS) Manager.

  2. Under Sites on the left-hand side of the IIS Manager window, select the applicable web site.

  3. On the right-hand side of the IIS Manager window, select Bindings.

  4. On the Site Bindings screen, select Add.

  5. Select the protocol https.

  6. Select the certificate from the drop-down list.

  7. To complete the certificate binding for SSL connection, select OK and Close.
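The import, repair-store and binding steps above, scripted as an added PowerShell example (not part of the Entrust guide). It assumes the serial number from the sample output above, the site name 'Default Web Site' and port 443; after certutil runs it checks that the private key really is held by the nCipher KSP and is not exportable, which the MMC steps do not verify.

```powershell
# Added example, not from the guide. Assumed values: the serial number (taken from the
# guide's sample output), the site name and the HTTPS port. Run from an elevated prompt.
#Requires -RunAsAdministrator
$Serial   = '39000000171fd041e27d84cc65000000000017'   # replace with your certificate's serial number
$SiteName = 'Default Web Site'                          # assumed IIS site name
$Port     = 443                                         # assumed HTTPS port
$Ksp      = 'nCipher Security World Key Storage Provider'

# 1. Locate the imported Origin Server certificate in the Personal store (Cert:\LocalMachine\My).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $Serial }
if (-not $cert) { throw "No certificate with serial $Serial found in LocalMachine\My" }

# 2. Re-associate the certificate with its HSM-protected key through the nCipher KSP
#    (the certutil -repairstore command from step 15 of the guide).
& certutil.exe -f -csp $Ksp -repairstore my $cert.SerialNumber | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# 3. Verify: reload the certificate and confirm the private key is held by the nShield provider
#    rather than a software CSP/KSP, and that the key is marked non-exportable.
$cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key' }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$provider = $rsa.Key.Provider.Provider
if ($provider -ne $Ksp) { throw "Private key is held by '$provider', expected '$Ksp'" }
if ($rsa.Key.ExportPolicy -ne 'None') {
    Write-Warning "Key export policy is $($rsa.Key.ExportPolicy); expected None for an HSM-protected key"
}
Write-Host "OK: $($cert.Subject) uses key container $($rsa.Key.UniqueName) on $provider"

# 4. Bind the certificate to the site for HTTPS (equivalent of the IIS Manager binding steps).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
$binding.AddSslCertificate($cert.Thumbprint, 'My')
Write-Host "Bound $($cert.Thumbprint) to $SiteName on port $Port"
```

If the provider check fails, the certificate was matched to a software key (for example a leftover from the original installation), so the old certificate and key should be removed before running the repair again.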