Migrate keys for CNG
Entrust provides functionality for migrating existing keys from other providers into the Security World Key Storage Provider. To identify installed providers, run the command:
cnglist --list-providers
To identify the keys that are available from a particular provider, run the command:
cnglist --list-keys --provider="ProviderName"
In this command, ProviderName is the name of the provider. The following command provides an example of identifying keys from the Security World Key Storage Provider:
cnglist --list-keys --provider="nCipher Security World Key Storage Provider"
MyApp Personal Data Key: RSA
CertReq-5eb45f6d-6798-472f-b668-288bc5d961da: ECDSA_P256 machine
WebServer Signing Key: DSA machine
ADCS-Root-Key: ECDSA_P521 machine
To list the keys available from the Security World Key Storage Provider, run the command cnglist --list-keys (without specifying the --provider option).
Importing a Microsoft CAPI key into the Security World Key Storage Provider
To import a Microsoft CAPI key into the Security World Key Storage Provider, first run the CAPI utility csputils to identify the existing CAPI containers and their key contents.
CAPI containers can contain either a signing key or a key exchange key, or both. The following example shows how to import both a signing key and a key exchange key from a Microsoft CAPI container:
cngimport -m --csp="Microsoft Strong Cryptographic Provider" -k "EXAMPLE_CAPICONTAINER" "EXAMPLE_IMPORTED_SIGNATURE_CAPICONTAINER" "EXAMPLE_IMPORTED_KEYEXCHANGE_CAPICONTAINER"
To check the success of the import, list the keys present in the Security World Key Storage Provider:
cnglist --list-keys
EXAMPLE_IMPORTED_SIGNATURE_CAPICONTAINER: RSA
EXAMPLE_IMPORTED_KEYEXCHANGE_CAPICONTAINER: DH
The following example command shows how to import a single signing key:
cngimport -m -s --csp="Microsoft Strong Cryptographic Provider" --key="EXAMPLE_CAPICONTAINER" "EXAMPLE_IMPORTED_SIGNATURE_ONLY_CAPICONTAINER"
Run the cnglist command with the --list-keys option to check the success of the key import:
cnglist --list-keys
EXAMPLE_IMPORTED_SIGNATURE_ONLY_CAPICONTAINER: RSA
The cngimport option -m/--migrate cannot be used to migrate nShield CAPI container keys to CNG.
For information about importing nShield CAPI container keys into CNG, see Importing a Microsoft CNG key into the Security World Key Storage Provider.
Importing a Microsoft CNG key into the Security World Key Storage Provider
To import a Microsoft CNG key into the Security World Key Storage Provider, run the cngimport command as shown in the following example:
cngimport -m -k "EXAMPLE_RSA_1024" "IMPORTED_RSA_1024"
Run the cnglist command with the --list-keys option to check the success of the key import:
cnglist --list-keys
IMPORTED_RSA_1024: RSA
The original key is not deleted from the provider from which it was imported:
cnglist --list-keys --provider="Microsoft Software Key Storage Provider"
EXAMPLE_RSA_1024
Certain applications, such as Certificate Services, create keys in the Microsoft Software Key Storage Provider that are marked as non-exportable. Attempting to import such a key into the nShield provider results in the following message:
cngimport -m -k WIN-KQ1Z6JMCUTB-CA WIN-ncipher-CA
Unable to continue.
This key can not be exported from Microsoft Software Key Storage Provider.
Importing a Security World key into the Security World Key Storage Provider
To import a Security World key into the Security World Key Storage Provider, run the cngimport utility as shown in the following example:
cngimport --import --key=nfkmsimple1 --appname=simple nfkmsimple1
Found key 'nfkmsimple1'
Importing NFKM key.. done
Run cnglist with the --list-keys option to confirm that the key has been successfully imported:
cnglist --list-keys
nfkmsimple1: RSA
To import an nShield CAPI container into the Security World Key Storage Provider, run the csputils command to identify the container name:
csputils -l
File ID Container name Container owner DLL name S X
========= =================== =================== ========= = =
31e994f07 CONTAINER2 SYWELL\Administrato ncsp * *
3a2b082a8 CAPICONTAINER SYWELL\Administrato ncsp * *
2 containers and 4 keys found.
Run the csputils command with the -l and -m options to migrate an nShield CAPI machine container.
Identify the Security World key names of the keys in the container by running the csputils command as follows:
csputils -d -n CAPICONTAINER
Detailed report for container ID #3a2b082a8f2ee1a5acb756d5e95b09817072807a
Filename: key_mscapi_container-3a2b082a8f2ee1a5acb756d5e95b09817072807a
Container name: CAPICONTAINER
User name: SYWELL\Administrator
User SID: s-1-5-21-352906761-2625708315-3490211485-500
CSP DLL name: ncsp.dll
Filename for signature key is key_mscapi_ce51a0ee0ea164b993d1edcbf639f2be62c53222
Key was generated by the CSP
Key hash: ce51a0ee0ea164b993d1edcbf639f2be62c53222
Key is recoverable.
Key is cardset protected.
Cardset name: nopin
Sharing parameters: 1 of 1 shares required.
Cardset hash: d45b30e7b60cb226f5ade5b54f536bc1cc465fa4
Cardset is non-persistent.
Filename for key exchange key is key_mscapi_dbd84e8155e144c59cf8797d16e7f8bd19ac446a
Key was generated by the CSP
Key hash: dbd84e8155e144c59cf8797d16e7f8bd19ac446a
Key is recoverable.
Key is cardset protected.
Cardset name: nopin
Sharing parameters: 1 of 1 shares required.
Cardset hash: d45b30e7b60cb226f5ade5b54f536bc1cc465fa4
Cardset is non-persistent.
1 container and 2 keys found.
The key name to pass to the cngimport command --key option is the part of the key name that follows key_mscapi_ in the output line that starts Filename for signature key is key_mscapi_.
For example, the signature key file name for CAPICONTAINER in the example shown above is key_mscapi_ce51a0ee0ea164b993d1edcbf639f2be62c53222, so ce51a0ee0ea164b993d1edcbf639f2be62c53222 is the key name that should be passed to cngimport:
cngimport --import --key="ce51a0ee0ea164b993d1edcbf639f2be62c53222" --appname="mscapi" Signature_Key_Imported_From_nCipher_CAPI
Found unnamed key
Importing NFKM key.. done
Run cnglist with the --list-keys option to confirm that the key has been successfully imported:
cnglist --list-keys
Signature_Key_Imported_From_nCipher_CAPI: RSA
cngsoak: ECDH_P256
Follow the same procedure for importing the key exchange key from the nShield CAPI container.
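The following PowerShell script is an added example and is not part of the Entrust documentation or the nShield tools. It automates the nShield CAPI container procedure above for both keys at once: it parses the csputils -d -n report, takes the hash that follows key_mscapi_ for the signature key and the key exchange key, builds the matching cngimport commands, and checks the result against cnglist --list-keys output in the same way the verification steps in the earlier sections do. The function names (Get-CapiKeyHashes, Get-CngImportCommands, Test-CngKeyPresent) and the target key name prefix are the example's own; the sample report and key list embedded in the script are constructed from the output shown on this page so the parsing runs offline, and csputils, cngimport and cnglist are assumed to be on PATH only when the commented live commands at the end are used.

```powershell
# Added example (not Entrust's code). Assumes key file names follow the
# key_mscapi_<40 hex chars> pattern shown in the csputils report above.

function Get-CapiKeyHashes {
    # Returns an ordered table: Signature -> hash, KeyExchange -> hash (whichever are present).
    param([Parameter(Mandatory)][string[]]$ReportLines)
    $hashes = [ordered]@{}
    foreach ($line in $ReportLines) {
        if ($line -match '^\s*Filename for (signature|key exchange) key is key_mscapi_([0-9a-fA-F]{40})\s*$') {
            $kind = if ($Matches[1] -eq 'signature') { 'Signature' } else { 'KeyExchange' }
            $hashes[$kind] = $Matches[2].ToLower()
        }
    }
    return $hashes
}

function Get-CngImportCommands {
    # Builds one cngimport invocation per key found, using --appname="mscapi" as the documentation does.
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Hashes,
        [Parameter(Mandatory)][string]$TargetPrefix   # hypothetical naming scheme for the imported CNG keys
    )
    $commands = @()
    foreach ($kind in $Hashes.Keys) {
        $target = '{0}_{1}' -f $TargetPrefix, $kind
        $commands += ('cngimport --import --key="{0}" --appname="mscapi" {1}' -f $Hashes[$kind], $target)
    }
    return $commands
}

function Test-CngKeyPresent {
    # Parses 'cnglist --list-keys' lines of the form "Name: ALGORITHM [machine]" and looks for one key name.
    param(
        [Parameter(Mandatory)][string[]]$ListLines,
        [Parameter(Mandatory)][string]$KeyName
    )
    foreach ($line in $ListLines) {
        if ($line -match '^\s*(.+?):\s+(\S+)(\s+machine)?\s*$' -and $Matches[1] -eq $KeyName) {
            return $true
        }
    }
    return $false
}

# --- Constructed sample input, shaped like the csputils report shown above (not live output) ---
$sampleReport = @'
Detailed report for container ID #3a2b082a8f2ee1a5acb756d5e95b09817072807a
Container name: CAPICONTAINER
Filename for signature key is key_mscapi_ce51a0ee0ea164b993d1edcbf639f2be62c53222
Key hash: ce51a0ee0ea164b993d1edcbf639f2be62c53222
Filename for key exchange key is key_mscapi_dbd84e8155e144c59cf8797d16e7f8bd19ac446a
Key hash: dbd84e8155e144c59cf8797d16e7f8bd19ac446a
1 container and 2 keys found.
'@ -split "`r?`n"

# Constructed 'cnglist --list-keys' output as it might look after both imports succeeded.
$sampleList = @'
CAPICONTAINER_Imported_Signature: RSA
CAPICONTAINER_Imported_KeyExchange: RSA
cngsoak: ECDH_P256
'@ -split "`r?`n"

$hashes   = Get-CapiKeyHashes -ReportLines $sampleReport
$commands = Get-CngImportCommands -Hashes $hashes -TargetPrefix 'CAPICONTAINER_Imported'
$commands | ForEach-Object { Write-Output $_ }

foreach ($kind in $hashes.Keys) {
    $name = 'CAPICONTAINER_Imported_{0}' -f $kind
    $ok   = Test-CngKeyPresent -ListLines $sampleList -KeyName $name
    Write-Output ('{0}: {1}' -f $name, $(if ($ok) { 'present in CNG provider' } else { 'MISSING' }))
}

# Live use on a system with the nShield tools installed (replace the samples with real output):
#   $report   = csputils -d -n CAPICONTAINER
#   $hashes   = Get-CapiKeyHashes -ReportLines $report
#   Get-CngImportCommands -Hashes $hashes -TargetPrefix 'CAPICONTAINER_Imported' | ForEach-Object { Invoke-Expression $_ }
#   Test-CngKeyPresent -ListLines (cnglist --list-keys) -KeyName 'CAPICONTAINER_Imported_Signature'
```

The hash is taken only from the Filename for ... key is line, not from the Key hash line, because the documentation identifies the key name as the suffix of the file name; in the report shown above the two values coincide, but parsing the file name line keeps the script aligned with the documented rule. Because cngimport does not delete the source key, Test-CngKeyPresent can also be pointed at cnglist --list-keys --provider="..." output for the original provider to confirm the original is still in place after migration.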