Migrate keys for CNG

Entrust provides functionality for migrating existing keys from other providers into the Security World Key Storage Provider. To identify installed providers, run the command:

cnglist --list-providers

To identify the keys that are available from a particular provider, run the command:

cnglist --list-keys --provider="ProviderName"

In this command, ProviderName is the name of the provider. The following command provides an example of identifying keys from the Security World Key Storage Provider:

cnglist --list-keys --provider="nCipher Security World Key Storage Provider"
MyApp Personal Data Key: RSA
CertReq-5eb45f6d-6798-472f-b668-288bc5d961da: ECDSA_P256 machine
WebServer Signing Key: DSA machine
ADCS-Root-Key: ECDSA_P521 machine

To list the keys available from the Security World Key Storage Provider, run the command cnglist --list-keys (without specifying the --provider option).
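The listing format shown above ("key name: algorithm", optionally followed by machine) is what every "check the success of the import" step on this page relies on. The following PowerShell is an added example, not part of the Entrust documentation: it parses a cnglist --list-keys listing into objects and checks that the keys an import was expected to create are present with the expected algorithm. The sample listing is constructed from the page's own examples; treating the trailing word machine as a machine-scope marker is an assumption.

```powershell
# Added example (not part of the Entrust documentation): parse the output of
# 'cnglist --list-keys' into objects and check that the keys an import was
# expected to create are present with the expected algorithm.
# The listing below is constructed from the page's own examples. Treating the
# trailing word "machine" as a machine-scope marker is an assumption.

$listing = @'
MyApp Personal Data Key: RSA
CertReq-5eb45f6d-6798-472f-b668-288bc5d961da: ECDSA_P256 machine
WebServer Signing Key: DSA machine
EXAMPLE_IMPORTED_SIGNATURE_CAPICONTAINER: RSA
EXAMPLE_IMPORTED_KEYEXCHANGE_CAPICONTAINER: DH
'@

function ConvertFrom-CngKeyList {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($rawLine in ($Text -split "`r?`n")) {
        $line = $rawLine.Trim()
        if (-not $line) { continue }
        # Lines have the form "<key name>: <algorithm>[ machine]". Key names may
        # contain spaces, so split at the last ": " rather than the first.
        $sep = $line.LastIndexOf(': ')
        if ($sep -lt 0) { Write-Warning "Unrecognised line: $line"; continue }
        $fields = $line.Substring($sep + 2) -split '\s+'
        $scope = if ($fields.Length -gt 1 -and $fields[1] -eq 'machine') { 'Machine' } else { 'User' }
        [pscustomobject]@{
            Name      = $line.Substring(0, $sep)
            Algorithm = $fields[0]
            Scope     = $scope
        }
    }
}

function Test-ImportedKeys {
    param(
        [Parameter(Mandatory)][object[]]$Keys,
        [Parameter(Mandatory)][hashtable]$Expected   # key name -> expected algorithm
    )
    $allPresent = $true
    foreach ($name in $Expected.Keys) {
        $found = $Keys | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        if (-not $found) {
            Write-Warning "Expected key '$name' is not in the listing"
            $allPresent = $false
        }
        elseif ($found.Algorithm -ne $Expected[$name]) {
            Write-Warning "Key '$name' is $($found.Algorithm); expected $($Expected[$name])"
            $allPresent = $false
        }
    }
    return $allPresent
}

# Keys the CAPI container import on this page is expected to have created
$expected = @{
    'EXAMPLE_IMPORTED_SIGNATURE_CAPICONTAINER'   = 'RSA'
    'EXAMPLE_IMPORTED_KEYEXCHANGE_CAPICONTAINER' = 'DH'
}

$keys = ConvertFrom-CngKeyList -Text $listing
# Against a live system, read the listing from the tool instead:
#   $keys = ConvertFrom-CngKeyList -Text ((& cnglist --list-keys) -join "`n")
$keys | Format-Table Name, Algorithm, Scope -AutoSize
if (Test-ImportedKeys -Keys $keys -Expected $expected) { 'Import verified' } else { 'Import check FAILED' }
```

Splitting at the last ": " matters because key names such as MyApp Personal Data Key contain spaces; the algorithm token never does. Test-ImportedKeys fails closed: a key that is missing or that came back with an unexpected algorithm is reported rather than silently accepted.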

Importing a Microsoft CAPI key into the Security World Key Storage Provider

To import a Microsoft CAPI key into the Security World Key Storage Provider, first run the CAPI utility csputils to identify the existing CAPI containers and their key contents.

CAPI containers can contain either a signing key or a key exchange key, or both. The following example shows how to import both a signing key and a key exchange key from a Microsoft CAPI container:

cngimport -m --csp="Microsoft Strong Cryptographic Provider" -k "EXAMPLE_CAPICONTAINER" "EXAMPLE_IMPORTED_SIGNATURE_CAPICONTAINER" "EXAMPLE_IMPORTED_KEYEXCHANGE_CAPICONTAINER"

To check the success of the import, list the keys present in the Security World Key Storage Provider:

cnglist --list-keys
EXAMPLE_IMPORTED_SIGNATURE_CAPICONTAINER: RSA
EXAMPLE_IMPORTED_KEYEXCHANGE_CAPICONTAINER: DH

The following example command shows how to import a single signing key:

cngimport -m -s --csp="Microsoft Strong Cryptographic Provider" --key="EXAMPLE_CAPICONTAINER" "EXAMPLE_IMPORTED_SIGNATURE_ONLY_CAPICONTAINER"

Run the cnglist command with the --list-keys option to check the success of the key import:

cnglist --list-keys
EXAMPLE_IMPORTED_SIGNATURE_ONLY_CAPICONTAINER: RSA

The cngimport option -m/--migrate cannot be used to migrate nShield CAPI container keys to CNG. For information about importing nShield CAPI container keys into CNG, see Importing a Microsoft CNG key into the Security World Key Storage Provider.

Importing a Microsoft CNG key into the Security World Key Storage Provider

To import a Microsoft CNG key into the Security World Key Storage Provider, run the cngimport command as shown in the following example:

cngimport -m -k "EXAMPLE_RSA_1024" "IMPORTED_RSA_1024"

Run the cnglist command with the --list-keys option to check the success of the key import:

cnglist --list-keys
IMPORTED_RSA_1024: RSA

The original key is not deleted from the provider from which it was imported:

cnglist --list-keys --provider="Microsoft Software Key Storage Provider"
EXAMPLE_RSA_1024

Certain applications, such as Certificate Services, create keys using the Microsoft Software Key Storage Provider that cannot be exported. Attempting to import such a key into the nShield provider results in the following message:

cngimport -m -k WIN-KQ1Z6JMCUTB-CA WIN-ncipher-CA
Unable to continue.
This key can not be exported from Microsoft Software Key Storage Provider.

Importing a Security World key into the Security World Key Storage Provider

To import a Security World key into the Security World Key Storage Provider, run the cngimport utility as shown in the following example:

cngimport --import --key=nfkmsimple1 --appname=simple nfkmsimple1
Found key 'nfkmsimple1'
Importing NFKM key.. done

Run cnglist with the --list-keys option to confirm that the key has been successfully imported:

cnglist --list-keys
nfkmsimple1: RSA

To import an nShield CAPI container into the Security World Key Storage Provider, run the csputils command to identify the container name:

csputils -l
File ID    Container name       Container owner      DLL name   S X
=========  ===================  ===================  =========  = =
31e994f07  CONTAINER2           SYWELL\Administrato  ncsp       * *
3a2b082a8  CAPICONTAINER        SYWELL\Administrato  ncsp       * *
2 containers and 4 keys found.

Run the csputils command with the -l and -m options to migrate an nShield CAPI machine container.

Identify the Security World key names of the keys in the container by running the csputils command as follows:

csputils -d -n CAPICONTAINER
Detailed report for container ID #3a2b082a8f2ee1a5acb756d5e95b09817072807a
Filename:       key_mscapi_container-3a2b082a8f2ee1a5acb756d5e95b09817072807a
Container name: CAPICONTAINER
User name:      SYWELL\Administrator
User SID:       s-1-5-21-352906761-2625708315-3490211485-500
CSP DLL name:   ncsp.dll
Filename for signature key is key_mscapi_ce51a0ee0ea164b993d1edcbf639f2be62c53222
  Key was generated by the CSP
  Key hash:    ce51a0ee0ea164b993d1edcbf639f2be62c53222
  Key is recoverable.
Key is cardset protected.
Cardset name:             nopin
     Sharing parameters:       1 of 1 shares required.
Cardset hash:             d45b30e7b60cb226f5ade5b54f536bc1cc465fa4
     Cardset is non-persistent.
Filename for key exchange key is key_mscapi_dbd84e8155e144c59cf8797d16e7f8bd19ac446a
  Key was generated by the CSP
  Key hash:    dbd84e8155e144c59cf8797d16e7f8bd19ac446a
  Key is recoverable.
Key is cardset protected.
Cardset name:             nopin
     Sharing parameters:       1 of 1 shares required.
Cardset hash:             d45b30e7b60cb226f5ade5b54f536bc1cc465fa4
     Cardset is non-persistent.
1 container and 2 keys found.

The key name to pass to the cngimport --key option is the part of the file name that follows key_mscapi_ in the output line that begins Filename for signature key is key_mscapi_.

For example, the signature key file name for CAPICONTAINER in the example shown above is key_mscapi_ce51a0ee0ea164b993d1edcbf639f2be62c53222, so ce51a0ee0ea164b993d1edcbf639f2be62c53222 is the key name that should be passed to cngimport:

cngimport --import --key="ce51a0ee0ea164b993d1edcbf639f2be62c53222" --appname="mscapi" Signature_Key_Imported_From_nCipher_CAPI
Found unnamed key
Importing NFKM key.. done

Run cnglist with the --list-keys option to confirm that the key has been successfully imported:

cnglist --list-keys
Signature_Key_Imported_From_nCipher_CAPI: RSA
cngsoak: ECDH_P256

Follow the same procedure for importing the key exchange key from the nShield CAPI container.
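The procedure above (read the csputils report, take the part of the file name after key_mscapi_, pass it to cngimport --key, then repeat for the key exchange key) is easy to get wrong by hand when the container holds two 40-character identifiers. The following PowerShell is an added example, not part of the Entrust documentation: it reads a csputils -d -n report, derives the --key value for both the signature key and the key exchange key, cross-checks each against the Key hash line in the same report, and builds the matching cngimport command lines. The report text is constructed from the page's own example output; the target key names are illustrative.

```powershell
# Added example (not part of the Entrust documentation): read a
# 'csputils -d -n <container>' report, derive the --key value cngimport needs
# for both the signature key and the key exchange key (the part of the file
# name after key_mscapi_), cross-check each against the reported key hash, and
# build the matching cngimport command lines. The report text is constructed
# from the page's own example output; the target key names are illustrative.

$report = @'
Detailed report for container ID #3a2b082a8f2ee1a5acb756d5e95b09817072807a
Filename:       key_mscapi_container-3a2b082a8f2ee1a5acb756d5e95b09817072807a
Container name: CAPICONTAINER
CSP DLL name:   ncsp.dll
Filename for signature key is key_mscapi_ce51a0ee0ea164b993d1edcbf639f2be62c53222
  Key was generated by the CSP
  Key hash:    ce51a0ee0ea164b993d1edcbf639f2be62c53222
  Key is recoverable.
Filename for key exchange key is key_mscapi_dbd84e8155e144c59cf8797d16e7f8bd19ac446a
  Key was generated by the CSP
  Key hash:    dbd84e8155e144c59cf8797d16e7f8bd19ac446a
  Key is recoverable.
1 container and 2 keys found.
'@

function Get-CapiContainerKeys {
    param([Parameter(Mandatory)][string]$ReportText)
    $keys = @()
    $current = $null
    foreach ($line in ($ReportText -split "`r?`n")) {
        if ($line -match '^Filename for (signature|key exchange) key is key_mscapi_([0-9a-f]{40})\s*$') {
            # The part after key_mscapi_ is the identifier cngimport expects in --key
            $role = if ($Matches[1] -eq 'signature') { 'Signature' } else { 'KeyExchange' }
            $current = [pscustomobject]@{ Role = $role; KeyName = $Matches[2]; Hash = $null }
            $keys += $current
        }
        elseif ($null -ne $current -and $line -match '^\s*Key hash:\s+([0-9a-f]{40})\s*$') {
            $current.Hash = $Matches[1]
        }
    }
    # The reported key hash and the file-name suffix identify the same key; a
    # mismatch means the report was misread, so stop rather than import the wrong key.
    foreach ($k in $keys) {
        if ($k.Hash -ne $k.KeyName) {
            throw "Key hash '$($k.Hash)' does not match file-name suffix '$($k.KeyName)' for the $($k.Role) key"
        }
    }
    return $keys
}

function New-CngImportArguments {
    param(
        [Parameter(Mandatory)][string]$KeyName,
        [Parameter(Mandatory)][string]$NewName,
        [string]$AppName = 'mscapi'   # appname used for nShield CAPI keys on this page
    )
    # Same options as the Security World import on this page: --import, --key, --appname
    return @('--import', "--key=$KeyName", "--appname=$AppName", $NewName)
}

# Names to give the imported keys in the Security World Key Storage Provider (illustrative)
$targetNames = @{
    Signature   = 'Signature_Key_Imported_From_nCipher_CAPI'
    KeyExchange = 'KeyExchange_Key_Imported_From_nCipher_CAPI'
}

# Against a live system, read the report from the tool instead:
#   Get-CapiContainerKeys -ReportText ((& csputils -d -n CAPICONTAINER) -join "`n")
foreach ($key in Get-CapiContainerKeys -ReportText $report) {
    $cngArgs = New-CngImportArguments -KeyName $key.KeyName -NewName $targetNames[$key.Role]
    "cngimport $($cngArgs -join ' ')"
    # To run the import instead of printing it: & cngimport @cngArgs
}
```

The script only prints the two command lines by default; splatting the argument array with & cngimport @cngArgs runs them once the output has been reviewed. The hash cross-check costs nothing and catches the one realistic parsing mistake here, pairing a Key hash line with the wrong Filename line.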