3

I am trying to find a way to load an HSM key stored in the Utimaco HSM CSP from Java.

So far I got leads from search that it would be possible with the SunMSCAPI provider, but I can't find any example where I would specify Utimaco CryptoServer CSP as the provider ?crypto context? and the container name TEST_CSP_HSM. The only examples I found load a certificate from the Windows-My keystore, but it's not there.

Utimaco CSP tool

$ cngtool ListKeys

------------------------------------------------------------

Provider          : Utimaco CryptoServer Key Storage Provider
Device            : 3001@127.0.0.1
Group             : CNG
Mode              : Internal Key Storage

------------------------------------------------------------

Index  AlgId        Size   Group            Name                             Spec
---------------------------------------------------------------------------------
1      RSA          2048   CNG              TEST_CSP_HSM                     2
mshwf
Ulterior

1 Answer

1

The MSCAPI provider enables application access to the Windows store with two options: "Windows-MY" and "Windows-ROOT"; see: https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunMSCAPI

Windows-MY only accesses Current-User; it cannot access Local-Machine. Therefore, the solution for this problem is to add the certificate of the Utimaco HSM into Current-User of the Windows store.

To check where the certificate of the Utimaco HSM is: Run -> mmc -> File -> Add/Remove Snap-in -> Select "Certificate" -> Add -> Select "My user account" to view Current-User (select "Computer account" to view Local-Machine).

To add the certificate of the Utimaco HSM into Current-User:

certutil -user -addstore My path-to-cert.cer
certutil -f -csp "Utimaco CryptoServer CSP" -repairstore My "{thumbprint-of-cert}"
Truong Nguyen
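Added example, not part of the original answer: once the two `certutil` commands above have put the certificate in the Current-User store and linked it to the HSM key, the key can be used from Java through the `Windows-MY` keystore as sketched here. The class name and the `subjectHint` match string are assumptions; replace the hint with text from your certificate's subject.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class HsmKeyFromWindowsMy {
    public static void main(String[] args) throws Exception {
        // Assumption: the certificate subject contains this text.
        String subjectHint = args.length > 0 ? args[0] : "TEST_CSP_HSM";

        // Windows-MY is the Current-User personal store: no file, no password.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);

        for (String alias : Collections.list(ks.aliases())) {
            // Skip certificates that have no private key linked to them
            // (for example when the -repairstore step was not run).
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null
                    || !cert.getSubjectX500Principal().getName().contains(subjectHint)) continue;

            // This is a handle to the key; signing is delegated to the
            // Windows provider the certificate is linked to.
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);
            byte[] data = "constructed test message".getBytes(StandardCharsets.UTF_8);

            Signature signer = Signature.getInstance("SHA256withRSA", "SunMSCAPI");
            signer.initSign(key);
            signer.update(data);
            byte[] sig = signer.sign();

            // Verify with the certificate's public key using the default
            // provider, to confirm the certificate and the key belong together.
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(data);
            System.out.println(alias + ": signature verifies = " + verifier.verify(sig));
            return;
        }
        System.out.println("No key entry in Windows-MY matches \"" + subjectHint + "\"");
    }
}
```

If the loop finds the certificate only as a non-key entry, the certificate is in the store but is not associated with a private key container, which is what the `-repairstore` step is meant to fix.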