Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 4

Summary: Thomas Rayner, Microsoft Cloud & Datacenter Management MVP, shows how to import a certificate into a KSP and bring it into the certificate store.

Hello! I’m Thomas Rayner, a proud Cloud & Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter (@MrThomasRayner) or on my blog, Working Sysadmin: Figuring stuff out at work.

I recently had the chance to work with Microsoft PFE, Mike MacGillivray, on an upgrade of some Windows certification authorities, and I want to share some information about it with you. This script has only been tested on Windows Server 2012 and later.

  Note   This is a five-part series that includes the following posts:

Bring it back, please

Yesterday we deleted some important items. Today we’re bringing them back in a happier, more future-proof way. There are only three steps today, but they’re pretty important. The first step is to restore the certification authority (CA) certificate and keys into KSP:

cmd.exe /c “certutil -p $Password -csp `”Microsoft Software Key Storage Provider`” -importpfx `”$(“$Drivename\$Foldername\$CAName.p12″)`””

Add-LogEntry $Logpath ‘Imported CA cert and keys into KSP’

This is a certutil command to restore the PFX we backed up in Part 2 into a Microsoft Software Key Storage Provider. I’m using the –p parameter to pass the password we used to perform the backup.

Now that I’ve restored into KSP, I can export the key from there so I can import the key itself:

cmd.exe /c “certutil -exportpfx -p $Password My $(“$CAName”) `”$(“$Drivename\$Foldername\NewCAKeys.p12″)`””

Add-LogEntry $Logpath ‘Exported keys so they can be installed on the CA’

Using certutil again, I’m exporting a PFX that is protected by the same password to NewCAKeys.p12 in my working directory. I can use certutil again to restore the key into the CA.

cmd.exe /c “certutil -p $Password -restorekey `”$(“$Drivename\$Foldername\NewCAKeys.p12″)`””

Add-LogEntry $Logpath ‘Restored keys into CA’

I’m going to wrap this in a Try/Catch block and add more logging:

Image of code

Almost done! Now that I’ve got you operating a KSP instead of a CSP, tomorrow, I’m going to show you how to move from SHA-1 to SHA-256.

If you are in a big hurry and want the full script, you can find it on my blog: Upgrade Windows Certification Authority from CSP to KSP and from SHA-1 to SHA-256. I’d sincerely recommend reading all of the posts in this series first, though, so you understand what it is you’re running.


I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. Also check out my Microsoft Operations Management Suite Blog. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

Comments (0)

Skip to main content