Assume the following scenario:
- A certification authority has been migrated to another server or restored from backup.
- A hardware security module (HSM) is used to protect the private key of the certification authority certificate.
- The certification authority certificate should now be restored on the target system and linked to the private key.
- The operation fails with the following error message:
Cannot find the certificate and private key for decryption. CertUtil: -repairstore command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND) CertUtil: Cannot find object or property.
certutil ^
-csp "Utimaco CryptoServer Key Storage Provider" ^
-repairstore my 4E82984CF51ACB39D1FE1C86BB11F54BE67B85D2
Cause
The error originates in the environment of the hardware security module or its Key Storage Provider (KSP): the KSP cannot reach the private key.
If the private keys are not stored on the HSM itself but as encrypted key files on the host (as with Thales/nCipher and Utimaco hardware security modules, for example), it must be ensured that the key files are also present on the new system.
For Utimaco Hardware Security modules, for example, the key files must be stored in the following folder (if the default setting remains unchanged):
%ProgramData%\Utimaco\CNG\keys
Most HSM manufacturers also offer a corresponding tool for checking access to the private keys, for example Utimaco's cngtool.
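The checks described above can be scripted so that the obvious causes (certificate not yet imported, KSP not registered, key files missing, provider unable to enumerate its keys) are ruled out before -repairstore is attempted. The following PowerShell script is an added example and not part of the original article; it uses the provider name, thumbprint and default key folder from the article and assumes the Utimaco default key location has not been changed. Run it in an elevated PowerShell session on the target CA server.

```powershell
# Added example (not from the original article): pre-flight checks before
# running "certutil -repairstore" against a CA certificate whose private key
# is held by an HSM Key Storage Provider. Provider name, thumbprint and key
# folder are taken from the article; adjust them for your environment.
param(
    [string]$Thumbprint = '4E82984CF51ACB39D1FE1C86BB11F54BE67B85D2',
    [string]$Provider   = 'Utimaco CryptoServer Key Storage Provider',
    # Assumption: the Utimaco CNG default key-file location is unchanged.
    [string]$KeyFolder  = (Join-Path $env:ProgramData 'Utimaco\CNG\keys')
)

$ok = $true

# 1. The CA certificate itself must already be present in the machine "My" store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    Write-Warning "Certificate $Thumbprint not found in LocalMachine\My. Import it first."
    $ok = $false
} elseif ($cert.HasPrivateKey) {
    Write-Host "Certificate is already linked to a private key; nothing to repair."
    return
}

# 2. The KSP must be registered on this machine ("certutil -csplist" enumerates providers).
$csps = (certutil -csplist 2>&1) -join "`n"
if ($csps -notlike "*$Provider*") {
    Write-Warning "Provider '$Provider' is not registered; install the HSM client and KSP."
    $ok = $false
}

# 3. Providers that keep encrypted key blobs on the host (Utimaco, nCipher) need the
#    blob files copied over from the old server; an empty folder explains CRYPT_E_NOT_FOUND.
if (-not (Test-Path $KeyFolder)) {
    Write-Warning "Key folder $KeyFolder does not exist."
    $ok = $false
} else {
    $files = Get-ChildItem $KeyFolder -File -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Warning "Key folder $KeyFolder is empty."
        $ok = $false
    } else {
        Write-Host "Key folder holds $($files.Count) file(s)."
    }
}

# 4. Ask the provider to enumerate its keys. If the KSP cannot see the key here,
#    -repairstore will not find it either.
$keys = certutil -csp "$Provider" -key 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -key failed for '$Provider': $($keys -join ' ')"
    $ok = $false
}

if (-not $ok) {
    Write-Warning "Resolve the issues above before running -repairstore."
    exit 1
}

# 5. All checks passed: link the certificate to the HSM-held key and verify the result.
certutil -csp "$Provider" -repairstore my $Thumbprint
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repairstore failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
Write-Host "HasPrivateKey is now: $($cert.HasPrivateKey)"
```

The key-folder check only applies to providers that store key blobs on the host file system; for an HSM that keeps keys entirely on the device, step 3 can be dropped and the provider's own key listing in step 4 (or the vendor tool, such as cngtool) is the decisive test.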