

# Known issues for the Key Storage Provider (KSP) for AWS CloudHSM
<a name="ki-ksp-sdk"></a>

These are the known issues for the Key Storage Provider (KSP) for AWS CloudHSM.

**Topics**
+ [Issue: Verification of a certificate store fails](#ki-ksp-1)
+ [Issue: Container name inconsistency in the certificate store while using SDK3 compatibility mode for Client SDK 5](#ki-ksp-2)

## Issue: Verification of a certificate store fails
<a name="ki-ksp-1"></a>

 When using Client SDK versions 5.14 and 5.15, calling `certutil -store my CERTIFICATE_SERIAL_NUMBER` throws the following error: 

```
ERROR: Could not verify certificate public key against private key
```
+  **Impact:** You cannot use `certutil` to validate a certificate store created with Client SDK 5. 
+  **Workaround:** Validate the key pair associated with the certificate by signing a file using the private key and verifying the signature using the public key. This can be done using Microsoft SignTool by following the steps provided [here](signtool-sdk5.md). 
+  **Resolution Status:** We're working to add support for verifying certificates using `certutil`. The fix will be announced on the version history page once available. 

## Issue: Container name inconsistency in the certificate store while using SDK3 compatibility mode for Client SDK 5
<a name="ki-ksp-2"></a>

When using the `certutil -store my CERTIFICATE_SERIAL_NUMBER` command to view certificates whose key-reference files were generated using the [generate-file](cloudhsm_cli-key-generate-file.md#key-generate-ksp-key-reference) command in AWS CLI 5.16.0, the following error occurs: 

```
ERROR: Container name inconsistent: CONTAINER_NAME
```

This error occurs because there is a mismatch between the container name stored in the certificate and the key reference file name generated by the CloudHSM CLI.
+  **Impact:** Despite this error, the certificates and their associated keys remain fully functional. All applications using these certificates will continue to work normally. 
+ **Workaround:** To resolve this error, rename the key reference file to the Simple or Unique container name. Refer to the following sample output of the command `certutil -store my`:

  ```
  Subject: CN=www.website.com, OU=Organizational-Unit, O=Organization, L=City, S=State, C=US 
  Non-root Certificate
  Cert Hash(sha1): 1add52
  Key Container = 7e3c-b2f5
  Simple container name: tq-3daacd89
  Unique container name: tq-3daacd89
  ERROR: Container name inconsistent: 7e3c-b2f5
  ```

   By default, key reference files are stored in `C:\Users\Default\AppData\Roaming\Microsoft\Crypto\CaviumKSP\GlobalPartition`.

  1. Rename the key reference file to the simple container name.

  1. Repair the certificate store with the new key container name. Refer to steps 12 to 14 in [KSP Migration](ksp-migrate-to-sdk-5.md) for more details.
+  **Resolution status:** This issue has been fixed in Client SDK version 5.16.1. To resolve this problem, upgrade your Client SDK to version 5.16.1 or later. 
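
The check behind the container-name workaround, as an added PowerShell example that is not part of the AWS documentation or tooling: it parses `certutil -store my` output, lists each certificate flagged with `Container name inconsistent`, and reports the simple container name its key reference file should be renamed to. The function name `Get-InconsistentContainer` and the output field names are this example's own, the sample text is the output shown above, and the script only reads; it renames nothing.

```powershell
function Get-InconsistentContainer {
    param(
        [Parameter(Mandatory)] [string[]] $CertutilOutput,
        # Default key reference directory, as given on this page.
        [string] $Directory = 'C:\Users\Default\AppData\Roaming\Microsoft\Crypto\CaviumKSP\GlobalPartition'
    )
    $entry = @{}
    foreach ($line in $CertutilOutput) {
        switch -Regex ($line.Trim()) {
            # A new Subject line starts a new certificate entry.
            '^Subject:\s*(.+)$'               { $entry = @{ Subject = $Matches[1] } }
            '^Key Container\s*=\s*(.+)$'      { $entry.KeyContainer = $Matches[1] }
            '^Simple container name:\s*(.+)$' { $entry.SimpleName = $Matches[1] }
            '^Unique container name:\s*(.+)$' { $entry.UniqueName = $Matches[1] }
            '^ERROR: Container name inconsistent' {
                # Report only entries where both names were parsed.
                if ($entry.KeyContainer -and $entry.SimpleName) {
                    [pscustomobject]@{
                        Subject            = $entry.Subject
                        KeyContainer       = $entry.KeyContainer
                        RenameTarget       = $entry.SimpleName
                        SimpleEqualsUnique = ($entry.SimpleName -eq $entry.UniqueName)
                        # Which file names are present in the key reference directory.
                        KeyContainerFileExists = Test-Path -LiteralPath (Join-Path $Directory $entry.KeyContainer)
                        RenameTargetFileExists = Test-Path -LiteralPath (Join-Path $Directory $entry.SimpleName)
                    }
                }
            }
        }
    }
}

# Sample input: the certutil output shown on this page.
# On a real host, use instead: $lines = certutil -store my
$sample = @'
Subject: CN=www.website.com, OU=Organizational-Unit, O=Organization, L=City, S=State, C=US
Non-root Certificate
Cert Hash(sha1): 1add52
Key Container = 7e3c-b2f5
Simple container name: tq-3daacd89
Unique container name: tq-3daacd89
ERROR: Container name inconsistent: 7e3c-b2f5
'@
$lines = $sample -split '\r?\n'

Get-InconsistentContainer -CertutilOutput $lines | Format-List
```

For the sample, the report shows `KeyContainer` as `7e3c-b2f5` and `RenameTarget` as `tq-3daacd89`; the two `...FileExists` fields depend on the contents of the key reference directory on the host where it runs.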