Tags: amazon-web-services, windows-server-2019, signtool, amazon-cloudhsm, certreq

AWS CloudHSM error on Windows Server: Certificate Request Processor: Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)


When generating a CSR on Windows Server using the AWS CloudHSM service, I obtain the following error:

certreq.exe -new my-request.inf my-request.csr 

Certificate Request Processor: Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)

What's wrong?


Solution

  • Credential issue

    This error message generally indicates that the credentials used to connect to the CloudHSM cluster as a CU (crypto user) are not correct.

    If you see the following error instead, it generally means that the CloudHSM credentials have not been set at all (see below):

    n3fips_password env variable not set>
    Cfm2Shutdown: Application is not initialized
    

    Tl;dr: set up credentials to use the CloudHSM cluster with Windows SDK tools:

    # Quick form. Note that the password ends up in the PowerShell history and in the process command line:
    & "C:\Program Files\Amazon\CloudHSM\tools\set_cloudhsm_credentials.exe" --username test_cu_user --password xxx
    
    # Preferred: prompt for the values so they are not written to the shell history
    ${hsm_creds_user} = Read-Host -AsSecureString "hsm_creds_user"
    ${hsm_creds_password} = Read-Host -AsSecureString "hsm_creds_password"
    
    # Convert from SecureString to String (the tool only accepts plain-text arguments)
    $hsm_cu_user = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($hsm_creds_user))
    $hsm_cu_pwd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($hsm_creds_password))
    
    # Register the CU credentials with the CloudHSM Windows client
    & "C:\Program Files\Amazon\CloudHSM\tools\set_cloudhsm_credentials.exe" --username ${hsm_cu_user} --password ${hsm_cu_pwd}
    

    You can now use certreq or signtool.
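    The following PowerShell script is an added example, not part of the original post or of the AWS client: it wraps the credential step above in a function that frees the decoded password afterwards, checks that the CloudHSM key storage provider is actually registered before calling certreq (a missing provider produces the same NTE_PROV_TYPE_NOT_DEF error, whatever the credentials), and generates the CSR from a minimal INF. The tool path and its --username/--password switches are the ones quoted on this page; the KSP name "Cavium Key Storage Provider", the function names and the INF contents are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumptions: tool path and switches
# as quoted on the page; KSP name "Cavium Key Storage Provider" is assumed to be
# the provider installed by the CloudHSM Windows client.
$toolsExe = 'C:\Program Files\Amazon\CloudHSM\tools\set_cloudhsm_credentials.exe'
$kspName  = 'Cavium Key Storage Provider'   # assumption, see lead-in

function Set-CloudHsmCredentials {
    # The user name is not a secret; the password is read as a SecureString so it
    # never reaches the PowerShell history.
    $user   = Read-Host 'CloudHSM CU user name'
    $secure = Read-Host -AsSecureString 'CloudHSM CU password'

    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # The tool only takes plain-text arguments, so the password is visible in this
        # process's command line (e.g. Win32_Process.CommandLine) while it runs.
        # Do this on an administrative host, not a shared one.
        & $toolsExe --username $user --password $plain
        if ($LASTEXITCODE -ne 0) {
            throw "set_cloudhsm_credentials.exe exited with code $LASTEXITCODE"
        }
    }
    finally {
        # Zero and free the unmanaged copy, then drop the managed string.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable -Name plain -ErrorAction SilentlyContinue
    }
}

function Test-CloudHsmProvider {
    # certutil -csplist enumerates the registered CSPs and KSPs. If the CloudHSM
    # KSP is absent, certreq fails with NTE_PROV_TYPE_NOT_DEF regardless of credentials.
    $list = certutil -csplist 2>&1 | Out-String
    return ($list -match [regex]::Escape($kspName))
}

function New-CloudHsmCsr {
    param(
        [Parameter(Mandatory)] [string] $Subject,   # e.g. 'CN=www.example.com'
        [string] $InfPath = "$env:TEMP\cloudhsm-request.inf",
        [string] $CsrPath = "$env:TEMP\cloudhsm-request.csr"
    )
    if (-not (Test-CloudHsmProvider)) {
        throw "KSP '$kspName' is not registered; install or repair the CloudHSM Windows client first."
    }

    # Minimal certreq INF: the private key is generated inside the HSM via the KSP
    # and is marked non-exportable.
    @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
ProviderName = "$kspName"
KeyAlgorithm = RSA
KeyLength = 2048
KeyUsage = 0xA0
MachineKeySet = True
Exportable = False
HashAlgorithm = SHA256
RequestType = PKCS10
"@ | Set-Content -Path $InfPath -Encoding ASCII

    certreq.exe -new $InfPath $CsrPath
    if ($LASTEXITCODE -ne 0) {
        throw "certreq failed with exit code $LASTEXITCODE (check CU credentials and HSM connectivity)"
    }
    return $CsrPath
}

# Usage:
#   Set-CloudHsmCredentials
#   New-CloudHsmCsr -Subject 'CN=www.example.com'
```

    Running the provider check first separates the two causes of 0x80090017 that look identical at the certreq prompt: a client installation without the KSP, and a KSP that is present but cannot log in to the cluster.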

    Source: