---
title: Link and store CloudHSM keys
description: You can link private keys stored in Amazon Web Services (AWS) CloudHSM with their certificates in PingFederate's Java keystore.
component: pingfederate
version: 13.0
page_id: pingfederate:getting_started_with_pingfederate:pf_link_store_cloudhsm_keys
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/getting_started_with_pingfederate/pf_link_store_cloudhsm_keys.html
section_ids:
  steps: Steps
  result: Result
---

# Link and store CloudHSM keys

You can link private keys stored in Amazon Web Services (AWS) *(tooltip: \<div class="paragraph">
\<p>An Amazon subsidiary providing cloud computing platforms.\</p>
\</div>)* CloudHSM with their certificates in PingFederate's Java keystore.

This allows you to use existing private key and certificate pairs associated with your CloudHSM instance in PingFederate.

You can use this feature to store:

* Signing key pairs

* Server key pairs

* Client key pairs

## Steps

1. Go to **Security > Certificate & Key Management > Signing & Decryption Keys & Certificates**.

2. Click **Link**. This opens the **Link Certificate** tab.

   |   |                                                                               |
   | - | ----------------------------------------------------------------------------- |
   |   | The **Link** button only displays when you run PingFederate in CloudHSM mode. |

3. In the **Private Key ID** field, paste the private key ID.

   To get this value, use the [CloudHSM CLI](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-getting-started-use.html) and run the `key list` command. The **Private Key ID** is the `label` value for the key you want to use.

4. Click **Choose File** to upload the certificate file.

5. Click **Next**.

6. On the **Summary** tab, click **Save**.

## Result

The new key and certificate pair displays in the **Signing & Decryption Keys & Certificates** list.