Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced,
modified, adapted, published, translated in any material form (including storage in any medium
by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to
any third party without the prior written permission of Thales e-Security Limited neither shall it be
used otherwise than for the purpose for which it is supplied.
Words and logos marked with ® or ™ are trademarks of Thales e-Security Limited or its affiliates
in the EU and other countries.
Thales e-Security Limited makes no warranty of any kind with regard to this information,
including, but not limited to, the implied warranties of merchantability and fitness for a particular
purpose. Thales e-Security Limited shall not be liable for errors contained herein or for incidental
or consequential damages concerned with the furnishing, performance or use of this material.
Contents
Contents 3
Chapter 1: Introduction 5
Product configurations 5
Requirements 6
This guide 6
More information 6
Chapter 2: Procedures 7
Backing up, migrating and restoring CA using an existing certificate and its associated
private key 17
Backing up, migrating and restoring the CA using an existing private key 19
Chapter 3: Troubleshooting 27
Addresses 28
Chapter 1: Introduction
Microsoft Active Directory Certificate Services (AD CS) provides the functionality for creating and
installing a Certificate Authority (CA). The CA acts as a trusted third-party that certifies the
identity of clients to anyone who receives a digitally signed message. The CA may issue, revoke,
and manage digital certificates.
The Online Responder is a Microsoft Windows Service that implements the Online Certificate
Status Protocol (OCSP) by decoding revocation status requests for specific certificates. The
service provides up-to-date validation of certificates, and sends back a signed response
containing the requested certificate status information. OCSP is used to provide real-time
information about a certificate's status.
The CA and OCSP use the Thales nShield Hardware Security Module (HSM) to protect their private
keys.
Note: Throughout this guide, the term HSM refers to nShield® Solo™ modules (formerly
known as nShield PCI and PCIe), nShield Connect™ (and legacy netHSMs), and nShield
Edge™ products.
They also use the HSM for important operations such as key generation, certificate signing, and
CRL signing. The Thales HSM can can be configured to protect the private keys and meet Federal
Information Processing Standards (FIPS) 140-2 level 2 or level 3.
Product configurations
We have successfully tested Thales' HSM integration with AD CS in the following configurations:
Thales
Security nShield nShield
Operating AD CS OCSP nShield Solo
World Connect Edge
system version version support
Software support support
version
Microsoft
Windows
Server 2012
(Standard 6.2 1.0 11.61 Yes Yes Yes
and
Datacenter
editions)
Note: CA failover clustering is only supported with network attached HSMs (nShield Connect).
Requirements
Before installing the software, we recommend that you familiarize yourself with the Microsoft AD
CS and OCSP documentation and setup processes, and that you have the Thales nShield
documentation available. We also recommend that you have an agreed organizational Certificate
Practices Statement and a Security Policy/Procedure in place covering administration of the PKI
and HSM.
In particular, these documents should specify the following aspects of HSM administration:
l The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and
the policy for managing these cards
l Whether the application keys are protected by the module or an OCS
l The number and quorum of Operator Cards in the OCS, and the policy for managing these
cards
l Whether the security world should be compliant with FIPS 140-2 level 3
l Key attributes such as the key size and time-out
l Whether there is any need for auditing key usage
l Whether to use the Thales Cryptographic Service Providers for Microsoft Cryptographic API:
Next Generation (CNG) or CryptoAPI (CAPI)
l Whether to initialize the nShield Security World as Recoverable; this is highly
recommended.
Note: We recommend that you use CNG for full access to available features and better
integration with Windows Server 2012.
This guide
This guide describes how to configure AD CS and OCSP with the Thales' nShield Hardware
Security Module (HSM), and set up a root CA. We have tested the instructions, which provide a
straightforward integration process. There may be other untested ways to achieve
interoperability. This guide might not cover every step of the hardware and software setup
process.
This guide assumes that you are familiar with the Thales HSM documentation and the setup
process for AD CS and OCSP. For more information about installing the AD CS and OCSP, refer to
the Microsoft documentation.
More information
l For more information about OS support, contact your Microsoft sales representative or
Thales Support.
l For more information about contacting Thales, see Addresses at the end of this guide.
l Additional documentation produced to support your Thales product is in the document
directory of the CD-ROM or DVD-ROM for that product.
l For more information about HSM administration, refer to the User Guide for the HSM.
Chapter 2: Procedures
Integration procedures include:
If you already have an HSM installed and a security world configured, proceed to Installing and
configuring AD CS on page 8.
1. Install the latest version of the Security World Software as described in the User Guide for
the HSM.
Note: We recommend that you always uninstall any existing Security World Software
before installing the new Security World Software.
2. Initialize a security world as described in the User Guide for the HSM.
Note: You can also use the CSP Install Wizard or the CNG Configuration Wizard to create a
Security World for nShield Solo and nShield Edge HSMs. For nShield Connect, we
recommend that you use the front panel user interface to create the Security World.
3. Register the Cryptographic Service Providers that you intend to use.
Note: For CAPI on 64-bit Windows, both 32-bit and 64-bit CSP Install Wizards are available.
If you intend to use the CAPI CSPs from both 32-bit and 64-bit applications, or if you
are unsure, run both wizards. The CNG Configuration Wizard registers the CNG
Providers for use by both 32-bit and 64-bit applications where relevant. For detailed
information on registering the CAPI CSPs or CNG Providers, refer to the User Guide
for the HSM.
4. If you are installing OCSP on a different server to the CA, install the Security World Software
on both servers (as described in the User Guide for the HSMs) and share the Security Worlds
by copying the %KMDATA% file from the CA server to the OCSP server. See the User Guide
for more information.
Click Next.
18. On the CA Name window, give the appropriate CA name and click Next.
19. On the Validity Period window, enter the number of years for the certificate to be valid and
click Next
20. On the CA Database window, leave the default locations for the database and database log
files. Click Next.
21. On the Confirmation window, click Configure.
22. If you select nCipher cryptographic service provider on the Cryptography for CA
window, the nCipher key storage provider-create a key wizard prompts you to create a
new key. Click Next and On. Select a way to protect the new key. Click Next. Follow the
subsequent instructions and close the wizard.
The Progress window opens during the configuration processing, then the Results window
opens. Click Close. If the Installation progress window is still open, click Close on that
window also.
23. Verify that the CA service has started successfully by running the following command on the
command line. Use Windows key + R to open the Run dialog, and type cmd to open the
command prompt. Run the command:
If CA is not started automatically then you need to enable Interactive Services Detection services.
To improve security, Windows Server 2012 does not allow Interactive Services Detection services
to display a window on your desktop. If your CA private key is protected by an OCS, Certificate
Services may need to display dialogs prompting you to insert Operator Cards or enter pass
phrases. In this case, the Interactive services dialog detection window opens and you must select
View the message.
>ncsvcdep.exe -a certsvc
2. Restart the machine after joining the domain by running the command:
>shutdown /r /t 0
Add-windowsfeature ADCS-Cert-Authority
Example:
Note: Use Module Only Protection or 1/N OCS without passphrase as a key protection method
for Windows Server Core.
To install and configure Microsoft Active Directory Certificate Services using PowerShell:
Add-windowsfeature ADCS-Cert-Authority
Install-AdcsCertificationAuthority –AllowAdministratorInteraction –
caCommonName "<CA-Name>" –caType
EnterpriseRootCA –CryptoProviderName "<Key Storage Provider Name>"
–KeyLength <2048> –HashAlgorithm <SHA256>
Example:
Install-AdcsCertificationAuthority –AllowAdministratorInteraction –
caCommonName "Fips-128-Module-CA-1"
–caType EnterpriseRootCA –CryptoProviderName "RSA#nCipher Security
World Key Storage Provider"
–KeyLength 2048 –HashAlgorithm SHA256
Install-AdcsCertificationAuthority –AllowAdministratorInteraction –
caType EnterpriseRootCA –CryptoProviderName
ECDSA_P256#HSM_KSP_NAME –KeyContainerName NAME_OF_KEY –hashAlgorith
m SHA256
Example:
Install-AdcsCertificationAuthority –AllowAdministratorInteraction –
catype EnterpriseRootCA –CryptoProviderName
"RSA#nCipher Security World Key Storage Provider" –KeyContainerName
"Fips-128-Module-CA-1" –hashAlgorithm SHA256
Install-AdcsCertificationAuthority –AllowAdministratorInteraction –
caType EnterpriseRootCA –certificateID
[cert hash | cert serial number]
Example:
Install-AdcsCertificationAuthority –AllowAdministratorInteraction –
caType EnterpriseRootCA –certificateID
"49177ae638cc948241947879ae66d315"
1. On the domain controller, click Start > Administrative Tools > Group Policy
Management.
2. Go to Forest, select your Domain and expand it.
3. Double-click Group Policy Objects in the forest and domain containing the Default Domain
Policy Group Policy object (GPO) that you want to edit.
4. Right-click the Default Domain Policy GPO, and then click Edit.
5. In the Group Policy Management Editor, click Computer Configuration > Policies >
Windows Settings > Security Settings > Public Key Policies.
6. Double-click Certificate Services Client - Auto-Enrollment.
7. In Configuration Model, click Enabled to enable auto-enrollment. Select the following
check boxes:
8. Click Apply and OK to accept your changes and close the Editor.
1. Install and configure the Thales HSM hardware and software as described in the section
Installing the software and creating or sharing the security world on page 7.
2. Install Microsoft Active Directory Certificate Services and a CA as described in the section
Installing and configuring AD CS on page 8, with the following settings:
n In the Private Key window, click Create a new private key and click Next.
page 8.
1. Install and configure the Thales HSM hardware and software as described in the section
Installing the software and creating or sharing the security world on page 7.
2. Install Microsoft Active Directory Certificate Services and a CA as described in the section
Installing and configuring AD CS on page 8.
3. In the Private Key window, select Use existing private key and then Select an existing
private key on this computer. Click Next.
4. In the Select Existing Key window, click Change.
5. In the Change Cryptographic Provider window, select the CSP that contains the created
key. Delete the contents of the field CA common name, and click Search. The search finds
the existing private key. Select the key, then select Allow administrator interaction
when the private key is accessed by the CA. Click Next.
6. In the Cryptography for CA window, select the appropriate hash algorithm and click Next.
7. In the CA Name window, click Next.
8. In the Validity Period window, specify the validity period and click Next.
9. In the CA Database window, specify the certificate database locations and certificate
database log locations and click Next.
10. In the Confirmation window, click Configure.
11. Wait for the configuration to complete. After successful completion, close the AD CS
configuration window.
12. Verify that the CA service has successfully started by running the command:
>certutil -verifykeys
The enrollment wizard shows if the certificate enrollment was successful or failed. Use the
Details button to check the main information.
Note: If you do not follow the procedures described in this section, key use counting is not
installed. You cannot add key use counting to a key retrospectively.
The key use counter audits usage of the CA signing key. It maintains a count of how many times
the key has been used. The key use counter should only be used with a root CA that has a low
volume of signings where the count can be logged immediately before servicing a signature
request and after the signature request has been serviced. This ensures that any illicit use of the
CA is revealed through discrepancies in the counter log.
Note: Note the following information about the key use counter:
l The counter is in the NVRAM of the HSM. To access the key count value in NVRAM, users
must present the ACS to the HSM.
l The counter is a 64-bit integer counter associated with a single private key.
l The counter is started at zero.
l If the maximum count is reached, the counter restarts at zero.
l The counter can exist only on one HSM. If more than one HSM is attached to the server, you
must choose which HSM stores the counter.
l If the module firmware is upgraded, the counter value is lost.
l The key counter can only be set at HSM initialization, it cannot be activated after
deployment.
[Version]
Signature="$Windows NT$"
[certsrv_server]
EnableKeyCounting=True
Note: You must create the capolicy.inf file before Certificate Services is installed.
2. Install the CA using the HSM KSP.
3. Enable auditing for the CA service by running the command:
5. Click the Auditing tab and check the box for Start and Stop Active Directory Certificate
Services.
6. Select Start > Administrative Tools > Local Security Policy.
7. Go to Local Policy, expand it and select Audit Policy.
8. In the right pane, double-click Audit Object Access and select Success and Failure.
9. Click Apply and then OK, then close the window.
10. Update the local security policies by opening a command prompt and running the command:
>gpupdate.exe /force
11. Restart the CA service to pick up the changes, by running the commands:
17. Verify that the event viewer contains a new CA startup event (event ID 4881).
18. Verify that the PrivateKeyUsageCount property value has not changed.
This procedure describes backing up the CA / HSM data on an existing server and then restoring
the CA / HSM data onto a new server. Thales have successfully tested this procedure in the
following configurations:
l Windows Server 2008 SP2 Enterprise 64-bit (CNG) to Windows Server 2012 Datacenter
(CNG)
l Windows Server 2008 SP2 Enterprise 64-bit (CNG) to Windows Server 2012 Standard (CNG)
l Windows Server 2008 R2 SP1 Enterprise 64-bit (CNG) to Windows Server 2012 Datacenter
(CNG)
l Windows Server 2008 R2 SP1 Enterprise 64-bit (CNG) to Windows Server 2012 Standard
(CNG)
Note: For this procedure your CA must be protected with module-only protection or 1/N OCS
without passphrase as key protection method.
To back up the CA and HSM data on the existing server (machine #1), and then migrate the CA
and HSM onto a new server (machine #2):
On machine #1:
On machine #2:
1. Copy the backed-up security world data on the following path on machine #2:
C:\ProgramData\nCipher\KeyManagement Data\local.
2. Load the security world onto the HSM on machine #2, by running the command:
>new-world -l
For more information about loading a security world, refer to the User Guide for the HSM.
3. Run the CNG Configuration Wizard.
Note: If selecting operator card set protection, do not check Always use the wizard
when creating or importing keys.
4. Copy and install the X.509 certificate into the local user Trusted Root CA Store on machine
#2:
a. Right-click the certificate, and click Install.
b. Click Next.
c. Select Place all certificates in the following store, and click Browse.
d. Select Trusted Root Certification Authorities, and click OK.
e. Click Next.
f. Click Finish.
g. Click OK to close the import success message.
5. Install the certificate into my store, by running the following command from the console:
>certutil -shutdown
15. Verify that the CA service has started successfully by running the command:
On machine #1:
2. Back up the security world data and the private key, which are found in
C:\ProgramData\nCipher\Key Management Data\local. For more information about
backing up a security world, refer to the User Guide for the HSM.
3. Uninstall the CA from machine #1.
On machine #2:
1. Copy the backed-up security world data and the private key to
C:\ProgramData\nCipher\Key Management Data\local on machine #2.
2. Load the security world onto the HSM on machine #2, by running the command:
>new-world -l
For more information about loading a security world, refer to the User Guide for the HSM.
3. Run the CNG Configuration Wizard and select Use existing security world.
4. Install Microsoft Active Directory Certificate Services with the following settings:
a. In the Private Key window, select Use existing private key and use existing
private key on this computer. Click Next.
b. In the Select Existing Key window, click Change. The Change Cryptographic
Provider window opens.
c. Select the CSP that contains the created key. Delete the contents of the field CA
common name, and click Search. The search results should find the existing private
key
d. Select the key that you generated on machine #1, click Allow administrator
interaction when the private key is accessed by the CA, and click Next.
e. On the Cryptography for CA window, click Next.
f. In the CA name window, click Next.
g. In the Validity Period window, specify the validity period and click Next.
h. In the Certificate Database window, specify the certificate database location and click
Next.
i. On the Confirmation window, click Configure.
j. In the Installation Results window, click Close.
5. Copy the backed-up CA database data onto machine #2.
6. Run the command:
>certutil -shutdown
9. Verify that the CA service has started successfully by running the command:
l DNS name
Note: To use CAPI CSP, make a copy of an OCSP response signing template. From the
Cryptographic tab, under the provider category, select Legacy Cryptographic
Service Provider. Then, select Request must use one of the following
providers and check nCipher Enhanced Cryptographic Provider.
> certutil -pulse
l The CA certificate
l The signing certificate for the online responder
l The locations that clients can send their requests to
[Version]
Signature = "$Windows NT$"
[NewRequest]
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
In the rsa.inf file replace the subject with your CA common name.
2. Go to your local directory and find the file rsa.inf.
3. Check that rsa.inf contains the following messages:
4. From the command prompt navigate to your local C drive and add:
7. Click OK to select the CA certificate and save it as rsa.cer in your local directory.
8. Navigate to the directory where you saved the certificate and look for rsa.cer.
2. Open the text file rsa.txt. The last few lines should be as follows:
3. This shows that the OCSP Server is working correctly and there were no errors.
Chapter 3: Troubleshooting
The following table provides troubleshooting guidelines.
Addresses
Americas
900 South Pine Island Road, Suite 710, Plantation, Florida 33324, USA
sales@thalesesec.com
emea.sales@thales-esecurity.com
Asia Pacific
Units 4101, 41/F. 248 Queen’s Road East, Wanchai, Hong Kong, PRC
asia.sales@thales-esecurity.com
Internet addresses