1.0 Introduction
This article describes how to migrate a private key from an existing Microsoft Active Directory Certificate Services (AD CS) Certificate Authority (CA) to Fortanix Data Security Manager (DSM).
2.0 Prerequisites
Ensure the following:
The Microsoft Domain Name System (DNS) server role must be enabled and configured on the server.
The Microsoft AD CS server role must be enabled, and the CA must be configured.
3.0 Back-Up Existing CA Certificates
Check the certificates that are issued by the existing Windows CA server.
The following figure shows there are five certificates that the CA server has issued so far.

Figure 1: Windows CA server certificates
Perform the following steps to back up the existing CA certificate:
On the Windows Server where the Microsoft AD CS role is installed:
Go to Start.
Find and run certsrv.msc. Press Enter to open the Certification Authority window.
Figure 2: Certificate authority
Right-click the CA and in the menu select All Tasks → Back up CA…
Figure 3: Back up CA
In the Certification Authority Backup Wizard, click Next to choose a location to save the certificate and database.
Figure 4: CA backup wizard
Select both the Private key and CA certificate and Certificate database and certificate database log check boxes.
Figure 5: CA backup wizard
Click Next to set the password for the private key.
Click Next again and then click Finish.
Now the certificate and database backup will be available in the backup location.
4.0 Export the Certificate and Remove it from Trusted Root CA
This section describes the steps to export the CA certificate and remove the AD CS role from the server.
4.1 View the Certificates
Perform the following steps to view the certificates of the local computer:
Go to Start.
Find and run mmc. Press Enter.
Figure 6: Run MMC
In the Console window that opens, click the File menu, and select Add/Remove Snap-in.
Figure 7: Add snap-in
From the Available snap-ins section, select Certificates and click Add to configure the certificate.
Figure 8: Configure certificate
In the Certificates snap-in window, select Computer account and click Next.
Figure 9: Manage certificate for computer account
In the Select Computer window, select Local computer that the snap-in will manage. Click Finish.
Figure 10: Select computer
Click OK to close the window.
Figure 11: Certificate snap-in configured
Now you will see all the certificates of the local computer.

Figure 12: Certificates of local computer
4.2 Export the Certificate
Perform the following steps to export the certificate:
Under the Console Root folder in the left panel, click the folder Trusted Root Certification Authorities and click the Certificates folder on the right.
Figure 13: Trusted root CA certificates
From the available certificates, right-click the fortanix-server-CA certificate, and in the menu go to All Tasks and click Export to export the certificate to a local folder. Remove it from the Trusted Root Certification Authorities folder.
Figure 14: Export certificate
Under the Console Root folder in the left panel, select the Personal folder, and delete any available certificates.
4.3 Remove AD CS Role from the Server
Perform the following steps to remove the AD CS role from the server:
Go to Server Manager dashboard.
In the top-right menu, click Manage and select Remove Roles and Features.
Figure 15: Remove roles and features
In the Remove Roles and Features Wizard screen, select Server Roles in the left panel, and clear the checkbox for Active Directory Certificate Services to remove the AD CS role.
Click Next in the following screens to remove the role and feature.
Figure 16: Remove AD CS
Reboot the server.
5.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
5.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
5.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 17: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
5.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 18: Add groups
On the Adding new group page, do the following:
Title: Enter a name for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.
5.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 19: Add application
On the Adding new app page, do the following:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.
Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.
5.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click VIEW API KEY DETAILS.
From the API Key Details dialog box, copy the API Key of the app to be used later.
6.0 Configure Certificate Authority
6.1 Import Key in Fortanix DSM
Perform the following steps to import an RSA key into the Fortanix DSM:
Using the command prompt, open the folder where the private key was saved.
Using OpenSSL, extract the CA key from the .p12 backup file to a .key file, and then convert it with the rsa command to a .pem file.
In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.
Figure 20: Adding security object
On the Add new Security Object page, do the following:
Security Object Name: Enter the name of your security object.
Group: Select the group as created in Section 5.3: Creating a Group.
Select the IMPORT radio button.
In the Choose a type section, select the RSA key type.
In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click UPLOAD A FILE to upload the key file, CAprivatekey.pem.
In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic key, such as encryption, decryption, signing, and verifying.
Click IMPORT to create the new security object.
Install Microsoft CNG Key Storage Provider by following the article here and run the following commands:
You will see activity logs similar to Figure 21.
Figure 21: App authentication activity logs
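The two OpenSSL steps from Section 6.1 (extract the key from the .p12 backup to a .key file, then rewrite it with the rsa command to the .pem that DSM imports) as an added, runnable example that is not part of the Fortanix article. To run offline it first builds a throwaway self-signed CA and packs it into a password-protected .p12 as a constructed stand-in for the file the Certification Authority Backup Wizard writes, then extracts the key exactly as the step describes and confirms by RSA modulus that the result is the same key that was backed up. The file names, the backup-pw password and the CN are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Fortanix article: the two OpenSSL steps that
# turn the .p12 written by the Certification Authority Backup Wizard into the
# CAprivatekey.pem file imported into DSM. File names are assumptions.
set -eu

# extract_ca_key <backup.p12> <p12-password> <output-basename>
# Writes <basename>.key (PEM private key pulled out of the PKCS#12) and
# <basename>.pem (the same key rewritten by "openssl rsa").
extract_ca_key() {
  p12="$1"; pass="$2"; base="$3"
  # Step 1: keep only the private key (-nocerts). -nodes writes it without a
  # second PEM pass phrase so that step 2 runs non-interactively. The .p12
  # password is handed over through the environment rather than the command
  # line so it does not appear in process listings.
  P12_PASS="$pass" openssl pkcs12 -in "$p12" -nocerts -nodes \
    -passin env:P12_PASS -out "$base.key"
  # Step 2: rewrite the key as a plain RSA private key in PEM form.
  openssl rsa -in "$base.key" -out "$base.pem" 2>/dev/null
  # Plaintext key material: restrict both files to the owner while they exist.
  chmod 600 "$base.key" "$base.pem"
}

# key_modulus <pem-key>: prints the RSA modulus of the key in the file.
key_modulus() {
  openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# same_key <key-a> <key-b>: returns 0 when both files carry the same RSA key,
# which is the check that the extracted .pem really is the backed-up CA key.
same_key() {
  [ "$(key_modulus "$1")" = "$(key_modulus "$2")" ]
}

# --- Constructed fixture so the script runs offline: a throwaway self-signed
# CA packed into a password-protected .p12, standing in for the wizard backup.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/orig.key" \
  -out "$WORK/orig.crt" -subj "/CN=constructed-test-CA" -days 1 2>/dev/null
P12_PASS="backup-pw" openssl pkcs12 -export -inkey "$WORK/orig.key" \
  -in "$WORK/orig.crt" -passout env:P12_PASS -out "$WORK/ca-backup.p12"

# The real input is the .p12 saved in Section 3.0 and the password set there.
extract_ca_key "$WORK/ca-backup.p12" "backup-pw" "$WORK/CAprivatekey"
if same_key "$WORK/orig.key" "$WORK/CAprivatekey.pem"; then
  echo "CAprivatekey.pem carries the backed-up CA key"
fi
```

Once the IMPORT in DSM has succeeded, the plaintext CAprivatekey.key and CAprivatekey.pem files (and the working copy of the .p12) have no further use and should be deleted; after the migration the CA key is meant to exist only inside DSM, where the provider later refuses to export it.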
6.2 Install X.509 Certificate in Local User Trusted Root CA Store
Perform the following steps to install the X.509 certificate that was exported in Section 4.2: Export the Certificate in the local user Trusted Root CA store:
Right-click the certificate and click Install.
Click Next.
Figure 22: Install certificate
Select Place all certificates in the following store and click Browse.
Select Trusted Root Certification Authorities and click Ok.
Figure 23: Select certificate store
Click Next.
Click Finish.
Click Ok to close the import success message.
You will now see that the certificate fortanix-server-CA has been successfully imported into the Trusted Root CA store.
6.3 Install CA Certificate in the Personal Store
Perform the following steps to install the certificate into your store:
Run the following command from the command prompt terminal:
certutil -addstore my <certificate name>
Where fortanix-server.CA is the exported certificate in Base-64 encoded X.509 (.CER) format.
Once you run the command above, you can find the exported CA in the Personal Trust Store:
Figure 24: CA installed in personal trust store
Run the following command to find the certificate serial number:
certutil -store my
Run the following command to repair the certificate store:
certutil -f -repairstore -csp "Fortanix KMS CNG Provider" my "<cert serial number>"
The repair operation will not be allowed because the private key is restricted from being exported from Fortanix DSM, protecting the key integrity.
6.4 Add AD CS Role to the Server
Perform the following steps to add the AD CS role to the server:

Figure 25: Add AD CS role
In the Private Key window, select Use existing private key and then select Select a certificate and use its associated private key.
Figure 26: Configure AD CS
In the Existing Certificate window, the imported certificate is shown. Select the certificate and select Allow administrator interaction when the private key is accessed by the CA.
Figure 27: Configure AD CS
In the Certificate Database window, click Next.
In the Confirmation window, click Configure.
Figure 28: AD CS configuration
When the CA installation is complete, click Close in the installation results window. You can find the CA configured.
Figure 29: CA configured
Once the CA certificate is successfully configured, you can then check the Fortanix DSM Certificate logs.
Figure 30: Certificate logs
To test the operation, request a certificate from a client machine.
Figure 31: Request a certificate
This example uses the Certificate Enrollment Web Service to request a certificate from a client machine. Fill in all the details in the form and click Submit.
Figure 32: Request a certificate
Once the certificate is issued, click Install this certificate.
Figure 33: Certificate issued
Now go back to the CA server and check that the certificate has been issued, using the MMC console again.
Figure 34: Certificate installed
7.0 Restore Issued Certificates
Perform the following steps to restore the certificates:
Go to the Certificate Authority (CA) service and right-click the CA.
In the menu that opens, click All Tasks → Restore CA.
Figure 35: Restore CA
In the Certification Authority Restore Wizard, click OK to stop the Active Directory Certificate Services.
Figure 36: Stop active directory certificate services
Click Next.
Figure 37: CA restore wizard
In the Items to Restore section, select Certificate database and certificate database log. Enter the C:\ directory as the restore location. Click Next.
Figure 38: Items to restore
Click Finish to close the wizard and begin the restoration process.
Figure 39: Begin restoration
The CA restoration is completed. Click Yes to start Active Directory Certificate Services.
Figure 40: Restoration complete
The SubCA certificate is restored.
Figure 41: Certificate restored
Any previously issued certificates will be listed.