Using Fortanix Data Security Manager with Microsoft PKI

1.0 Introduction

This article describes how to set up a Microsoft PKI service, namely Active Directory Certificate Services (AD CS), with Fortanix Data Security Manager (DSM) holding the CA private key.

Before starting, follow the steps in the CNG Developers Guide to install the Fortanix DSM CNG Key Storage Provider (KSP) on the server that will host the CA.

Use certutil -csplist to verify that the Fortanix CNG KSP is installed and registered with CNG before configuring AD CS.
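The check described above, as an added example (this is not a script from the Fortanix article or product): it confirms the KSP is registered and that certutil's provider self-test passes, from an elevated PowerShell prompt on the CA host. The provider name is the one this article uses in its certutil -repairstore step; it is an assumption here, so adjust it if certutil -csplist shows a different name for your KSP version.

```powershell
# Added example (not from the Fortanix article): confirm the Fortanix KSP is
# registered with CNG before touching AD CS. Run elevated on the CA host.
# Provider name as used in this article's certutil -repairstore step; it is an
# assumption, so replace it with whatever certutil -csplist reports.
$Ksp = "Fortanix KMS CNG Provider"

# 1. Is the KSP registered? certutil -csplist enumerates all CSPs and KSPs.
$providers = certutil -csplist
if (-not ($providers | Select-String -SimpleMatch $Ksp)) {
    throw "KSP '$Ksp' not found. Re-run the CNG Developers Guide install steps."
}
"KSP registered: $Ksp"

# 2. Does the provider actually work? certutil -csptest runs certutil's
#    built-in provider test against the named KSP; it fails if the KSP is
#    present but cannot reach Fortanix DSM or has no valid API key configured.
certutil -csptest $Ksp
if ($LASTEXITCODE -ne 0) {
    throw "certutil -csptest failed for '$Ksp' (exit $LASTEXITCODE); check the KSP configuration (DSM URL, API key) before configuring the CA."
}
"KSP self-test passed"
```

Run this before the AD CS role is configured: a CA whose key creation fails half-way through the wizard is harder to clean up than a provider problem caught here.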

2.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and its URL must be reachable from the CA host. To create a Fortanix DSM account and group, refer to the following sections:

2.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

2.2 Creating an Account

Open <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In

2.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.

    Figure 2: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

2.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 3: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 2.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

2.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in Section 2.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click the VIEW API KEY DETAILS button.

  3. From the API Key Details dialog box, copy the API Key of the app to use it later when configuring the Fortanix CNG KSP. The API key is the app's credential to DSM: store it only where the KSP configuration needs it and do not leave it in scripts or shell history.

3.0 Configuring Microsoft Active Directory Certificate Services

  1. Open Server Manager and select Active Directory Certificate Services (AD CS) as one of the roles to install.


    Figure 4: Set Active Directory as Service

  2. Select Certification Authority (CA) as one of the role services to install for AD CS.  


    Figure 5: Select role services

  3. The CA installed in the previous step must have a private key to sign and issue certificates to clients. There are three ways to associate a private key with the CA:

    • By creating a new private key

    • By selecting an existing certificate and using its associated private key

    • By selecting an existing private key

  4. The Fortanix DSM KSP supports all the above three options.  


    Figure 6: All three types of private key support

3.1 Creating a New Private Key

To create a new private key:

  1. Select the Create a new private key option and click Next.  


    Figure 7: Create a new private key

  2. Next, select the cryptographic provider. Select RSA#Fortanix SDKMS Provider if you want an RSA key for the CA; the key is then generated inside Fortanix DSM rather than on the Windows host. The exact provider name shown in the wizard matches the KSP name reported by certutil -csplist, so check it there if the list differs from this screenshot.


    Figure 8: Select cryptographic provider

  3. After confirming your selections, verify that a new key has been generated in the Fortanix DSM web UI. The CA is now ready to issue certificates.  


    Figure 9: Verify new key

    NOTE

    If you have a Quorum approval policy enabled on your group, add the app to the OR section of the Quorum approval policy so that its key operations do not wait for approval; otherwise the key request from the CA fails and AD CS reports an error.
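The Section 3.0 and 3.1 wizard steps as PowerShell, followed by the verification of Figure 9 done against the DSM API instead of the web UI. This is an added example, not a script from the Fortanix article or product. Assumptions not taken from the article: a standalone root CA named Example-Root-CA with a 3072-bit RSA key and SHA-256, the DSM URL https://eu.smartkey.io, the app's API key (Section 2.5) in the environment variable DSM_API_KEY, the KSP name from this article's certutil step, and the DSM REST endpoint and field names used in the remote check.

```powershell
# Added example (not from the Fortanix article): create the CA with its key in
# Fortanix DSM, then verify the key is bound to the Fortanix KSP locally and
# visible to the app in DSM. Run elevated on the CA host.
$Ksp    = "Fortanix KMS CNG Provider"   # assumption; confirm with certutil -csplist
$CaName = "Example-Root-CA"             # assumption
$DsmUrl = "https://eu.smartkey.io"      # assumption: your <Your_DSM_Service_URL>
$ApiKey = $env:DSM_API_KEY              # API key copied in Section 2.5
if (-not $ApiKey) { throw "Set DSM_API_KEY to the app's API key first" }

# Role and role service (Figures 4 and 5).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# "Create a new private key" with the Fortanix KSP as the cryptographic
# provider (Figures 7 and 8). CNG provider names take the form "<alg>#<KSP>".
Install-AdcsCertificationAuthority `
    -CAType             StandaloneRootCA `
    -CACommonName       $CaName `
    -CryptoProviderName "RSA#$Ksp" `
    -KeyLength          3072 `
    -HashAlgorithmName  SHA256 `
    -Force

# Local check: the CA certificate's key must report the Fortanix KSP as its
# provider, not the Microsoft Software Key Storage Provider.
$ca = Get-ChildItem Cert:\LocalMachine\My |
      Where-Object { $_.Subject -like "CN=$CaName*" } |
      Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $ca) { throw "CA certificate for $CaName not found in LocalMachine\My" }
if (-not (certutil -store My $ca.SerialNumber | Select-String -SimpleMatch $Ksp)) {
    throw "CA certificate $($ca.Thumbprint) is not backed by $Ksp"
}
"CA certificate $($ca.Thumbprint) is bound to $Ksp"

# Remote check (Figure 9 as an API call): list the security objects the app
# can see. The DSM API key is sent as an HTTP Basic credential; the endpoint
# /crypto/v1/keys and the fields obj_type, key_size, created_at, name, kid
# and key_ops are assumptions about the DSM REST API.
$headers  = @{ Authorization = "Basic $ApiKey" }
$sobjects = Invoke-RestMethod -Uri "$DsmUrl/crypto/v1/keys" -Headers $headers -Method Get
$caKey = $sobjects |
         Where-Object { $_.obj_type -eq 'RSA' -and $_.key_size -eq 3072 } |
         Sort-Object created_at -Descending | Select-Object -First 1
if (-not $caKey) { throw "No 3072-bit RSA key visible to the app in DSM; check the group assignment and any Quorum policy" }
"Newest matching key in DSM: $($caKey.name) (kid $($caKey.kid)); key_ops = $($caKey.key_ops -join ',')"
```

The remote check matches on key type and size because the KSP chooses the DSM key name; if several candidates exist, compare created_at with the time the wizard ran. A key whose key_ops lacks SIGN cannot issue certificates, which is the usual cause of a CA that configured successfully but fails on its first request.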

3.2 Backing up, migrating, and restoring the CA using an existing certificate and its associated private key

This section describes how to back up the CA database and certificate on the existing server (machine #1) and then migrate the CA to a new server (machine #2). The CA private key never leaves Fortanix DSM: on machine #2 the restored CA certificate is simply re-linked to the key that DSM already holds.

Steps to Perform on Machine#1

  1. Run certutil with no arguments at an elevated command prompt to display the CA configuration information, including the config string in the form <host>\<CA name>.


    Figure 10: Extract config info

  2. Using the config string, back up the CA database with the following command. Note that -backupdb backs up the database only; the private key stays in Fortanix DSM and is not part of this backup.

    certutil -config <CA_config_string> -backupdb <BackupDirectory>

    For example:


    Figure 11: Backup the database

  3. Export the certificate from machine#1.

    1. Run mmc.

    2. In the console, go to File → Add/Remove Snap-in.

    3. Select the Certificates tab and click Add.

    4. The certificate snap-in window opens. Select Computer Account and click Next.

    5. Keep the default selection and click Finish, then click OK.

    6. Go to Trusted Root Certification Authorities → Certificates.

    7. Right-click the CA certificate, click All Tasks → Export, then click Next.

    8. Select Base-64 encoded X.509 (.CER) and click Next.

    9. Specify the path and file name to save the certificate and click Next.

    10. Click Finish.

    11. Click OK to close the export success message.  


      Figure 12: Export the certificate from machine 1

  4. You now have two folders in your saved location: the backup of the CA database (CABackup) and the exported certificate (Export). Copy these two folders to the new machine, that is, machine #2.


    Figure 13: Copy the folders on a new machine
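The machine #1 procedure above as PowerShell, as an added example that is not part of the Fortanix article. Assumptions: the backup goes to C:\CABackup, the certificate export to C:\Export, the CA name is read from the CertSvc registry key, and the Base-64 export is produced with Export-Certificate plus certutil -encode instead of the mmc wizard. The registry export is an extra step that the article does not list but every AD CS migration needs.

```powershell
# Added example (not from the Fortanix article): machine #1 backup steps of
# Section 3.2. Run from an elevated PowerShell prompt on the existing CA.
$BackupDir = "C:\CABackup"   # assumption
$ExportDir = "C:\Export"     # assumption
New-Item -ItemType Directory -Force -Path $BackupDir, $ExportDir | Out-Null

# Step 1: the config string "<host>\<CA name>". The active CA name is stored
# under the CertSvc configuration key, so no parsing of certutil output.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$config = "$env:COMPUTERNAME\$caName"
"CA config string: $config"

# Step 2: back up the CA database only (-backupdb). The CA private key lives
# in Fortanix DSM and is never exported, which is why -backup (database plus
# key) is not used here.
certutil -config $config -backupdb $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed (exit $LASTEXITCODE)" }

# Not in the article, but required for a faithful migration: the CA's
# registry configuration (CRL/AIA paths, validity periods, policy settings).
# Import it on machine #2 only after the CA role is configured there.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" `
           "$BackupDir\$caName-config.reg" /y | Out-Null

# Step 3: export the CA certificate as Base-64 X.509 (.CER), equivalent to the
# mmc export in Figure 12. Take the newest certificate for the CA from the
# Local Computer Trusted Root store.
$caCert = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like "CN=$caName*" } |
          Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $caCert) { throw "No certificate with CN=$caName in Trusted Root" }
$der = Join-Path $ExportDir "CA_Certificate.der"
Export-Certificate -Cert $caCert -FilePath $der -Type CERT | Out-Null
certutil -encode $der (Join-Path $ExportDir "CA_Certificate.cer") | Out-Null   # DER -> Base-64
Remove-Item $der

# Step 4: what to copy to machine #2.
"Copy $BackupDir and $ExportDir to machine #2. Backup contents:"
Get-ChildItem -Recurse $BackupDir | Select-Object FullName, Length
```

Keep the .reg file with the database backup: it contains the CA's publication paths and policy settings, which the AD CS wizard on machine #2 will otherwise reset to defaults.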

3.2.1 Steps to Perform on Machine#2

  1. Assuming this is a clean Windows Server machine on which AD CS has not been configured, install the Fortanix CNG KSP on machine #2 and configure it (DSM URL and the app's API key from Section 2.5) as described in the readme file.


    Figure 14: Install Fortanix CNG on Machine 2

  2. Copy the CABackup and Export folders from machine #1 to the Desktop location.

  3. Install the X.509 certificate into the Local Computer's Trusted Root Certification Authorities store on machine #2 (choose Local Machine as the store location in the wizard, not Current User).

    1. Right-click the certificate and click Install.

    2. Click Next.

    3. Select Place all certificates in the following store and click Browse.

    4. Select Trusted Root Certification Authorities and click OK.

    5. Click Next.

    6. Click Finish.

    7. Click OK to close the import success message.

  4. You will see that the certificate (SDKMS-CA in this example) has been successfully imported into the Trusted Root Certification Authorities store.

  5. Install the certificate into the Local Computer's Personal (my) store by running the following command from an elevated command prompt:

    certutil -addstore my <certificate file>

    Example:

    certutil -addstore my CA_Certificate.cer

    Where CA_Certificate.cer is the certificate exported from machine #1 in Base-64 encoded X.509 (.CER) format. Run this elevated so that certutil targets the Local Computer store rather than the current user's.


    Figure 15: Install the certificate

  6. After you run the above command, you can find the imported CA certificate in the Personal store, as shown in the following screenshot. At this point it has no private key associated with it on machine #2.


    Figure 16: Exported CA in personal trust store

  7. Now re-link the imported certificate to its private key in Fortanix DSM by repairing the store entry from an elevated command prompt:

    certutil -f -repairstore -csp "Fortanix KMS CNG Provider" my "<cert serial number>"

    Where "Fortanix KMS CNG Provider" is the name of the Fortanix KSP that holds the CA key (confirm it with certutil -csplist) and <cert serial number> is the serial number of the imported CA certificate. The private key is never copied to machine #2; the repair only records which KSP and key container the certificate belongs to, so it fails if the KSP on machine #2 is not configured with an app that can access the key.

  8. You can find the cert serial number from the following command.

    certutil -store my

    For example:


    Figure 17: Cert serial number

  9. Now click Start → Server Manager to open the Server Manager on Machine#2.

  10. Install the AD CS role with the Certification Authority role service, as in Section 3.0.

  11. Configure AD CS with the following settings:

    1. In the Set Up Private Key window, select Use existing private key and then Select a certificate and use its associated private key.

    2. In the Existing Certificate window, the imported certificate is shown. Select the certificate and select Allow administrator interaction when the private key is accessed by the CA.

    3. Click Next.

    4. In the Certificate Database window click Next.

    5. In the Confirmation window click Configure.

    6. When the CA installation is complete, click Close in the installation results window.

  12. The CA is now configured on machine #2, as shown in the following screenshots.

    Figure 18: CA configured on Machine 2

    Figure 19: CA certificate on Machine 2

    Now restore the CA database from the backup taken on machine #1 by running the following command. Stop the CA service (net stop certsvc) before running it, because certutil -restoredb cannot replace the database while the service holds it open, and start the service again afterwards.

    certutil -restoredb <BackupDirectory>

    Once the CA is configured and issuing, you can confirm that signing operations are being performed in Fortanix DSM by checking the DSM logs for the CA key.


    Figure 20: Check logs in Fortanix-DSM
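The machine #2 procedure of Section 3.2.1 as PowerShell, as an added example that is not part of the Fortanix article. Assumptions: the copied folders are C:\CABackup and C:\Export, the Fortanix KSP is already installed and configured with the app's API key, the CA is a standalone root CA, the KSP name is the one from this article's certutil step, and the CA role is configured with Install-AdcsCertificationAuthority instead of the Server Manager wizard. The registry import step is an addition that the article does not list.

```powershell
# Added example (not from the Fortanix article): machine #2 restore steps of
# Section 3.2.1. Run from an elevated PowerShell prompt on the new server.
$Ksp       = "Fortanix KMS CNG Provider"        # assumption; confirm with certutil -csplist
$BackupDir = "C:\CABackup"                      # assumption
$CerFile   = "C:\Export\CA_Certificate.cer"     # assumption

# Steps 3-6: the CA certificate goes into the Local Computer stores, not the
# current user's: Trusted Root (so the chain validates) and Personal (so the
# AD CS wizard offers it as an existing certificate).
Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$caCert = Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\My
$serial = $caCert.SerialNumber      # same value "certutil -store my" prints as Serial Number

# Steps 7-8: the imported certificate has no private key on this machine.
# -repairstore re-links it to the key held by the Fortanix KSP; the key itself
# stays in DSM and is never copied here.
certutil -f -repairstore -csp $Ksp my $serial
if ($LASTEXITCODE -ne 0) { throw "repairstore failed; check the KSP config and that the app can see the CA key in DSM" }

# Check the link before configuring the CA: Windows must now see a private key
# binding and certutil must name the Fortanix KSP as the provider.
$caCert = Get-Item "Cert:\LocalMachine\My\$($caCert.Thumbprint)"
if (-not $caCert.HasPrivateKey) { throw "Certificate still has no private key binding" }
if (-not (certutil -store my $serial | Select-String -SimpleMatch $Ksp)) { throw "Key is not bound to $Ksp" }
"Certificate $serial is bound to $Ksp"

# Steps 9-11: install the role and configure the CA with the existing
# certificate (the "Use existing private key" path of Figure 6).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CertificateID $caCert.Thumbprint -AllowAdministratorInteraction -Force

# Step 12: restore the database. certutil -restoredb refuses to run while the
# CA service holds the database, so stop it first and start it afterwards.
Stop-Service CertSvc
certutil -f -restoredb $BackupDir
if ($LASTEXITCODE -ne 0) { Start-Service CertSvc; throw "restoredb failed (exit $LASTEXITCODE)" }

# Not in the article: re-apply the CA registry configuration exported on
# machine #1, if present. Review values that name the old host (for example
# CAServerName) in the .reg file before importing it.
Get-ChildItem "$BackupDir\*-config.reg" -ErrorAction SilentlyContinue |
    ForEach-Object { reg import $_.FullName | Out-Null }
Start-Service CertSvc

# Verify: the CA answers, and its reported configuration names this host.
certutil -ping
certutil -cainfo
```

After the first certificate is issued from machine #2, the corresponding sign operation should appear in the Fortanix DSM logs (Figure 20); if the CA starts but the first request fails, the usual causes are a repairstore done against the wrong KSP name or an app on machine #2 that is not assigned to the group holding the CA key.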