Using Fortanix Data Security Manager with Microsoft PKI


This article describes how to set up a Microsoft PKI service, namely Active Directory Certificate Services (AD CS), so that its CA key is held by Fortanix Data Security Manager (DSM).

Before starting, follow the steps in the CNG Developers Guide to install the Fortanix DSM CNG Key Storage Provider.

Use certutil to verify that the Fortanix CNG KSP installed correctly: certutil -csplist prints every registered cryptographic provider, and the Fortanix KSP must appear among them before AD CS can use it.

Configuring Microsoft Active Directory Certificate Services

  1. Open Server Manager and select Active Directory Certificate Services (AD CS) as one of the roles to install.
    Figure 1: Select Active Directory Certificate Services
  2. Select Certification Authority (CA) as one of the role services to install for AD CS.
    Figure 2: Select role services
  3. The CA installed in the previous step needs a private key with which to sign and issue certificates to clients. There are three ways to associate a private key with the CA:
    • By creating a new private key
    • By selecting an existing certificate and using its associated private key
    • By selecting an existing private key
  4. The Fortanix DSM KSP supports all three options; in each case the CA's private key is held in Fortanix DSM rather than on the Windows host.
    Figure 3: All three types of private key support

Creating a New Private Key

To create a new private key:

  1. Select the Create a new private key option and click Next.
    Figure 4: Create a new private key
  2. You are next asked to select the cryptographic provider. Select RSA#Fortanix SDKMS Provider as the cryptographic provider if you want an RSA key for the CA.
    Figure 5: Select cryptographic provider
  3. After confirming your selections, verify in the Fortanix DSM web UI that a new key has been generated in the group the KSP is configured for. The CA is now ready to issue certificates.
    Figure 6: Verify new key
    If a Quorum approval policy is enabled on that group, add the app the KSP uses to the OR section of the Quorum approval policy so that it can authenticate; otherwise key generation fails and AD CS reports an error.
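The two checks a practitioner wants after this step, as an added example that is not part of the Fortanix article: that the Fortanix KSP is registered on the host, and that the new CA certificate's private key is actually backed by that KSP rather than by the Microsoft Software Key Storage Provider. The CA subject name 'CN=SDKMS-CA' is an assumption (it is the CA name used later in this article); the script matches the provider on the substring "Fortanix" because the exact display name differs between the wizard and certutil.

```powershell
# Added example, not code from the Fortanix article. Run in an elevated PowerShell
# on the CA host after the "Create a new private key" wizard has completed.
# Assumption: the CA subject is CN=SDKMS-CA; pass -CaSubject to override.
param([string]$CaSubject = 'CN=SDKMS-CA')
$ErrorActionPreference = 'Stop'

# 1. certutil -csplist lists every registered CSP/KSP as "Provider Name: <name>".
$providers = certutil -csplist |
    Where-Object { $_ -match '^\s*Provider Name:' } |
    ForEach-Object { ($_ -split ':', 2)[1].Trim() }
$fortanix = $providers | Where-Object { $_ -like '*Fortanix*' }
if (-not $fortanix) {
    throw "No Fortanix KSP registered. Providers found: $($providers -join ', ')"
}
Write-Host "Fortanix KSP registered as: $($fortanix -join ', ')"

# 2. Locate the CA certificate in the machine Personal store. The CA wizard
#    places the CA certificate there with its private-key reference attached.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CaSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $CaSubject in LocalMachine\My" }

# 3. Ask CNG which provider backs the key. A key created through the Fortanix KSP
#    reports that provider; a software-backed key reports
#    "Microsoft Software Key Storage Provider", which would mean the key material
#    is on the Windows host and not in DSM.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw "Private key is not a CNG key (type $($rsa.GetType().Name)); it is not held by a KSP"
}
$provider = $rsa.Key.Provider.Provider
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Key name   : $($rsa.Key.KeyName)"
Write-Host "Provider   : $provider"
if ($provider -notlike '*Fortanix*') {
    throw "CA private key is NOT in the Fortanix KSP (provider: $provider)"
}
Write-Host 'OK: CA private key is held by the Fortanix KSP'
```

Opening the key through the KSP may prompt or require the app credentials configured in the CNG readme, so run this under the same account and configuration the CA service uses. The key name printed in step 3 is the name to look for in the Fortanix DSM web UI.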

Backing up, migrating, and restoring CA using an existing certificate and its associated private key

This section describes how to back up the CA on the existing server (machine #1) and then migrate it to a new server (machine #2). The private key remains in Fortanix DSM throughout, so only the CA database and the CA certificate move between machines.

Steps to Perform on Machine #1

  1. Run certutil at a command prompt (its default -dump action) to display the CA configuration. The Config line contains the CA config string (<host>\<CA name>) needed in the next step.
    Figure 7: Extract config info
  2. With the config string, back up the certificate database with the following command. -backupdb copies only the database and its log; the CA certificate is exported in the next step, and the private key never leaves Fortanix DSM.
    certutil -config <CA_config_string> -backupdb <BackupDirectory>
    Figure 8: Back up the database
  3. Export the certificate from machine#1.
    1. Run mmc.
    2. In the console, go to File > Add/Remove Snap-in.
    3. Select the Certificates tab and click Add.
    4. The certificate snap-in window opens. Select Computer Account and click Next.
    5. Keep the default selection and click Finish, then click OK.
    6. Go to the directory Trusted Root Certification Authorities > Certificates.
    7. Right-click the CA certificate, click All Tasks > Export, then click Next.
    8. Select Base-64 encoded X.509 (.CER) and click Next.
    9. Specify the path and file name to save the certificate and click Next.
    10. Click Finish.
    11. Click OK to close the export success message.
      Figure 9: Export the certificate from machine 1
  4. You now have two folders in the location you chose: the CA database backup (CABackup) and the exported certificate (Export). Copy both folders to the new machine, machine #2. The exported file contains only the public certificate, so it is safe to transfer, but record its thumbprint so you can confirm on machine #2 that it arrived unmodified.
    Figure 10: Copy the folders to the new machine
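The machine #1 procedure above (config string, database backup, Base-64 export of the CA certificate) as one script. This is an added example, not code from the Fortanix article; the backup location on the Desktop and the CA subject 'CN=SDKMS-CA' are assumptions taken from the article's screenshots.

```powershell
# Added example, not code from the Fortanix article. Run in an elevated PowerShell
# on machine #1 (the existing CA host).
# Assumptions: backups go under $BackupRoot; the CA subject is CN=SDKMS-CA.
param(
    [string]$BackupRoot = "$env:USERPROFILE\Desktop",
    [string]$CaSubject  = 'CN=SDKMS-CA'
)
$ErrorActionPreference = 'Stop'
$caBackup  = Join-Path $BackupRoot 'CABackup'
$exportDir = Join-Path $BackupRoot 'Export'
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null

# Step 1: certutil's default dump lists the local CA with a line such as
#   Config: `HOST\SDKMS-CA'
# Strip the label and the quoting characters to get the config string.
$configLine = certutil | Select-String '^\s*Config:' | Select-Object -First 1
if (-not $configLine) { throw 'No CA config string found; is this the CA host?' }
$config = ($configLine.Line -replace '^\s*Config:\s*', '') -replace '[`"'']', ''
Write-Host "CA config string: $config"

# Step 2: back up the certificate database and log. Only the database is copied;
# the private key stays in Fortanix DSM and is not part of this backup.
certutil -config $config -backupdb $caBackup
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

# Step 3: export the CA certificate as Base-64 encoded X.509 from the machine
# Trusted Root store (the same store the mmc steps use).
$cert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $CaSubject } |
    Select-Object -First 1
if (-not $cert) { throw "CA certificate $CaSubject not found in LocalMachine\Root" }
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----`r`n"
$cerPath = Join-Path $exportDir 'CA_Certificate.cer'
Set-Content -Path $cerPath -Value $pem -Encoding Ascii

# Print the thumbprint so the copy on machine #2 can be checked for tampering.
Write-Host "Exported $cerPath"
Write-Host "SHA-1 thumbprint: $($cert.Thumbprint)"
Get-ChildItem $caBackup -Recurse | Select-Object FullName, Length
```

Copy the CABackup and Export folders to machine #2 and keep the printed thumbprint; the certificate is public, but the thumbprint is what lets you detect a substituted file before you bind a CA to it.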

Steps to Perform on Machine #2

  1. Assuming machine #2 is a clean Windows Server on which AD CS has not been configured, install the Fortanix CNG KSP on it and configure it as described in its readme file, so that it can reach the same DSM group that holds the CA key.
    Figure 11: Install Fortanix CNG on Machine 2
  2. Copy the CABackup and Export folders to the Desktop.
  3. Install the exported X.509 certificate into the Trusted Root Certification Authorities store on machine #2 (choose Local Machine if the import wizard asks for a store location):
    1. Right-click the certificate and click Install.
    2. Click Next.
    3. Select Place all certificates in the following store and click Browse.
    4. Select Trusted Root Certification Authorities and click OK.
    5. Click Next.
    6. Click Finish.
    7. Click OK to close the import success message.
  4. The certificate (SDKMS-CA in this example) now appears under Trusted Root Certification Authorities.
  5. Install the certificate into the machine's Personal (my) store by running the following command from an elevated command prompt:
    certutil -addstore my <certificate file>
    For example:
    certutil -addstore my CA_Certificate.cer
    where CA_Certificate.cer is the certificate exported from machine #1 in Base-64 encoded X.509 (.CER) format.
    Figure 12: Install the certificate
  6. After the command completes, the exported CA certificate is listed in the Personal store, as shown in the following screenshot.
    Figure 13: Exported CA in personal trust store
  7. Now re-associate the certificate with its private key by running the following command from the console:
    certutil -f -repairstore -csp "Fortanix KMS CNG Provider" my "<cert serial number>"
    where "Fortanix KMS CNG Provider" is the name of the Fortanix KSP and <cert serial number> is the serial number of the imported certificate. repairstore looks in the named provider for the private key that matches the certificate's public key and records that link on the certificate; no key material is copied to machine #2.
  8. You can find the cert serial number with the following command:
    certutil -store my
    Figure 14: Cert serial number
  9. Click Start > Server Manager to open Server Manager on machine #2.
  10. Install the AD CS role with the Certification Authority role service, as in Figures 1 and 2.
  11. Configure AD CS with the following settings:
    1. In the Set Up Private Key window, select Use existing private key and then select a certificate and use its associated private key.
    2. In the Existing Certificate window, the imported certificate is shown. Select the certificate and select Allow administrator interaction when the private key is accessed by the CA.
    3. Click Next.
    4. In the Certificate Database window click Next.
    5. In the Confirmation window click Configure.
    6. When the CA installation is complete, click Close in the installation results window.
  12. The CA is now configured on machine #2, as shown in the following screenshots.
    Figure 15: CA configured on machine #2
    Figure 16: CA configured on machine #2
    Now restore the database backup taken on machine #1 by running the following command:
    certutil -restoredb <BackupDirectory>
    The restore expects the CA service (CertSvc) to be stopped, and -f is needed to overwrite the empty database the configuration wizard created. Once the CA is configured, check the logs in Fortanix DSM to confirm that the CA is using the key through the KSP.
    Figure 17: Check logs in Fortanix-DSM
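The machine #2 procedure as one script: import and trust the certificate, bind it to the key in DSM with repairstore, and, after the AD CS wizard has run, restore the database and verify the key pair. This is an added example, not code from the Fortanix article; the paths, the CA subject 'CN=SDKMS-CA', the expected thumbprint and the default KSP name (taken from the repairstore command above) are assumptions.

```powershell
# Added example, not code from the Fortanix article. Run in an elevated PowerShell
# on machine #2 after the Fortanix CNG KSP is installed and configured.
# Assumptions: the folders copied from machine #1 sit under $BackupRoot; the CA
# subject is CN=SDKMS-CA; $Ksp is the provider name shown by certutil -csplist.
param(
    [string]$BackupRoot         = "$env:USERPROFILE\Desktop",
    [string]$CaSubject          = 'CN=SDKMS-CA',
    [string]$ExpectedThumbprint = '',                         # printed on machine #1
    [string]$Ksp                = 'Fortanix KMS CNG Provider'
)
$ErrorActionPreference = 'Stop'
$cerPath  = Join-Path $BackupRoot 'Export\CA_Certificate.cer'
$caBackup = Join-Path $BackupRoot 'CABackup'

# Steps 3-5: trust the CA certificate, checking it was not swapped in transit,
# then put a copy in the machine Personal store, where the AD CS wizard looks
# for "existing certificate" candidates.
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root
if ($ExpectedThumbprint -and $imported.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch: expected $ExpectedThumbprint, got $($imported.Thumbprint)"
}
certutil -addstore my $cerPath
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed ($LASTEXITCODE)" }

# Steps 7-8: look up the serial number and re-associate the certificate with the
# key held in DSM. repairstore searches the named KSP for the key matching the
# certificate's public key and stores that link; no key material is copied here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CaSubject } |
    Select-Object -First 1
if (-not $cert) { throw "Certificate $CaSubject not found in LocalMachine\My" }
certutil -f -repairstore -csp $Ksp my $cert.SerialNumber
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed ($LASTEXITCODE); check the KSP name and the DSM app credentials"
}
$cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $cert.HasPrivateKey) { throw 'repairstore did not attach a private key to the certificate' }
Write-Host "Certificate $($cert.Thumbprint) is bound to a key in '$Ksp'"

# Steps 9-11 are interactive: install AD CS and choose "Use existing certificate".
Read-Host 'Configure the CA in Server Manager with the existing certificate, then press Enter'

# Step 12: restore the database from machine #1 over the empty one the wizard
# created. The restore expects the CA service to be stopped; -f overwrites.
net stop certsvc
certutil -f -restoredb $caBackup
if ($LASTEXITCODE -ne 0) { throw "certutil -restoredb failed ($LASTEXITCODE)" }
net start certsvc

# Final check: the CA certificate and the KSP-held private key must match.
certutil -verifykeys
if ($LASTEXITCODE -ne 0) { throw 'certutil -verifykeys failed: CA certificate and DSM key do not match' }
Write-Host 'CA migrated; key pair verified against Fortanix DSM'
```

If repairstore fails, the usual causes are a KSP name that differs from what certutil -csplist reports, or app credentials on machine #2 that cannot reach the DSM group holding the key; the key itself is never on either Windows host, which is the property the migration preserves.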
