This article describes how to set up a Microsoft PKI service, namely
Active Directory Certificate Services with Fortanix Data Security Manager (DSM).
Before starting, follow the steps in the CNG Developers Guide to install the Fortanix DSM CNG Key Storage Provider.
Use certutil to verify the correct installation of the Fortanix CNG KSP.
Configuring Microsoft Active Directory Certificate Services
- Open Server Manager and select Active Directory Certificate Services (AD CS) as one of the services to install.
Figure 1: Set Active Directory as Service
- Select Certification Authority (CA) as one of the role services to install for AD CS.
Figure 2: Select role services
- The CA installed in the previous step must have a private key to sign and issue certificates to clients. There are 3 ways to associate a private key with the CA:
- By creating a new private key
- By selecting an existing certificate and using its associated private key
- By selecting an existing private key
- The Fortanix DSM KSP supports all the above three options.
Figure 3: All three types of private key support
Creating a New Private Key
To create a new private key:
- Select the Create a new private key option and click Next.
Figure 4: Create a new private key
- If you select the option to create a new private key, you will next be asked to select the cryptographic provider. Select RSA#Fortanix SDKMS Provider as the cryptographic provider if you want to use an RSA key for the CA.
Figure 5: Select cryptographic provider
- After confirming your selections, verify that a new key has been generated in the Fortanix DSM web UI. The CA is now ready to issue certificates.
Figure 6: Verify new key
Backing up, migrating, and restoring CA using an existing certificate and its associated private key
This section describes how to back up the CA and HSM data on the existing server (machine #1), and then migrate the CA and HSM onto a new server (machine #2).
Steps to Perform on Machine#1
- Run the certutil command at the command prompt to extract the config info.
Figure 7: Extract config info
- After you have the Config info, back up the database with the below command.
certutil -config <CA_config_string> -backupdb <BackupDirectory>
Figure 8: Backup the database
- Export the certificate from machine#1.
- In the console, go to File > Add/Remove Snap-in.
- Select the Certificates tab and click Add.
- The certificate snap-in window opens. Select Computer Account and click Next.
- Keep the default selection and click Finish, then click OK.
- Go to the directory Trusted Root Certification Authorities>
- Right-click the CA certificate, click All Tasks > Export, then click Next.
- Select Base-64 encoded X.509 (.CER) and click Next.
- Specify the path and file name to save the certificate and click Next.
- Click Finish.
- Click OK to close the export success message.
Figure 9: Export the certificate from machine 1
- You now have two folders in your saved location: the backup of the CA (CABackup) and the export of the certificate (Export). Copy these two folders to the new machine, that is, machine #2.
Figure 10: Copy the folders on a new machine
Steps to Perform on Machine#2
- Assuming this is a clean Windows Server machine on which no AD CS configuration has been done, install the Fortanix CNG on machine #2 and configure it as per the readme file.
Figure 11: Install Fortanix CNG on Machine 2
- Copy the Export folder to the Desktop location.
- Install the X.509 certificate into the local user Trusted Root CA Store on machine #2.
- Right-click the certificate and click Install.
- Click Next.
- Select Place all certificates in the following store and click Browse.
- Select Trusted Root Certification Authorities and click OK.
- Click Next.
- Click Finish.
- Click OK to close the import success message.
- You will see that the certificate, that is, SDKMS-CA, has been successfully imported into the Trusted Root CA.
- Install the certificate into the my store by running the following command from the command prompt:
certutil -addstore my <certificate name>
For example:
certutil -addstore my CA_Certificate.cer
Certificate.cer is the exported certificate in Base-64 encoded X.509 (.CER) format.
Figure 12: Install the certificate
- After you run the above command, you can find the exported CA in the Personal Trust Store as shown in the following screenshot.
Figure 13: Exported CA in personal trust store
- Now repair the certificate store by running the following command from the console:
certutil -f -repairstore -csp "Fortanix KMS CNG Provider" my "<cert serial number>"
Where Fortanix KMS CNG Provider is the CA provider and <cert serial number> is the serial number of the certificate.
- You can find the cert serial number from the following command.
certutil -store my
Figure 14: Cert serial number
- Now click Start > Server Manager to open the Server Manager on Machine#2.
- Install and configure the CA.
- Install and configure the AD CS with the following settings:
- In the Set Up Private Key window, select Use existing private key and then select a certificate and use its associated private key.
- In the Existing Certificate window, the imported certificate is shown. Select the certificate and select Allow administrator interaction when the private key is accessed by the CA.
- Click Next.
- In the Certificate Database window click Next.
- In the Confirmation window click Configure.
- When the CA installation is complete, click Close in the installation results window.
- You can find the CA configured on Machine#2, as shown in the following screenshot.
Figure 15: Cert serial number
Figure 16: Cert serial number
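The certutil steps above for machine #2 (add the certificate to the my store, look up its serial number, repair the store), scripted as an added example that is not part of the original article or Fortanix's own tooling. The certificate path and the helper names Invoke-CertUtil and Get-FieldValue are assumptions; the script also checks that the provider is registered before it starts and that the repaired store entry is bound to it afterwards.

```powershell
# Added example, run from an elevated PowerShell prompt on machine #2.
$CertPath = "$env:USERPROFILE\Desktop\Export\CA_Certificate.cer"  # assumed location
# Name used with -csp on this page. The setup wizard shows "Fortanix SDKMS Provider";
# use whichever name certutil -csplist reports on your server.
$Provider = 'Fortanix KMS CNG Provider'

function Invoke-CertUtil {
    # Runs certutil, returns its output lines, throws on a non-zero exit code.
    param([string[]]$Arguments)
    $output = & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed:`n$($output -join "`n")"
    }
    $output
}

function Get-FieldValue {
    # Returns the captured value of every certutil output line matching $Pattern
    # (assumes English-language certutil output).
    param([string[]]$Lines, [string]$Pattern)
    $Lines | ForEach-Object { if ($_ -match $Pattern) { $Matches[1] } }
}

# 1. The KSP must be registered before a key can be associated with it.
$registered = Get-FieldValue (Invoke-CertUtil @('-csplist')) '^\s*Provider Name:\s*(.+?)\s*$'
if ($registered -notcontains $Provider) {
    throw "'$Provider' is not listed by certutil -csplist. Install the CNG KSP first."
}

# 2. Read the serial number from the exported file instead of copying it by hand.
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$serial = $cert.SerialNumber

# 3. The same two commands as in the steps above.
Invoke-CertUtil @('-addstore', 'my', $CertPath) | Out-Null
Invoke-CertUtil @('-f', '-repairstore', '-csp', $Provider, 'my', $serial) | Out-Null

# 4. Confirm the store entry now points at the Fortanix KSP and not at a local
#    software provider, which would mean the CA key is not held in DSM.
$bound = Get-FieldValue (Invoke-CertUtil @('-store', 'my', $serial)) '^\s*Provider\s*=\s*(.+?)\s*$'
if (-not $bound -or @($bound | Where-Object { $_ -ne $Provider })) {
    throw "Certificate $serial is bound to '$bound', expected '$Provider'."
}
"CA certificate '$($cert.Subject)' (serial $serial) is bound to '$Provider'."
```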
Now you can restore the backup of the certificate database by running the following command:
certutil -restoredb <BackupDirectory>
Once the CA certificate is successfully configured, you can then check the Fortanix DSM Certificate logs.
Figure 17: Check logs in Fortanix-DSM