This article describes how to set up a Microsoft PKI service, namely Active Directory Certificate Services (AD CS), with Fortanix SDKMS, so that the private key the CA uses to sign certificates is generated and held in SDKMS rather than on the CA server.
Before starting, follow the steps in the CNG Developer's Guide to install the Fortanix SDKMS CNG Key Storage Provider (KSP), then use certutil to verify that the Fortanix KSP is installed correctly and is listed among the system's cryptographic providers.
Configuring Microsoft Active Directory Certificate Services
Open Server Manager and select Active Directory Certificate Services (AD CS) as one of the roles to install. When asked which role services to install for AD CS, select Certification Authority (CA).
The CA installed in the previous step must have a private key to sign and issue certificates to clients. There are 3 ways to associate a private key with the CA:
- By creating a new private key
- By selecting an existing certificate and using its associated private key
- By selecting an existing private key
The Fortanix SDKMS KSP supports all the above three options.
If you select the option to create a new private key, you are next asked to choose the cryptographic provider. AD CS lists providers in the form algorithm#provider, so select RSA#Fortanix SDKMS Provider if you want an RSA key for the CA; the KSP then generates the key inside SDKMS.
After confirming your selections, verify in the SDKMS web UI that a new key has been created for the CA. The CA is now ready to issue certificates; every signing operation is performed by SDKMS through the KSP, and the private key never leaves SDKMS.
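The same procedure as an unattended PowerShell script, added here as an example; it is not taken from the Fortanix documentation or the KSP package. It checks that the KSP is registered, installs the AD CS role and CA role service, configures the CA against the RSA#Fortanix SDKMS Provider, and then reads back the CA's provider configuration. The CA common name, CA type, key length, hash algorithm and validity period are assumed values chosen for illustration; pick them according to your own PKI design.

```powershell
# Added example (not from the original page): unattended equivalent of the
# Server Manager steps above. Run in an elevated PowerShell on the CA server.

$ProviderName   = "Fortanix SDKMS Provider"
# AD CS identifies a provider as "<algorithm>#<KSP name>"; RSA# selects an RSA CA key.
$CryptoProvider = "RSA#$ProviderName"

# 1. Confirm the Fortanix KSP is registered with CNG before touching AD CS.
#    'certutil -csplist' prints every CSP/KSP known to the system.
$providers = certutil -csplist
if (-not ($providers | Select-String -SimpleMatch $ProviderName)) {
    throw "'$ProviderName' not found in 'certutil -csplist'; install the KSP per the CNG Developer's Guide first."
}

# 2. Install the AD CS role together with the Certification Authority role service.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 3. Configure the CA, letting the KSP create a new private key in SDKMS.
#    This is the "create a new private key" path. For the other two options the
#    cmdlet accepts -KeyContainerName (existing key) or -CertFile/-CertFilePassword
#    (existing certificate and its key) instead of generating a key.
#    Assumed values: EnterpriseRootCA (requires a domain-joined server and
#    Enterprise Admin rights), the common name, 3072-bit RSA, SHA-256, 10 years.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "Example Root CA" `
    -CryptoProviderName $CryptoProvider `
    -KeyLength 3072 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# 4. Verify from the Windows side. The CA's CSP registry subkey should name the
#    Fortanix provider, and the CA's key container should be visible through the KSP
#    (only a handle is listed here; the private material stays in SDKMS). Cross-check
#    with the new key shown in the SDKMS web UI.
certutil -getreg ca\csp
certutil -csp $ProviderName -key
```

One caveat that applies to any KSP backed by a remote key service: the signing calls are made by the Active Directory Certificate Services service process, not by the interactive session in which you installed the KSP. If step 3 succeeds but the CA later fails to sign or does not start, confirm that the KSP can reach and authenticate to SDKMS from that service context before looking elsewhere.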