This article describes how to set up a Microsoft PKI service, namely Active Directory Certificate Services (AD CS), with Fortanix Self-Defending KMS as the key store for the CA's private key.
Before starting, follow the steps in the CNG Developers Guide to install the Fortanix Self-Defending KMS CNG Key Storage Provider (KSP). Then use certutil to verify that the Fortanix CNG KSP is installed correctly: certutil -csplist lists every registered CSP and KSP on the machine, and certutil -csp <ProviderName> -csptest exercises a provider end to end (key creation and signing), which also proves that the KSP can reach Self-Defending KMS.
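As an added example (not part of the Fortanix guide), the following PowerShell script automates that prerequisite check. It assumes the KSP registers under the name "Fortanix SDKMS Provider", which is the page's "RSA#Fortanix SDKMS Provider" string without the algorithm prefix; substitute the exact name that certutil -csplist prints on your machine.

```powershell
# Added example, not from the Fortanix guide. Confirms the Fortanix CNG KSP is
# registered and working before AD CS is configured to depend on it.
# Assumption: the provider name below matches what certutil -csplist prints.
$kspName = 'Fortanix SDKMS Provider'

# certutil -csplist prints one "Provider Name: <name>" line per registered CSP/KSP.
$providers = (certutil -csplist) -match '^Provider Name:' |
    ForEach-Object { ($_ -split ':', 2)[1].Trim() }

if ($providers -notcontains $kspName) {
    Write-Error ("KSP '$kspName' is not registered. Registered providers:`n" +
                 ($providers -join "`n"))
    exit 1
}
Write-Host "Found KSP: $kspName"

# -csptest creates a test key, signs with it and verifies the signature through
# the provider. For the Fortanix KSP this fails if SDKMS is unreachable or the
# KSP's credentials are wrong, so it is the check to run before the CA wizard.
certutil -csp $kspName -csptest
if ($LASTEXITCODE -ne 0) {
    Write-Error "certutil -csptest failed; check the KSP configuration and SDKMS connectivity."
    exit 1
}

# Lists the key containers the provider already holds (empty on a fresh install).
# The names shown here are what the "Select existing private key" option needs.
certutil -csp $kspName -key
```

Run it from an elevated PowerShell prompt on the future CA server; a non-zero exit from either certutil call means the KSP is not ready and the wizard will fail at the cryptographic-provider step.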
Configuring Microsoft Active Directory Certificate Services
Open Server Manager and select Active Directory Certificate Services (AD CS) as one of the services to install.
Figure 1: Set Active Directory as Service
Select Certification Authority (CA) as one of the role services to install for AD CS.
Figure 2: Select role services
The CA installed in the previous step must have a private key to sign and issue certificates to clients. There are three ways to associate a private key with the CA:
- By creating a new private key
- By selecting an existing certificate and using its associated private key
- By selecting an existing private key
The Fortanix Self-Defending KMS KSP supports all the above three options.
Figure 3: All three types of private key support
Creating a New Private Key
Figure 4: Create a new private key
If you select the option to create a new private key, you will next be asked to select the cryptographic provider. Select RSA#Fortanix SDKMS Provider as the cryptographic provider if you want to use an RSA key for the CA.
Figure 5: Select cryptographic provider
After confirming your selections, verify that a new key has been generated in the Fortanix Self-Defending KMS web UI. The CA is now ready to issue certificates.
Figure 6: Verify new key
Using Existing Private Key
Select Existing Certificate and its Associated Private Key
Figure 7: Verify new key
If you choose to use an existing certificate and the private key associated with it, the wizard lists the certificates previously issued to this server; select the one to reuse and the CA is re-configured with that certificate and its key.
Figure 8: Reconfigure previously issued certificate
Select Existing Private Key
Figure 9: Select existing private key
- Select the criteria for the key. In our case, it is the Fortanix KMS CSP.
Figure 10: Select key criteria
- Then follow the AD CS Configuration process and supply:
- Cryptography: Fortanix KMS CSP
- Hash Algorithm: the screenshots show sha1. SHA-1 certificate signatures are deprecated and are rejected by current browsers and operating systems, so select SHA256 (or stronger) for any new CA.
- CA Name
- The validity period of the CA certificate
- Certificate Database Location and Log
- Click Configure.
- You will find the configuration details in the AD CS Configuration summary.
Figure 11: AD CS Configuration
- Once configured, the Results page shows the configuration success screen.
Figure 13: Configuration success
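The whole wizard walk-through above can also be done unattended with the ADCSDeployment cmdlets. The script below is an added example, not Fortanix's own script: it covers the same three key-source choices (new key, existing private key, existing certificate) and ends with the post-install checks the guide does in the Self-Defending KMS web UI. The CA name, directories, validity, key-container name and PFX path are placeholders; the provider string is the one the page shows.

```powershell
# Added example, not from the Fortanix guide. Unattended equivalent of the
# AD CS Configuration wizard with the three private-key options.
# Assumptions: all names, paths and the validity period are placeholders.
$provider  = 'RSA#Fortanix SDKMS Provider'   # "<Algorithm>#<KSP name>", as in the wizard
$caName    = 'CORP-ROOT-CA'                  # placeholder CA name
$keySource = 'NewKey'                        # 'NewKey' | 'ExistingKey' | 'ExistingCert'

# Role installation (Figures 1 and 2).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# Settings common to every key source (CA name, database and log location).
$common = @{
    CAType            = 'EnterpriseRootCA'                 # StandaloneRootCA outside a domain
    CACommonName      = $caName
    DatabaseDirectory = 'C:\Windows\System32\CertLog'
    LogDirectory      = 'C:\Windows\System32\CertLog'
    Force             = $true
}

switch ($keySource) {
    'NewKey' {
        # Option 1: the KSP generates the CA key inside Self-Defending KMS.
        # SHA256 rather than the wizard's sha1: SHA-1 signatures are rejected by modern clients.
        Install-AdcsCertificationAuthority @common `
            -CryptoProviderName $provider `
            -KeyLength 3072 `
            -HashAlgorithmName SHA256 `
            -ValidityPeriod Years -ValidityPeriodUnits 10
    }
    'ExistingKey' {
        # Option 3: reuse a key container that already lives in Self-Defending KMS
        # (list candidates with: certutil -csp "Fortanix SDKMS Provider" -key).
        Install-AdcsCertificationAuthority @common `
            -CryptoProviderName $provider `
            -KeyContainerName 'CORP-ROOT-CA-key' `
            -HashAlgorithmName SHA256 `
            -ValidityPeriod Years -ValidityPeriodUnits 10
    }
    'ExistingCert' {
        # Option 2: the cmdlet takes a PFX; the wizard instead picks a certificate
        # from the machine store whose key is already held by the KSP (Figure 8).
        $pfxPassword = Read-Host -AsSecureString 'PFX password'
        Install-AdcsCertificationAuthority @common `
            -CertFile 'C:\ca\CORP-ROOT-CA.pfx' `
            -CertFilePassword $pfxPassword
    }
}

# Post-install checks, the CLI counterpart of Figure 6:
# 1. the CA certificate exists in the machine store,
# 2. the CA can reach its private key through the KSP (signature round-trip).
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$caName*" }
if (-not $caCert) { Write-Error "CA certificate for $caName not found"; exit 1 }
Write-Host "CA certificate thumbprint: $($caCert.Thumbprint)"

certutil -verifykeys
if ($LASTEXITCODE -ne 0) {
    Write-Error 'certutil -verifykeys failed: the CA cannot use its private key via the KSP.'
    exit 1
}
certutil -cainfo
```

certutil -verifykeys is the check worth keeping in a runbook: it signs and verifies with the CA key through the configured provider, so it catches a KSP that is registered but can no longer reach Self-Defending KMS, which the success screen of the wizard does not reveal.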