Using Fortanix Self-Defending KMS with Microsoft PKI – Fortanix

Overview

This article describes how to set up a Microsoft PKI service, namely Active Directory Certificate Services with Fortanix Self-Defending KMS.

Before starting, follow the steps in the CNG Developers Guide to install the Fortanix Self-Defending KMS CNG Key Storage Provider.

Use certutil to verify the correct installation of the Fortanix CNG KSP.

Configuring Microsoft Active Directory Certificate Services

Open Server Manager and select Active Directory Certificate Services (AD CS) as one of the services to install.

acs_select
Figure 1: Set Active Directory as Service

Select Certification Authority (CA) as one of role services to install for AD CS.

ca_select
Figure 2: Select role services

The CA installed in the previous step must have a private key to sign and issue certificates to clients. There are 3 ways to associate a private key with the CA:

By creating a new private key
By selecting an existing certificate and using its associated private key
By selecting an existing private key

The Fortanix Self-Defending KMS KSP supports all the above three options.

private_key
Figure 3: All three types of private key support

Creating a New Private Key

Figure 4: Create a new private key

If you select the option to create a new private key, you will next be asked to select the cryptographic provider. Select RSA#Fortanix SDKMS Provider as the cryptographic provider if you want to use an RSA key for the CA.

Figure 5: Select cryptographic provider

After confirming your selections, verify that a new key has been generated in the Fortanix Self-Defending KMS web UI. The CA is now ready to issue certificates.

8.0.png
Figure 6: Verify new key

Backing up, migrating, and restoring CA using an existing certificate and its associated private key

To back up the CA and HSM data on the existing server (machine #1), and then migrate the CA and
HSM onto a new server (machine #2)

Steps to Perform on Machine#1

Run the certutil command on the command prompt to extract the config info.
Figure 7: Extract config info
Once you have the Config info then backup the database with the below command.
```
certutil -config <CA_config_string> -backupdb <BackupDirectory>
```
For example:

Figure 8: Backup the database
Export the certificate from machine#1.
- Run mmc.
- In the console, go to File > Add/Remove Snap-in.
- Select the Certificates tab and click Add.
- The certificate snap-in window opens. Select Computer Account and click Next.
- Keep the default selection and click Finish, then click OK.
- Go to the directory Trusted Root Certificates > Certificates.
- Right-click the CA certificate, and click All Tasks > Export, then click Next.
- Select Base-64 encoded X.509 (.CER) and click Next.
- Specify the path and file name to save the certificate and click Next.
- Click Finish.
- Click OK to close the export success message.
  Figure 9: Export the certificate from machine 1
Now you will be having two folders in your saved location, that is, Backup of the CA and Export of the certificate. Copy these two folders on a new machine, which is machine #2.
Figure 10: Copy the folders on a new machine

Steps to Perform on Machine#2

Considering this is a clean Windows Server machine where no configuration has been done for ADCS, install the Fortanix CNG in machine#2 and configure it as per the readme file.
Figure 11: Install Fortanix CNG on Machine 2
Copy the Backup1 and Export folder to the Desktop location.
Install the X.509 certificate into the local user Trusted Root CA Store on machine #2.
- Right-click the certificate and click Install.
- Click Next.
- Select Place all certificates in the following store and click Browse.
- Select Trusted Root Certification Authorities and click OK.
- Click Next.
- Click Finish.
- Click OK to close the import success message.
You will see the certificate, that is, SDKMS-CA has been successfully imported in the Trusted Root CA.
Install the certificate into my store, by running the following command from the command prompt terminal:
```
certutil -addstore my <certificate name>
```
Example:
```
certutil -addstore my CA_Certificate.cer
```
Where Certificate.cer is the exported certificate in Base-64 encoded X.509 (.CER)
Figure 12: Install the certificate
Once you run the above command you can find the exported CA in the Personal Trust Store as shown in the below screenshot.
Figure 13: Exported CA in personal trust store
Now repair the certificate store by running the following command from the console:
```
certutil -f -repairstore -csp "Fortanix KMS CNG Provider" my "<cert serial number>" 
```
Where Fortanix KMS CNG Provider is the CA Provider and cert serial number.
You can find the cert serial number from the following command.
```
certutil -store my
```
For example:

Figure 14: Cert serial number
Now click Start>Server Manager to open the Server Manager on Machine#2.
Install and configure the CA.
Install and configure the AD CS with the following settings:
- In the Set Up Private Key window, select Use existing private key and then select a certificate and use its associated private key.
- In the Existing Certificate window, the imported certificate is shown. Select the certificate and select Allow administrator interaction when the private key is accessed by the CA.
- Click Next.
- In the Certificate Database window click Next.
- In the Confirmation window click Configure.
- When the CA installation is complete, click Close in the installation results window.
You can find the CA configured on machine#2, as shown in the below screenshot.
Figure 15: Cert serial number

Figure 16: Cert serial number
Now you can restore the backup of the DB Certificate by running the following command.
```
certutil -restoredb <BackupDirectory>
```
Once the CA certificate is successfully configured, you can then check the Fortanix Self-Defending KMS Certificate logs.
Figure 17: Check logs in Fortanix-Self Defending KMS