Overview
This article describes how to set up a Microsoft PKI service, namely Active Directory Certificate Services
with Fortanix Self-Defending KMS.
Before starting, follow the steps in the CNG Developers Guide to install the Fortanix Self-Defending KMS CNG Key Storage Provider.
Use certutil to verify the correct installation of the Fortanix CNG KSP.
Configuring Microsoft Active Directory Certificate Services
Open Server Manager and select Active Directory Certificate Services (AD CS) as one of the services to install.
Figure 1: Set Active Directory as Service
Select Certification Authority (CA) as one of the role services to install for AD CS.
Figure 2: Select role services
The CA installed in the previous step must have a private key to sign and issue certificates to clients. There are 3 ways to associate a private key with the CA:
- By creating a new private key
- By selecting an existing certificate and using its associated private key
- By selecting an existing private key
The Fortanix Self-Defending KMS KSP supports all the above three options.
Figure 3: All three types of private key support
Creating a New Private Key
Figure 4: Create a new private key
If you select the option to create a new private key, you will next be asked to select the cryptographic provider. Select RSA#Fortanix SDKMS Provider as the cryptographic provider if you want to use an RSA key for the CA.
Figure 5: Select cryptographic provider
After confirming your selections, verify that a new key has been generated in the Fortanix Self-Defending KMS web UI. The CA is now ready to issue certificates.
Figure 6: Verify new key
Backing up, migrating, and restoring CA using an existing certificate and its associated private key
This section describes how to back up the CA and HSM data on the existing server (machine #1), and then migrate the CA and HSM onto a new server (machine #2).
Steps to Perform on Machine#1
- Run the certutil command on the command prompt to extract the config info.
Figure 7: Extract config info
- Once you have the config info, back up the database with the following command.
certutil -config <CA_config_string> -backupdb <BackupDirectory>
For example:
Figure 8: Backup the database
- Export the certificate from machine #1.
- Run mmc.
- In the console, go to File > Add/Remove Snap-in.
- Select the Certificates tab and click Add.
- The certificate snap-in window opens. Select Computer Account and click Next.
- Keep the default selection and click Finish, then click OK.
- Go to the directory Trusted Root Certificates > Certificates.
- Right-click the CA certificate, and click All Tasks > Export, then click Next.
- Select Base-64 encoded X.509 (.CER) and click Next.
- Specify the path and file name to save the certificate and click Next.
- Click Finish.
- Click OK to close the export success message.
Figure 9: Export the certificate from machine 1
- You will now have two folders in the location you chose: the backup of the CA and the exported certificate. Copy both folders to the new machine, which is machine #2.
Figure 10: Copy the folders on a new machine
Steps to Perform on Machine#2
- Assuming machine #2 is a clean Windows Server where AD CS has not yet been configured, install the Fortanix CNG KSP on machine #2 and configure it as described in the readme file.
Figure 11: Install Fortanix CNG on Machine 2
- Copy the Backup1 and Export folders to the Desktop.
- Install the X.509 certificate into the local user Trusted Root CA Store on machine #2.
- Right-click the certificate and click Install.
- Click Next.
- Select Place all certificates in the following store and click Browse.
- Select Trusted Root Certification Authorities and click OK.
- Click Next.
- Click Finish.
- Click OK to close the import success message.
- The certificate (SDKMS-CA) now appears in the Trusted Root CA store, confirming that it was imported successfully.
- Install the certificate into the Personal (my) store by running the following command from the command prompt:
certutil -addstore my <certificate name>
Example:
certutil -addstore my CA_Certificate.cer
Where CA_Certificate.cer is the exported certificate in Base-64 encoded X.509 (.CER) format.
Figure 12: Install the certificate
- After running the above command, the exported CA appears in the Personal trust store, as shown in the screenshot below.
Figure 13: Exported CA in personal trust store
- Now repair the certificate store by running the following command from the console:
certutil -f -repairstore -csp "Fortanix KMS CNG Provider" my "<cert serial number>"
Where Fortanix KMS CNG Provider is the CA's key storage provider and <cert serial number> is the serial number of the imported CA certificate. This step re-associates the imported certificate with its private key held in Fortanix Self-Defending KMS.
- You can find the certificate serial number with the following command.
certutil -store my
For example:
Figure 14: Cert serial number
- Now click Start > Server Manager to open Server Manager on machine #2.
- Install and configure the CA.
- Install and configure the AD CS with the following settings:
- In the Set Up Private Key window, select Use existing private key and then select a certificate and use its associated private key.
- In the Existing Certificate window, the imported certificate is shown. Select the certificate and select Allow administrator interaction when the private key is accessed by the CA.
- Click Next.
- In the Certificate Database window click Next.
- In the Confirmation window click Configure.
- When the CA installation is complete, click Close in the installation results window.
- The CA is now configured on machine #2, as shown in the screenshots below.
Figure 15: Cert serial number
Figure 16: Cert serial number
Now restore the backup of the CA database by running the following command.
certutil -restoredb <BackupDirectory>
Once the CA certificate is successfully configured, you can then check the Fortanix Self-Defending KMS Certificate logs.
Figure 17: Check logs in Fortanix Self-Defending KMS
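The machine #1 and machine #2 steps above, collected into one PowerShell script so that each certutil call is checked for failure and the certificate imported on machine #2 is verified to be the one exported from machine #1. This is an added example, not a Fortanix or Microsoft script. It assumes the CA name SDKMS-CA, the provider name "Fortanix KMS CNG Provider" and the folder names Backup1 and Export exactly as quoted in this article, and it uses the computer (LocalMachine) certificate stores throughout; the CA configuration string passed to Backup-CaAndExportCert is the one shown by certutil in Figure 7. The AD CS role itself is still configured in Server Manager (Figures 15 and 16) between Import-CaCertAndRebindKey and Restore-CaDatabase, as in the article.

```powershell
# Added example (not Fortanix's or Microsoft's own code). Assumed values: CA name
# "SDKMS-CA", provider "Fortanix KMS CNG Provider", folders Backup1 and Export.
# Run all three functions in an elevated PowerShell session.

# ---------- Machine #1: back up the CA database and export the CA certificate ----------
function Backup-CaAndExportCert {
    param(
        [Parameter(Mandatory)] [string]$CaConfigString,   # "HOST\SDKMS-CA" form shown by certutil (Figure 7)
        [string]$CaSubject = 'SDKMS-CA',
        [string]$BackupDir = "$env:USERPROFILE\Desktop\Backup1",
        [string]$ExportDir = "$env:USERPROFILE\Desktop\Export"
    )
    # certutil -backupdb refuses a non-empty target directory, so create fresh folders
    New-Item -ItemType Directory -Force -Path $BackupDir, $ExportDir | Out-Null

    certutil -config $CaConfigString -backupdb $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

    # Locate the CA certificate in the computer's Trusted Root store (the MMC steps above)
    $caCert = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaSubject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "CA certificate '$CaSubject' not found in Trusted Root store" }

    # Export as DER, then convert to the Base-64 encoded X.509 (.CER) form the article uses
    $derPath = Join-Path $ExportDir 'CA_Certificate.der'
    $cerPath = Join-Path $ExportDir 'CA_Certificate.cer'
    Export-Certificate -Cert $caCert -FilePath $derPath -Type CERT -Force | Out-Null
    certutil -encode $derPath $cerPath | Out-Null
    Remove-Item $derPath

    # Record the thumbprint so machine #2 can prove it imported the same certificate
    $caCert.Thumbprint | Set-Content (Join-Path $ExportDir 'CA_Certificate.thumbprint')
    return $caCert.Thumbprint
}

# ---------- Machine #2: check the KSP, import the certificate, rebind its KMS-held key ----------
function Import-CaCertAndRebindKey {
    param(
        [string]$ProviderName = 'Fortanix KMS CNG Provider',
        [string]$ExportDir    = "$env:USERPROFILE\Desktop\Export"
    )
    # Precondition from the Overview: the Fortanix KSP must be registered before anything else
    if (-not (certutil -csplist | Select-String -SimpleMatch $ProviderName)) {
        throw "Provider '$ProviderName' is not listed by certutil -csplist; install the Fortanix CNG KSP first"
    }

    $cerPath  = Join-Path $ExportDir 'CA_Certificate.cer'
    $expected = (Get-Content (Join-Path $ExportDir 'CA_Certificate.thumbprint')).Trim()

    # Trusted Root import (the Install wizard steps) plus the Personal store (certutil -addstore my)
    $imported = Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root
    if ($imported.Thumbprint -ne $expected) { throw "Imported certificate does not match the one exported from machine #1" }
    certutil -addstore my $cerPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

    # Serial number as listed by certutil -store my, used to re-associate the cert with the KSP key
    $cert = Get-Item "Cert:\LocalMachine\My\$expected"
    certutil -f -repairstore -csp $ProviderName my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

    # HasPrivateKey becomes true only once the store entry points at the provider-held key;
    # checking it here catches a wrong provider name or serial number before AD CS is configured
    $cert = Get-Item "Cert:\LocalMachine\My\$expected"
    if (-not $cert.HasPrivateKey) { throw "Certificate still has no private key binding after repairstore" }
    return $cert.SerialNumber
}

# ---------- Machine #2, after AD CS has been configured with the existing certificate ----------
function Restore-CaDatabase {
    param([string]$BackupDir = "$env:USERPROFILE\Desktop\Backup1")
    # Stop the CA service so it does not hold the database open during the restore
    Stop-Service certsvc
    certutil -restoredb $BackupDir
    $rc = $LASTEXITCODE
    Start-Service certsvc
    if ($rc -ne 0) { throw "certutil -restoredb failed with exit code $rc" }
}
```

The thumbprint file is the only addition to the article's procedure: comparing it on machine #2 guards against importing a stale or wrong .CER from the Export folder, and the HasPrivateKey check after -repairstore surfaces a mistyped provider name or serial number before the AD CS wizard is run, rather than as a failure when the CA first tries to sign.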