See more

Using Self-Defending KMS with Microsoft PKI

  • Last updated:
  • access_time Reading time:

Overview

This article describes how to set up a Microsoft PKI service, namely Active Directory Certificate Services with Self-Defending KMS.

Before starting, follow the steps in the CNG Developers Guide to install the Fortanix Self-Defending KMS CNG Key Storage Provider.

Use certutil to verify the correct installation of the Fortanix CNG KSP.

Configuring Microsoft Active Directory Certificate Services

Open Server Manager and select Active Directory Certificate Services (AD CS) as one of the services to install.

acs_select
                                            Figure 1: Set Active Directory as Service

Select Certification Authority (CA) as one of role services to install for AD CS.

ca_select
                                                       Figure 2: Select role services

The CA installed in the previous step must have a private key to sign and issue certificates to clients. There are 3 ways to associate a private key with the CA:

  • By creating a new private key
  • By selecting an existing certificate and using its associated private key
  • By selecting an existing private key

The Fortanix Self-Defending KMS KSP supports all the above three options.

private_key
                                                            Figure 3: All three types of private key support

Creating a New Private Key

1.png
                                                            Figure 4: Create a new private key 

If you select the option to create a new private key, you will next be asked to select the cryptographic provider. Select RSA#Fortanix SDKMS Provider as the cryptographic provider if you want to use an RSA key for the CA.

provider
                                                              Figure 5: Select cryptographic provider

After confirming your selections, verify that a new key has been generated in the Fortanix Self-Defending KMS web UI. The CA is now ready to issue certificates.

sdkms_ui.png
                                                                        Figure 6: Verify new key

Using Existing Private Key

Select Existing Certificate and its Associated Private Key

2.1.png
                                                                        Figure 7: Verify new key

If you select to use the certificate and the private key associated with the previously issued certificate, then you will find all the certificates previously issued and have to re-configure the same.

4.png
                                                   Figure 8: Reconfigure previously issued certificate

Select Existing Private Key

3.1.png
                                                           Figure 9: Select existing private key

  1. Select the criteria of the key. In our case, it would Fortanix KMS CSP. 5.png
                                                                         Figure 10: Select key criteria
  2. Then follow the process for AD CS Configuration.
    • Cryptography: Fortanix KMS CSP
    • Hash Algorithm: sha1
    • CA Name
    • The validity of the certificate
    • Certificate Database Location and Log
    • Confirmation
  3. Click Configure.
  4. You will find the configuration details in AD CS Configuration 6.png
                                                                         Figure 11: AD CS Configuration
  5. Once configured, you can then find the configuration success screen in the Results. 7.png
                                                                      Figure 13: Configuration success