Migrating Private Key from Microsoft AD CS Certificate Authority to Fortanix Data Security Manager


This article describes how to migrate a private key from an existing Microsoft Active Directory Certificate Services (AD CS) Certificate Authority (CA) to Fortanix Data Security Manager (DSM).


This document assumes that the following are already enabled and in use:

  • The Microsoft Domain Name System (DNS) server role is enabled and configured on the server.
  • The Microsoft AD CS server role is enabled, and the CA is configured.

Back-Up Existing CA Certificates

Check the certificates that have been issued by the existing Windows CA server. The following figure shows that the CA server has issued five certificates so far. Figure 1: Windows CA server certificates

Back up the existing CA certificate using the following steps:

  1. On the Windows Server where the Microsoft AD CS role is installed:
    1. Go to Start.
    2. Find and run certsrv.msc.
    3. Press Enter to open the Certification Authority window. Figure 2: Certificate authority
  2. Right-click the CA and in the menu select All Tasks -> Back up CA… Figure 3: Back up CA
  3. In the Certification Authority Backup Wizard, click Next to choose a location to save the certificate and database. Figure 4: CA backup wizard
  4. Select the check boxes “Private key and CA certificate” and “Certificate database and certificate database log”. Figure 5: CA backup wizard
  5. Click Next to set the password for the private key. Click Next again and then click Finish. The certificate and database backup will now be available in the backup location.

Export the Certificate and Remove it from Trusted Root CA

In this section, you will learn how to export the CA certificate and remove the AD CS role from the server.

View the Certificates of the Local Computer

  1. Go to Start.
  2. Find and run mmc. Press Enter. Figure 6: Run MMC
  3. In the Console window that opens, click the File menu and select Add/Remove Snap-in. Figure 7: Add snap-in
  4. In the Available snap-ins section, select Certificates and click Add to configure the certificate snap-in. Figure 8: Configure certificate
  5. In the Certificates snap-in window, select Computer account and click Next. Figure 9: Manage certificate for computer account
  6. In the Select Computer window, select Local computer as the computer that the snap-in will manage. Click Finish. Figure 10: Select computer
  7. Click Ok to close the window. Figure 11: Certificate snap-in configured
  8. You will now see all the certificates of the local computer. Figure 12: Certificates of local computer

Export the Certificate

  1. Under the Console Root folder in the left panel, click the Trusted Root Certification Authorities folder and then click the Certificates folder on the right. Figure 13: Trusted root CA certificates
  2. From the available certificates, right-click the fortanix-server-CA certificate, go to All Tasks in the menu, and click Export to export the certificate to a local folder. Then remove it from the Trusted Root Certification Authorities folder. Figure 14: Export certificate
  3. Under the Console Root folder in the left panel, select the Personal folder and delete any available certificates.

Remove AD CS Role from the Server

  1. To remove the AD CS role:
    1. Go to the Server Manager Dashboard.
    2. In the top-right menu, click Manage and select Remove Roles and Features. Figure 15: Remove roles and features
    3. In the Remove Roles and Features Wizard screen, select Server Roles in the left panel, and clear the checkbox for Active Directory Certificate Services to remove the AD CS role.
    4. Click Next in the following screens to remove the role and feature. Figure 16: Remove AD CS
    5. Reboot the server.

Configure Certificate Authority

Import Key in Fortanix DSM

  1. Using the command prompt, open the folder where the private key was saved.
  2. Using OpenSSL, extract the CA private key from the .p12 backup file to a .key file, and then convert it to an RSA .pem file.
  3. Log in to Fortanix DSM and create a group.
  4. Create an app with interface type CNG and make a note of the API key, which is required for the next step.
  5. Create a security object, import the RSA key that was generated in step 2 above, and click IMPORT. Figure 17: Import CA
  6. Install the Microsoft CNG Key Storage Provider by following the article here and run the following commands.

    You will see activity logs similar to those in Figure 18. Figure 18: App authentication activity logs
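The OpenSSL step in point 2 above, as an added PowerShell example that is not code from the Fortanix article; it also checks that the extracted key matches the exported CA certificate before anything is imported into DSM. The file names, the backup password prompt and the presence of OpenSSL on PATH are assumptions.

```powershell
# Added example, not part of the Fortanix article. Extracts the CA private key from the
# PKCS#12 backup written by the "Back up CA" wizard and checks that it matches the CA
# certificate exported from the MMC Certificates snap-in.
# Assumptions: file names below are placeholders; openssl.exe is on PATH.
$Backup = ".\fortanix-server-CA.p12"     # produced by the Certification Authority Backup Wizard
$CaCert = ".\fortanix-server-CA.cer"     # Base-64 encoded X.509 export of the CA certificate
$Password = Read-Host "Password set in the backup wizard" -AsSecureString
$Plain = [System.Net.NetworkCredential]::new("", $Password).Password

# Step 2a: .p12 -> .key (PEM private key, left unencrypted so 'openssl rsa' can read it).
# The password is fed on stdin rather than the command line so it does not appear in process listings.
$Plain | openssl pkcs12 -in $Backup -nocerts -nodes -passin stdin -out ca.key
if ($LASTEXITCODE -ne 0) {
    # OpenSSL 3.x rejects the RC2/3DES PBE algorithms that older Windows versions use in
    # .p12 files unless the legacy provider is loaded; retry with -legacy in that case.
    $Plain | openssl pkcs12 -legacy -in $Backup -nocerts -nodes -passin stdin -out ca.key
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed (exit code $LASTEXITCODE)" }
}

# Step 2b: .key -> .pem in RSA PEM form, the file imported as a security object in DSM.
openssl rsa -in ca.key -out ca.pem
if ($LASTEXITCODE -ne 0) { throw "openssl rsa failed (exit code $LASTEXITCODE)" }

# Check: the key's public modulus must equal the CA certificate's modulus, otherwise the
# wrong key is about to be migrated.
$keyMod  = (openssl rsa  -in ca.pem  -noout -modulus | Out-String).Trim()
$certMod = (openssl x509 -in $CaCert -noout -modulus | Out-String).Trim()
if ($keyMod -ne $certMod) { throw "ca.pem does not match $CaCert" }
Write-Host "ca.pem matches $CaCert. Import ca.pem into Fortanix DSM, then delete the local copy."

# The unencrypted intermediate is identical in content to ca.pem and is no longer needed.
Remove-Item ca.key
```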

Install X.509 Certificate in Local User Trusted Root CA Store

To install the X.509 certificate that was exported in the Export the Certificate section above into the local user Trusted Root CA store:

  1. Right-click the certificate and click Install.
  2. Click Next. Figure 19: Install certificate
  3. Select Place all certificates in the following store and click Browse.
  4. Select Trusted Root Certification Authorities and click Ok. Figure 20: Select certificate store
  5. Click Next.
  6. Click Finish.
  7. Click Ok to close the import success message.
  8. You will now see that the certificate fortanix-server-CA has been successfully imported into the Trusted Root CA store.

Install CA Certificate in the Personal Store

To install the certificate into your store:

  1. Run the following command from the command prompt terminal:
    certutil -addstore my <certificate name>

    Where fortanix-server-CA is the exported certificate in Base-64 encoded X.509 (.CER) format.
  2. Once you run the command above, you can find the exported CA in the Personal Trust Store as shown in Figure 21. Figure 21: CA installed in personal trust store
  3. You can find the certificate serial number with the following command:
    certutil -store my
  4. Now repair the certificate store by running the following command from the console:
    certutil -f -repairstore -csp "Fortanix KMS CNG Provider" my "<cert serial number>"
  5. The repair operation will not be allowed because the private key is restricted from being exported from Fortanix DSM, which protects the key's integrity.
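The certutil steps above as one added PowerShell script (not code from the Fortanix article): it looks up the serial number from the store instead of copying it by hand, runs the repair, and then reports which key storage provider backs the certificate. The exported file name and certificate subject are placeholders; the provider name is the one given in the article.

```powershell
# Added example, not part of the Fortanix article. Run from an elevated PowerShell so that
# certutil and the Cert: drive both address the LocalMachine\My store.
# Assumptions: file name and subject below are placeholders.
$CerPath  = ".\fortanix-server-CA.cer"
$Subject  = "fortanix-server-CA"
$Provider = "Fortanix KMS CNG Provider"   # provider name used in the article

# Step 1: install the exported CA certificate into the machine Personal (My) store.
certutil -addstore my $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed (exit code $LASTEXITCODE)" }

# Step 3: read the serial number from the store rather than from 'certutil -store my' output.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
Write-Host "Serial number: $($cert.SerialNumber)"

# Step 4: bind the certificate to the key held in Fortanix DSM through the CNG KSP.
# Only a reference to the DSM key is written locally; the key material stays in DSM.
certutil -f -repairstore -csp $Provider my $cert.SerialNumber
Write-Host "certutil -repairstore exit code: $LASTEXITCODE"

# Check: re-read the certificate and report which provider now backs its private key.
$cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate has no private key binding; inspect the certutil output above."
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # For a CNG key the provider name identifies the KSP, which should be $Provider.
        Write-Host ("Key storage provider: " + $rsa.Key.Provider.Provider)
    } else {
        # A legacy CAPI (CSP) key would show up here as RSACryptoServiceProvider.
        Write-Host ("Key object type: " + $rsa.GetType().Name)
    }
}
```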

Add AD CS Role to the Server

  1. Add the AD CS role to the server. Figure 22: Add AD CS role
  2. Configure AD CS with the following settings:
    1. In the Private Key window, select Use existing private key and then select Select a certificate and use its associated private key. Figure 23: Configure AD CS
  3. In the Existing Certificate window, the imported certificate is shown. Select the certificate and select Allow administrator interaction when the private key is accessed by the CA. Figure 24: Configure AD CS
  4. In the Certificate Database window, click Next.
  5. In the Confirmation window, click Configure. Figure 25: AD CS configuration
  6. When the CA installation is complete, click Close in the installation results window.
  7. The CA is now configured. Figure 26: CA configured
  8. Once the CA certificate is successfully configured, you can check the Fortanix DSM certificate logs. Figure 27: Certificate logs
  9. To test the operation, request a certificate from a client machine. Figure 28: Request a certificate
  10. This example uses the Certificate Enrollment Web Service to request a certificate from a client machine: fill in all the details in the form and click Submit. Figure 29: Request a certificate
  11. Once the certificate is issued, click Install this certificate. Figure 30: Certificate issued
  12. Go back to the CA server and use the mmc console again to confirm that the certificate has been issued. Figure 31: Certificate installed

Restore Issued Certificates

To restore certificates:

  1. Go to the Certificate Authority (CA) service and right-click the CA.
  2. In the menu that opens, click All Tasks -> Restore CA. Figure 32: Restore CA
  3. In the Certification Authority Restore Wizard, click OK to stop Active Directory Certificate Services. Figure 33: Stop Active Directory Certificate Services
  4. Click Next. Figure 34: CA restore wizard
  5. In the Items to Restore section, select Certificate database and certificate database log. Enter the C:\ directory as the restore location. Click Next. Figure 35: Items to restore
  6. Click Finish to close the wizard and begin the restoration process. Figure 36: Begin restoration
  7. The CA restoration is completed. Click Yes to start Active Directory Certificate Services. Figure 37: Restoration complete
  8. The SubCA certificate is restored. Figure 38: Certificate restored
    Any previously issued certificates will be listed.

