Using Fortanix Data Security Manager with Microsoft IIS Integration Guide

1.0 Introduction

1.1 Purpose

This guide explains how to configure Microsoft Internet Information Services (IIS) to use Fortanix Data Security Manager (DSM), which provides full key life-cycle management for the web server's private keys and offloads cryptographic operations from the host server CPU.

1.2 Intended Audience

This guide is intended to be used by technical stakeholders of Fortanix DSM who will be responsible for planning, performing, or maintaining the DSM cluster.

2.0 Prerequisites

  • Fortanix KMS client version 4.8 or later (Download)
  • Fortanix APP API key
  • Admin Access to Microsoft IIS server

3.0 Integration Steps

3.1 KMS Configuration

For steps to configure the KMS client, click here.

3.2 Installing Microsoft IIS

If the IIS server is not installed already, follow the steps below:

  1. Select Start > Windows Administrative Tools > Server Manager to open the Server Manager Dashboard.
  2. In the Server Manager toolbar, select Quick Start > Configure this local server > Add roles and features.
  3. In the Add Roles and Features wizard, proceed to the Installation Type tab, then continue through the wizard to install Web Server (IIS).
  4. Select the Default (or desired) components from within the wizard and complete the Microsoft IIS installation.

3.3 Creating a Certificate Request

You can generate a Microsoft IIS certificate request whose private key is generated and stored on Fortanix DSM, so the key never exists on the IIS host.

  1. Create request.inf with the following information.
    NOTE
    Remove the <> brackets while editing.
    [Version]
    Signature= "$Windows NT$"
    [NewRequest]
    Subject = "C=<country_code>,CN=<common_name>,O=<company_name>,OU=<object>,L=<locality_name>,S=<state_name>"
    HashAlgorithm = SHA256
    KeyAlgorithm = RSA
    KeyLength = 2048
    ProviderName = "Fortanix KMS CNG Provider"
    KeyUsage = "CERT_NON_REPUDIATION_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
    MachineKeySet = True
    KeyContainer = "IIS-testing-key"
    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1
    NOTE
    For other Key Usage options, see Microsoft's certreq documentation:

    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1

    Completed Example:
    [Version]
    Signature= "$Windows NT$"
    [NewRequest]
    Subject = "C=US,CN=www.IISDemo.com,O=Fortanix,OU=certobject,L=BS,S=CA"
    HashAlgorithm = SHA256
    KeyAlgorithm = RSA
    KeyLength = 2048
    ProviderName = "Fortanix KMS CNG Provider"
    KeyUsage = "CERT_NON_REPUDIATION_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
    MachineKeySet = True
    KeyContainer = "IIS-testing-key"
    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1
  2. Request the certificate using the following command:
    certreq.exe -new request.inf IIStesting.csr

    The key is created on Fortanix DSM.

    Figure 1: Key Created on Fortanix DSM

  3. Have the request signed by the Certificate Authority of your choice (for example, submit a new request in ADCS and issue the pending certificate).
  4. Obtain the signed certificate (for example, copy the ADCS-signed certificate to a file) and run the command certreq -accept IIStesting.crt. (Alternatively, double-click the certificate and install it into the local machine's Personal certificate store.)

  5. Bind the certificate to the HTTPS binding of the IIS site.

    Figure 2: Bind the Certificate

  6. Test the configuration.

    Figure 3: Test Configuration
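The procedure above, scripted end to end in PowerShell as an added example (this is not code from the Fortanix guide). It uses the field values from the completed request.inf example, adds the check a practitioner wants before going live (that the certificate's private key is actually reported by the Fortanix KMS CNG Provider and not by a software KSP on the host), and then creates the HTTPS binding. The site name "Default Web Site" and the current working directory are assumptions; step 3 (CA signing) still happens outside the script.

```powershell
$ErrorActionPreference = 'Stop'
$Provider  = 'Fortanix KMS CNG Provider'
$Container = 'IIS-testing-key'
$Subject   = 'C=US,CN=www.IISDemo.com,O=Fortanix,OU=certobject,L=BS,S=CA'
$SiteName  = 'Default Web Site'   # assumed IIS site name

# Step 1: write request.inf (same fields as the guide, one key=value per line).
$inf = @"
[Version]
Signature= "`$Windows NT`$"
[NewRequest]
Subject = "$Subject"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "$Provider"
KeyUsage = "CERT_NON_REPUDIATION_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
MachineKeySet = True
KeyContainer = "$Container"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# Step 2: generate the CSR; the RSA key is created inside Fortanix DSM, not on this host.
certreq.exe -new .\request.inf .\IIStesting.csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

# Step 3 happens at the CA: have IIStesting.csr signed and save the result as IIStesting.crt.
# Step 4: install the issued certificate and pair it with the DSM-backed key.
certreq.exe -accept .\IIStesting.crt
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

# Check: the private key must be owned by the Fortanix provider, not a Microsoft software KSP.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=www.IISDemo.com*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyProvider = $rsa.Key.Provider.Provider
if ($keyProvider -ne $Provider) { throw "Private key is held by '$keyProvider', expected '$Provider'" }
"Private key for $($cert.Thumbprint) is held by $keyProvider (container $($rsa.Key.KeyName))"

# Step 5: create the HTTPS binding on port 443 and attach the certificate to it.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert
```

Run it in an elevated PowerShell session on the IIS host after the KMS client is configured; if the provider check throws, the key was generated by a local KSP and the certificate should not be bound.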
