1.0 Introduction
This article describes the steps to integrate Microsoft Active Directory Certificate Services (AD CS) with Fortanix Data Security Manager (DSM) using the Fortanix CNG Key Storage Provider (KSP).
In a Microsoft PKI setup, the Certification Authority (CA) generates and stores its private keys locally on the server. But many organizations now prefer using external key management systems to keep their CA keys secure. Fortanix DSM provides a secure, cloud-based way to store and manage these private keys. It offers features such as access control, approval policies, detailed logging, and hardware-backed security to protect keys outside the server.
It covers both new deployments and key migration:
Setting up a new CA with its private key generated and stored in Fortanix DSM.
Moving an existing CA to a new server while keeping the same certificate and private key.
Migrating a root CA’s private key from local storage to Fortanix DSM without changing the server.
It also covers:
Installing and configuring Fortanix DSM for key storage.
Setting up Microsoft AD CS with Fortanix CNG KSP.
Using Fortanix DSM-managed keys for issuing certificates.
Migrating existing CA keys to Fortanix DSM.
Verifying key usage through Fortanix logs and Windows certificate tools.
2.0 Prerequisites
Ensure the following:
Install the Fortanix CNG KSP on the CA server. For more information, refer to the CNG Developers Guide.
Use certutil to verify that the Fortanix CNG KSP is installed and registered correctly before you configure AD CS.
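The following PowerShell check is an added example and is not part of the Fortanix guide. It uses certutil -csplist to confirm that the Fortanix KSP is registered with Windows CNG and certutil -csptest to exercise it. The provider name "Fortanix KMS CNG Provider" is the one this page uses in Section 6.2.3; if your installation registers the provider under a different name, pass it as -ProviderName.

```powershell
# Added example (not part of the Fortanix documentation): verify that the
# Fortanix CNG KSP is registered with Windows CNG before configuring AD CS.
# The default provider name is the one this page uses; pass -ProviderName
# if your installation registers a different one.
param(
    [string]$ProviderName = 'Fortanix KMS CNG Provider'
)

# certutil -csplist enumerates every installed CSP and KSP.
$cspList = certutil -csplist 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil -csplist failed:`n$cspList" }

# Each entry is printed as "Provider Name: <name>"; collect the names.
$providers = [regex]::Matches($cspList, 'Provider Name:\s*(.+)') |
    ForEach-Object { $_.Groups[1].Value.Trim() }

if ($providers -notcontains $ProviderName) {
    Write-Host "Installed providers:`n  $($providers -join "`n  ")"
    throw "'$ProviderName' is not registered. Install the Fortanix CNG KSP first."
}
Write-Host "Found provider: $ProviderName"

# certutil -csptest exercises the provider (key enumeration, algorithm list).
# With the Fortanix KSP this requires the DSM URL and the app's API key
# (Section 4.5) to be configured, so a failure here usually means a DSM
# connectivity or authentication problem rather than a missing provider.
$test = certutil -csptest $ProviderName 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    throw "certutil -csptest failed for '$ProviderName':`n$test"
}
Write-Host "certutil -csptest succeeded for '$ProviderName'"
```

Run it from an elevated PowerShell prompt on the server that will host the CA. A provider that is listed but fails -csptest points at the KSP configuration (DSM endpoint, API key, network path to DSM), which should be fixed before the AD CS wizard is started.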
3.0 Product Versions Tested
The following product versions were tested:
Fortanix DSM version 5.0.
4.0 Configure Fortanix DSM
A Fortanix DSM service must be available and its URL must be reachable from the CA server. To create a Fortanix DSM account, group and app, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 1: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
4.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 2: Add groups
On the Adding new group page, do the following:
Title: Enter a name for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.
4.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 3: Add application
On the Adding new app page, do the following:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select the default API Key as the authentication method from the drop-down menu. This is the credential the Fortanix CNG KSP on the CA server uses to authenticate to Fortanix DSM. For more information on the available authentication methods, refer to the User's Guide: Authentication.
Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.
4.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click VIEW API KEY DETAILS.
From the API Key Details dialog box, copy the API Key of the app; it is needed when the Fortanix CNG KSP is configured on the CA server. Treat it like a password: anyone holding it can perform the key operations this app is permitted, including signing with the CA key.
5.0 Configure Microsoft Active Directory Certificate Services
This section describes the process of configuring Microsoft AD CS with Fortanix DSM. It includes installing the AD CS role, selecting the appropriate private key option, and integrating with the Fortanix CNG KSP. The Fortanix CNG KSP supports all three ways of associating a private key with the CA: generating a new private key, using an existing certificate and its private key, or using an existing private key.
5.1 Installing AD CS Role
Perform the following steps to install the Microsoft AD CS role:
Open Server Manager, select Add Roles and Features, and select Active Directory Certificate Services as a role to install.
Figure 4: Set active directory as service
Select Certification Authority as one of the role services to install for AD CS.
Figure 5: Select role services
5.2 Configuring CA Role
Perform the following steps to configure the CA role:
The CA installed in the previous step must have a private key to sign and issue certificates to clients. There are three ways to associate a private key with the CA:
By creating a new private key
By selecting an existing certificate and using its associated private key
By selecting an existing private key
The Fortanix CNG KSP supports all the above options.
Figure 6: All three types of private key support
5.3 Creating a New Private Key
Perform the following steps to create a new private key:
Select the Create a new private key option and click Next.
Figure 7: Create a new private key
If you selected Create a new private key, the wizard next asks you to select the cryptographic provider. Select RSA#Fortanix SDKMS Provider to use an RSA key for the CA. The key pair is then generated inside Fortanix DSM, in the group assigned to the app from Section 4.4; the private key never exists on the CA server.
Figure 8: Select cryptographic provider
5.4 Verifying Key Creation in Fortanix DSM
After confirming your selections, verify that a new key has been generated in the Fortanix DSM user interface (UI). The CA is now ready to issue certificates.
Figure 9: Verify new key
NOTE
If a Quorum approval policy is enabled on the group, add the app to the OR section of the Quorum approval policy so that it can authenticate and use the key; otherwise, the AD CS configuration fails with an error on the CA side.
6.0 Migrate CA to a New Server Using Existing Certificate and Private Key
This section explains how to move a CA from one server (Machine #1) to another (Machine #2) using the existing CA certificate and its private key. You will back up the CA database and certificate on the first machine, copy them to the second machine, and then restore the CA. This process keeps the CA identity the same and avoids issuing a new root certificate. You will also use the Fortanix CNG provider on the new server to manage the private key securely.
6.1 Backing up CA Configuration and Certificate from Source Server (Machine #1)
This section describes the steps to back up the CA configuration from the source server. It includes noting the CA configuration string, backing up the CA database, and exporting the CA certificate. The private key itself is not exported: it is held in Fortanix DSM and is reused from there on the new server. These components are required to restore the CA on the target server while preserving the same certificate and private key.
6.1.1 Extracting CA Configuration
Run the certutil command shown in Figure 10 to extract the CA configuration information. The configuration string has the form <ServerName>\<CAName> and is used by the backup commands that follow:

Figure 10: Extract configuration information
6.1.2 Backing up CA Database
After you have the configuration information, run the following command to back up the database:
certutil -config <CA_config_string> -backupdb <BackupDirectory>
For example:

Figure 11: Backup the database
6.1.3 Exporting CA Certificate
Perform the following steps to export the certificate from Machine #1:
Run mmc. In the console, go to File → Add/Remove Snap-in.
Select Certificates and click Add.
The certificate snap-in window opens. Select Computer Account and click Next.
Keep the default selection and click Finish, then click OK.
Go to Trusted Root Certification Authorities → Certificates. Right-click the CA certificate, click All Tasks → Export, then click Next.
Select Base-64 encoded X.509 (.CER) and click Next.
Specify the path and file name to save the certificate and click Next.
Click Finish.
Click OK to close the export success message.
Figure 12: Export the certificate from machine #1
6.1.4 Transferring Backup Files to Target Server (Machine #2)
You should now have two folders: one containing the CA database backup (CABackup) and one containing the exported certificate (Export). Copy both folders to the new machine (Machine #2). Verify the copies (for example by comparing file hashes) before the old server is decommissioned.

Figure 13: Copy the folders on a new machine
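The PowerShell script below is an added example, not part of the Fortanix documentation. It performs the Section 6.1 steps on Machine #1 from the command line: it reads the CA configuration string with certutil -getconfig, backs up the database, exports the CA certificate with certutil -ca.cert and -encode (the command-line equivalent of the MMC export, chosen for this example), and writes a SHA-256 manifest so the copy to Machine #2 can be checked. The folder names follow the page; the backup location is an assumption.

```powershell
# Added example (not from the Fortanix documentation): run on the SOURCE CA
# (Machine #1) to produce the CABackup and Export folders Section 6.1 describes,
# plus a hash manifest for verifying the copy to Machine #2. Run from an
# elevated PowerShell prompt on the CA.
param(
    [string]$BackupRoot = "$env:USERPROFILE\Desktop"   # assumed location
)
$backupDir = Join-Path $BackupRoot 'CABackup'
$exportDir = Join-Path $BackupRoot 'Export'
New-Item -ItemType Directory -Force -Path $backupDir, $exportDir | Out-Null

# 6.1.1 Configuration string, of the form <ServerName>\<CAName>.
# certutil prints it as:  Config String: "host\CAName"
$config = certutil -getconfig 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil -getconfig failed:`n$config" }
$caConfig = [regex]::Match($config, 'Config String:\s*"([^"]+)"').Groups[1].Value
if (-not $caConfig) { throw "Could not parse the CA configuration string:`n$config" }
Write-Host "CA configuration string: $caConfig"

# 6.1.2 Back up the CA database (certificate database and logs). The private
# key is NOT part of this backup: it lives in Fortanix DSM and never touches
# this disk. -f allows reuse of an existing backup folder.
certutil -f -config $caConfig -backupdb $backupDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -backupdb failed' }

# 6.1.3 Export the CA certificate (public certificate only). certutil -ca.cert
# writes DER; re-encode it to the Base-64 (.CER) form the page uses.
$derFile = Join-Path $exportDir 'CA_Certificate.der'
$cerFile = Join-Path $exportDir 'CA_Certificate.cer'
certutil -config $caConfig -ca.cert $derFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -ca.cert failed' }
certutil -f -encode $derFile $cerFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -encode failed' }
Remove-Item $derFile

# 6.1.4 Hash manifest. On Machine #2, recompute with
#   Get-FileHash -Algorithm SHA256 <file>
# and compare against manifest.sha256 before restoring anything.
Get-ChildItem -Recurse -File $backupDir, $exportDir |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "$($_.Hash)  $($_.Path)" } |
    Set-Content (Join-Path $BackupRoot 'manifest.sha256')

Write-Host "Database backup: $backupDir"
Write-Host "CA certificate:  $cerFile"
Write-Host 'Copy CABackup, Export and manifest.sha256 to Machine #2.'
```

Because the CA key is in Fortanix DSM, there is no .p12 or private key in this backup set; the only secret that moves between machines is the app's API key from Section 4.5, which should be configured on Machine #2 directly rather than copied along with these folders.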
6.2 Restoring and Reconfiguring CA on Target Server (Machine #2)
This section describes the steps to restore the backed-up CA certificate and configuration on a new (target) server. It includes installing the Fortanix CNG provider, importing the certificate, mapping it to the private key stored in Fortanix DSM, and configuring Microsoft AD CS to use the restored certificate. Once completed, the CA on the target server resumes operation using the original private key.
6.2.1 Preparing the Target Server
Perform the following steps to prepare the target server:
On Machine #2, a clean Windows Server on which AD CS has not yet been configured, install the Fortanix CNG KSP and configure it (DSM URL and the app's API key from Section 4.5) as described in its README.
Figure 14: Install Fortanix CNG on machine #2
Copy the CA backup folder and the Export folder from Section 6.1.4 to the Desktop of Machine #2.
6.2.2 Importing the CA Certificate
Perform the following steps to import the CA certificate into the Trusted Root Certification Authorities store of the local computer on Machine #2 (the CA service runs as the local system account, so importing into the current user's store is not sufficient):
Right-click the certificate file and click Install.
Select Local Machine as the store location and click Next.
Select Place all certificates in the following store and click Browse.
Select Trusted Root Certification Authorities and click OK.
Click Next.
Click Finish.
Click OK to close the import success message.
The SDKMS-CA certificate appears under Trusted Root Certification Authorities, indicating a successful import.
Run the following command from an elevated prompt to install the certificate into the local computer's Personal (my) store:
certutil -addstore my <certificate file>
For example:
certutil -addstore my CA_Certificate.cer
Where CA_Certificate.cer is the exported certificate in Base-64 encoded X.509 (.CER) format. Without the -user option, certutil targets the local computer store, which is the one the CA service uses.
Figure 15: Install the certificate
After you run the above command, the CA certificate appears in the local computer's Personal store. At this point it has no associated private key yet.
Figure 16: Exported CA in personal trust store
6.2.3 Mapping the Certificate to Fortanix DSM Private Key
Perform the following steps to map the certificate to Fortanix DSM private key:
Run the following command to list the certificates in the local computer's Personal store and note the serial number of the imported CA certificate:
certutil -store my
Then run the following command to associate the certificate with the private key held in Fortanix DSM:
certutil -f -repairstore -csp "Fortanix KMS CNG Provider" my "<cert serial number>"
Where Fortanix KMS CNG Provider is the name of the Fortanix KSP and <cert serial number> is the serial number noted above. The -repairstore option asks the named provider for a private key whose public key matches the certificate; with the Fortanix KSP that lookup is performed in Fortanix DSM, so it succeeds only if the CA key exists there and the KSP on this machine is configured with a working API key (Section 4.5). Afterwards, certutil -store my shows the provider and key container for the certificate. For example:
Figure 17: Certificate serial number
6.2.4 Installing and Configuring AD CS
Perform the following steps to install and configure AD CS:
Click Start → Server Manager to open the Server Manager on Machine #2.
Install the AD CS role with the Certification Authority role service as in Section 5.1, then configure the CA with the following settings:
In the Set Up Private Key window, select Use existing private key and then select a certificate and use its associated private key.
In the Existing Certificate window, the imported certificate is shown. Select the certificate and select Allow administrator interaction when the private key is accessed by the CA.
Click Next.
In the Certificate Database window, click Next.
In the Confirmation window, click Configure.
When the CA installation is complete, click Close in the installation results window.
Machine #2 now shows the configured CA.
Figure 18: CA configured on Machine #2
Figure 19: CA configured on Machine #2
6.2.5 Restoring CA Database and Verifying Fortanix DSM Usage
Stop the Active Directory Certificate Services service (CertSvc), run the following command to restore the CA database from the backup taken in Section 6.1.2, and then start the service again; certutil does not restore over a running database:
certutil -restoredb <BackupDirectory>
After the CA is running with the restored database, verify in the Fortanix DSM audit logs that the CA key is being used by the app created in Section 4.4.
Figure 20: Check logs in Fortanix DSM
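The script below is an added example and not part of the Fortanix documentation. It covers the command-line side of Section 6.2 on Machine #2 in two phases: Map (Sections 6.2.2 and 6.2.3: import the certificate, bind it to the DSM key with -repairstore, and confirm the binding) runs before the AD CS wizard, and Restore (Section 6.2.5: stop CertSvc, restore the database, restart) runs after the wizard has finished. The provider name is the one used on this page; the file paths are assumptions.

```powershell
# Added example (not from the Fortanix documentation): command-line steps of
# Section 6.2 on the TARGET server (Machine #2).
#   -Phase Map      before the AD CS configuration wizard (6.2.2, 6.2.3)
#   -Phase Restore  after the wizard has completed (6.2.5)
# Paths are assumptions; the provider name is the one the page uses.
param(
    [Parameter(Mandatory)] [ValidateSet('Map', 'Restore')] [string]$Phase,
    [string]$CertFile     = "$env:USERPROFILE\Desktop\Export\CA_Certificate.cer",
    [string]$BackupDir    = "$env:USERPROFILE\Desktop\CABackup",
    [string]$ProviderName = 'Fortanix KMS CNG Provider'
)

function Invoke-Certutil {
    # Runs certutil, returns its output text, and throws on a non-zero exit code.
    param([string[]]$Arguments)
    $out = & certutil @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed:`n$out" }
    $out
}

if ($Phase -eq 'Map') {
    # 6.2.2 The CA certificate goes into the LOCAL COMPUTER stores: the CA
    # service runs as SYSTEM and cannot see a user's store. certutil without
    # -user targets LocalMachine.
    Invoke-Certutil @('-addstore', 'Root', $CertFile) | Out-Null
    Invoke-Certutil @('-addstore', 'My',   $CertFile) | Out-Null

    # Read the serial number from the file itself rather than from the
    # 'certutil -store my' listing, so the right certificate is repaired.
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    $serial = $cert.SerialNumber
    Write-Host "CA certificate: $($cert.Subject)  serial $serial"

    # 6.2.3 -repairstore asks the named KSP for a private key whose public key
    # matches the certificate. With the Fortanix KSP that lookup happens in
    # DSM, so it only succeeds if the original key is there and the app's API
    # key (Section 4.5) is configured on this machine.
    Invoke-Certutil @('-f', '-repairstore', '-csp', $ProviderName, 'My', $serial) | Out-Null

    # Confirm the binding: the store entry must now report the provider, and
    # .NET must see a private key for the certificate.
    $store     = Invoke-Certutil @('-store', 'My', $serial)
    $provider  = [regex]::Match($store, 'Provider\s*=\s*(.+)').Groups[1].Value.Trim()
    $installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
    if ($provider -ne $ProviderName -or -not $installed.HasPrivateKey) {
        throw "Key mapping failed. Provider reported: '$provider'`n$store"
    }
    Write-Host "Certificate is bound to '$provider'. Run the AD CS wizard (6.2.4) next."
}
else {
    # 6.2.5 The CA database is restored offline: stop CertSvc first, otherwise
    # certutil refuses to overwrite the live database. Start it again even if
    # the restore fails, so the CA is not left down.
    Stop-Service CertSvc
    try {
        Invoke-Certutil @('-f', '-restoredb', $BackupDir) | Out-Null
    }
    finally {
        Start-Service CertSvc
    }
    # Sanity check: the restored database should list the certificates that
    # were issued on Machine #1 (Disposition 20 = issued).
    Invoke-Certutil @('-view', '-restrict', 'Disposition=20', '-out', 'RequestID,NotBefore,CommonName') |
        Write-Host
    Write-Host 'Database restored. Check the Fortanix DSM audit logs for key use by the CA.'
}
```

The Map phase fails fast if the KSP cannot find the key in DSM, which is the point at which a wrong API key, a missing Quorum policy entry (see the note in Section 5.4) or a key that was never in DSM shows up, before the AD CS wizard is involved.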
7.0 Migrate Local Root CA Private Key to Fortanix DSM
This section describes the steps to migrate a local root CA private key to Fortanix DSM. The process includes identifying the root CA certificate, backing up the CA along with its private key, extracting the key and certificate, importing the private key into Fortanix DSM, and reconfiguring the CA to use the Fortanix DSM-managed key.
7.1 Backing Up the Root CA Certificate and Configuration
Perform the following steps to back up the root CA certificate, its private key and the CA configuration:
Identify the root CA certificate in the Microsoft Management Console (MMC).
It is usually located under Personal or Trusted Root Certification Authorities in either the current user or local computer certificate stores.
Figure 21: Locate root CA in MMC
Figure 22: View certificate in store
Open Server Manager → Tools → Certification Authority. Right-click the CA name and select All Tasks → Back up CA.
Figure 23: Backup CA from MMC
In the Certification Authority Backup Wizard, select the option to include the private key and CA certificate in the backup, and set a password to protect the exported file. The wizard writes the key and certificate as a password-protected PKCS #12 (.p12) file in the backup folder; this file is the <BACKED_UP_CA_CERT> used in Section 7.3.
Figure 24: Select key and certificate in backup
Run the following command to back up the CA database:
certutil -config <CA_config_string> -backupdb <BackupDirectory>
7.2 Preparing for Migration
Perform the following steps to prepare the server for migration:
Uninstall the Microsoft AD CS role from Server Manager.
Download and configure the Fortanix CNG provider. For more information, refer to the CNG Developers Guide.
7.3 Extracting and Importing the Private Key to Fortanix DSM
Perform the following steps to extract the private key and import it into Fortanix DSM:
Run the following OpenSSL commands to extract the private key and the certificate from the backed-up CA .p12 file:
openssl.exe pkcs12 -in <BACKED_UP_CA_CERT> -nocerts -nodes -out private_key.pem
openssl.exe pkcs12 -in <BACKED_UP_CA_CERT> -nokeys -nodes -out <CERTIFICATE_NAME>.crt
The -nodes option writes the private key to private_key.pem unencrypted. Run these commands on the CA server itself, keep the file off shared folders and backups, and delete it once the import into Fortanix DSM has succeeded.
Figure 25: Extract key and certificate using OpenSSL
Go to the Fortanix DSM group as created in Section 4.3: Creating a Group, click + SECURITY OBJECT to add a new security object.
On the Add New Security Object form, do the following:
Security Object name: Enter the name of your security object.
Select the IMPORT radio button.
In the Choose a type section, select the RSA key type.
In the Place value here or import from file section, select Base64 as the value format and click UPLOAD A FILE. Browse to and select the private key file. The file must contain only the block from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----; remove the Bag Attributes and Key Attributes lines that OpenSSL writes above it.
In the Key operations permitted section, select the operations the key may perform. A CA signing key only needs signing (and verification); do not enable encryption, decryption or export for it.
Click IMPORT to create the new security object.
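The PowerShell script below is an added example, not part of the Fortanix documentation. It prepares the files Section 7.3 needs: it runs the same two openssl pkcs12 commands, trims their output down to the exact PEM blocks (dropping the Bag Attributes lines), checks that the extracted key really matches the CA certificate, and overwrites and deletes the clear-text key files once the import into DSM has been confirmed. File paths are assumptions, and openssl.exe is assumed to be on PATH.

```powershell
# Added example (not from the Fortanix documentation). Prepares the key and
# certificate files for Section 7.3 and cleans up the clear-text key after the
# DSM import. Paths are assumptions; run on the CA server itself.
param(
    [Parameter(Mandatory)] [string]$BackedUpCaCert,   # <CAName>.p12 from the CA backup
    [string]$OutDir = "$env:USERPROFILE\Desktop\Migrate"
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$rawKey  = Join-Path $OutDir 'private_key_raw.pem'
$rawCert = Join-Path $OutDir 'certificate_raw.crt'
$pemKey  = Join-Path $OutDir 'private_key.pem'      # upload this file to DSM
$crtFile = Join-Path $OutDir 'CA_Certificate.crt'   # import this into MMC (Section 7.4)

# Ask for the backup password instead of passing it on the command line, and
# hand it to openssl through an environment variable (pass:env form) so it
# does not appear in the PowerShell history or the process list.
$secure = Read-Host -AsSecureString 'CA backup (PKCS #12) password'
$env:P12PASS = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    & openssl.exe pkcs12 -in $BackedUpCaCert -nocerts -nodes -passin env:P12PASS -out $rawKey
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 (private key) failed' }
    & openssl.exe pkcs12 -in $BackedUpCaCert -nokeys -passin env:P12PASS -out $rawCert
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 (certificate) failed' }
}
finally {
    Remove-Item Env:\P12PASS -ErrorAction SilentlyContinue
}

function Get-PemBlock {
    # Returns exactly one "-----BEGIN <Label>----- ... -----END <Label>-----"
    # block from a file, dropping openssl's Bag Attributes / Key Attributes.
    param([string]$Path, [string]$Label)
    $pattern = "-----BEGIN $Label-----.*?-----END $Label-----"
    $m = [regex]::Match((Get-Content -Raw $Path), $pattern, 'Singleline')
    if (-not $m.Success) { throw "No '$Label' block found in $Path" }
    $m.Value
}

# DSM expects the PKCS #8 form (BEGIN PRIVATE KEY). If the file instead holds
# a traditional "BEGIN RSA PRIVATE KEY" block, convert it first with:
#   openssl pkcs8 -topk8 -nocrypt -in <file> -out <file>
Get-PemBlock $rawKey  'PRIVATE KEY' | Set-Content -NoNewline $pemKey
Get-PemBlock $rawCert 'CERTIFICATE' | Set-Content -NoNewline $crtFile

# Make sure the extracted key really is the CA key: the RSA modulus of the
# key and of the certificate's public key must be identical.
$keyMod  = (& openssl.exe rsa  -in $pemKey  -noout -modulus | Out-String).Trim()
$certMod = (& openssl.exe x509 -in $crtFile -noout -modulus | Out-String).Trim()
if (-not $keyMod -or $keyMod -ne $certMod) { throw 'Private key does not match the CA certificate' }
Write-Host "Key and certificate match. Upload $pemKey via + SECURITY OBJECT -> IMPORT (RSA, Base64)."

# The key is now in clear text on disk. Wipe both key files as soon as the
# import into DSM has succeeded. Overwriting before deletion reduces, but does
# not eliminate, recovery risk on SSDs and copy-on-write volumes, so keep the
# files off shares and backups in the first place.
Read-Host 'Press Enter AFTER the import into DSM has succeeded to wipe the clear-text key files' | Out-Null
foreach ($f in $rawKey, $pemKey) {
    [IO.File]::WriteAllBytes($f, (New-Object byte[] ((Get-Item $f).Length)))
    Remove-Item $f -Force
}
Write-Host 'Clear-text key files removed.'
```

The modulus comparison is the check worth keeping even if the rest is done by hand: a key that does not match the certificate imports into DSM without complaint, and the failure only surfaces later when certutil -repairstore cannot find a matching key.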
7.4 Re-importing the Certificate and Mapping It to the Fortanix DSM Key
Perform the following steps to re-import the certificate and map it to the Fortanix DSM key:
In MMC (Local Computer), import the extracted certificate (without the private key): right-click Certificates → Personal → Certificates, select All Tasks → Import, and select the .crt file.
Figure 26: Import certificate to personal store
Repeat the import under Trusted Root Certification Authorities and any other store where the certificate was originally located.
Figure 27: Import certificate to trusted root
Run the following command to list the certificates and note the serial number of the root CA certificate:
certutil -store my
Figure 28: Get certificate serial using certutil
Run the following command to map the certificate to the imported private key in Fortanix DSM:
certutil -repairstore my <SerialNumber>
Replace <SerialNumber> with the actual serial number. When prompted, select the key previously imported to Fortanix DSM (for example, MCADCS-Pvt-Key). Afterwards, certutil -store my shows the Fortanix provider for the certificate.
Figure 29: Map certificate to DSM key
7.5 Reinstalling and Reconfiguring CA
Perform the following steps to reinstall and reconfigure the CA:
Open Server Manager and select Add Roles and Features. Add the AD CS role and proceed with the installation.
After installation, launch the configuration wizard. Under Role Services, select Certification Authority.
Set the Setup Type to Standalone CA and the CA Type to Root CA.
Select the option to use an existing private key and select the previously imported certificate when it appears.
Figure 30: Use existing key in setup
Figure 31: Select imported certificate
7.6 Restoring and Verifying CA Database
After completing the setup, stop the Active Directory Certificate Services service (CertSvc), run the following command to restore the original CA database, and then start the service again:
certutil -restoredb <BackupDirectory>
To verify the configuration, sign a test CSR and confirm in the Fortanix DSM audit logs that the certificate was signed with the DSM-managed private key.

Figure 32: Verify DSM certificate signing
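The following PowerShell script is an added example and not part of the Fortanix documentation. It performs the test described in Section 7.6: it generates a throw-away CSR with certreq, submits it to the reconfigured CA, issues the request if the standalone CA holds it as pending, verifies the chain of the issued certificate with .NET, and prints the issuance time to look up in the Fortanix DSM audit logs. The subject name, working folder and the use of the Microsoft software KSP for the test key are assumptions.

```powershell
# Added example (not from the Fortanix documentation): issue one test
# certificate from the reconfigured CA so the signing operation can be matched
# against the Fortanix DSM audit log (Section 7.6). Subject, file names and the
# working folder are assumptions. Run elevated on the CA.
param([string]$WorkDir = "$env:TEMP\dsm-ca-test")
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$inf = Join-Path $WorkDir 'test.inf'
$req = Join-Path $WorkDir 'test.req'
$cer = Join-Path $WorkDir 'test.cer'

# Minimal certreq policy file: a throw-away RSA key in the Microsoft software
# KSP, not exportable. Only the CA's own key needs to be in DSM.
@"
[NewRequest]
Subject = "CN=dsm-ca-test-$(Get-Date -Format yyyyMMddHHmmss)"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft Software Key Storage Provider"
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
"@ | Set-Content $inf

certreq -new -f $inf $req | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# CA configuration string, of the form <ServerName>\<CAName>.
$caConfig = [regex]::Match((certutil -getconfig | Out-String), 'Config String:\s*"([^"]+)"').Groups[1].Value
if (-not $caConfig) { throw 'Could not determine the CA configuration string' }

$submit = certreq -submit -f -config $caConfig $req $cer 2>&1 | Out-String
Write-Host $submit

# A standalone CA holds requests as pending by default; issue this one and
# retrieve the certificate explicitly.
if ($submit -match 'RequestId:\s*(\d+)' -and $submit -match 'pending') {
    $id = $Matches[1]
    certutil -config $caConfig -resubmit $id | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -resubmit $id failed" }
    certreq -retrieve -f -config $caConfig $id $cer | Out-Null
}
if (-not (Test-Path $cer)) { throw "No certificate was issued:`n$submit" }

# Verify the issued certificate chains to the root CA. Revocation checking is
# skipped because the freshly restored CA may not have published a CRL yet.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($issued)) {
    throw "Chain build failed: $($chain.ChainStatus.StatusInformation -join '; ')"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Issued:     $($issued.Subject)"
Write-Host "Issuer:     $($issued.Issuer)"
Write-Host "Root CA:    $($root.Subject)  thumbprint $($root.Thumbprint)"
Write-Host "Issued at:  $($issued.NotBefore.ToUniversalTime().ToString('u')) (UTC)"
Write-Host 'Look for a Sign operation by the AD CS app on the CA key at about this time in the DSM audit logs.'
```

If the certificate is issued and the chain builds but no signing operation appears in the DSM audit log at that time, the CA is still signing with a locally held key and the mapping in Section 7.4 did not take effect; check certutil -store my for the provider shown against the CA certificate.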