Microsoft ADCS
This guide outlines the smooth integration of Microsoft Active Directory Certification Services (ADCS) with Luna HSM or Luna Cloud HSM, presenting a detailed step-by-step process. ADCS plays a pivotal role in managing public key certificates within software security systems, reinforcing digital security by associating entity identity with private keys. Trust in a Public Key Infrastructure (PKI) is solidified through a Certificate Authority (CA). The integration of ADCS with Luna HSM further enhances security, specifically safeguarding the crucial root encryption key necessary for upholding trust in the PKI.
The key benefits of this integration are:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that the Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
HSM Type | Platforms Tested
---|---
Luna HSM | Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
Luna Cloud HSM | Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
Prerequisites
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will be later on used by Microsoft ADCS.
Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
C:\Program Files\SafeNet\LunaClient>lunacm.exe
Upon successful execution, you should observe an output similar to the example provided below:
lunacm.exe (64-bit) v10.2.0-111. Copyright (c) 2020 SafeNet. All rights reserved.

Available HSMs:

        Slot Id ->              0
        Label ->                ms-adcs
        Serial Number ->        1238696044953
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
        Slot Description ->     Net Token Slot
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Set up Luna HSM in High Availability Mode
Refer to Luna HSM documentation for High Availability (HA) steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work: if the primary goes down for any reason, all calls are then automatically routed to the secondary until the primary recovers and starts up.
This integration has been tested using Luna Client in both HA and FIPS-compliant modes.
Set up Luna Cloud HSM
The following steps are applicable for setting up the Luna Cloud HSM on a Windows environment:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package (cvclient-min.zip) for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
Run the setenv script to generate a new configuration file with the necessary information for the Luna Cloud HSM service. Right-click setenv.cmd and select Run as Administrator.
To add the configuration to an already installed UC client, use the -addcloudhsm option when running the setenv script.
Run the LunaCM utility and verify that the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Integrating Luna HSM with Microsoft ADCS on Windows server
Integrating Luna HSM with Microsoft ADCS on Windows server involves the following steps:
Before beginning the integration, it is recommended to get acquainted with Microsoft Active Directory Certificate Services. Refer to the Microsoft ADCS documentation for detailed information.
Configure SafeNet Key Storage Provider
Ensure that the SafeNet Key Storage Provider (KSP) is configured to enable user accounts and the system to access the Luna HSM or Luna Cloud HSM. For Luna HSM, install the KSP package during the Luna Client software installation. For Luna Cloud HSM, find the KSP package within the service client package located in the /KSP directory.
Navigate to the
Run the KspConfig.exe (KSP configuration wizard).
Double-click Register Or View Security Library.
Browse to the cryptoki.dll library in the Luna HSM Client installation directory or the Luna Cloud HSM client package and click Register. Upon successful registration, the message Success registering the security library! appears.
Double-click Register HSM Slots on the left side of the pane.
Enter the Slot (Partition) password.
Click Register Slot to register the slot for Domain\User. On successful registration, a message The slot was successfully and securely registered will be displayed.
Register the same slot for NT AUTHORITY\SYSTEM.
Both slots are registered, even if only one entry appears for the service in the Registered Slots section of the KSP interface.
Install Microsoft ADCS on Windows server using SafeNet KSP
For a successful installation of Microsoft ADCS on Windows Server utilizing SafeNet KSP, follow the steps outlined below. It is imperative to configure Microsoft ADCS to utilize the Luna HSM or Luna Cloud HSM during the configuration of the Microsoft Certificate Authority (CA) user role.
Log in with an account that has Enterprise Admin/Domain Admin privileges.
Confirm that SafeNet Key Storage Provider (KSP) is configured, as explained in the previous section.
Open Server Manager by navigating to Configure this Local Server and selecting Add Roles and Features.
In the Add Roles wizard that appears, click Next to proceed.
Select the Role-based or feature-based installation radio button and click Next.
Choose the server from the Server Pool menu after selecting the Select a server from the server pool radio button.
Click Next after selecting the Active Directory Certificate Services checkbox. A window will prompt to add features required for Active Directory Certificate Services.
Click the Add Features button, and then click Next.
Click Next within the Active Directory Certificate Services page.
Choose the Certification Authority checkbox from the Role services list, and then click Next.
Click Install to start the installation process.
After installation completion, click Configure Active Directory Certificate Services on the destination server. This action triggers the ADCS Configuration wizard.
On the Credentials page of the ADCS Configuration wizard, click Next to proceed.
Choose the Certification Authority checkbox, and then click Next.
Select the Enterprise CA radio button, and then click Next.
Choose the Root CA radio button and then click Next.
Configure the private key for the CA to generate and issue certificates to clients. If opting for a new private key, choose the Create a new private key radio button and proceed with the Next button. If you are using an existing private key, skip the next few steps and proceed directly to the Use existing private key step below.
Open the Select a cryptographic provider drop-down menu. Choose an algorithm using SafeNet Key Storage Provider. Open the Key length drop-down menu and select a key-length.
Choose the Hash Algorithm for signing certificates issued by this Certificate Authority and specify the key length settings for your installation.
Enable the Allow administrator interaction when the private key is accessed by the CA checkbox, and then click Next.
To set up the private key for the CA from a key that already exists, select the Use existing private key radio button and then Select an existing private key on this computer. Click Next to continue.
Click Change. Choose the SafeNet Key Storage Provider algorithm used to generate the private keys. Clear the CA Common name and click Search.
Choose the Existing Key and click Next.
Proceed to configure a common name to identify this Certificate Authority. Click Next.
Proceed to set the Certificate Validity Period. Click Next.
Configure the Certificate database location, where it records all certificate requests, issued certificates, and revoked or expired certificates. Click Next.
Click Configure to set up the selected roles, role services, or features.
Click Close to exit the ADCS Configuration wizard after reviewing the installation results. A private key for the CA will be generated and stored on the HSM.
Open a command prompt and run the following command to verify that the service is running:
sc query certsvc
Open another command prompt and run the following command to verify the CA key:
certutil -verifykeys
The result should show that the CA keys have been successfully verified.
If Luna HSM is in FIPS mode and using firmware version 7.7.2 or above, you may encounter the following error when verifying the certificate using the certutil -verifystore command: ERROR: Could not verify certificate public key against private key.
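The three checks above (service state, the CA's configured provider, and certutil -verifykeys) can be run from one place. The following PowerShell function is an added example and is not part of the original guide or the Luna Client package; it assumes an elevated PowerShell session on the CA host with certutil.exe on the PATH, and reads the provider name from the CertSvc registry key that certutil -getreg exposes as CA\CSP\Provider.

```powershell
# Added example (not from the original guide): post-install verification of an
# ADCS CA whose signing key is held in Luna HSM through the SafeNet KSP.
# Assumes: elevated PowerShell on the CA host, certutil.exe on PATH.
function Test-HsmCaInstall {
    param([string] $ExpectedProvider = 'SafeNet Key Storage Provider')

    $result = [ordered]@{
        ServiceRunning = $false
        Provider       = $null
        ProviderOk     = $false
        KeysVerified   = $false
    }

    # 1. Same check as "sc query certsvc"
    $svc = Get-Service -Name certsvc -ErrorAction SilentlyContinue
    $result.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. Provider the CA was configured with. certutil -getreg CA\CSP\Provider prints a
    #    line of the form "  Provider REG_SZ = <provider name>".
    $regOut = & certutil.exe -getreg 'CA\CSP\Provider'
    if ($LASTEXITCODE -eq 0) {
        $m = $regOut | Select-String -Pattern 'REG_SZ\s*=\s*(.+?)\s*$' | Select-Object -First 1
        if ($m) { $result.Provider = $m.Matches[0].Groups[1].Value }
    }
    $result.ProviderOk = ($result.Provider -eq $ExpectedProvider)

    # 3. certutil -verifykeys exercises the CA key pair on the HSM; a non-zero exit
    #    code means the keys could not be verified. (With FIPS-mode firmware 7.7.2
    #    or later, -verifystore may still report the error noted in the guide;
    #    that command is deliberately not used here.)
    $null = & certutil.exe -verifykeys
    $result.KeysVerified = ($LASTEXITCODE -eq 0)

    [pscustomobject]$result
}

# Usage: all four fields should be True / the expected provider name.
Test-HsmCaInstall | Format-List
```

Running this right after the ADCS Configuration wizard closes gives a quick yes/no on whether the CA is actually bound to the HSM-backed provider rather than a software KSP, which is the condition the rest of the guide depends on.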
Enroll certificates
If you aim to enhance the security of the certificate's keys within Luna HSM, follow the steps below to create a certificate template using the SafeNet Key Storage Provider:
Certificates enrolled using SafeNet KSP will not work for encryption/decryption operations due to FIPS restrictions in firmware version 7.7.2 or above. In such cases, consider using Non-FIPS Luna HSM or Microsoft Key Storage Provider for enrolled certificates.
Open a command prompt and run certtmpl.msc.
Right-click on the desired certificate template and select Duplicate Template.
In the Properties of New Template window that appears, navigate to the Compatibility tab and choose Windows Server 2008 or above for both Certification Authority and Certificate recipient. Click OK to apply the changes.
Navigate to the General tab and enter the template name.
Navigate to the Cryptography tab and make the following changes:
- Choose Key Storage Provider for Provider Category.
- Select the Requests must use one of the following providers radio button.
- In the Providers field, select SafeNet Key Storage Provider.
- Choose an algorithm for Algorithm Name.
- Select Request Hash.
Navigate to the Subject Name tab and configure the settings:
- Uncheck the Include e-mail name in subject name and E-mail name checkboxes.
Click Apply to save the template settings, and then click OK to confirm the changes.
Open the command prompt and run certsrv.msc.
Double-click on the name of your CA.
Right-click on the Certificate Templates node.
Select New and then choose Certificate Template to Issue.
Choose the template you recently created and click OK to complete the process.
Request a certificate based on the template, as follows:
- Open the command prompt and run the certmgr.msc command.
- Right-click on the Personal node.
- Select All Tasks and then choose Request New Certificate…
- Progress through the Certificate Request Wizard by clicking Next.
- Continue with the wizard by clicking Next again.
- Initiate the certificate enrollment process by clicking Enroll.
- Verify that the certificate is enrolled successfully using the UI enrollment wizard.
Archive CA key
Follow these steps to archive the CA key:
Obtain KRA certificate from the CA snap-in
Retrieve the issued certificate
Configure CA to support key archival
Create a template with key archival enabled
If you aim to secure the key on Luna HSM for decrypting Archived Keys, configure the SafeNet Key Storage Provider to generate keys for the Key Recovery Agent certificate.
Certificates enrolled using the SafeNet Key Storage Provider won't function for encryption/decryption operations due to FIPS restrictions in firmware version 7.7.2 or above. Consider using a non-FIPS Luna HSM or the Microsoft Key Storage Provider for enrolled certificates.
If you are utilizing the SafeNet Key Storage Provider for key archival, it's important to generate the key enrollment agent certificate on a separate virtual machine. This separation enhances security and ensures that the certificate generation process is isolated from other operations. Additionally, register the SafeNet Key Storage Provider with a non-FIPS partition or HSM to ensure a secure and flexible environment for managing and storing keys.
Choose KRA template
Begin by installing the Enterprise Certificate Server using the SafeNet Key Storage Provider with an ECC key for enhanced security.
Verify the proper installation of the CA to guarantee a seamless foundation for subsequent key archiving steps.
Expand the CA's capabilities by adding a Key Recovery Agent (KRA) template for issuing. This template facilitates secure recovery processes for cryptographic keys.
Open the command prompt and start the Certificate Services console by running the certsrv.msc command.
Within the Certificate Templates node, right-click and navigate to New, and then choose Certificate Template to Issue.
Choose the Key Recovery Agent template from the available options and confirm your selection by clicking OK. This template will be instrumental in managing and recovering cryptographic keys as needed.
Request KRA certificate
Follow these steps to request a KRA certificate:
Launch the command prompt and execute the certmgr.msc command.
Within the Personal node, right-click and navigate to All Tasks, and then choose Request new certificate...
Proceed through the Certificate Request Wizard by clicking Next.
Select Active Directory Enrollment Policy and continue by clicking Next.
Identify the Key Recovery Agent template by selecting the corresponding checkbox and initiate the enrollment by clicking Enroll.
Confirm that the enrollment is pending and finalize the process by clicking Finish.
Obtain KRA certificate from the CA snap-in
To obtain the KRA certificate from the CA snap-in, follow these steps:
Launch the command prompt and execute the command certsrv.msc.
In the Certificates snap-in, navigate to the Pending Requests node. Right-click on the most recent request associated with the KRA template. Choose All Tasks and then select Issue.
Go to the Issued Certificates section. Confirm that the new certificate has been successfully issued.
Retrieve the issued certificate
To retrieve the issued certificate from the CA, follow these steps:
Open the command prompt and execute the command certmgr.msc.
Right-click on Certificates - Current User.
Choose All Tasks and then click Automatically enroll and retrieve certificates....
Click Next.
From the list, select the KRA certificate that was recently issued, and proceed to enroll it.
Configure CA to support key archival
To configure the CA to support key archival, follow these steps:
Open the command prompt and execute the command certsrv.msc.
Right-click on the CA Name and choose Properties.
Navigate to the Recovery Agent tab.
Choose the Archive the key radio button.
Click the Add button.
From the available certificates, select the KRA certificate that was recently issued. Click OK.
Click OK to confirm your selections.
If prompted, acknowledge that the CA service needs to be restarted and click Yes.
Create a template with key archival enabled
To create a template with key archival enabled, follow these steps:
Open the command prompt and execute the command certtmpl.msc.
Right-click on the user template and choose Duplicate Template.
Under Compatibility Settings, select Windows Server 2008 or above for both certification authority and certificate recipient. Click OK.
On the Resulting Changes menu, click OK.
Navigate to the General tab and enter a name for the template (for example, UserKeyArchival).
Navigate to the Request Handling tab and enable the Archive subject’s encryption private key checkbox.
Select the Subject Name tab.
Uncheck the Include e-mail name in subject name checkbox.
Uncheck the E-mail name checkbox.
Click Apply and then OK.
Add a new template in the CA configuration
To add a new template in the CA configuration, follow these steps:
Open the command prompt and execute the command certsrv.msc.
Right-click on the Certificate Templates node.
Choose New and then select Certificate Template to Issue.
Select the new template for key archival and click OK.
Issue a user template with key archival enabled
To issue a user template with key archival enabled, follow these steps:
Open the command prompt and execute the command certmgr.msc.
Right-click on the Personal node.
Select All Tasks and then choose Request New Certificate.
Click Next.
Click Next.
Select the checkbox for the new template with key archival and click Enroll.
Verify the enrollment's success in the Enrollment Wizard UI.
Click Finish.
Perform key recovery
To initiate key recovery and retrieve archived keys, follow these steps:
Verify archive status:
a. Log on to the system as the Domain Administrator.
b. Open the Certification Authority console by navigating to Administrative Tools, selecting Certification Authority, and then clicking Issued Certificates.
c. From the View menu, access Add/Remove Columns, select Archived Key from Available Columns, and click Add.
d. Confirm the presence of Yes value in the Archived Key column for the last issued certificate to UserKeyArchival.
Ensure the certificate template has been modified to enable the archive bit and mark private key as exportable attributes for successful key recovery.
e. Double-click the Archive User certificate.
f. Click the Details tab, write down the hexadecimal serial number (referred to as serialnumber), and click OK.
g. Close the Certification Authority.
Recover the private key:
a. Open a command prompt by clicking Start, selecting Run, typing cmd, and pressing ENTER.
b. Ensure you are in the c:\ directory by typing cd \ and pressing ENTER.
c. Execute the following command:
Certutil -getkey serialnumber outputblob
Here, replace serialnumber with the actual serial number of the certificate you are trying to retrieve, and replace outputblob with the desired output file name.
Verify the existence of the outputblob file by typing dir outputblob in the command prompt.
Recover the original private/public key pair:
a. Open a new command prompt window.
b. Execute the following command:
Certutil -recoverkey outputblob user.pfx
c. When prompted, enter the new password and confirm it.
d. Type exit and press ENTER.
e. Close all windows and log off as the current user.
Import the recovered private key/certificate:
a. Open a command prompt and type certmgr.msc.
b. Right-click on Certificates (Current User) and select Find Certificates.
c. Under Contains, type CA Name and click Find Now.
d. In Find Certificates, select all, delete, and confirm.
e. Close Find Certificates.
Import the certificate:
a. In the Certification Authority console, right-click Personal, choose All Tasks, and click Import.
b. In the Certificate Import Wizard, click Next.
c. Under Files to Import, enter c:\user.pfx in the File name box and click Next.
d. Enter the password and click Next.
e. On Certificate Store, select Automatically select the certificate store and click Next.
f. On Completing the Certificate Import Wizard, click Finish.
Verify the serial number:
a. In the Certification Authority console, double-click Personal and click Certificates.
b. Double-click the certificate, go to the Details tab, and verify that the serial number matches the original.
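The two certutil steps of the recovery above (certutil -getkey, then certutil -recoverkey) and the final serial-number check can be scripted so that each step is verified before the next runs. The following PowerShell function is an added example, not part of the original guide; it assumes an elevated PowerShell session run by the holder of the KRA certificate on a domain-joined host with certutil.exe on the PATH. The -CaConfig value is a placeholder for your CA in Host\CAName form (leave it empty to let certutil pick the default CA), and the serial number is whatever you copied from the certificate's Details tab.

```powershell
# Added example (not from the original guide): scripted key recovery with checks.
# Assumes: elevated PowerShell, KRA certificate and key available to the caller,
# certutil.exe on PATH. -CaConfig is a placeholder (Host\CAName) or empty.
function Restore-ArchivedUserKey {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,   # hex serial from the Details tab
        [string] $CaConfig = '',
        [string] $WorkDir  = 'C:\',
        [string] $PfxName  = 'user.pfx'
    )
    # The Details tab shows the serial with spaces; certutil and .NET use bare hex.
    $serial = ($SerialNumber -replace '\s', '').ToUpperInvariant()
    $blob   = Join-Path $WorkDir 'outputblob'
    $pfx    = Join-Path $WorkDir $PfxName

    # Step 1: certutil -getkey <serial> <blobfile> pulls the archived key blob
    # from the CA database. certutil fails if the certificate has no archived key.
    $cuArgs = @()
    if ($CaConfig) { $cuArgs += @('-config', $CaConfig) }
    $cuArgs += @('-getkey', $serial, $blob)
    $out = & certutil.exe @cuArgs
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $blob)) {
        throw "certutil -getkey did not produce '$blob':`n$($out -join "`n")"
    }

    # Step 2: certutil -recoverkey <blobfile> <pfx> decrypts the blob with the
    # KRA private key. certutil prompts for the new PFX password, as in the guide.
    $out = & certutil.exe -recoverkey $blob $pfx
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $pfx)) {
        throw "certutil -recoverkey failed:`n$($out -join "`n")"
    }

    # Step 3: confirm the PFX really contains the certificate that was requested
    # (Get-PfxCertificate prompts for the same password).
    $cert = Get-PfxCertificate -FilePath $pfx
    if ($cert.SerialNumber -ne $serial) {
        throw "Serial mismatch: requested $serial, PFX contains $($cert.SerialNumber)"
    }
    [pscustomobject]@{
        Serial        = $cert.SerialNumber
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        Pfx           = $pfx
    }
}

# Usage with placeholder values (replace with your own serial and CA config string):
# Restore-ArchivedUserKey -SerialNumber '<serialnumber>' -CaConfig '<CAHost>\<CAName>'
```

Checking the serial number in the PFX against the one requested is the scripted equivalent of the "Verify the serial number" step; doing it before importing the PFX avoids importing the wrong user's recovered key into the store.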
Migrate CA Keys from Microsoft software KSP to SafeNet KSP
Follow these steps to migrate a CA signing key from Microsoft software storage to the Luna HSM on Windows server using the Ms2luna utility for both CSP and KSP:
Configure SafeNet KSP
To configure the SafeNet KSP for accessing the Luna HSM or Luna Cloud HSM Service, follow these steps:
Locate the installation directory of the SafeNet Key Storage Provider.
Run the KspConfig.exe (KSP configuration wizard).
Double-click on Register Or View Security Library on the left side of the pane.
Browse to the cryptoki.dll library in the Luna Network HSM Client installation directory and click Register. Upon successful registration, the message Success registering the security library will be displayed.
Register HSM Slots:
a. Double-click on "Register HSM Slots" on the left side of the pane.
b. Enter the Slot (Partition) password.
c. Click Register Slot to register the slot for Domain\User. Upon successful registration, a confirmation message will be displayed.
Ensure you register the same slot for NT AUTHORITY\SYSTEM.
Both slots have been successfully registered. However, the KSP interface may display only a single entry for the service in the Registered Slots section. This is a common behavior and does not indicate an issue with the registration process.
Back up CA
To back up the CA, follow these steps:
Click the Start button.
Click Run, type certsrv.msc, and then click OK.
In the left pane, select the CA node.
On the Action menu, click All Tasks, and then select Backup CA.
Click Next on the Welcome page of the CA backup wizard.
Select the Private key and CA certificate check box.
Provide a directory name where the system will temporarily store the CA certificate and optionally the key. Click Next.
Provide a password to protect the CA key and click Next.
Click Finish to complete the CA backup process.
Migrate Microsoft CA onto Luna HSM using ms2Luna
To enhance the operational and logical security of the CA and mitigate the risk associated with software-stored keys, it is imperative to migrate the CA onto an HSM, specifically Luna HSM, using the ms2Luna tool. This process ensures the utilization of a more secure environment for key storage and verification of the CA. To migrate the CA:
Copy the CA certificate thumbprint.
Open a command prompt and run ms2Luna.exe
from the "
Ensure that you have registered a slot using KSP before proceeding with the migration of Microsoft CA to Luna HSM.
Enter the thumbprint of the CA certificate when prompted and press Enter.
Verify that the CA provider changes to SafeNet Key Storage Provider.
Restart the CA services. After restarting, CA services will utilize the keys from Luna HSM for signing new certificate requests and verifying already signed certificates.
Now, you can restore the CA certificate database that was backed up before migration. In case CA services are not restarting even after CA keys are migrated to Luna HSM using ms2Luna, consider uninstalling the CA services. Follow the instructions to install Microsoft Active Directory Certificate Services on Windows Server using SafeNet Key Storage Provider with migrated keys.
Install Microsoft ADCS using SafeNet KSP
To install the Microsoft Active Directory Certificate Services software:
Log in as an Enterprise Admin/Domain Admin with Administrative privileges.
Open Server Manager under Configure this Local Server and click Add Roles and Features to launch the Add Roles and Features Wizard.
On the Before you Begin page, click Next.
Select the Role-based or feature-based installation radio button and click Next.
Select the Select a server from the server pool radio button and from Server Pool, select your server.
Click Next.
Select the Active Directory Certificate Services check box from the Server Roles. A window stating Add features that are required for Active Directory Certificate Services appears on your screen.
To add a feature, click Add Features.
Click Next twice to continue until the Role Services options are displayed.
Select the Certification Authority check box from the Role services list and click Next.
Verify that the role you are about to install is appropriate and click Install.
Once installation is complete, click the link Configure Active Directory Certificate Services on the destination server; it opens ADCS Configuration wizard.
On the Credentials page of ADCS Configuration wizard, click Next to continue.
Select the Certification Authority check box and click Next.
Select the Enterprise CA radio button and click Next.
Select the Root CA radio button and click Next.
Proceed to set up the Private Key for CA to generate and issue certificates to clients. Select Use existing private key and Select an existing private key on this computer. Click Next to continue.
Click Change. Select the SafeNet Key Storage Provider algorithm that you used to generate the private keys. Clear the CA Common name. Click Search.
Select the existing key and click Next. Select the Allow administrator interaction when the private key is accessed by the CA check box.
Select the Hash Algorithm for signing certificates issued by this Certificate Authority and key length settings for your installation.
Click Next to continue.
Configure a common name to identify this Certificate Authority. Click Next to continue.
Set the Certificate Validity Period. Click Next to continue.
Configure the Certificate Database. Click Next to continue.
Click Configure to set up the selected roles, role services, or features.
Click Close to exit the ADCS Configuration wizard after reviewing the installation results.
After completing the installation successfully, it is essential to restore the CA certificate database using the backup created prior to initiating the key migration process.
Restore MS CA
If you need to restore your backed-up MS CA database, here's how you can do it:
Click the Start button, then choose Run, type certsrv.msc, and click OK.
In the left pane, select your CA node.
From the Action menu, select All Tasks, and then click Restore CA.
Click Next on the Welcome page of the CA Restore wizard.
Check the boxes for Certificate database and certificate database log. Specify a directory to temporarily store the CA certificate and key. Click Next.
Create a password to protect your CA key and click Next.
Click Finish.
A window will appear asking if you want to start Active Directory certificate services. Click Yes.
Verify that Active Directory Services have been successfully restarted.
Congratulations! Your CA keys have now been migrated from Microsoft Key Storage Provider to SafeNet Key Storage Provider, utilizing Luna HSM for secure access whenever CA services need the keys.
Install and configure the CA Cluster using SafeNet KSP
Follow the procedure explained below to install and configure a CA on a failover cluster running on Windows Server using SafeNet KSP.
Set up CA server role on the first cluster node
Set up CA server role on the second cluster node
Set up failover cluster feature on cluster nodes
Configure ADCS failover cluster
Set up CA server role on the first cluster node
To set up the CA server role on the first cluster node:
Log in as an Enterprise Admin/Domain Admin with administrative privileges.
Install Microsoft Active Directory Certificate Services on the first node as per the steps outlined in the Install Active Directory Certificate Services section.
Click the Start button, point to Run, type certsrv.msc, and then click OK.
Select the CA node in the left pane.
On the Action menu, click All Tasks, and then select Backup CA.
Click Next on the Welcome page of the CA backup wizard.
Select Private key and CA certificate and provide a directory name to temporarily store the CA certificate and optionally the key. Click Next.
Provide a password to protect the CA key and click Next.
Click Finish.
You'll receive a warning that the private key cannot be exported.
Click OK to continue.
Use the ksputil.exe utility to migrate keys to the cluster for the second node. Contact Customer Support if you don't have the utility.
Create a cluster key for the second node using the existing key. Run ksputil.exe to make the keys visible to the secondary node in the cluster.
On the Action menu, click All Tasks, and then select Stop Service. After successful key migration, shut down the CA service to unlock disk resources.
Close the CA management snap-in.
Detach shared storage from the cluster node: Go to the Server Manager MMC snap-in. Click File and Storage Services, then click Disks. Select the shared disk resource, right-click on it, and select Take Offline.
Release HSM from the cluster node: Disable the network connection to release the Luna HSM from the first cluster node and then log off from the first node.
Set up CA server role on the second cluster node
This section provides instructions for configuring the second cluster node. Follow these steps for each additional cluster node beyond the first:
Configure the secondary cluster node
To configure the secondary cluster node:
Log in to the cluster node using a user account with permissions to install the second cluster node. For an enterprise CA, log in with enterprise admin permissions in the Active Directory domain. For a standalone CA, local admin permissions are sufficient if you don't intend to register the CA in the Active Directory configuration container.
Click the Start button, open Run, type servermanager.msc, and click OK.
Open the Server Manager MMC snap-in. Navigate to File and Storage Services, then click Disks.
Ensure the shared disk used for the CA is online.
Copy the previously exported CA certificate to the second cluster node.
Click the Start button, point to Run, type mmc, and click OK.
From the File menu, click Add/Remove Snap-in....
Select Certificates from the list of available snap-ins and click Add.
Choose the Computer Account radio button and click Next.
Select the Local Computer radio button and click Finish.
Click OK.
Import existing CA certificate
To import an existing CA certificate:
In the Certificate Manager MMC snap-in, expand the Certificates (Local Computer) node and select the Personal store.
From the Action menu, click All Tasks, and then select Import....
In the Certificate Import Wizard, click Next.
Enter the filename of the CA certificate created on the first node and click Next. If you are using the Browse button to locate the certificate, change the file type to Personal Information Exchange (.pfx, .p12).
Type the password used to protect the private key. This password is required, even if there is no private key in the PFX file. Click Next.
Do not select the Mark this key as exportable checkbox.
Select the Place all certificates in the following store radio button and then choose the Personal certificate store.
Click Next and then click Finish to import the certificate.
Click OK to confirm the successful import.
Repair the association between the certificate and the private key stored in the HSM.
In the Certificate Manager, expand the Personal store and select the Certificates container.
Select the imported certificate, and choose Open from the Action menu. Navigate to the Details tab.
Select the field Serial Number and copy the serial number into the clipboard. Click OK.
Open the command prompt, type certutil -repairstore My "{Serial number}", and press Enter.
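The repair step above (find the imported certificate, copy its serial number, run certutil -repairstore) and the check that the key really resolves to the HSM-backed provider can be done together. The following PowerShell function is an added example, not part of the original guide or the KSP package; it assumes an elevated PowerShell session on the second cluster node with the SafeNet KSP already registered for both NT AUTHORITY\SYSTEM and the administrative user, and -CaSubject is a placeholder for the CA certificate's subject as shown in the Certificate Manager.

```powershell
# Added example (not from the original guide): re-bind the imported CA
# certificate to its HSM-resident private key and confirm which KSP holds it.
# Assumes: elevated PowerShell on the second node, SafeNet KSP registered,
# certutil.exe on PATH. -CaSubject is a placeholder such as 'CN=<CA name>'.
function Repair-HsmCaKeyBinding {
    param(
        [Parameter(Mandatory)] [string] $CaSubject,
        [string] $ExpectedProvider = 'SafeNet Key Storage Provider'
    )
    # Pick the newest certificate with the CA's subject from the machine Personal store
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CaSubject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$CaSubject' in LocalMachine\My" }

    # certutil -repairstore My <serial> searches the registered KSPs for a key
    # matching the certificate's public key and writes the association back.
    $out = & certutil.exe -repairstore My $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed:`n$($out -join "`n")" }

    # Re-read the certificate so HasPrivateKey reflects the repaired binding
    $cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) { throw "Private key is still not associated with the certificate" }

    # Open the key through CNG to see which provider actually holds it.
    # CA keys from the SafeNet KSP are CNG keys (RSACng / ECDsaCng expose .Key).
    $key = $null
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa) {
        $key = $rsa.Key
    } else {
        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        if ($ecdsa) { $key = $ecdsa.Key }
    }
    if (-not $key) { throw "Private key is not a CNG key; it is not held by a Key Storage Provider" }

    $provider = $key.Provider.Provider
    [pscustomobject]@{
        Subject    = $cert.Subject
        Serial     = $cert.SerialNumber
        Thumbprint = $cert.Thumbprint
        Provider   = $provider
        ProviderOk = ($provider -eq $ExpectedProvider)
    }
}

# Usage (placeholder subject):
# Repair-HsmCaKeyBinding -CaSubject 'CN=<CA name>' | Format-List
```

If ProviderOk comes back False, the certificate was bound to a key in a different provider (for example a software KSP on the node), which is exactly the condition the cluster configuration in the next sections would otherwise silently inherit.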
Add ADCS role
Follow these steps to add the ADCS role to your server:
Open Server Manager by navigating to Configure this Local Server and clicking Add Roles and Features. The Add Roles and Features Wizard will appear on your screen.
Click Next.
Select the Role-based or feature-based installation radio button and click Next.
Select the Select a server from the server pool radio button and from Server Pool, select your server.
Click Next.
Select the Active Directory Certificate Services check box from the Server Roles.
The Add features that are required for Active Directory Certificate Services window will appear. To add a feature, click the Add Features button.
Click Next to continue.
Click Next to continue.
Click Next to continue.
Select the Certification Authority check box from the Role services list and click Next.
Click Install.
Once the installation is complete, navigate to the destination server and click on the link Configure Active Directory Certificate Services. This action will launch the ADCS Configuration wizard.
Configure ADCS role
Follow these steps to configure the ADCS role:
On the Credentials page of the ADCS Configuration wizard, click Next to continue.
Select the Certification Authority check box and click Next.
Choose Enterprise CA as the Setup Type and click Next.
Select Root CA as the type of CA and click Next.
Choose the Use existing private key radio button and select the option Select a certificate and use its associated private key. Click Next.
Select the CA certificate that was generated on the first node and click Next.
Change the default database and log locations to the paths on the shared storage that the first node already uses. Click Next to continue.
A dialog box displays stating that an existing database was found. Click Yes to overwrite.
On the Confirmation page, click Configure.
Click Close to finish the role installation.
Log off from the second cluster node.
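The same second-node preparation (import the CA certificate, re-bind it to the HSM-held key, install and configure the CA role against that certificate) scripted in PowerShell. This is an added example, not code from the Thales guide; the PFX path, CA name, shared-disk paths and the use of the -csp switch (which the guide itself uses later in the migration section) are assumptions for illustration.

```powershell
# Added example (not part of the Thales ADCS/Luna guide).
# Run elevated on the second cluster node after the Luna client and SafeNet KSP are registered.
#Requires -RunAsAdministrator

$PfxPath = 'C:\Temp\EYHSM-CA.pfx'     # assumption: CA certificate exported from the first node
$DbPath  = 'S:\CertDB'                # assumption: database directory on the shared cluster disk
$LogPath = 'S:\CertLog'               # assumption: log directory on the shared cluster disk
$Ksp     = 'SafeNet Key Storage Provider'
$PfxPass = Read-Host -AsSecureString -Prompt 'Password protecting the PFX'

# 1. Import into LocalMachine\My. Deliberately no -Exportable: the CA key must stay in the HSM,
#    and this PFX carries the certificate only.
$cert  = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass
$thumb = $cert.Thumbprint

# 2. Re-associate the certificate with the private key held in the Luna partition through the KSP.
certutil -repairstore -csp $Ksp My $thumb | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed for $thumb" }

# 3. Verify the binding before touching the role: provider must be the SafeNet KSP and the
#    sign/verify round trip that certutil performs must succeed.
$verify = (certutil -verifystore My $thumb) -join "`n"
if ($verify -notmatch [regex]::Escape($Ksp)) { throw 'Key is not bound through the SafeNet KSP' }
if ($verify -notmatch 'Encryption test passed') { throw 'Certificate/key association is broken' }

# 4. Install the CA role service and configure an Enterprise Root CA that reuses the existing
#    certificate and key (the "Use existing private key" path of the wizard). The database on the
#    shared disk created by the first node is overwritten, as the wizard prompts.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertificateID $thumb `
    -DatabaseDirectory $DbPath -LogDirectory $LogPath `
    -OverwriteExistingDatabase -Force

# 5. Show what the CA will use at start-up.
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$($cert.Subject -replace '^CN=','' -replace ',.*$','')\CSP" -Name Provider
```

The verification in step 3 is the check worth keeping: Encryption test passed is the only line in the certutil output that proves the private key is reachable through the KSP, so a missing line should stop the script before the role is configured against a certificate with no usable key.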
Set up failover cluster feature on cluster nodes
To configure the failover cluster feature on each node of the cluster, follow these steps:
Begin by logging on to the cluster node with local administrator permissions.
Navigate to Server Manager under Configure this Local Server and click on Add Roles and Features. This action triggers the display of the Add Roles and Features Wizard.
Click Next to proceed.
Choose the Role-based or feature-based installation radio button and click Next.
Select the Select a server from the server pool radio button, and then choose your server from the server pool.
Click Next twice. From the list of available features, check the box for Failover Clustering and click Next.
A notification will appear on your screen, indicating the need to add features essential for failover clustering. Click the Add Features button.
Click Next.
Click Install.
Once the installation is finished, click Close.
Create failover cluster
To establish a failover cluster, follow these steps:
Begin by logging into the cluster node where the shared storage is attached and accessible.
Open Server Manager, go to Tools, and select Failover Cluster Manager.
From the Action menu, choose Create a Cluster.
On the Before You Begin page, click Next.
Enter the computer name of the initial cluster node in the Enter Server Name field and click Add.
Input the computer name of the second cluster node and click Add.
Proceed by clicking Next.
Provide a name for the cluster and continue by clicking Next until you reach the Summary page.
Ensure the cluster configuration is accurate and finalize the process by clicking Finish.
Configure ADCS failover cluster
To configure an ADCS failover configuration for certificate services, follow these steps:
In the Failover Cluster Management snap-in, right-click on Role and then choose Configure Role.
Proceed to Before You Begin page and click Next.
From the role list, select Generic Service and then click Next.
In the service list, select Active Directory Certificate Services and click Next.
On the Client Access Point page, enter the service name in the Name field, and then click Next.
Select the disk storage that is still mounted to the node and click Next.
Configure a shared registry hive by clicking the Add button, entering SYSTEM\CurrentControlSet\Services\CertSvc, and then clicking OK.
Click Next on the Confirmation page.
Click Finish to complete the failover configuration for certificate services.
Open the Failover Cluster Manager and ensure the Status of the newly created service is Running.
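The failover-cluster procedure above (feature installation on both nodes, cluster creation, the CertSvc generic-service role with its registry checkpoint, and the final status check) done with the FailoverClusters PowerShell module. This is an added example and not part of the Thales guide; node names, the cluster name and static address, the client access point name and the shared disk name are assumptions.

```powershell
# Added example (not part of the Thales ADCS/Luna guide).
# Run elevated on the node that owns the shared storage.
#Requires -RunAsAdministrator
Import-Module FailoverClusters

$Nodes       = 'ADCS-NODE1', 'ADCS-NODE2'   # assumption: the two cluster nodes
$ClusterName = 'ADCS-CLUSTER'               # assumption
$ClusterIP   = '10.0.0.50'                  # assumption: static cluster address
$CapName     = 'ADCS-CA'                    # assumption: client access point / service name
$ClusterDisk = 'Cluster Disk 1'             # assumption: shared disk that holds the CA database

# 1. Failover Clustering feature on every node.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Install-WindowsFeature Failover-Clustering -IncludeManagementTools
}

# 2. Validate the configuration, then create the cluster.
Test-Cluster -Node $Nodes
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP

# 3. Publish CertSvc as a Generic Service role tied to the shared disk, and checkpoint the
#    CertSvc registry hive so the CA configuration follows the role on failover.
Add-ClusterGenericServiceRole -ServiceName CertSvc -Name $CapName -Storage $ClusterDisk `
    -CheckpointKey 'SYSTEM\CurrentControlSet\Services\CertSvc'

# 4. Verify: the role is Online and the checkpoint is attached to the generic-service resource.
$group = Get-ClusterGroup -Name $CapName
$res   = Get-ClusterResource | Where-Object { $_.OwnerGroup -eq $CapName -and $_.ResourceType -eq 'Generic Service' }
$group | Select-Object Name, OwnerNode, State
Get-ClusterCheckpoint -ResourceName $res.Name
if ($group.State -ne 'Online') { throw "Role $CapName is $($group.State), expected Online" }
```

Passing the registry key through -CheckpointKey at role creation is equivalent to the Registry Replication tab in the GUI; Get-ClusterCheckpoint is the quick way to confirm the key is really attached, which is the setting most often missed when a second node later starts the CA with stale configuration.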
Create CRL objects in Active Directory
By default, the Active Directory permissions granted to the CA cluster do not allow the CRL to be published into Active Directory, so the CRL container has to be created once by hand with certutil. To create the CRL objects in Active Directory, follow these steps:
Log in to the active cluster node with enterprise permissions.
Click the Start button, navigate to Run, type cmd, and then click OK.
In the command line interface, type cd %WINDIR%\System32\CertSrv\CertEnroll and press Enter.
To publish the CRL into Active Directory, run certutil -f -dspublish {CRLfile}, where {CRLfile} is the name of the CRL file in that directory.
Modify CA configuration in Active Directory
The AIA object in Active Directory stores the CA’s certificate, allowing both cluster nodes to update the CA certificate when necessary. The tasks outlined below can be carried out from any computer within your Active Directory configuration that has the Active Directory Sites and Services snap-in and ADSIEDIT installed. To modify the CA configuration in Active Directory:
Log in to the computer with enterprise permissions.
Click the Start button, go to Run, type dssite.msc, and then click OK.
Select the top node in the left pane. In the View menu, choose Show services node.
In the left pane, expand Services and Public Key Services, and select AIA.
In the middle pane, choose the CA name as it appears in the Certification Authority MMC snap-in.
From the Action menu, select Properties. Click the Security tab and choose Add….
Click Object Types and select the Computers checkbox. Click OK.
In the Enter the object names to select field, enter the computer name of the second cluster node. Click OK.
Ensure that the computer accounts of both cluster nodes have Full Control permissions.
Click OK.
In the left pane, choose Enrollment Services.
In the middle pane, select the CA name.
From the Action menu, choose Properties. Click the Security tab and choose Add….
Click Object Types and select the Computers checkbox. Click OK.
In the Enter the object names to select field, enter the computer name of the second cluster node. Click OK.
Ensure that the computer accounts of both cluster nodes have Full Control permissions.
Click OK.
In the left pane, choose KRA.
In the middle pane, select the CA name.
From the Action menu, choose Properties. Click the Security tab and choose Add….
Click Object Types and select the Computers checkbox. Click OK.
Type the computer name of the second cluster node as the object name and click OK.
Verify that the computer accounts of both cluster nodes have Full Control permissions.
Click OK.
Close the Sites and Services MMC snap-in.
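The CRL publication and the three permission changes above (Full Control for both nodes' computer accounts on the CA's AIA, Enrollment Services and KRA objects), as an added PowerShell example that is not part of the Thales guide. It assumes the RSAT ActiveDirectory module, enterprise permissions, and placeholder CA and node names; the guide's own example CA name EYHSM-CA is reused.

```powershell
# Added example (not part of the Thales ADCS/Luna guide).
# Run with enterprise permissions on a machine that has the ActiveDirectory module.
Import-Module ActiveDirectory

$CAName = 'EYHSM-CA'                   # assumption: CA name as shown in the Certification Authority snap-in
$Nodes  = 'ADCS-NODE1', 'ADCS-NODE2'   # assumption: both cluster node computer names
$cfgNC  = (Get-ADRootDSE).configurationNamingContext
$pki    = "CN=Public Key Services,CN=Services,$cfgNC"

# SIDs of the node computer accounts (used so the ACE is domain-independent).
$sids = foreach ($n in $Nodes) { (Get-ADComputer -Identity $n).SID }

# Grant GenericAll (Full Control) on the CA object under each container the guide lists.
foreach ($container in 'AIA', 'Enrollment Services', 'KRA') {
    $dn  = "CN=$CAName,CN=$container,$pki"
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($sid in $sids) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Verify: every node SID must hold an Allow/GenericAll ACE on all three objects.
foreach ($container in 'AIA', 'Enrollment Services', 'KRA') {
    $dn = "CN=$CAName,CN=$container,$pki"
    $granted = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -eq 'GenericAll' -and
        $sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    }
    if ($granted.Count -lt $sids.Count) { throw "Missing Full Control for a node account on $dn" }
}

# Publish the current CRL from the CertEnroll directory into Active Directory (run on the active node).
$crl = Get-ChildItem "$env:WINDIR\System32\CertSrv\CertEnroll\*.crl" | Select-Object -First 1
certutil -f -dspublish $crl.FullName
```

Full Control on these objects is what the guide calls for; if you later tighten it, the minimum the passive node needs is write access to the cACertificate attribute on the AIA object and to the CRL container, since those are the objects the CA rewrites on certificate renewal and CRL publication.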
Migrate ADCS cluster keys from Microsoft Software KSP to SafeNet KSP
This section provides a detailed guide on migrating the CA keys used by ADCS from the Microsoft Software KSP to the SafeNet KSP. Upon completion of the migration, the ADCS cluster will utilize the CA signing keys securely stored in the Luna HSM. Before initiating the migration process, ensure the following prerequisites are met:
-
The ADCS Cluster is currently operational using the Microsoft Software Key Storage Provider.
-
The Luna Client is installed, and a partition is registered on each node of the cluster.
-
The SafeNet KSP is registered and configured on every node of the cluster.
To migrate the AD CS Cluster from Microsoft KSP to SafeNet KSP, associate the CA key with the SafeNet KSP on each cluster node. The steps for performing the migration process are outlined below:
Log in to the first node of the cluster and verify that the ADCS cluster service is operational and owned by the first cluster node where the CA keys were originally generated.
Navigate to the Resources tab, select Active Directory Certificate Services, and then click on Remove in the Actions pane to remove the ADCS service from the cluster. When prompted, click Yes to remove the service.
Launch the Certificate Authority snap-in from the Administrative Tools menu.
Before proceeding with the backup of the existing CA database and keys, ensure that CA certificate services are running. If the services are not running, start them before proceeding with the backup process.
Select the CA in the Certificate Authority, then click on Action in the menu bar. From there, select All Tasks and choose Back up CA… to initiate the backup process.
Open the Certificate Authority Backup Wizard and follow the steps provided by the wizard to create a backup of the CA certificate database. When prompted to select a directory for the backup, make sure to choose an empty directory.
Follow the steps provided by the wizard to complete the backup process and then click on the Finish button to close the wizard.
In the Certificate Authority snap-in, select the CA name, open the Action menu and click Properties. The CA Properties window shows the current provider and the CA name. Click View Certificate, open the Details tab and select the Thumbprint field. Note both the certificate thumbprint and the CA name; you will need them later when migrating the key. For example:
-
CA-Name: EYHSM-CA
-
Thumbprint: da205e29cb1e1ebaebc50dbe4458e0443baa769a
Close the Certificate and Properties window by clicking the OK button twice.
Open the command prompt and run the command below to find the unique key container. Note the container name; you will need it later when migrating the key to the Luna HSM. For example:
certutil -verifystore my <CA_Certificate_Thumbprint>
Go to the KSP folder of the Luna Client, open the command prompt and run the ms2luna command. Provide the CA certificate thumbprint when prompted to migrate the CA key.
Ensure that the CA service provider is now set to SafeNet Key Storage Provider. You can confirm this in two ways: check the CA Properties window in the Certificate Authority snap-in, or verify the store with the following command:
certutil -verifystore My <CA_Certificate_Thumbprint>
Replace <CA_Certificate_Thumbprint> with the thumbprint of the certificate whose key you migrated with the ms2luna command. Check that the unique container name and the provider have changed accordingly and that the output shows Encryption test passed. If the output does not show the CA certificate associated with the key migrated to the Luna HSM, run the -repairstore command:
certutil -repairstore -csp "SafeNet Key Storage Provider" My <CA_Certificate_Thumbprint>
Replace <CA_Certificate_Thumbprint> with the thumbprint of the CA certificate.
Ensure that AD CS services are running correctly after the key migration by stopping and then restarting the services.
Use the ksputil utility to create a key for all the other nodes in the AD CS Cluster. Provide the partition password when prompted.
ksputil clusterKey /s <SlotNum> /n <CA_Name> /t <TargetCluster_Host>
Here:
-
<SlotNum>
: Luna HSM partition slot id -
<CA_Name>
: Name of the CA -
<TargetCluster_Host>
: Fully qualified domain name of cluster node
You must run this command once for every other node in the cluster: it duplicates the same key in the HSM and associates the copy with the named node, so that each node can use the same CA key.
Then log in to each of the other cluster nodes and associate the CA certificate with the key created in the HSM for that node, as follows.
Open the command prompt and run the following command to check that the CA certificate is initially associated with Software Key Storage Provider:
certutil -verifystore My <CA_Certificate_Thumbprint>
The thumbprint must be the same on all the nodes of the cluster because the cluster is using the same key and certificate for each node. From the output of the command note the Unique key container which contains the key.
Go to the C:\ProgramData\Microsoft\Crypto\Keys directory and locate the unique key container associated with the CA certificate. Right-click the container and select Delete. Make sure you delete only the container whose name matches the Unique key container noted in the previous step; every other file in that directory is a machine key used by some other certificate, and deleting it breaks that certificate.
Run the repair store command below in the command prompt, to associate the CA certificate with the key migrated to Luna HSM.
certutil -repairstore -csp "SafeNet Key Storage Provider" My <CA_Certificate_Thumbprint>
When the command is successfully completed, it will show that the provider now points to SafeNet Key Storage Provider and unique container name has been changed.
Open the registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA-Name>\CSP, where <CA-Name> is the actual name of your CA. Change the value of Provider from Microsoft Software Key Storage Provider to SafeNet Key Storage Provider.
Launch the Failover Cluster Manager, go to Roles and select the cluster service. In the Actions pane, choose Move and then Best Possible Node, so that the shared disk is brought online on the node you are currently working on.
Open the certificate authority snap-in and start the CA service. When it starts successfully, ensure that provider is SafeNet Key Storage Provider.
Perform these steps on each node of the cluster. Proceed to the next step only after you have associated the CA certificate to the key on Luna HSM using SafeNet Key Storage Provider and confirmed that CA Services are active when the shared disk is connected to that node.
Log on to any node where the shared storage is available and CA services are operational.
In the Failover Cluster Manager, navigate to the Roles section and select the service. Then, click on Resources, followed by Add Resource>Generic Service.
In New Resource Wizard, select Active Directory Certificate Services and follow the instructions to complete the Wizard.
Navigate to the Resources section and choose Active Directory Certificate Services. Click Properties to open the property window, select Registry Replication, and then click Add. Enter the registry key for the CA service, SYSTEM\CurrentControlSet\Services\CertSvc, and then click OK to save the changes.
Click OK to close the Properties window and save the settings.
In the Failover Cluster Manager, go to Roles and select the service. Click Stop Role in the Actions pane to stop the cluster service.
Click Start Role in the Actions pane to restart the cluster service. Verify that the service is starting and is running properly.
Log in to each node of the cluster one by one and verify that the cluster services are running on each node.
Open the Failover Cluster Manager and select the cluster service under Roles. In the Actions pane, click Move and then click Best Possible Node. If the cluster service starts and runs on the currently logged-in node, then everything is working properly, and you have successfully migrated the CA keys from the Microsoft Provider to the Luna HSM Provider.
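The per-node part of the migration above (duplicate the HSM key to the other nodes with ksputil, then on each of those nodes remove the software key container, re-bind the certificate through the SafeNet KSP, and repoint the CA's CSP registry entry), as an added PowerShell example that is not part of the Thales guide. It reuses the guide's example thumbprint and CA name; the slot number, node FQDNs and the Luna client KSP directory are assumptions, and ms2luna is left to be run interactively on the first node as the guide describes.

```powershell
# Added example (not part of the Thales ADCS/Luna guide).
$CAName = 'EYHSM-CA'                                      # guide's example CA name
$Thumb  = 'da205e29cb1e1ebaebc50dbe4458e0443baa769a'     # guide's example thumbprint
$Ksp    = 'SafeNet Key Storage Provider'
$Slot   = 0                                               # assumption: Luna partition slot id
$Others = 'ADCS-NODE2.example.com'                        # assumption: FQDNs of all other nodes
$KspDir = 'C:\Program Files\SafeNet\LunaClient\KSP'       # assumption: Luna client KSP folder

# Parse the three facts certutil -verifystore reports about a certificate's key binding.
function Get-CAKeyBinding {
    param([string]$Thumbprint)
    $out = (certutil -verifystore My $Thumbprint) -join "`n"
    [pscustomobject]@{
        Provider  = [regex]::Match($out, 'Provider\s*=\s*(.+)').Groups[1].Value.Trim()
        Container = [regex]::Match($out, 'Unique container name:\s*(\S+)').Groups[1].Value
        TestOK    = $out -match 'Encryption test passed'
    }
}

# Run on the FIRST node, after ms2luna: one HSM key copy per additional node.
# ksputil prompts for the partition password.
function Copy-CAKeyToNodes {
    foreach ($node in $Others) {
        & "$KspDir\ksputil.exe" clusterKey /s $Slot /n $CAName /t $node
        if ($LASTEXITCODE -ne 0) { throw "ksputil clusterKey failed for $node" }
    }
}

# Run on EACH OTHER node with the CA service stopped and the shared disk owned elsewhere.
function Repair-CAKeyBindingToLuna {
    $before = Get-CAKeyBinding $Thumb
    if ($before.Provider -like 'Microsoft Software*' -and $before.Container) {
        # Remove only the software container certutil reported for this thumbprint.
        Remove-Item "C:\ProgramData\Microsoft\Crypto\Keys\$($before.Container)" -Force
    }
    certutil -repairstore -csp $Ksp My $Thumb | Out-Null
    $after = Get-CAKeyBinding $Thumb
    if (-not $after.TestOK -or $after.Provider -ne $Ksp) {
        throw "Key migration failed on $env:COMPUTERNAME`n$($after | Out-String)"
    }
    # Point the CA service at the KSP so CertSvc opens the HSM key on start-up.
    $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\CSP"
    Set-ItemProperty -Path $reg -Name Provider -Value $Ksp
    Get-ItemProperty -Path $reg -Name Provider
    $after
}
```

Call Copy-CAKeyToNodes once on the node that ran ms2luna, then Repair-CAKeyBindingToLuna on each remaining node before moving the cluster role to it. The function refuses to report success unless the Provider line names the SafeNet KSP and Encryption test passed is present, which is the same two-part check the guide asks you to make by eye.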