Microsoft ADCS
This guide outlines the smooth integration of Microsoft Active Directory Certification Services (ADCS) with Luna HSM or Luna Cloud HSM, presenting a detailed step-by-step process. ADCS plays a pivotal role in managing public key certificates within software security systems, reinforcing digital security by associating entity identity with private keys. Trust in a Public Key Infrastructure (PKI) is solidified through a Certificate Authority (CA). The integration of ADCS with Luna HSM further enhances security, specifically safeguarding the crucial root encryption key necessary for upholding trust in the PKI.
The key benefits of this integration are:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that the Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
| HSM Type | Platform Tested |
|---|---|
| Luna HSM | Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 |
| Luna Cloud HSM | Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 |
Prerequisites
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
1. Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to the Luna HSM documentation.
2. Create a partition that will later be used by Microsoft ADCS.
3. Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to create an NTLS connection.
4. Initialize the Crypto Officer and Crypto User roles for the registered partition.
5. Run the following command to verify that the partition has been successfully registered and configured:
`C:\Program Files\SafeNet\LunaClient>lunacm.exe`
Upon successful execution, you should see output similar to the example below:
```
lunacm.exe (64-bit) v10.2.0-111. Copyright (c) 2020 SafeNet. All rights reserved.

Available HSMs:

Slot Id ->              0
Label ->                ms-adcs
Serial Number ->        1238696044953
Model ->                LunaSA 7.3.0
Firmware Version ->     7.3.0
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->     Net Token Slot
```
Note
Refer to the Luna HSM documentation for detailed steps on creating an NTLS connection, initializing partitions, and assigning the various user roles.
Set up Luna HSM in High Availability Mode
Refer to Luna HSM documentation for High Availability (HA) steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work so that if the primary goes down due to any reason, all calls get automatically routed to the secondary until the primary recovers and starts up.
Note
This integration has been tested using Luna Client in both HA and FIPS-compliant modes.
Set up Luna Cloud HSM
The following steps are applicable for setting up the Luna Cloud HSM on a Windows environment:
1. Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
2. Extract the .zip file into a directory on your client workstation.
3. Extract or untar the appropriate client package for your operating system (`cvclient-min.zip`). Do not extract to a new subdirectory; place the files in the client install directory.
4. Run the `setenv` script to generate a new configuration file with the necessary information for the Luna Cloud HSM service. Right-click `setenv.cmd` and select Run as Administrator.
Note
To add the configuration to an already installed UC client, use the `-addcloudhsm` option when running the `setenv` script.
5. Run the LunaCM utility and verify that the Cloud HSM service is listed.
Note
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is selected. For more information, refer to Supported Mechanisms.
Integrating Luna HSM with Microsoft ADCS on Windows server
Integrating Luna HSM with Microsoft ADCS on Windows server involves the following steps:
Note
Before beginning the integration, it is recommended to get acquainted with Microsoft Active Directory Certificate Services. Refer to the [Microsoft ADCS documentation](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740(v=ws.11) for detailed information.
Configure SafeNet Key Storage Provider
1. Ensure that the SafeNet Key Storage Provider (KSP) is configured so that user accounts and the system can access the Luna HSM or Luna Cloud HSM. For Luna HSM, install the KSP package during the Luna Client software installation. For Luna Cloud HSM, the KSP package is in the /KSP directory of the service client package.
2. Navigate to the
3. Run `KspConfig.exe` (the KSP configuration wizard).
4. Double-click Register Or View Security Library.
5. Browse to `cryptoki.dll` in the Luna HSM Client installation directory or the Luna Cloud HSM client package and click Register. Upon successful registration, the message Success registering the security library! is displayed.
6. Double-click Register HSM Slots on the left side of the pane.
7. Enter the Slot (Partition) password.
8. Click Register Slot to register the slot for Domain\User. On successful registration, the message The slot was successfully and securely registered is displayed.
9. Register the same slot for NT AUTHORITY\SYSTEM.
Note
Both slots are registered even if only one entry appears for the service in the Registered Slots section of the KSP interface.
Install Microsoft ADCS on Windows server using SafeNet KSP
For a successful installation of Microsoft ADCS on Windows Server utilizing SafeNet KSP, follow the steps outlined below. It is imperative to configure Microsoft ADCS to utilize the Luna HSM or Luna Cloud HSM during the configuration of the Microsoft Certificate Authority (CA) user role.
1. Log in with an account that has Enterprise Admin/Domain Admin privileges.
2. Confirm that the SafeNet Key Storage Provider (KSP) is configured, as explained in the previous section.
3. Open Server Manager by navigating to Configure this Local Server and selecting Add Roles and Features.
4. In the Add Roles wizard that appears, click Next to proceed.
5. Select the Role-based or feature-based installation radio button and click Next.
6. Select the Select a server from the server pool radio button, then choose the server from the Server Pool list.
7. Select the Active Directory Certificate Services checkbox and click Next. A window prompts you to add the features required for Active Directory Certificate Services.
8. Click the Add Features button, and then click Next.
9. Click Next on the Active Directory Certificate Services page.
10. Select the Certification Authority checkbox from the Role services list, and then click Next.
11. Click Install to start the installation.
12. After the installation completes, click Configure Active Directory Certificate Services on the destination server. This opens the ADCS Configuration wizard.
13. On the Credentials page of the ADCS Configuration wizard, click Next.
14. Select the Certification Authority checkbox, and then click Next.
15. Select the Enterprise CA radio button, and then click Next.
16. Select the Root CA radio button, and then click Next.
17. Configure the private key the CA uses to generate and issue certificates to clients. To create a new key, select the Create a new private key radio button and click Next. To use an existing private key instead, skip the next few steps and proceed directly to step 21.
18. Open the Select a cryptographic provider drop-down menu and choose an algorithm that uses SafeNet Key Storage Provider. Open the Key length drop-down menu and select a key length.
19. Choose the Hash Algorithm for signing certificates issued by this Certificate Authority and specify the key length settings for your installation.
20. Select the Allow administrator interaction when the private key is accessed by the CA checkbox, and then click Next.
21. Select the Use existing private key option to set up the private key the CA uses to generate and issue certificates to clients. Choose Use existing private key and Select an existing private key on this computer. Click Next to continue.
22. Click Change. Choose the SafeNet Key Storage Provider algorithm that was used to generate the private key. Clear the CA Common name and click Search.
23. Choose the existing key and click Next.
24. Configure a common name to identify this Certificate Authority. Click Next.
25. Set the Certificate Validity Period. Click Next.
26. Configure the Certificate database location, where the CA records all certificate requests, issued certificates, and revoked or expired certificates. Click Next.
27. Click Configure to set up the selected roles, role services, or features.
28. Review the installation results and click Close to exit the ADCS Configuration wizard. The CA's private key is generated and stored on the HSM.
29. Open a command prompt and run the following command to verify that the service is running:
`sc query certsvc`
30. Open another command prompt and run the following command to verify the CA key:
`certutil -verifykeys`
The result should show that the CA keys have been successfully verified.
Note
If Luna HSM is in FIPS mode and is using firmware version 7.7.2 or above, you may encounter the following error when verifying the certificate with the `certutil -verifystore` command: ERROR: Could not verify certificate public key against private key.
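The two manual checks in steps 29 and 30 can be combined into one script that also confirms which key provider the CA is configured to use. The following PowerShell is an added example, not part of the Thales guide; it assumes an elevated session on the CA host and that the provider is named exactly SafeNet Key Storage Provider, as it is throughout this guide. The same check is useful after the ms2Luna migration later in this guide, where the provider is expected to have changed from the Microsoft software KSP.

```powershell
# Added example (not from the Thales guide): confirm that the CA service is
# running, that its signing key is held by the SafeNet KSP, and that
# certutil can verify the CA key pair. Run in an elevated PowerShell session
# on the CA host.
$ExpectedProvider = 'SafeNet Key Storage Provider'   # name used throughout the guide

function Get-CaKeyProvider {
    # certutil -getreg reads the CA's registry configuration; CSP\Provider
    # names the KSP/CSP that holds the CA signing key. The output line looks
    # like:  "  Provider REG_SZ = SafeNet Key Storage Provider"
    $out = & certutil.exe -getreg 'CA\CSP\Provider' 2>&1 | Out-String
    if ($out -match 'Provider\s+REG_SZ\s*=\s*(.+)') { return $Matches[1].Trim() }
    return $null
}

function Test-CaKeys {
    # certutil -verifykeys returns a non-zero exit code if any CA key cannot
    # be verified against its certificate.
    $null = & certutil.exe -verifykeys 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Test-LunaCaConfiguration {
    $svc = Get-Service -Name certsvc -ErrorAction SilentlyContinue
    $result = [ordered]@{
        ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')
        Provider       = Get-CaKeyProvider
        ProviderIsHsm  = $false
        KeysVerified   = $false
    }
    $result.ProviderIsHsm = ($result.Provider -eq $ExpectedProvider)
    # -verifykeys needs the service up; skip it otherwise to avoid a misleading failure
    if ($result.ServiceRunning) { $result.KeysVerified = Test-CaKeys }
    return [pscustomobject]$result
}

$check = Test-LunaCaConfiguration
$check | Format-List
if (-not ($check.ServiceRunning -and $check.ProviderIsHsm -and $check.KeysVerified)) {
    Write-Warning 'CA is not fully backed by the Luna HSM; review the items reported as False.'
    exit 1
}
```

A non-zero exit from the script is the signal to stop and look at the KSP slot registration (both the user slot and the NT AUTHORITY\SYSTEM slot) before issuing any certificates; a CA whose provider still reads as the Microsoft software KSP is not using the HSM at all.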
Enroll certificates
If you aim to enhance the security of the certificate's keys within Luna HSM, follow the steps below to create a certificate template using the SafeNet Key Storage Provider:
Note
Certificates enrolled using SafeNet KSP will not work for encryption/decryption operations due to FIPS restrictions in firmware version 7.7.2 or above. In such cases, consider using Non-FIPS Luna HSM or Microsoft Key Storage Provider for enrolled certificates.
1. Open a command prompt and run `certtmpl.msc`.
2. Right-click the desired certificate template and select Duplicate Template.
3. In the Properties of New Template window that appears, navigate to the Compatibility tab and choose Windows Server 2008 or above for both Certification Authority and Certificate recipient. Click OK to apply the changes.
4. Navigate to the General tab and enter the template name.
5. Navigate to the Cryptography tab and make the following changes:
   - Choose Key Storage Provider for Provider Category.
   - Select the Requests must use one of the following providers radio button.
   - In the Providers field, select SafeNet Key Storage Provider.
   - Choose an algorithm for Algorithm Name.
   - Select the Request Hash.
6. Navigate to the Subject Name tab and configure the settings:
   - Clear the Include e-mail name in subject name and E-mail name checkboxes.
   - Click Apply to save the template settings, and then click OK to confirm the changes.
7. Open the command prompt and run `certsrv.msc`.
8. Double-click the name of your CA.
9. Right-click the Certificate Templates node.
10. Select New and then choose Certificate Template to Issue.
11. Choose the template you just created and click OK to complete the process.
12. Request a certificate based on the template, as follows:
   - Open the command prompt and run the `certmgr.msc` command.
   - Right-click the Personal node.
   - Select All Tasks and then choose Request New Certificate…
   - Progress through the Certificate Request Wizard by clicking Next.
   - Continue with the wizard by clicking Next again.
   - Start the certificate enrollment by clicking Enroll.
   - Verify in the enrollment wizard UI that the certificate was enrolled successfully.
Archive CA key
Follow these steps to archive the CA key:
1. Choose KRA template
2. Request KRA certificate
3. Obtain KRA certificate from the CA snap-in
4. Retrieve the issued certificate
5. Configure CA to support key archival
6. Create a template with key archival enabled
Note
If you aim to secure the key on Luna HSM for decrypting Archived Keys, configure the SafeNet Key Storage Provider to generate keys for the Key Recovery Agent certificate.
Note
Certificates enrolled using the SafeNet Key Storage Provider will not work for encryption/decryption operations due to FIPS restrictions in firmware version 7.7.2 or above. Consider using a non-FIPS Luna HSM or the Microsoft Key Storage Provider for enrolled certificates.
Note
If you are utilizing the SafeNet Key Storage Provider for key archival, it's important to generate the key enrollment agent certificate on a separate virtual machine. This separation enhances security and ensures that the certificate generation process is isolated from other operations. Additionally, register the SafeNet Key Storage Provider with a non-FIPS partition or HSM to ensure a secure and flexible environment for managing and storing keys.
Choose KRA template
1. Begin by installing the Enterprise Certificate Server through the SafeNet Key Storage Provider, using an ECC key for enhanced security.
2. Verify that the CA is installed correctly so that the subsequent key archiving steps have a sound foundation.
Expand the CA's capabilities by adding a Key Recovery Agent (KRA) template for issuing. This template facilitates secure recovery processes for cryptographic keys.
3. Open the command prompt and launch the Certificate Services console by running the `certsrv.msc` command.
4. Within the Certificate Templates node, right-click and navigate to New, and then choose Certificate Template to Issue.
5. Choose the Key Recovery Agent template from the available options and confirm your selection by clicking OK. This template is used to manage and recover cryptographic keys as needed.
Request KRA certificate
Follow these steps to request a KRA certificate:
1. Launch the command prompt and execute the `certmgr.msc` command.
2. Within the Personal node, right-click and navigate to All Tasks, and then choose Request new certificate...
3. Proceed through the Certificate Request Wizard by clicking Next.
4. Select Active Directory Enrollment Policy and continue by clicking Next.
5. Select the checkbox for the Key Recovery Agent template and start the enrollment by clicking Enroll.
6. Confirm that the enrollment is pending and finish the process by clicking Finish.
Obtain KRA certificate from the CA snap-in
To obtain the KRA certificate from the CA snap-in, follow these steps:
1. Launch the command prompt and execute the command `certsrv.msc`.
2. In the Certificates snap-in, navigate to the Pending Requests node. Right-click the most recent request associated with the KRA template. Choose All Tasks and then select Issue.
3. Go to the Issued Certificates section and confirm that the new certificate has been issued.
Retrieve the issued certificate
To retrieve the issued certificate from the CA, follow these steps:
1. Open the command prompt and execute the command `certmgr.msc`.
2. Right-click Certificates - Current User.
3. Choose All Tasks and then click Automatically enroll and retrieve certificates....
4. Click Next.
5. From the list, select the KRA certificate that was recently issued, and enroll it.
Configure CA to support key archival
To configure the CA to support key archival, follow these steps:
1. Open the command prompt and execute the command `certsrv.msc`.
2. Right-click the CA Name and choose Properties.
3. Navigate to the Recovery Agent tab.
4. Select the Archive the key radio button.
5. Click the Add button.
6. From the available certificates, select the KRA certificate that was recently issued. Click OK.
7. Click OK to confirm your selections.
8. If prompted, acknowledge that the CA service needs to be restarted and click Yes.
Create a template with key archival enabled
To create a template with key archival enabled, follow these steps:
1. Open the command prompt and execute the command `certtmpl.msc`.
2. Right-click the User template and choose Duplicate Template.
3. Under Compatibility Settings, select Windows Server 2008 or above for both Certification Authority and Certificate recipient. Click OK.
4. On the Resulting Changes dialog, click OK.
5. Navigate to the General tab and enter a name for the template (for example, UserKeyArchival).
6. Navigate to the Request Handling tab and select the Archive subject's encryption private key checkbox.
7. Select the Subject Name tab.
8. Clear the Include e-mail name in subject name checkbox.
9. Clear the E-mail name checkbox.
10. Click Apply and then OK.
Add a new template in the CA configuration
To add a new template in the CA configuration, follow these steps:
1. Open the command prompt and execute the command `certsrv.msc`.
2. Right-click the Certificate Templates node.
3. Choose New and then select Certificate Template to Issue.
4. Select the new key archival template and click OK.
Issue a user template with key archival enabled
To issue a user template with key archival enabled, follow these steps:
1. Open the command prompt and execute the command `certmgr.msc`.
2. Right-click the Personal node.
3. Select All Tasks and then choose Request New Certificate.
4. Click Next.
5. Click Next.
6. Select the checkbox for the new key archival template and click Enroll.
7. Verify in the Enrollment Wizard UI that the enrollment succeeded.
8. Click Finish.
Perform key recovery
To initiate key recovery and retrieve archived keys, follow these steps:
1. Verify archive status:
   a. Log on to the system as the Domain Administrator.
   b. Open the Certification Authority console by navigating to Administrative Tools, selecting Certification Authority, and then clicking Issued Certificates.
   c. From the View menu, open Add/Remove Columns, select Archived Key from Available Columns, and click Add.
   d. Confirm that the Archived Key column shows Yes for the last certificate issued from the UserKeyArchival template.
   Note
   For key recovery to succeed, the certificate template must have the archive bit enabled and the private key marked as exportable.
   e. Double-click the Archive User certificate.
   f. Click the Details tab, note the hexadecimal serial number (referred to below as serialnumber), and click OK.
   g. Close the Certification Authority console.
2. Recover the private key:
   a. Open a command prompt by clicking Start, selecting Run, typing `cmd`, and pressing ENTER.
   b. Ensure you are in the c:\ directory by typing `cd \` and pressing ENTER.
   c. Execute the following command:
   `Certutil -getkey serialnumber outputblob`
   Here, replace serialnumber with the actual serial number of the certificate you are trying to retrieve, and replace outputblob with the desired output file name.
   Note
   Verify that the outputblob file exists by typing `dir outputblob` in the command prompt.
3. Recover the original private/public key pair:
   a. Open a new command prompt window.
   b. Execute the following command:
   `Certutil -recoverkey outputblob user.pfx`
   c. When prompted, enter the new password and confirm it.
   d. Type `exit` and press ENTER.
   e. Close all windows and log off as the current user.
4. Import the recovered private key/certificate:
   a. Open a command prompt and type `certmgr.msc`.
   b. Right-click Certificates (Current User) and select Find Certificates.
   c. Under Contains, type the CA Name and click Find Now.
   d. In Find Certificates, select all, delete, and confirm.
   e. Close Find Certificates.
5. Import the certificate:
   a. In the Certification Authority console, right-click Personal, choose All Tasks, and click Import.
   b. In the Certificate Import Wizard, click Next.
   c. Under Files to Import, enter `c:\user.pfx` in the File name box and click Next.
   d. Enter the password and click Next.
   e. On Certificate Store, select Automatically select the certificate store and click Next.
   f. On Completing the Certificate Import Wizard, click Finish.
6. Verify the serial number:
   a. In the Certification Authority console, double-click Personal and click Certificates.
   b. Double-click the certificate, go to the Details tab, and verify that the serial number matches the original.
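Steps 2, 3 and 6 above are the command-line core of key recovery, and they lend themselves to a script that also performs the serial-number comparison automatically rather than by eye. The following PowerShell is an added example and not part of the Thales guide. It assumes the script runs as a user who holds the Key Recovery Agent certificate on a host that can reach the CA; the serial number, working directory and optional CA config string are placeholders for the reader's own values. certutil and Get-PfxCertificate prompt interactively for the PFX password, exactly as the manual steps do.

```powershell
# Added example (not from the Thales guide): scripted key recovery using the
# same certutil verbs as the manual procedure, followed by a check that the
# recovered PFX carries the serial number that was requested.
param(
    [string]$SerialNumber = '<hex serial from the Details tab>',  # placeholder
    [string]$WorkDir      = 'C:\KeyRecovery',                     # constructed path
    [string]$CaConfig     = ''   # optional "CAHostName\CA Name"; empty = default CA
)

function Get-ArchivedKeyBlob {
    param([string]$Serial, [string]$BlobPath, [string]$Config)
    # certutil -getkey pulls the encrypted archived-key blob for the given
    # certificate out of the CA database; the KRA key decrypts it later.
    $cuArgs = @('-getkey', $Serial, $BlobPath)
    if ($Config) { $cuArgs = @('-config', $Config) + $cuArgs }
    & certutil.exe @cuArgs | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BlobPath)) {
        throw "certutil -getkey failed for serial $Serial"
    }
    return (Get-Item $BlobPath)
}

function Restore-ArchivedKey {
    param([string]$BlobPath, [string]$PfxPath)
    # certutil -recoverkey decrypts the blob with the KRA private key and
    # writes a password-protected PFX; the password is prompted for.
    & certutil.exe -recoverkey $BlobPath $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $PfxPath)) {
        throw "certutil -recoverkey failed for $BlobPath"
    }
    return (Get-Item $PfxPath)
}

function Test-RecoveredSerial {
    param([string]$PfxPath, [string]$ExpectedSerial)
    # Step 6 of the guide: the serial in the recovered PFX must match the one
    # we asked for. Serials copied from the Details tab often contain spaces,
    # so both sides are normalized to lower-case hex before comparing.
    $cert = Get-PfxCertificate -FilePath $PfxPath
    $norm = { param($s) ($s -replace '[^0-9a-fA-F]', '').ToLower() }
    return ((& $norm $cert.SerialNumber) -eq (& $norm $ExpectedSerial))
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$blob = Join-Path $WorkDir "$SerialNumber.blob"
$pfx  = Join-Path $WorkDir 'user.pfx'

Get-ArchivedKeyBlob -Serial $SerialNumber -BlobPath $blob -Config $CaConfig | Out-Null
Restore-ArchivedKey -BlobPath $blob -PfxPath $pfx | Out-Null
if (Test-RecoveredSerial -PfxPath $pfx -ExpectedSerial $SerialNumber) {
    Write-Host "Recovered key for serial $SerialNumber written to $pfx"
} else {
    Write-Warning 'Serial number in the recovered PFX does not match the request.'
}
# The blob is still key material (encrypted to the KRA); remove it once the PFX exists.
Remove-Item $blob -Force
```

The script deliberately keeps the blob and the PFX in a dedicated directory and deletes the blob afterwards; both files should be treated with the same care as the private key they contain, and the PFX should be removed once it has been imported on the user's machine.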
Migrate CA Keys from Microsoft software KSP to SafeNet KSP
Follow these steps to migrate a CA signing key from Microsoft software storage to the Luna HSM on Windows server using the Ms2luna utility for both CSP and KSP:
Configure SafeNet KSP
To configure the SafeNet KSP for accessing the Luna HSM or Luna Cloud HSM Service, follow these steps:
1. Locate the installation directory of the SafeNet Key Storage Provider.
2. Run `KspConfig.exe` (the KSP configuration wizard).
3. Double-click Register Or View Security Library on the left side of the pane.
4. Browse to `cryptoki.dll` in the Luna Network HSM Client installation directory and click Register. Upon successful registration, the message Success registering the security library is displayed.
5. Register HSM Slots:
   a. Double-click Register HSM Slots on the left side of the pane.
   b. Enter the Slot (Partition) password.
   c. Click Register Slot to register the slot for Domain\User. Upon successful registration, a confirmation message is displayed.
6. Register the same slot for NT AUTHORITY\SYSTEM.
Note
Both slots are registered even though the KSP interface may display only a single entry for the service in the Registered Slots section. This is normal behavior and does not indicate a problem with the registration.
Back up CA
To back up the CA, follow these steps:
1. Click the Start button.
2. Click Run, type `certsrv.msc`, and then click OK.
3. In the left pane, select the CA node.
4. On the Action menu, click All Tasks, and then select Backup CA.
5. Click Next on the Welcome page of the CA backup wizard.
6. Select the Private key and CA certificate check box.
7. Provide a directory name where the system will temporarily store the CA certificate and, optionally, the key. Click Next.
8. Provide a password to protect the CA key and click Next.
9. Click Finish to complete the CA backup.
Migrate Microsoft CA onto Luna HSM using ms2Luna
To enhance the operational and logical security of the CA and mitigate the risk associated with software-stored keys, it is imperative to migrate the CA onto an HSM, specifically Luna HSM, using the ms2Luna tool. This process ensures the utilization of a more secure environment for key storage and verification of the CA. To migrate the CA:
1. Copy the CA certificate thumbprint.
2. Open a command prompt and run `ms2Luna.exe` from the "
Note
Ensure that you have registered a slot using KSP before proceeding with the migration of the Microsoft CA to Luna HSM.
3. Enter the thumbprint of the CA certificate when prompted and press Enter.
4. Verify that the CA provider changes to SafeNet Key Storage Provider.
5. Restart the CA services. After the restart, the CA services use the keys in Luna HSM to sign new certificate requests and to verify already signed certificates.
Now you can restore the CA certificate database that was backed up before migration. If the CA services do not restart even after the CA keys have been migrated to Luna HSM using ms2Luna, consider uninstalling the CA services and following the instructions in Install Microsoft ADCS using SafeNet KSP to reinstall Microsoft Active Directory Certificate Services on Windows Server with the migrated keys.
Install Microsoft ADCS using SafeNet KSP
To install the Microsoft Active Directory Certificate Services software:
1. Log in as an Enterprise Admin/Domain Admin with administrative privileges.
2. Open Server Manager under Configure this Local Server and click Add Roles and Features to launch the Add Roles and Features Wizard.
3. On the Before you Begin page, click Next.
4. Select the Role-based or feature-based installation radio button and click Next.
5. Select the Select a server from the server pool radio button and, from Server Pool, select your server.
6. Click Next.
7. Select the Active Directory Certificate Services check box from the Server Roles. A window stating Add features that are required for Active Directory Certificate Services appears.
8. To add a feature, click Add Features.
9. Click Next twice to continue until the Role Services options are displayed.
10. Select the Certification Authority check box from the Role services list and click Next.
11. Verify that the role you are about to install is appropriate and click Install.
12. Once installation is complete, click the link Configure Active Directory Certificate Services on the destination server; this opens the ADCS Configuration wizard.
13. On the Credentials page of the ADCS Configuration wizard, click Next to continue.
14. Select the Certification Authority check box and click Next.
15. Select the Enterprise CA radio button and click Next.
16. Select the Root CA radio button and click Next.
17. Set up the private key the CA uses to generate and issue certificates to clients. Select Use existing private key and Select an existing private key on this computer. Click Next to continue.
18. Click Change. Select the SafeNet Key Storage Provider algorithm that you used to generate the private keys. Clear the CA Common name. Click Search.
19. Select the existing key and click Next. Select the Allow administrator interaction when the private key is accessed by the CA check box.
20. Select the Hash Algorithm for signing certificates issued by this Certificate Authority and the key length settings for your installation.
21. Click Next to continue.
22. Configure a common name to identify this Certificate Authority. Click Next to continue.
23. Set the Certificate Validity Period. Click Next to continue.
24. Configure the Certificate Database. Click Next to continue.
25. Click Configure to set up the selected roles, role services, or features.
26. Review the installation results and click Close to exit the ADCS Configuration wizard.
After completing the installation successfully, it is essential to restore the CA certificate database using the backup created prior to initiating the key migration process.
Restore MS CA
If you need to restore your backed-up MS CA database, here's how you can do it:
1. Click the Start button, choose Run, type `certsrv.msc`, and click OK.
2. In the left pane, select your CA node.
3. From the Action menu, select All Tasks, and then click Restore CA.
4. Click Next on the Welcome page of the CA Restore wizard.
5. Select the Certificate database and certificate database log check boxes. Specify the directory that temporarily holds the CA certificate and key. Click Next.
6. Enter the password that protects your CA key and click Next.
7. Click Finish.
8. A window appears asking whether you want to start Active Directory Certificate Services. Click Yes.
9. Verify that Active Directory Certificate Services has restarted successfully.
Congratulations! Your CA keys have now been migrated from Microsoft Key Storage Provider to SafeNet Key Storage Provider, utilizing Luna HSM for secure access whenever CA services need the keys.
Install and configure the CA Cluster using SafeNet KSP
Follow the procedure explained below to install and configure a CA on a failover cluster running on Windows Server using SafeNet KSP.
1. Set up CA server role on the first cluster node
2. Set up CA server role on the second cluster node
3. Set up failover cluster feature on cluster nodes
5. Configure ADCS failover cluster
Set up CA server role on the first cluster node
To set up the CA server role on the first cluster node:
1. Log in as an Enterprise Admin/Domain Admin with administrative privileges.
2. Install Microsoft Active Directory Certificate Services on the first node as per the steps outlined in the Install Active Directory Certificate Services section.
3. Click the Start button, point to Run, type `certsrv.msc`, and then click OK.
4. Select the CA node in the left pane.
5. On the Action menu, click All Tasks, and then select Backup CA.
6. Click Next on the Welcome page of the CA backup wizard.
7. Select Private key and CA certificate and provide a directory name to temporarily store the CA certificate and, optionally, the key. Click Next.
8. Provide a password to protect the CA key and click Next.
9. Click Finish.
Note
You will receive a warning that the private key cannot be exported.
10. Click OK to continue.
11. Use the `ksputil.exe` utility to migrate keys to the cluster for the second node. Contact Customer Support if you do not have the utility.
12. Create a cluster key for the second node using the existing key. Run `ksputil.exe` to make the keys visible to the secondary node in the cluster.
13. On the Action menu, click All Tasks, and then select Stop Service. After the key migration succeeds, shut down the CA service to release the disk resources.
14. Close the CA management snap-in.
15. Detach shared storage from the cluster node: open the Server Manager MMC snap-in, click File and Storage Services, then click Disks. Select the shared disk resource, right-click it, and select Take Offline.
16. Release the HSM from the cluster node: disable the network connection to release the Luna HSM from the first cluster node, and then log off from the first node.
Set up CA server role on the second cluster node
This section provides instructions for configuring the second cluster node. Follow these steps for each additional cluster node beyond the first:
Configure the secondary cluster node
To configure the secondary cluster node:
1. Log in to the cluster node using a user account with permissions to install the second cluster node. For an enterprise CA, log in with enterprise admin permissions in the Active Directory domain. For a standalone CA, local admin permissions are sufficient if you do not intend to register the CA in the Active Directory configuration container.
2. Click the Start button, open Run, type `servermanager.msc`, and click OK.
3. In the Server Manager MMC snap-in, navigate to File and Storage Services, then click Disks.
4. Ensure the shared disk used for the CA is online.
5. Copy the previously exported CA certificate to the second cluster node.
6. Click the Start button, point to Run, type `mmc`, and click OK.
7. From the File menu, click Add/Remove Snap-in....
8. Select Certificates from the list of available snap-ins and click Add.
9. Select the Computer Account radio button and click Next.
10. Select the Local Computer radio button and click Finish.
11. Click OK.
Import existing CA certificate
To import an existing CA certificate:
1. In the Certificate Manager MMC snap-in, expand the Certificates (Local Computer) node and select the Personal store. From the Action menu, click All Tasks, and then select Import....
2. In the Certificate Import Wizard, click Next.
3. Enter the filename of the CA certificate created on the first node and click Next. If you are using the Browse button to locate the certificate, change the file type to Personal Information Exchange (.pfx, .p12).
4. Type the password used to protect the private key. This password is required even if there is no private key in the PFX file. Click Next.
Note
Do not select the Mark this key as exportable checkbox.
5. Select the Place all certificates in the following store radio button and then choose the Personal certificate store.
6. Click Next and then click Finish to import the certificate.
7. Click OK to confirm the successful import.
8. Repair the association between the certificate and the private key stored in the HSM, as described in the following steps.
9. In the Certificate Manager, expand the Personal store and select the Certificates container.
10. Select the imported certificate, and choose Open from the Action menu. Navigate to the Details tab.
11. Select the Serial Number field and copy the serial number to the clipboard. Click OK.
12. Open the command prompt, type certutil -repairstore My "{Serial number}", and press Enter.
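The import and key re-association above, as an added PowerShell example that is not part of this guide: it imports the PFX into the local machine Personal store without marking the key exportable, runs certutil -repairstore with the certificate's serial number, and checks that certutil reports a usable key. The PFX path and the certutil output line formats are assumptions.

```powershell
# Added example, not code from the Thales guide. Imports the CA certificate exported from
# the first node into the local machine Personal store and re-associates it with the
# private key held in the Luna HSM. $PfxPath is a placeholder; run from an elevated prompt.
param(
    [string]$PfxPath = 'C:\Temp\ca-certificate.pfx'   # placeholder path to the exported PFX
)

# The key lives in the HSM, so the imported entry is deliberately not marked exportable
# (Import-PfxCertificate is called without -Exportable).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword

# Serial number as shown on the certificate's Details tab, used to address the store entry.
$serial = $cert.SerialNumber
Write-Host "Imported '$($cert.Subject)' (serial $serial) into LocalMachine\My"

# Rebind the certificate to the HSM-resident key through the registered KSP.
& certutil.exe -repairstore My $serial
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE"
}

# Confirm the association. certutil prints the provider and, when the key is usable,
# an 'Encryption test passed' line; these line formats are assumed from typical output.
$verify = & certutil.exe -verifystore My $serial
$provider = $null
foreach ($line in $verify) {
    if ($line -match '^\s*Provider\s*=\s*(.+)$') { $provider = $Matches[1].Trim() }
}
if (@($verify -match 'Encryption test passed').Count -eq 0) {
    throw 'Key association check failed: no "Encryption test passed" line in certutil output'
}
Write-Host "Certificate is bound to provider: $provider"
```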
Add ADCS role
Follow these steps to add the ADCS role to your server:
1. Open Server Manager by navigating to Configure this Local Server and clicking Add Roles and Features. The Add Roles and Features Wizard will appear on your screen.
2. Click Next.
3. Select the Role-based or feature-based installation radio button and click Next.
4. Select the Select a server from the server pool radio button and, from Server Pool, select your server.
5. Click Next.
6. Select the Active Directory Certificate Services check box from the Server Roles.
7. The Add features that are required for Active Directory Certificate Services window will appear. To add the feature, click the Add Features button.
8. Click Next to continue.
9. Click Next to continue.
10. Click Next to continue.
11. Select the Certification Authority check box from the Role services list and click Next.
12. Click Install.
13. Once the installation is complete, navigate to the destination server and click the link Configure Active Directory Certificate Services. This action launches the ADCS Configuration wizard.
Configure ADCS role
Follow these steps to configure the ADCS role:
1. On the Credentials page of the ADCS Configuration wizard, click Next to continue.
2. Select the Certification Authority check box and click Next.
3. Choose Enterprise CA as the Setup Type and click Next.
4. Select Root CA as the type of CA and click Next.
5. Choose the Use existing private key radio button and select the option Select a certificate and use its associated private key. Click Next.
6. Select the CA certificate that was generated on the first node and click Next.
7. Change the default paths for the database and database log location. Click Next to continue.
8. A dialog box displays stating that an existing database was found. Click Yes to overwrite.
9. On the Confirmation page, click Configure.
10. Click Close to finish the role installation.
11. Log off from the second cluster node.
Set up failover cluster feature on cluster nodes
To configure the failover cluster feature on each node of the cluster, follow these steps:
1. Log on to the cluster node with local administrator permissions.
2. In Server Manager, under Configure this Local Server, click Add Roles and Features. The Add Roles and Features Wizard appears.
3. Click Next to proceed.
4. Choose the Role-based or feature-based installation radio button and click Next.
5. Select the Select a server from the server pool radio button, and then choose your server from the server pool.
6. Click Next twice. From the list of available features, check the box for Failover Clustering and click Next.
7. A notification appears indicating that additional features required for failover clustering must be added. Click the Add Features button.
8. Click Next.
9. Click Install.
10. Once the installation is finished, click Close.
Create failover cluster
To establish a failover cluster, follow these steps:
1. Log in to the cluster node where the shared storage is attached and accessible.
2. Open Server Manager, go to Tools, and select Failover Cluster Manager.
3. From the Action menu, choose Create a Cluster.
4. On the Before You Begin page, click Next.
5. Enter the computer name of the initial cluster node in the Enter Server Name field and click Add.
6. Enter the computer name of the second cluster node and click Add.
7. Click Next.
8. Provide a name for the cluster and click Next until you reach the Summary page.
9. Ensure the cluster configuration is accurate and click Finish.
Configure ADCS failover cluster
To configure ADCS failover for certificate services, follow these steps:
1. In the Failover Cluster Management snap-in, right-click Role and then choose Configure Role.
2. On the Before You Begin page, click Next.
3. From the role list, select Generic Service and then click Next.
4. In the service list, select Active Directory Certificate Services and click Next.
5. On the Client Access Point page, enter the service name in the Name field, and then click Next.
6. Select the disk storage that is still mounted to the node and click Next.
7. Configure a shared registry hive by clicking the Add button, entering SYSTEM\CurrentControlSet\Services\CertSvc, and then clicking OK.
8. Click Next on the Confirmation page.
9. Click Finish to complete the failover configuration for certificate services.
10. Open the Failover Cluster Manager and ensure the Status of the newly created service is Running.
Create CRL objects in Active Directory
By default, the Active Directory permissions granted to the CA cluster do not allow it to publish the CRL into Active Directory. To enable publication, you can create the CRL container yourself. To create the CRL objects in Active Directory, follow these steps:
1. Log in to the active cluster node with enterprise permissions.
2. Click the Start button, navigate to Run, type cmd, and then click OK.
3. At the command prompt, type cd %WINDIR%\System32\CertSrv\CertEnroll and press Enter.
4. To publish the CRL into Active Directory, run the command certutil -f -dspublish {CRLfile}.
Modify CA configuration in Active Directory
The AIA object in Active Directory stores the CA's certificate, allowing both cluster nodes to update the CA certificate when necessary. The tasks outlined below can be carried out from any computer within your Active Directory configuration that has the Active Directory Sites and Services snap-in and ADSIEDIT installed. To modify the CA configuration in Active Directory:
1. Log in to the computer with enterprise permissions.
2. Click the Start button, go to Run, type dssite.msc, and then click OK.
3. Select the top node in the left pane. In the View menu, choose Show services node.
4. In the left pane, expand Services and Public Key Services, and select AIA.
5. In the middle pane, choose the CA name as it appears in the Certification Authority MMC snap-in.
6. From the Action menu, select Properties. Click the Security tab and choose Add....
7. Click Object Types and select the Computers checkbox. Click OK.
8. In the Enter the object names to select field, enter the computer name of the second cluster node. Click OK.
9. Ensure that the computer accounts of both cluster nodes have Full Control permissions.
10. Click OK.
11. In the left pane, choose Enrollment Services.
12. In the middle pane, select the CA name.
13. From the Action menu, choose Properties. Click the Security tab and choose Add....
14. Click Object Types and select the Computers checkbox. Click OK.
15. In the Enter the object names to select field, enter the computer name of the second cluster node. Click OK.
16. Ensure that the computer accounts of both cluster nodes have Full Control permissions.
17. Click OK.
18. In the left pane, choose KRA.
19. In the middle pane, select the CA name.
20. From the Action menu, choose Properties. Click the Security tab and choose Add....
21. Click Object Types and select the Computers checkbox. Click OK.
22. Type the computer name of the second cluster node as the object name and click OK.
23. Verify that the computer accounts of both cluster nodes have Full Control permissions.
24. Click OK.
25. Close the Sites and Services MMC snap-in.
Migrate ADCS cluster keys from Microsoft Software KSP to SafeNet KSP
This section describes how to migrate the CA keys used by ADCS from the Microsoft Software KSP to the SafeNet KSP. After the migration, the ADCS cluster uses CA signing keys stored in the Luna HSM. Before starting the migration, ensure the following prerequisites are met:
- The ADCS cluster is currently operational using the Microsoft Software Key Storage Provider.
- The Luna Client is installed, and a partition is registered on each node of the cluster.
- The SafeNet KSP is registered and configured on every node of the cluster.
To migrate the AD CS cluster from the Microsoft KSP to the SafeNet KSP, associate the CA key with the SafeNet KSP on each cluster node. The migration steps are as follows:
1. Log in to the first node of the cluster and verify that the ADCS cluster service is operational and owned by the first cluster node, where the CA keys were originally generated.
2. Navigate to the Resources tab, select Active Directory Certificate Services, and then click Remove in the Actions pane to remove the ADCS service from the cluster. When prompted, click Yes to remove the service.
3. Launch the Certification Authority snap-in from the Administrative Tools menu.
Note
Before backing up the existing CA database and keys, ensure that the CA certificate services are running. If the services are not running, start them before proceeding with the backup.
4. Select the CA in the Certification Authority snap-in, then click Action in the menu bar. Select All Tasks and choose Back up CA... to start the backup.
5. In the Certification Authority Backup Wizard, follow the steps to create a backup of the CA certificate database. When prompted to select a directory for the backup, choose an empty directory.
6. Follow the remaining wizard steps to complete the backup, then click Finish to close the wizard.
7. In the Certification Authority snap-in, select the CA name, click the Action menu, and then click Properties. The CA Properties window shows the current provider and CA name. Click View Certificate; when the certificate is displayed, click Details and select Thumbprint in the Field list. Note the certificate thumbprint and CA name, as you will need them later when migrating the key. For example:
- CA-Name: EYHSM-CA
- Thumbprint: da205e29cb1e1ebaebc50dbe4458e0443baa769a
8. Close the Certificate and Properties windows by clicking OK twice.
9. Open the command prompt and run the following command to find the unique key container. Note the container name, as you will need it later when migrating the keys to the Luna HSM. For example:
certutil -verifystore my <CA_Certificate_Thumbprint>
10. Go to the KSP folder of the Luna Client, open the command prompt, and run the ms2luna command. Provide the CA certificate thumbprint when prompted to migrate the CA key.
11. Ensure that the CA service provider is now set to SafeNet Key Storage Provider. You can confirm this in two ways: check the CA Properties window in the Certification Authority snap-in, or use the following command to verify the store:
certutil -verifystore My <CA_Certificate_Thumbprint>
12. Replace <CA_Certificate_Thumbprint> with the thumbprint of the certificate whose key you migrated using the ms2luna command. Check that the unique container name and provider have changed accordingly.
13. Ensure that the output shows Encryption test passed. If the output does not show the CA certificate associated with the key migrated to the Luna HSM, run the -repairstore command:
certutil -repairstore -csp "SafeNet Key Storage Provider" My <CA_Certificate_Thumbprint>
14. Replace <CA_Certificate_Thumbprint> with the thumbprint of the CA certificate.
15. Ensure that the AD CS services run correctly after the key migration by stopping and then restarting them.
16. Use the ksputil utility to create a key for each of the other nodes in the AD CS cluster. Provide the partition password when prompted.
ksputil clusterKey /s <SlotNum> /n <CA_Name> /t <TargetCluster_Host>
Here:
- <SlotNum>: Luna HSM partition slot ID
- <CA_Name>: name of the CA
- <TargetCluster_Host>: fully qualified domain name of the cluster node
Note
You must create a key for every node in the cluster. The above command duplicates the same key and associates it with the named cluster node, so that each node has access to the same key.
17. Log in to the other cluster nodes and associate the CA certificate with the key migrated and created in the HSM for that particular node.
Note
Ensure that you create a key for every node in the cluster.
18. Open the command prompt and run the following command to check that the CA certificate is initially associated with the Microsoft Software Key Storage Provider:
certutil -verifystore My <CA_Certificate_Thumbprint>
19. The thumbprint is the same on all nodes of the cluster because the cluster uses the same key and certificate on each node. From the command output, note the Unique key container that holds the key.
20. Go to the C:\ProgramData\Microsoft\Crypto\Keys directory and locate the unique key container associated with the CA certificate. Right-click the container and select Delete to delete the key container.
Note
Ensure that you delete the correct key container, matching the Unique Key Container noted in the previous step.
21. Run the following repair store command in the command prompt to associate the CA certificate with the key migrated to the Luna HSM.
certutil -repairstore -csp "SafeNet Key Storage Provider" My <CA_Certificate_Thumbprint>
When the command completes successfully, its output shows that the provider now points to SafeNet Key Storage Provider and that the unique container name has changed.
22. Open the registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA-Name>\CSP, where <CA-Name> is the actual name of your CA. Change the value of Provider from Microsoft Software Key Storage Provider to SafeNet Key Storage Provider.
23. Launch the Failover Cluster Manager, navigate to the Roles section, and select the cluster service. In the Actions pane, choose Move and then select Best Possible Node to assign the shared disk to the node that is currently in use.
24. Open the Certification Authority snap-in and start the CA service. When it starts successfully, ensure that the provider is SafeNet Key Storage Provider.
25. Perform these steps on each node of the cluster. Proceed to the next step only after you have associated the CA certificate with the key on the Luna HSM using the SafeNet Key Storage Provider on every node and confirmed that the CA services are active when the shared disk is connected to that node.
26. Log on to any node where the shared storage is available and the CA services are operational.
27. In the Failover Cluster Manager, navigate to the Roles section and select the service. Click Resources, then Add Resource > Generic Service.
28. In the New Resource Wizard, select Active Directory Certificate Services and follow the instructions to complete the wizard.
29. Navigate to the Resources section and choose Active Directory Certificate Services. Click Properties to open the property window, select Registry Replication, and then click Add. Enter the registry key for the CA services as SYSTEM\CurrentControlSet\Services\CertSvc and then click OK to save the changes.
30. Click OK to close the Properties window and save the settings.
31. In the Failover Cluster Manager, go to Roles and select the service. Click Stop Role in the Actions pane to stop the cluster service.
32. Click Start Role in the Actions pane to restart the cluster service. Verify that the service starts and runs properly.
33. Log in to each node of the cluster in turn and verify that the cluster services are running on each node.
34. Open the Failover Cluster Manager and select the cluster service under Roles. In the Actions pane, click Move and then click Best Possible Node. If the cluster service starts and runs on the currently logged-in node, everything is working properly, and you have successfully migrated the CA keys from the Microsoft provider to the Luna HSM provider.
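The post-migration checks in steps 11 to 13 and 22, and the per-node key duplication of step 16, as an added PowerShell example that is not part of this guide: it parses certutil -verifystore output for the provider, container and encryption test, compares the CertSvc registry Provider value, and then runs ksputil clusterKey once per remaining node. The thumbprint, CA name, slot number, node FQDNs and the certutil output line formats are assumptions.

```powershell
# Added example, not code from the Thales guide. Checks on the current node that the CA
# certificate is bound to a key in the SafeNet KSP (certutil output plus the CertSvc
# registry value), then duplicates that key for the other cluster nodes with ksputil.
# Thumbprint, CA name, slot number and node FQDNs are placeholders; ksputil.exe is assumed
# to be run from the Luna Client KSP folder (or to be on the PATH), in an elevated prompt.
param(
    [string]$Thumbprint   = 'PLACEHOLDER_CA_CERT_THUMBPRINT',
    [string]$CaName       = 'EXAMPLE-CA',
    [int]$SlotNum         = 0,
    [string[]]$OtherNodes = @('node2.example.local')
)
$ExpectedProvider = 'SafeNet Key Storage Provider'

# Parse 'certutil -verifystore' output into provider, container and test result.
# The line formats ('Provider = ...', 'Unique container name: ...') are assumed from typical output.
function Get-CaKeyBinding([string]$CertThumbprint) {
    $out = & certutil.exe -verifystore My $CertThumbprint 2>&1
    $binding = [ordered]@{ Provider = $null; Container = $null; EncryptionTestPassed = $false }
    foreach ($line in $out) {
        if     ($line -match '^\s*Provider\s*=\s*(.+)$')           { $binding.Provider  = $Matches[1].Trim() }
        elseif ($line -match '^\s*Unique container name:\s*(.+)$') { $binding.Container = $Matches[1].Trim() }
        elseif ($line -match 'Encryption test passed')             { $binding.EncryptionTestPassed = $true }
    }
    return [pscustomobject]$binding
}

$binding     = Get-CaKeyBinding $Thumbprint
$regPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\CSP"
$regProvider = (Get-ItemProperty -Path $regPath -Name Provider).Provider

# All three conditions must hold before the node is trusted to serve the CA from the HSM.
$problems = @()
if ($binding.Provider -ne $ExpectedProvider) { $problems += "store provider is '$($binding.Provider)'" }
if (-not $binding.EncryptionTestPassed)      { $problems += 'encryption test did not pass' }
if ($regProvider -ne $ExpectedProvider)      { $problems += "registry CSP\Provider is '$regProvider'" }
if ($problems.Count -gt 0) {
    throw "CA key is not fully on the HSM on this node: $($problems -join '; ')"
}
Write-Host "CA '$CaName' key container '$($binding.Container)' is served by $ExpectedProvider"

# Every node needs its own copy of the key: run once per remaining node and check the exit code.
foreach ($node in $OtherNodes) {
    & ksputil.exe clusterKey /s $SlotNum /n $CaName /t $node
    if ($LASTEXITCODE -ne 0) { throw "ksputil clusterKey failed for $node (exit $LASTEXITCODE)" }
    Write-Host "Cluster key created for $node"
}
```

Run it on the node that currently owns the CA after ms2luna has completed; on the remaining nodes, only the check portion applies after the repair store and registry steps.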