Getting started
Refer to the sections below to get started with the integration.
Supported configurations
Thales has tested integration with Microsoft ADCS using the configurations listed in the table below.
Operating system | PTK version | PS3 HSM hardware | PS3 HSM firmware |
---|---|---|---|
Windows Server 2019 | 7.1.0 | PCIe3, PSE3, PSE3+ | 7.01.00 |
Windows Server 2016 | 7.1.0 | PCIe3, PSE3, PSE3+ | 7.01.00 |
Windows Server 2012 R2 | 7.1.0 | PCIe3, PSE3, PSE3+ | 7.01.00 |
Setting up your environment for the integration
Before beginning the integration, set up your environment as described below.
To set up your environment for the integration
- Install one of the supported operating systems on the client machine. Refer to Supported configurations for more information.
- Set up, initialize, provision, and prepare a ProtectServer 3 HSM for deployment. Refer to ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration for more information.
- Install the ProtectToolkit-C Runtime and CNG Provider packages on the client machine. Refer to ProtectToolkit 7 software installation and Setup and configuration for more information about installing ProtectToolkit and configuring ProtectToolkit-M, respectively.

  Note: If you are operating the ProtectServer 3 HSM in FIPS Mode for this integration, ensure that the client system is configured to communicate with the HSM over the Secure Messaging System (SMS). For more information, refer to Using ProtectToolkit-M with the Secure Messaging System enabled.

- Configure the ProtectServer 3 HSM for the integration.
  - Create a slot on the HSM that will be used by ADCS. Refer to Adding and removing slots for more information.
  - Verify that the HSM is successfully configured by running hsmstate, then list the slots with ctkmu l:

    ```
    C:\Users\Administrator>hsmstate
    HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%

    C:\Users\Administrator>ctkmu l
    ProtectToolkit C Key Management Utility 7.0.0
    Copyright (c) Safenet, Inc. 2009-2021

    Cryptoki Version = 2.20
    Manufacturer = Safenet, Inc.

    Test (Slot 0)
    CA_Slot (Slot 1)
    AdminToken (583171) (Slot 2)

    C:\Users\Administrator>
    ```

  - If you are using a ProtectServer 3 Network HSM, initialize a slot with a label, user PIN and Security Officer (SO) PIN:

    `<path to ctkmu utility>ctkmu`

    Note: Use Slot 1 for CA key generation.

- Configure the SafeNet Key Storage Provider (KSP) to allow the user account and system to access the ProtectServer 3 HSM.
  - Navigate to C:\Program Files\Safenet\ProtectToolkit 7\CNG.
  - Run the KSP configuration wizard (KspConfig.exe).
  - Double-click Register Or View Security Library.
  - Browse to the cryptoki.dll library in the SafeNet ProtectServer 3 HSM Client installation directory and click Register. On successful registration, a confirmation message appears.
  - Double-click Register HSM Slots on the left side of the pane.
  - Enter the slot password.
  - Select Register Slot to register the slot for Domain\User. On successful registration, a confirmation message appears.
  - Register the same slot for NT AUTHORITY\SYSTEM.
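A post-setup check for the procedure above, added here as an example and not part of the Thales documentation: it confirms the HSM is responding, parses the slot list from ctkmu l (same line format as the sample output above) and checks that the CNG provider is visible to Windows. It assumes hsmstate, ctkmu and certutil are on PATH, that the CA slot is Slot 1 labelled CA_Slot as in the sample output, and that the provider registers under the name SafeNet Key Storage Provider (assumed; compare with what KspConfig shows).

```powershell
# Environment check for the ProtectServer 3 / ADCS integration (added example).
# Assumptions, not from the Thales page: hsmstate, ctkmu and certutil are on PATH;
# the CA slot is Slot 1 labelled "CA_Slot"; the KSP name is "SafeNet Key Storage Provider".
param(
    [int]$ExpectedSlot = 1,
    [string]$ExpectedLabel = 'CA_Slot',
    [string]$KspName = 'SafeNet Key Storage Provider'
)

$failures = @()

# 1. The HSM must report NORMAL MODE and RESPONDING, as in the hsmstate output above.
$state = & hsmstate 2>&1 | Out-String
if ($state -notmatch 'NORMAL MODE' -or $state -notmatch 'RESPONDING') {
    $failures += "hsmstate did not report NORMAL MODE / RESPONDING:`n$state"
}

# 2. Parse 'ctkmu l' lines of the form "<label> (Slot <n>)" into a label -> slot map.
#    Labels may themselves contain parentheses, e.g. "AdminToken (583171) (Slot 2)".
$slots = @{}
foreach ($line in (& ctkmu l 2>&1)) {
    if ("$line" -match '^(?<label>.+?)\s+\(Slot (?<num>\d+)\)\s*$') {
        $slots[$Matches.label] = [int]$Matches.num
    }
}
if (-not $slots.ContainsKey($ExpectedLabel) -or $slots[$ExpectedLabel] -ne $ExpectedSlot) {
    $seen = ($slots.Keys | ForEach-Object { "$_ (Slot $($slots[$_]))" }) -join ', '
    $failures += "Slot '$ExpectedLabel' not found at Slot $ExpectedSlot. Seen: $seen"
}

# 3. The KSP must be enumerable by Windows; certutil -csplist lists installed CSPs and KSPs.
$csplist = & certutil -csplist 2>&1 | Out-String
if ($csplist -notmatch [regex]::Escape($KspName)) {
    $failures += "KSP '$KspName' not listed by certutil -csplist"
}

if ($failures.Count -eq 0) {
    Write-Host "OK: HSM responding, '$ExpectedLabel' is Slot $ExpectedSlot, KSP '$KspName' installed"
    exit 0
}
$failures | ForEach-Object { Write-Warning $_ }
exit 1
```

certutil -csplist only shows that the provider is installed; it does not prove that the slot registration for Domain\User or NT AUTHORITY\SYSTEM succeeded, so run the check under the account that will operate the CA and confirm the slot entries in KspConfig as well.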