Installing Microsoft ADCS on Windows Server using SafeNet KSP
When you add the Microsoft Certificate Authority (CA) server role, you must configure Microsoft ADCS to use the ProtectServer 3 HSM for the CA private key, so that the key is generated and held on the HSM rather than on the server.
Note
The SafeNet KSP must be configured, and the HSM reachable, before you install Microsoft ADCS; the ADCS Configuration wizard only lists the SafeNet Key Storage Provider if it is already registered. For more information about configuring the SafeNet KSP, see Configuring the SafeNet KSP.
To install Microsoft ADCS
1. Log on as an Enterprise Admin or Domain Admin with local administrative privileges.
2. Open Server Manager and, under Configure this local server, select Add Roles and Features. The Add Roles and Features Wizard appears.
3. Select Next.
4. Select the Role-based or feature-based installation radio button and select Next.
5. Select the Select a server from the server pool radio button, select your server from the Server Pool list, and select Next.
6. Select the Active Directory Certificate Services check box. A dialog asks Add features that are required for Active Directory Certificate Services?. Select Add Features, then select Next.
7. On the Active Directory Certificate Services page, select Next.
8. In the Role services list, select the Certification Authority check box and select Next.
9. Select Install.
10. When the installation is complete, select Configure Active Directory Certificate Services on the destination server. The ADCS Configuration wizard appears. If you have already closed the installation wizard, the same link is available from the Notifications flag in Server Manager.
11. Select the Certification Authority check box and select Next.
12. Select the Enterprise CA radio button and select Next.
13. Select the Root CA radio button and select Next.
14. Set up the private key that the CA uses to sign the certificates it issues. To generate a new key on the HSM, select the Create a new private key radio button, select Next, and continue with step 15. To use a key that already exists on the HSM, select Use existing private key and continue with step 18.
15. In the Select a cryptographic provider list, select an entry backed by the SafeNet Key Storage Provider, for example RSA#SafeNet Key Storage Provider. In the Key length list, select the key length.
16. Select the hash algorithm used to sign certificates issued by this CA (for example SHA256).
17. Select the Allow administrator interaction when the private key is accessed by the CA check box and select Next. This lets the KSP prompt (for example, for a PIN) when the CA service accesses the key. Continue with step 21.
18. Select Use existing private key, then select Select an existing private key on this computer, and select Next.
19. Select Change. Select the SafeNet Key Storage Provider entry for the algorithm you used when you generated the key, clear the CA common name filter, and select Search.
20. Select the existing key from the list and select Next.
21. Configure a common name to identify this Certificate Authority and select Next.
22. Set the certificate validity period and select Next.
23. Configure the certificate database and log locations. The database records all certificate requests, issued certificates, and revoked or expired certificates. Select Next.
24. Select Configure to configure the selected roles, role services, or features.
25. After reviewing the results, select Close to exit the ADCS Configuration wizard. If you chose Create a new private key, the CA private key has now been generated and is stored on the HSM rather than on the server's disk.
26. Open a command prompt and run the following to verify that the CA service is running:
sc query certsvc
The output should report the service STATE as RUNNING.
27. Run the following to verify that the CA can access its key on the HSM:
certutil -verifykeys
The command reports that the CA keys have been verified successfully. If it fails, the CA is not able to reach its key through the SafeNet KSP; check the KSP configuration and HSM connectivity before issuing any certificates.
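The following PowerShell script is an added example of the same procedure done non-interactively with the ADCSDeployment module; it is not part of the Thales documentation. It installs the role service, checks that the SafeNet KSP is registered, configures an Enterprise Root CA whose key is generated inside the HSM, and then runs the same service and key checks as the manual procedure. The CA common name, database and log directories, key container name, and key length are placeholders to adjust for your environment.

```powershell
# Added example, not from the Thales documentation. Run in an elevated PowerShell
# session as an Enterprise Admin after the SafeNet KSP has been configured and the
# ProtectServer HSM is reachable. Names marked placeholder are assumptions.
$ErrorActionPreference = 'Stop'

# Install the Certification Authority role service (the Add Roles and Features part).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# Refuse to continue unless the SafeNet KSP is registered: without it the CA would
# silently fall back to a software provider and the key would live on disk.
$kspName = 'SafeNet Key Storage Provider'
if (-not (certutil -csplist | Select-String -SimpleMatch $kspName)) {
    throw "'$kspName' is not registered on this server; configure the KSP first."
}

# Option A: new key. Equivalent to 'Create a new private key' with the provider
# RSA#SafeNet Key Storage Provider. The key pair is generated inside the HSM.
$caParams = @{
    CAType                        = 'EnterpriseRootCA'
    CACommonName                  = 'Contoso-Root-CA'   # placeholder
    CryptoProviderName            = "RSA#$kspName"
    KeyLength                     = 4096                # placeholder, per your policy
    HashAlgorithmName             = 'SHA256'
    ValidityPeriod                = 'Years'
    ValidityPeriodUnits           = 10
    DatabaseDirectory             = 'D:\CertDB'         # placeholder
    LogDirectory                  = 'D:\CertLog'        # placeholder
    AllowAdministratorInteraction = $true               # lets the KSP prompt for a PIN
    Force                         = $true
}
Install-AdcsCertificationAuthority @caParams

# Option B: existing key ('Use existing private key'). List the containers the KSP
# holds, then pass the container name instead of KeyLength. Commented out because
# only one of the two options applies to a given installation.
# certutil -csp $kspName -key
# Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
#     -CryptoProviderName "RSA#$kspName" -KeyContainerName 'Contoso-Root-CA' `
#     -HashAlgorithmName SHA256 -Force

# Verification: the same checks as 'sc query certsvc' and 'certutil -verifykeys',
# plus a check that the CA configuration actually points at the SafeNet KSP.
$svc = Get-Service -Name certsvc
if ($svc.Status -ne 'Running') {
    throw "certsvc is $($svc.Status); expected Running"
}

$provider = certutil -getreg 'CA\CSP\Provider' | Select-String -SimpleMatch $kspName
if (-not $provider) {
    throw "The CA is not bound to '$kspName'; its key is not on the HSM."
}

certutil -verifykeys
if ($LASTEXITCODE -ne 0) {
    throw "certutil -verifykeys failed with exit code $LASTEXITCODE"
}
Write-Host "CA is running, bound to '$kspName', and its HSM-held key verified."
```

The provider check matters because a CA that was accidentally configured with a software KSP passes the service and verifykeys checks just as well; only the CA\CSP\Provider value tells you where the key actually lives.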