Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

ProtectServer 3 HSM and ProtectToolkit 7
ProtectServer 2 HSM and ProtectToolkit 5
ProtectServer 3 HSM Integration Guides

All

All

Microsoft Active Directory Certificate Services (ADCS)

Archiving the CA key

ProtectServer 3 HSM Integration Guides
Apache Tomcat
- Overview
- Getting started
- Generating a new SSL certificate and key on a ProtectServer 3 HSM
CyberArk Vault
- Overview
- Getting started
- Generating a CyberArk Vault server key on a ProtectServer 3 HSM
- Migrating an existing CyberArk Vault server key to a ProtectServer 3 HSM
HashiCorp Vault
- Overview
- Getting started
- Configuring HashiCorp Vault
- Rotating HashiCorp Vault Keys
Microsoft Active Directory Certificate Services (ADCS)
- Overview
- Getting started
- Installing Microsoft ADCS on Windows Server using SafeNet KSP
- Enrolling the certification authority certificate
- Archiving the CA key
- Performing a key recovery
Microsoft Online Certificate Status Protocol (OCSP)
- Overview
- Getting started
- Setting up an enterprise root certificate authority
- Installing the Online Responder service
- Configuring CA to issue OCSP response signing certificates
- Creating a revocation configuration
- Verifying auto-enrollment
- Validating OCSP integration
- Troubleshooting
OpenSSL
- Overview
- Getting started
- Configuring OpenSSL and GemEngine for a ProtectServer 3 HSM
Oracle Database Transparent Data Encryption (TDE)
- Overview
- Getting started
- Granting the Oracle Database access to the PKCS#11 library
- Configuring a master encryption key for HSM-based encryption
- Verifying that the master encryption key is encrypting the database

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

Home
ProtectServer 3 HSM Integration Guides
Microsoft Active Directory Certificate Services (ADCS)
Archiving the CA key

Archiving the CA key

You can verify that the configurations that are possible with the Thales ProtectServer 3 HSM can be used and do not interfere with the CA key archival functionality.

To complete archiving the CA-Key you must complete the steps described in this section.

Note

If you wish to secure the key on a Thales HSM that is used to encrypt the archived keys, then you need to select the SafeNet Key Storage Provider (KSP) for generating the keys for a Key Recovery Agent (KRA) certificate.

To archive the CA key

Install the Enterprise Certificate Server using the SafeNet KSP.
Verify the CA is installed correctly.
Add a KRA template to CA for issuing.
Open the command prompt and run the certsrv.msc command.
Right-click the Certificate Templates node and select New > Certificate Template to Issue.
Select the Key Recovery Agent template and OK.

To Issue the KRA Certificate

Request the KRA certificate. Open the command prompt and run the certmgr.msc command.
Right-click Personal node and select All Tasks > Request new certificate…
Select Next.
Select Active Directory Enrollment Policy and Next.
Select the Key Recovery Agent check box template and Enroll.
Verify the enrollment is pending and select Finish.

To issue the KRA certificate from the CA snap-in

Open the command prompt and run the certsrv.msc command.
Select the Pending Requests node, right-click the latest request for the KRA template, and select All Tasks and Issue.
Select Issued Certificates and verify that the new certificate is issued.

To retrieve the issued certificate from CA

Open the command prompt and run certmgr.msc command.
Right-click Certificates – Current User
Select All Tasks and Automatically enroll and retrieve certificates….
Select Next.
Select the KRA certificate you just issued and enroll it.

To configure the CA to support key archival

Open the command prompt and run the certsrv.msc command.
Right-click CA Name and select Properties.
Select the Recovery Agent tab.
Select the Archive the key radio button.
Select Add... and then select the KRA certificate you just issued.
Select OK.
Verify that the CA service must be restarted and select Yes.

To create a template with key archival enabled

Open the command prompt and run the certtmpl.msc command.
Right-click the User template and select Duplicate Template.
Select Windows Server 2008 for both Certification Authority and Certificate recipient under Compatibility Settings, and OK.
On the Resulting Changes menu, select OK.
Go to the General tab and enter a name for the template (UserKeyArchival).
Go to the Request Handling tab and enable the Archive subject’s encryption private key check box.
Select the Subject Name tab.
Uncheck the Include e-mail name in subject name check box.
Uncheck the E-mail name check box.
Select Apply and OK.

To add a new template to CA for issuing

Open the command prompt and run the certsrv.msc command.
Right-click the Certificate Templates node.
Select New > Certificate Template to Issue.
Select new template for key archival and OK.

To issue a user template with key archival enabled

Open the command prompt and run the certmgr.msc command.
Right-click Personal node.
Select All Tasks > Request New Certificate.
Select Next
Select Next.
Select the new template for key archival check box and Enroll.
The Enrollment Wizard UI displays. Verify the enrollment is successful.
Select Finish.

On this page

ProtectServer HSM and ProtectToolkit

© Copyright 2019-2024, Thales Group
Last Updated: 2024-11-05 11:15:59

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Document Conventions
- Support Contacts
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com