Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Microsoft Active Directory Certificate Services (ADCS)

Overview

search
printsuggest an edit

Overview

Microsoft's ADCS on Windows provides customizable services for creating and managing public key certificates used in software security systems employing public key infrastructure. Organizations use certificates to enhance security by binding the identity of a person, device or service to a corresponding private key.

A server configured as a certification authority (CA) provides the management features needed to regulate certificate distribution and use. ADCS is the Windows Server service that provides the core functionality for Windows Server CAs. ADCS provides customizable services for managing certificates for a particular CA and for the enterprise.

The root of trust in a public key infrastructure is the CA. Fundamental to this trust is the CA’s root cryptographic signing key, which is used to sign the public keys of certificate holders and more importantly its own public key. Microsoft ADCS integrates with a ProtectServer 3 HSM to secure the root encryption key.

Using Thales HSMs to secure the Microsoft ADCS root key provides the following benefits:

  • Secure generation, storage and protection of the Identity signing private key on FIPS-validated hardware.

  • Full life-cycle management of the keys.

    Note

    ProtectServer 3 integrations with ADCS/IIS is only supported in FIPS mode with the following versions:

    PTK Version Security Flags
    7.3.1 Default Security Flags*
    7.3.0 FIPS 140-3
    7.2.4 FIPS 140-3
    • The following outlines the workaround scenarios for version 7.3.1:

    Customers with existing ADCS/IIS (older FW, with FIPS mode enabled) integrations wishing to upgrade to FW 7.03.01 and above.

    Due to the setting of the security mode flag “Tamper Before Upgrade”, direct upgrade to FW 7.03.01 is not permitted. The following steps will workaround that issue.

    • Backup the existing keys.
    • Tamper the HSM.
    • Re-initialize the HSM without FIPS mode set.
    • Upgrade to FW 7.03.01 or above.
    • Restore the key backup.
    • Enable FIPS mode.

    New customers or new integrations with FW 7.03.01 and above (no FIPS mode).

    • Initialize the HSM without FIPS mode set.
    • Upgrade to FW 7.03.01 or above.
    • Perform the integration of ADCS or IIS.
    • Enable FIPS mode.

On this page