CA replication (key backup and recovery)
To replicate a CA installation, the keysets are backed up to smart cards and then restored from those cards onto the new CA installation. One smart card per keyset is required.
Each keyset is encrypted with a triple-DES BackupKey before it is written to a smart card. A separate BackupKey is created automatically for each keyset when the keyset is created; these keys are not visible during normal ProtectToolkit-M operation. The BackupKey for a keyset is derived from the password that secures that keyset combined with the keyset name. For the MACHINE and SYSTEM keysets, the device administrator's password and the keyset name are used. To restore a keyset that was previously backed up, therefore, the same keyset name and password must be in use on the target HSM. The converse also holds: anyone who holds a backup card and knows the keyset name (the MACHINE and SYSTEM keyset names are fixed defaults) and the password can restore that keyset to another HSM. Change the device administrator password from its default before taking backups, and guard it as carefully as the cards themselves.
Replicating a CA installation by restoring from a smart card requires the ProtectToolkit-C tools. The command line tool ctkmu and the GUI tool kmu can be used to back up keys to a smart card or restore them from it. Both the ctkmu utility and the kmu utility are included in the ProtectToolkit-C package. See ctkmu and Key Management Utility (KMU) reference for more information about these utilities.
Note
When logging in to a smart card, the card is locked after 7 consecutive incorrect PIN attempts. You must then re-initialize the card to set a new PIN, which erases the keyset stored on it, so a locked backup card is no longer a usable backup.
To back up keys for a CA installation to smart cards
1. Obtain a listing of all keysets by executing ctkmu l from a command prompt. A list of all keysets and their associated slots displays.
Note
Decide which keysets to back up. At a minimum, the MACHINE_Keyset must be backed up, as this is where the CA keys are stored.
2. Record the slot number of each keyset that you wish to back up, and the slot number of the smart card reader.
3. To back up the MACHINE_Keyset to a smart card, type the following at a command prompt, where n is the slot number of the MACHINE_Keyset and b is the slot number of the smart card reader. Both n and b are in the listing obtained at step 1; each value is typed directly after its switch, as shown.
ctkmu x -sn -wBackupKey -cb
4. When prompted for a user password, enter the device administrator password (the factory default is "password").
5. Insert a new smart card and repeat steps 3 and 4 for the SYSTEM_Keyset, if required.
6. Repeat steps 3 and 4, with a fresh smart card each time, for each of the other required keysets.
Replicating a CA using keys restored from backup smart cards
The procedure below depends on the following points:
- On the machine where the replica is to be created, ProtectToolkit-M must be installed before the Microsoft CA.
- To install a CA that uses the SafeNet CSP for HSM storage of keysets, both the MACHINE_Keyset (where the CA stores its keys) and a user keyset for the current user must exist. If either keyset is missing at CA installation time, the SafeNet CSP is not shown in the list of CSPs available for selection.
- Every keyset name and associated password created when establishing the replica must match the original that is to be restored from the backup smart card, because the BackupKey is derived from both.
To replicate a CA using keys restored from backup smart cards
1. Start the ProtectToolkit-M administration utility from the Windows Start menu: Start > Programs > SafeNet > Protect Toolkit M > gmadmin.
2. A MACHINE_Keyset and a SYSTEM_Keyset are created. The MACHINE_Keyset created here is replaced later with the version backed up to smart card, which contains the CA keys. The device administrator password is requested, or must be set if this is the first time the HSM has been accessed. The Administration Utility default view then displays.
3. Under Active Adapters, expand All to reveal the device and the Machine and System keysets just created on it.
4. Highlight the device entry and select Adapter on the menu bar, then select Allocate Space to create a keyset space.
5. Under Active Adapters, select the spare keyset space.
6. Select Keyset on the menu bar and then choose Create Keyset. The Administration Utility prompts for a keyset name and for the password of the currently logged-on user. Accept the default name.
7. If additional user keysets containing keys are to be restored from smart card, create an empty replica keyset on the HSM for each one, with the same name and user password as the original. To do this, repeat steps 4 to 6 for each keyset, using the appropriate keyset name and user password each time.
8. Obtain a listing by name of all the keysets that now exist on the HSM and their slot numbers by executing ctkmu l from a command prompt.
9. Import a keyset from smart card to the HSM: insert the smart card containing the keyset, ssh into the device, and execute the following from a command prompt:
ctkmu i -sn -wBackupKey -cm
where n is the slot number of the target keyset on the HSM and m is the smart card reader slot number. Both values are in the listing obtained at step 8.
10. When prompted for a user password, enter the password of the keyset being restored. For the machine and system keysets this is the device administrator password (the factory default is "password").
11. Insert the next smart card and repeat steps 8 to 10 for each additional keyset (creating its empty replica keyset first, per steps 4 to 6, if that has not already been done) until all have been restored.
12. Install the Microsoft CA.
13. Select the SafeNet CSP from the drop-down box during installation. If the SafeNet option is not present, the keyset for the currently logged-on user does not exist. Ensure you are logged on as the same user who performed the original backup of the CA.
14. After selecting the SafeNet CSP, select the Use existing keys box and select the key that corresponds to the CA key pair.
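The ctkmu loop in both procedures above (back up one keyset per card, then restore one keyset per card onto the replica) is easy to get wrong by hand when several keysets are involved: a transposed slot number writes the wrong keyset, and a mistyped PIN three times in a row brings the card close to its 7-attempt lock-out. The following PowerShell function is an added example, not part of the ProtectToolkit-M documentation or the product, that drives the loop for either the backup (ctkmu x) or the restore (ctkmu i) procedure. It assumes that ctkmu is on the PATH and returns a non-zero exit code on failure, that the switch layout is exactly the one shown in the procedures (-s keyset slot, -wBackupKey, -c reader slot), and that you supply the slot numbers yourself from your own ctkmu l listing, since the listing format is not parsed here. ctkmu prompts for the keyset password itself; the script never handles it.

```powershell
function Invoke-KeysetCardTransfer {
    # Added example: walks the backup or restore procedure for several keysets,
    # one smart card per keyset. Slot numbers must come from your 'ctkmu l' listing.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Backup', 'Restore')][string]$Mode,
        [Parameter(Mandatory)][hashtable]$KeysetSlots,   # keyset name -> HSM slot, e.g. @{ MACHINE_Keyset = 0 }
        [Parameter(Mandatory)][int]$ReaderSlot,          # slot number of the smart card reader
        [string]$Ctkmu = 'ctkmu'                         # assumed: ctkmu.exe is on PATH
    )

    # The procedure requires the MACHINE_Keyset at a minimum; it holds the CA keys.
    if (-not $KeysetSlots.ContainsKey('MACHINE_Keyset')) {
        throw 'MACHINE_Keyset is missing from the slot map; it holds the CA keys and must be included.'
    }
    # A keyset slot equal to the reader slot is a sure sign of a transcription error.
    foreach ($entry in $KeysetSlots.GetEnumerator()) {
        if ([int]$entry.Value -eq $ReaderSlot) {
            throw "Keyset $($entry.Key) has the same slot number as the smart card reader ($ReaderSlot)."
        }
    }

    # 'x' exports (backup procedure, step 3); 'i' imports (restore procedure, step 9).
    $verb = if ($Mode -eq 'Backup') { 'x' } else { 'i' }
    $results = @()

    foreach ($entry in ($KeysetSlots.GetEnumerator() | Sort-Object Key)) {
        $name = $entry.Key
        $slot = [int]$entry.Value

        # One smart card per keyset: pause so the operator can swap cards.
        $null = Read-Host "Insert the smart card for $name (HSM slot $slot) and press Enter"

        # Same switch layout as the procedure: -s<keyset slot> -wBackupKey -c<reader slot>.
        # On restore, the target keyset must already exist with the original name and password,
        # because the BackupKey is derived from both.
        $arguments = @($verb, "-s$slot", '-wBackupKey', "-c$ReaderSlot")

        $ok = $null
        if ($PSCmdlet.ShouldProcess("$name (slot $slot)", "$Ctkmu $($arguments -join ' ')")) {
            & $Ctkmu @arguments            # ctkmu prompts for the keyset password itself
            $ok = ($LASTEXITCODE -eq 0)    # assumed: non-zero exit code on failure
        }

        $results += [pscustomobject]@{ Keyset = $name; Slot = $slot; Mode = $Mode; Succeeded = $ok }

        if ($ok -eq $false) {
            # Stop rather than retry blindly: the card locks after 7 consecutive bad PIN attempts.
            Write-Warning "$Mode of $name failed (exit code $LASTEXITCODE); stopping before the next card."
            break
        }
    }
    return $results
}

# Usage (slot numbers are illustrative; take yours from 'ctkmu l'):
#   Invoke-KeysetCardTransfer -Mode Backup  -KeysetSlots @{ MACHINE_Keyset = 0; SYSTEM_Keyset = 1 } -ReaderSlot 4
#   Invoke-KeysetCardTransfer -Mode Restore -KeysetSlots @{ MACHINE_Keyset = 0; SYSTEM_Keyset = 1 } -ReaderSlot 4 -WhatIf
```

Run with -WhatIf first: it prints the exact ctkmu command line for each keyset without touching the HSM or the card, which is the moment to check the slot numbers against the ctkmu l listing. The function returns one object per keyset so the outcome of each card can be recorded alongside the card's label.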