Configuring for Entrust Datacard nShield HSM

To configure Microsoft CA enrollment agent for an Entrust Datacard® (formerly Thales®) nShield™ HSM, perform the following steps:

  1. Install the Entrust Datacard nShield HSM and associated software (including the Entrust Datacard client) on the CA server. For details refer to the Entrust Datacard technical documentation.

  2. Installing the Entrust Datacard nCipher CNG (Cryptography Next Generation) Provider as described below.

  3. Configuring the Enrollment Agent Template as described below.

  4. Configuring the Key Recovery Agent Template as described below.

  5. Issuing the RA Certificate as described below.

  6. Issuing the KRA Certificate as described below.

You must install the Entrust Datacard (formerly Thales) nCipher CNG provider on the CA server and the ActivID CMS server.

To install the CNG provider, perform the following tasks:

  1. Run the Setup.exe file and make sure to select the components related to the following nShield Cryptography Service Providers (CSP): CryptoAPI (CAPI) and CryptoAPI Next Generation (CAPI-NG or CNG).

  2. Once installed, run the nCipher CNG Providers configuration wizard located on Windows in C:\Program Files (x86)\nCipher\nfast\bin\capingwizard64.exe

  3. Click Next.

  4. Select Use the existing security world, and click Next.

  5. Select the module, and click Next.

  6. Select Module protection (requires no extra cards but is less secure), and click Next.

  7. Click Next.

  8. Click Finish.

Note:

  • If the CA is on another machine, the CNG provider might not display.

  • The Enrollment Agent is used for the RA (Registration Authority) feature of Microsoft CA.

To configure the Microsoft CA Enrollment Agent template, perform the following tasks:

  1. On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.

  2. In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage.

  3. In the Certificate Templates console, in the results pane, right-click on a template having Certificate Request Agent as its intended purposes, and then click Duplicate Template.

  4. In the Properties of New Template dialog box, in the Compatibility tab, select Show resulting changes, and then click OK.

  5. In the General tab, enter a Template display name for this template; (in this example, RA in HSM Enrollment Agent) and click Apply.

  6. In the Request Handling tab, make sure the Purpose is Signature and select Enroll subject without requiring any user input, and then click Apply.

  7. In the Cryptography tab, select nCipher Security Key Storage Provider, and then click Apply.

  8. In the Issuance Requirements tab, make sure that none of the options are selected (as illustrated above), and then click Apply.

  9. In the Security tab, select the Enroll permissions for the CMS Server service user of your ActivID CMS server so that they can enroll the certificate using the RA HSM Enrollment Agent template.

  10. In the navigation pane, right-click on Certificate Templates, then select New > Certificate Template to issue.

  11. Select the template on the ActivID CMS server that you want to enable, and click OK.

Create a template for creating the KRA certificate in the HSM.

  1. In the Certificate Templates console of your Certificate Authority, right-click Key Recovery Agent, and then click Duplicate Template.

  2. In the Properties of New Template dialog box, in the Compatibility tab, select Show resulting changes, and then click OK.

  3. In the General tab, enter a Template display name for this template (in this example, KRA in HSM), and click Apply.

  4. In the Request Handling tab, make sure the Purpose is Encryption and select Enroll subject without requiring any user input, and then click Apply.

  5. In the Cryptography tab, select nCipher Security Key Storage Provider, and then click Apply.

  6. In the Issuance Requirements tab, configure enrollment to require one authorized signature using the Certificate Request Agent application policy (as illustrated above), and then click Apply.

  7. In the Security tab, select the Enroll permissions for the CMS Server service user of your ActivID CMS server so that they can enroll the certificate using the KRA in HSM template.

  8. Click OK.

  9. Select the template to enable on the ActivID CMS server, and click OK.

You must load the RA certificate into the keystore of the user where ActivID CMS is configured, and remove any system level certificates.

Note: Due to differences in the template versions, Microsoft Certificate Services (see Requesting the Key Recovery Agent Certificate) cannot be used in an Entrust Datacard (formerly Thales) nShield deployment.

To issue the RA certificate, perform the following tasks:

  1. Log on to the ActivID CMS server as the CMS Server user and open an MMC console with the Certificates snap-in for My User account.

  2. Expand the Certificates – Current User node, go to Personal and then right-click on Certificates.

  3. Point to All Tasks and select Request New Certificate…

  4. Select the new template (in this example, RA HSM Enrollment Agent) and click the link to configure the certificate properties.

  5. Enter the name of the CMS Server user as the Subject name and click OK.

  6. Click Enroll, and perform any other template actions applicable to your security policy.

  7. Click Finish, and make the template available for issuance.

You must load the KRA certificate into the keystore of the user where ActivID CMS is configured, and remove any system level certificates.

Note: Due to differences in the template versions, Microsoft Certificate Services (see Requesting the Key Recovery Agent Certificate) cannot be used in an Entrust Datacard (formerly Thales) nShield deployment.

  1. Log on to the ActivID CMS server as the CMS Server user and open an MMC console with the Certificates snap-in for My User account.

  2. Expand the Certificates – Current User node, go to Personal and then right-click on Certificates.

  3. Point to All Tasks and select Request New Certificate….

  4. Select the new template (in this example, KRA in HSM) and click the link to configure the certificate properties.

  5. In the Subject tab, enter the name of the CMS Server user as the Subject name.

  6. In the Signature tab, select the Enrollment Agent certificate that you created in section Configuring the Enrollment Agent Template and click OK.

  7. Click Enroll, and perform any other template actions applicable to your security policy.

  8. Click Finish.

  9. To use the certificate in ActivID CMS, you must export it as a .cer file.

    1. Right-click on the certificate, point to All Tasks and select Export.

    1. Select No, do not export the private key and click Next.

    1. Select Base-64 encoded X.509 as the format and click Next.

    2. Follow the wizard instructions to complete the export.

  10. To make the certificate visible to ActivID CMS as PKCS#11, it must be re-targeted using the Entrust Datacard (formerly Thales) KeySafe tool.

    1. Launch the KeySafe tool, click on the Keys button and locate the KRA certificate.

    1. In the Key Details section, copy or make a note of the Key Instance.

    2. Using PowerShell, go to the nCipher installation directory (C:\Program Files (x86)\nCipher\nfast\bin) and type the following command:

    Copy 
    .\generatekey.exe --retarget pkcs11 protect=token from-application=caping from-ident=s-1-5-
        21-1111689120-393781896-32317366-1105--
        58b7b764bc0deebbd188c90ed4a5cdb6f8904234 plainname=KRA_pkcs11

    Where the:

    • “protect” value must be “token”.

    • “from-application” value must be “caping”.

    • “from-ident” value is the Key Instance noted above.

    • “plainname” value is the label of the key to generate (in this example, KRA_pkcs11).

    You are prompted for the storage of the keymodule passphrase.

    Note: You may be prompted with “from-ident: Source key identifier?” that will suggest key identifiers with a default key identifier. In that case you should re-enter the from-ident value of the original command line or hit Enter if it corresponds to the default value.

    When the certificate is successfully retargeted, it is visible as a PKCS#11 application. Look for the key label used in the previous command (for example, KRA_pkcs11).

  11. Add the KRA certificate to the CA key archival configuration as described in Enabling Key Archiving with a Microsoft CA.