
Microsoft CA

General Information

This guide to integrating MS CA (Microsoft Certificate Authority) with the HSM was prepared using the software and firmware versions below:

  • OS: Windows Server 2019 (English)
  • MS Certification Authority: 10.0
  • HSM firmware: 5.0.26.0 (or higher)
  • HSM client: 4.7.30 (or higher)

Requirements

  1. Connectivity with the HSM (TCP port 4433).
  2. HSM client software installed (see the Windows topic).
  3. HSM service started.
  4. Windows account with local administration permission.
  5. Credentials of the HSM partition where the private key will be created or used.
  6. You may need to restart Windows (to load the local machine settings).

CA configuration with HSM

Installation and configuration of MS CA with key generation in HSM.

  1. Configure the MS CAPI parameters with the HSM partition credentials in the GUI console (Dinamocon).

    1. Configure the IP address, user and password of a partition in the HSM. The private key will be generated on this partition.
    2. Select the Enable CNG option.
    3. Click on the Apply button.

    Note

    Keep the Local Machine Configuration option unchecked and the CNG Compatibility Mode option checked.

    MS CAPI configuration

  2. Enable the MS CAPI parameters for the local machine in the GUI console (Dinamocon).

    Enable the Local Machine Configuration option. Click the Apply button.

    Note

    Keep the Local Machine Configuration option checked and also the CNG Compatibility Mode option checked.

    MS CAPI configuration, local machine

  3. In the Windows Server Manager Dashboard, start the CA installation by clicking on Add Roles and Features.

    Dashboard Server Manager

  4. Select the Role-based or feature-based installation type for the local computer.

    Role-based installation

    Server Selection

  5. Select the Active Directory Certificate Services role and confirm with Add Feature.

    Select Active Directory Certificate Services

    List of tools for ADCS

  6. Confirm the list of Features shown (no need to reselect). Click Next.

  7. Read the installer's warning note. Note that the computer's domain name and settings cannot be changed once the CA has been installed. Click Next.

  8. Select other services to be installed in Active Directory Certificate Services. Other options can be selected according to the needs of each environment. For HSM integration purposes, only Certification Authority is required. Click Next.

    Other services for ADCS

  9. Confirm the summary of role, features and services information. Click on Install.

    Confirm installation

  10. Once the installation is complete, the CA must be configured. This can be done on the installation completion screen or in the notification area of the Server Manager dashboard.

    Completion of installation

    During configuration it can be useful to keep the CLI console hsmcon.exe open, showing the HSM activity in real time (Logs/Follow option), to verify that the private key is generated and used in the HSM.

  11. Check and confirm the Windows credentials that will be used in the service.

    Confirmation of credentials for the service

  12. Select the services to be configured. For HSM integration purposes, only the Certification Authority is required.

    Services to be configured

  13. Specify the type of CA setup. In this guide we are assuming the Standalone CA type.

  14. Specify the type of CA. In this guide we are assuming the Root CA type.

  15. Specify the type of private key as Create a new private key.

    Type of private key

  16. In the cryptography options, select the HSM RSA algorithm provider as the cryptographic provider (Dinamo):

    RSA#Dinamo HSM Cryptographic Provider

    Select the size of the key and the hash algorithm for signing the certificates as defined by your specific environment. For example, 4096-bit RSA key and SHA256 hash algorithm.

    Cryptographic Provider

  17. Specify the Common Name for the CA. This name will be used on all certificates issued by the CA.

    CA Common Name

  18. Specify the validity period of the certificates issued by the CA. For example, 1 year.

  19. Specify the storage locations of the CA database and logs.

  20. Check and confirm the CA configuration information.

    CA configuration confirmation

  21. The ADCS service will generate an RSA private key in the HSM and complete the configuration process.

    CA configuration confirmation

  22. In the CA manager (Certification Authority) you can check the CA's information and details.

    CA manager properties menu

    CA details
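    The same check can be made from the Windows side. The PowerShell script below is an added example, not part of this guide or of the Dinamo software: it reads the active CA's KSP settings from the ADCS registry configuration and asks CNG which provider holds the private key of the CA certificate, so a CA whose key silently ended up in a software provider is flagged. The expected provider name is the one shown in the setup wizard on this page; the registry path and .NET calls are standard Windows/ADCS, but the function names are this example's own.

```powershell
# Added example (not part of the original guide): confirm that the configured CA
# uses the HSM key storage provider for its private key. Run elevated on the CA
# server after the CA configuration has completed.
# Assumption: the KSP is registered under the name shown in the CA setup wizard.
$ExpectedProvider = 'Dinamo HSM Cryptographic Provider'

function Get-CaCspConfig {
    # ADCS keeps the active CA name and its CSP/KSP settings in the registry.
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active
    $csp = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")
    [pscustomobject]@{
        CaName             = $caName
        Provider           = $csp.Provider
        PublicKeyAlgorithm = $csp.CNGPublicKeyAlgorithm
        HashAlgorithm      = $csp.CNGHashAlgorithm
    }
}

function Get-CaKeyInfo {
    param([string]$CaName)
    # The CA certificate is in the machine personal store; ask CNG which provider
    # actually holds the private key instead of trusting the registry alone.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CaName*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No CA certificate with a private key found for CN=$CaName" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
        throw "Private key is not a CNG key ($($rsa.GetType().Name)); the CA is not using a KSP"
    }
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        KeyProvider  = $rsa.Key.Provider.Provider
        KeyName      = $rsa.Key.KeyName
        KeySize      = $rsa.KeySize
        ExportPolicy = $rsa.Key.ExportPolicy   # what CNG reports; see the note on exportable keys below
    }
}

$csp = Get-CaCspConfig
$key = Get-CaKeyInfo -CaName $csp.CaName
$csp | Format-List
$key | Format-List

if ($csp.Provider -ne $ExpectedProvider -or $key.KeyProvider -ne $ExpectedProvider) {
    Write-Warning "CA '$($csp.CaName)' is NOT using '$ExpectedProvider'; its private key may be held in software."
} else {
    Write-Host "OK: CA '$($csp.CaName)' private key is held by '$ExpectedProvider'."
}
```

    Both the registry value and the provider reported by CNG for the certificate's key should name the HSM provider; a mismatch between the two means the CA certificate was issued with a different key than the one the CSP settings describe. The HSM's own attribute listing remains the authoritative view of the key (its exportable flag included).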

    The HSM should display the generation of the private key and its use by ADCS during the CA configuration process. In the log example below, the RSA key was generated with the name DBB0823FF3A4C57A993829E486C81038. This is the CA's private key. It is recommended to immediately generate a backup of the HSM.

    HSM logs
    2021/02/23 22:51:53 000074BA 00043EA3 87444AC1 msca auth ok, 10.61.53.163, 6|10.61.53.163 10.61.53.60:4433 -
    2021/02/23 22:51:53 000074BA 00043EA4 87444AC1 new key DBB0823FF3A4C57A993829E486C81038, t: 11, a: 01000001, c: 31|10.61.53.163 10.61.53.10:2433 msca
    2021/02/23 22:51:54 000074BA 00043EA5 87444AC1 R_COOR trying to setup E5E584C71B5C8991 04|10.61.53.163 10.61.53.60:4433 msca
    2021/02/23 22:51:54 000074BA 00043EA6 87444AC1 R_COOR prepared E5E584C71B5C8991 04|10.61.53.163 10.61.53.60:4433 msca
    2021/02/23 22:51:54 000074BA 00043EA7 87444AC1 DBB0823FF3A4C57A993829E486C81038 created|10.61.53.163 10.61.53.60:4433 msca
                                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^
    .
    .
    .
    2021/02/23 22:51:54 000074BE 00043EBF 493E887F msca auth ok, 10.61.53.163, 6|10.61.53.163 10.61.53.60:4433 -
    2021/02/23 22:51:54 000074BE 00043EC0 493E887F rsa DBB0823FF3A4C57A993829E486C81038!teeawBSSAaMjsmTpTSGY1rjnfXjAxoZn74RFrZFQ8L0=, c: 31|10.11.23.363 10.61.53.60:4433 msca
    .
    .
    .
    2021/02/23 22:51:54 000074C2 00043ED7 DDCC7585 msca auth init, c: 31|10.61.53.163 10.61.53.60:4433 -
    2021/02/23 22:51:54 000074C2 00043ED8 DDCC7585 msca auth ok, 10.61.53.163, 6|10.61.53.163 10.61.53.60:4433 -
    2021/02/23 22:51:54 000074C2 00043ED9 DDCC7585 rsa DBB0823FF3A4C57A993829E486C81038!teeawBSSAaMjsmTpTSGY1rjnfXjAxoZn74RFrZFQ8L0=, c: 31|10.11.23.363 10.61.53.60:4433 msca
    2021/02/23 22:51:54 000074C2 00043EDA DDCC7585 e-conn: 10.61.53.163|10.61.53.163 10.61.53.60:4433 msca
    .
    .
    .
    2021/02/23 22:51:54 000074C4 00043EE4 972B2404 msca auth init, c: 31|10.61.53.163 10.61.53.60:4433 -
    2021/02/23 22:51:54 000074C4 00043EE5 972B2404 msca auth ok, 10.61.53.163, 6|10.61.53.163 10.61.53.60:4433 -
    2021/02/23 22:51:54 000074C4 00043EE6 972B2404 rsa DBB0823FF3A4C57A993829E486C81038!teeawBSSAaMjsmTpTSGY1rjnfXjAxoZn74RFrZFQ8L0=, c: 31|10.11.23.363 10.61.53.60:4433 msca
    
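    To confirm the same thing from the HSM log rather than by eye, the PowerShell script below is an added example (not part of this guide): it parses log lines in the format shown above, extracts the key-generation, creation and RSA-operation events per key name, and summarises which user and client address created and used each key. The sample lines are copied from the log excerpt on this page; the field labels are this example's own, since the page does not document the log format.

```powershell
# Added example (not part of the original guide): summarise key creation and use
# from HSM log lines. Sample input copied from the log excerpt on this page.
$SampleLog = @'
2021/02/23 22:51:53 000074BA 00043EA3 87444AC1 msca auth ok, 10.61.53.163, 6|10.61.53.163 10.61.53.60:4433 -
2021/02/23 22:51:53 000074BA 00043EA4 87444AC1 new key DBB0823FF3A4C57A993829E486C81038, t: 11, a: 01000001, c: 31|10.61.53.163 10.61.53.10:2433 msca
2021/02/23 22:51:54 000074BA 00043EA7 87444AC1 DBB0823FF3A4C57A993829E486C81038 created|10.61.53.163 10.61.53.60:4433 msca
2021/02/23 22:51:54 000074BE 00043EC0 493E887F rsa DBB0823FF3A4C57A993829E486C81038!teeawBSSAaMjsmTpTSGY1rjnfXjAxoZn74RFrZFQ8L0=, c: 31|10.11.23.363 10.61.53.60:4433 msca
2021/02/23 22:51:54 000074C2 00043ED9 DDCC7585 rsa DBB0823FF3A4C57A993829E486C81038!teeawBSSAaMjsmTpTSGY1rjnfXjAxoZn74RFrZFQ8L0=, c: 31|10.11.23.363 10.61.53.60:4433 msca
'@

function ConvertFrom-HsmLogLine {
    param([string]$Line)
    # Layout as it appears on this page (field names are assumptions):
    # <date> <time> <hex> <hex> <hex> <message>|<client ip> <hsm ip:port> <user>
    $m = [regex]::Match($Line,
        '^(?<ts>\S+ \S+) [0-9A-F]{8} [0-9A-F]{8} [0-9A-F]{8} (?<msg>.*)\|(?<client>\S+) (?<hsm>\S+) (?<user>\S+)$')
    if (-not $m.Success) { return $null }
    $msg = $m.Groups['msg'].Value
    $event = 'other'; $key = $null
    if     ($msg -match '^new key (?<k>[0-9A-F]{32})')  { $event = 'keygen';  $key = $Matches.k }
    elseif ($msg -match '^(?<k>[0-9A-F]{32}) created$') { $event = 'created'; $key = $Matches.k }
    elseif ($msg -match '^rsa (?<k>[0-9A-F]{32})!')     { $event = 'rsa-op';  $key = $Matches.k }
    elseif ($msg -match '^msca auth ok')                 { $event = 'auth' }
    [pscustomobject]@{
        Time   = $m.Groups['ts'].Value
        Event  = $event
        Key    = $key
        Client = $m.Groups['client'].Value
        User   = $m.Groups['user'].Value
    }
}

function Get-HsmKeyActivity {
    param([string[]]$Lines)
    # One record per key name: when/by whom it was created, how often it was
    # used for an RSA private-key operation, and from which client addresses.
    $byKey = @{}
    foreach ($line in $Lines) {
        $e = ConvertFrom-HsmLogLine $line
        if (-not $e -or -not $e.Key) { continue }
        if (-not $byKey.ContainsKey($e.Key)) {
            $byKey[$e.Key] = [pscustomobject]@{
                Key = $e.Key; Created = $null; CreatedBy = $null; Clients = @(); RsaOps = 0
            }
        }
        $rec = $byKey[$e.Key]
        switch ($e.Event) {
            'created' { $rec.Created = $e.Time; $rec.CreatedBy = $e.User }
            'rsa-op'  { $rec.RsaOps++ }
        }
        if ($rec.Clients -notcontains $e.Client) { $rec.Clients += $e.Client }
    }
    $byKey.Values
}

$activity = Get-HsmKeyActivity ($SampleLog -split "`r?`n")
$activity | Format-Table Key, Created, CreatedBy, RsaOps, @{ n = 'Clients'; e = { $_.Clients -join ',' } }
```

    Run against the live log (for example the output of the Logs/Follow option saved to a file), a CA key that shows RSA operations from a client address other than the CA server, or a key that was used before it was created by the expected user, is worth investigating.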

    The details of the CA's private key can be checked in the HSM console.

    Note

    ADCS explicitly requests that the generated key be exportable.

    Key attributes
    Dinamo - Remote Management Console v. 4.7.29.0 2018 (c) Dinamo Networks
    
    HSM 10.61.53.60 e - Engine 5.0.27.0 (DCD) - TCA0000000  - ID msca
    
    Keys/Objects - Attributes
    
    Name (HSM) : DBB0823FF3A4C57A993829E486C81038
                                Type : rsa4096
                           Temporary : no
                          Exportable : yes
                           Encrypted : yes
                             Blocked : no
    
                       Usage-profile : signature generation/verification
    
                               State : ACTIVE
                                Mask : SIGN, VERIFY, CERTIFICATE_SIGN, CRL_SIGN
                        Initial date : 2021-02-23 22:51:54 GMT
                     Activation date : 2021-02-23 22:51:54 GMT
                        Archive date : none
                     Compromise date : none
          Compromise occurrence date : none
                   Deactivation date : none
                    Last change date : 2021-02-23 22:51:54 GMT
              Original creation date : 2021-02-23 22:51:54 GMT
                  Process start date : none
                   Protect stop date : none
    
                Public exponent(hex) : 010001
                            Key size : 4096 bits
    
                        CKA_KEY_TYPE : 0
                           CKA_CLASS : 3
                     CKA_EXTRACTABLE : yes
                       CKA_SENSITIVE : no
               CKA_NEVER_EXTRACTABLE : no
                           CKA_LOCAL : no
                CKA_CERTIFICATE_TYPE : 0
                         CKA_MODULUS : C0AA6E046A40F003B7B3BCF17D862A656F7D0C2C8ADC794E2ABE0B0A695736A5CBF90F0294B6C8
                                       75DD35E6C10C10AA7A40CA1FF28F01A5103F0BDA6B3CFF1B3CC4E3365D47EB831D4BC0907AC78A
                                       D47B1206686E984A86CAD2B29226181D3F702363C6983942DF1833EC1EA702781C7783D014778E
                                       DB80D04834959B3F9126C8E5AD1D4F020CFE3EAF39147701F88C5A0DCE5029DE388F17DF3A8608
                                       AC48816F4552EDB6F3C09D254608D216D1205BD69CB6B97B1E5E1835A30B018D2D3E881128E8F2
                                       E1281EFE65D4C35C5E54FF643F40AF41D4528E944C3ECEA0B0ACC7DC7AC2C96A2BE6FB2A5C6890
                                       A497D35BD77FF73557A31E2DC7E5AA298A0E805253DC5DF3327DD78A23F0B0C72283DD9D7D6605
                                       D961A151BEA8145833DF21BE92D821DD11EE07EFF67ACCECB1C49C478D1C4CF81F51D300A03255
                                       AE2429245BCCB49423F525E6787BABF1AB95BFB930B1F50E9AFA0C083D57E57ABC747DC135AE71
                                       4BA22BBC22C00669575397071E1FC2B2395BDDDD53F7D021C954467EECF3C36CF6C75C1604577A
                                       6789D87421F929099EB2E99AD7C735454E52D74ED962B980F414BF96334F380A6776813C3B9624
                                       4288F9D1D696D7B9B19534B21217026C5517691AE997C7839BE64AE0EE0BD22F7C295E318D71A9
                                       7F620348C4E117F20D941D541401B78EA6F6110420F348EDF1B0822274F33C78F37CFC6171BC85
                                       42C2A64793
                 CKA_PUBLIC_EXPONENT : 010001
                 CKA_PUBLIC_KEY_INFO :
                       CKA_EC_PARAMS :
                         CKA_SUBJECT :
                          CKA_ISSUER :
                              CKA_SN :
                           CKA_TOKEN : yes
                      CKA_MODIFIABLE : yes
                    CKA_MODULUS_BITS : 4096
                         CKA_PRIVATE : yes
                          CKA_DERIVE : yes
                            CKA_WRAP : yes
                          CKA_UNWRAP : yes
                            CKA_SIGN : yes
                          CKA_VERIFY : yes
                         CKA_ENCRYPT : no
                         CKA_DECRYPT : no
                       CKA_OBJECT_ID :
                     HSM_OBJ_VERSION : 2
                        HSM_OBJ_TYPE : 11
                        HSM_OBJ_ATTR : 16777217
                         HSM_OBJ_LEN : 2875
                          HSM_OBJ_ID : msca/DBB0823FF3A4C57A993829E486C81038
                      HSM_OBJ_PVALUE : 736E28329D4D74AF195A6A0F041C24AA464CD87E
                           CKA_LABEL :
                              CKA_ID :
                    CKA_SIGN_RECOVER : no
                  CKA_VERIFY_RECOVER : no
                     CKA_APPLICATION :
                         CKA_TRUSTED : no
                CKA_JMIDP_SEC_DOMAIN : 0
                   CKA_CERT_CATEGORY : 0
               CKA_KEY_GEN_MECHANISM : 0
               CKA_WRAP_WITH_TRUSTED : no
                       HSM_ASSOCIATE :
    
    Actions:
    
     1 - Block
     2 - Edit Metadata
     3 - PKCS#10 CSR
    
     0 - Main Menu
    Option :