
Use with system accounts

All configuration done with the HSM Dinamo console (Dinamocon) is scoped to the current user. To configure parameters for a system account, the console must be run in Windows impersonating that account. This can be done with tools provided by Microsoft itself, the manufacturer of the operating system.

The system accounts dealt with here are:

  • System (or SYSTEM), sid: S-1-5-18
  • LocalService (or LOCAL SERVICE), sid: S-1-5-19
  • NetworkService (or NETWORK SERVICE), sid: S-1-5-20

Strictly speaking, these aren't exactly Windows accounts, but we'll call them that for ease of understanding.

Tools used

  • Tool used for impersonation: psexec64, from the PsTools suite provided by Microsoft.
  • HSM Dinamo client software: 64-bit MSI, which includes the GUI management console (Dinamocon).
  • HSM Dinamo utility: hsmutil.

Procedure for associating a certificate in a system account with a key in the HSM

Danger

Warning: execution with SYSTEM identity gives virtually unlimited access to the entire environment and can cause real damage if used inappropriately. Be very careful when using this facility.

  1. Start a cmd terminal under the profile of a Windows system account. Run the command below that matches the account of interest from a terminal (PowerShell or cmd) with elevated administrative privileges:

    psexec64 -i -u "NT AUTHORITY\System" cmd
    
    psexec64 -i -u "NT AUTHORITY\LocalService" cmd
    
    psexec64 -i -u "NT AUTHORITY\NetworkService" cmd
    

    The accounts must be entered exactly by these names (in English), even on Portuguese systems, although certain Windows utilities (GUI and CLI) may show them localized.

    Note that these accounts do not have a password. If you are asked for one, the account name has probably been entered incorrectly.

    Ex:

    > psexec64 -i -u "NT AUTHORITY\system" cmd
    
    PsExec v2.43 - Execute processes remotely
    Copyright (C) 2001-2023 Mark Russinovich
    Sysinternals - www.sysinternals.com
                   .
                   .
                   .
       cmd launched on another terminal (interactive) ...
                   .
                   .
                   .
       ... exit in the cmd terminal.
    
    cmd exited on MYHOST with error code 0.
    > _
    

    The new cmd started will run under the profile of the account indicated, i.e. this account will be the current user for any application running from it.
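    Before starting the console in the new cmd, it is worth confirming that the shell really carries the SID of the intended account, since the display name may be localized and a typo in the psexec64 command can silently leave you in a different context. The PowerShell script below is an added example, not part of the Dinamo documentation; the account names and SIDs are the three listed above, and the script name Confirm-SystemAccount.ps1 is a constructed one.

```powershell
# Added example (not Dinamo Networks' code): fail fast if this shell is not running
# under the system account the HSM configuration is meant for. Names and SIDs are
# the three listed on this page; the script name Confirm-SystemAccount.ps1 is constructed.
param(
    [Parameter(Mandatory)]
    [ValidateSet('System', 'LocalService', 'NetworkService')]
    [string]$Expected
)

# Well-known SIDs: stable across Windows versions and languages, unlike the
# display names (SYSTEM may be shown as SISTEMA on a Portuguese system).
$wellKnownSids = @{
    'System'         = 'S-1-5-18'
    'LocalService'   = 'S-1-5-19'
    'NetworkService' = 'S-1-5-20'
}

$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$actualSid   = $identity.User.Value
$expectedSid = $wellKnownSids[$Expected]

$result = [pscustomobject]@{
    ExpectedAccount = "NT AUTHORITY\$Expected"
    ExpectedSid     = $expectedSid
    ActualName      = $identity.Name      # localized display name, informational only
    ActualSid       = $actualSid          # the value that is actually compared
    Match           = ($actualSid -eq $expectedSid)
}
$result | Format-List

if (-not $result.Match) {
    Write-Error "This shell runs as $($identity.Name) ($actualSid), not NT AUTHORITY\$Expected ($expectedSid). Do not run dinamocon.exe from it."
    exit 1
}
```

    Run it from the cmd opened by psexec64, for example `powershell -ExecutionPolicy Bypass -File Confirm-SystemAccount.ps1 -Expected LocalService`; a non-zero exit code means the shell is not in the expected context. For a quick manual look, `whoami /user` in the same cmd prints the SID of the current token.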

  2. Run the HSM management GUI console from the cmd terminal:

    "\Program Files\Dinamo Networks\HSM Dinamo\dinamocon.exe"
    

    The title bar shows the account under which the console is running (v 4.8.0+).

    Impersonation of the SISTEMA (SYSTEM) account

    Impersonation of the LOCAL SERVICE account

    Impersonation of the NETWORK SERVICE account

    In Environment Configuration/MS CAPI/Containers check or create the container and indicate the private key that will be used. Make a note of the name of the container. For more information, see the specific topic Containers / Certificate Store.

  3. Run the GUI certificate manager from cmd:

    certmgr
    

    Locate the certificate that will be associated and make a note of its hash (also called the fingerprint or thumbprint); the value is needed in the next step. If the certificate has not yet been imported, you can import it now using the manager.

    You can also list the certificates by running the command line:

    certutil -user -store "My"
    
  4. From cmd, run the hsmutil utility to associate a certificate in the certificate store with a key in the HSM:

    Ex. 1, for a CSP provider:

    • --container is a CSP container name
    • --keyspec is the use of the key in the container (sign or key_exchange)

    hsmutil -j cert-assign-key --csp "Dinamo HSM Cryptographic Provider" --store current_user --repo My --container prod --keyspec at_keyexchange --certhash 9A714AEFD314BE74C7953002A6FDC83248C7868A
    

    Ex. 2, for a CNG provider (CNG enabled):

    • --container is a key name in the HSM
    • --keyspec is cng (literal)

    hsmutil -j cert-assign-key --csp "Dinamo HSM Cryptographic Provider" --store current_user --repo My --container mykey --keyspec cng --certhash 9A714AEFD314BE74C7953002A6FDC83248C7868A
    
  5. To perform a signature test via CSP/CNG you can use hsmutil:

    Ex:

    hsmutil -j cert-sign --store current_user --repo My --certhash 9979222498057bc1e2867da9c02dc500f080a264 --inform hex --in 1234EEFF
    
    BB187A708484AE518C527DBEF56C92F404ECF49EDCD7A5EFA7BBC0C19D67CBE7E8243F45164831F340A6FE59A805CC
    F4B90140C4AD7BD0C63D44AF7487DCA85521E191EF809BC1DF92232FE8DC5B74A9FE549417FE78B463FCC0D72FBA93
    474072E8D7A6FC70E59C22879F2FCC71C43D0095F2D8A84392182AFE62DAAF7CF0D46238C9F41480576449557CE8A6
    3DFCFDBCE6E66A9E13E48F7D82C0F5C50A05F350C0FFE1B06841FAA11D8F1E6C6E700665F5ECD72982DBF198F6E728
    6997FE35E4984B7A5A59DDBDF6F84A4998343EF2E2C62DB45EE5A4BF954C6A57E572DA8ACB5008EAA25E363F0FCAF0
    C1DF95204C4A68D57D4AEF31F737845329A2D0A980
    Total time: 125.84 ms (0.13 sec) [7.95 op/sec]
    
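    An independent way to check the result of steps 4 and 5 is to inspect the certificate from the impersonated account's own store with .NET and run a sign/verify round-trip through the bound key, so that the check goes through the same CSP/CNG provider that applications will use. The script below is an added example, not Dinamo Networks' code: it assumes an RSA key, that it is run from the cmd opened by psexec64 (so that Cert:\CurrentUser\My is the store that `--store current_user --repo My` refers to), that the provider supports SHA-256 with PKCS#1 v1.5, and the script name Test-HsmKeyBinding.ps1 is constructed. The provider name defaults to the one used in the hsmutil examples above.

```powershell
# Added example (not Dinamo Networks' code): inspect a certificate in the
# impersonated account's personal store, confirm its private key is bound to the
# HSM provider, then do a sign/verify round-trip through that key.
# Assumptions: RSA key; run from the cmd opened by psexec64, so that
# Cert:\CurrentUser\My is the store "--store current_user --repo My" refers to.
# Constructed script name: Test-HsmKeyBinding.ps1
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint,                                               # certificate hash noted in step 3
    [string]$ExpectedProvider = 'Dinamo HSM Cryptographic Provider'    # provider name used in step 4
)

# certutil/certmgr show the hash with spaces and mixed case; normalise before comparing.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert  = Get-ChildItem -Path Cert:\CurrentUser\My |
         Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
if (-not $cert) {
    Write-Error "No certificate with hash $thumb in this account's My store (check the account context and the hash)."
    exit 1
}

# GetRSAPrivateKey returns a handle from whichever provider holds the key:
# RSACng for a CNG key name (--keyspec cng), RSACryptoServiceProvider for a CSP container.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) {
    Write-Error "Certificate $thumb has no private key bound; cert-assign-key has not been applied for this account."
    exit 1
}

if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $kind      = 'CNG'
    $provider  = $rsa.Key.Provider.Provider
    $container = $rsa.Key.KeyName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info      = $rsa.CspKeyContainerInfo
    $kind      = "CSP ($($info.KeyNumber))"      # Exchange or Signature, i.e. the keyspec
    $provider  = $info.ProviderName
    $container = $info.KeyContainerName
} else {
    $kind = $rsa.GetType().Name; $provider = '(unknown)'; $container = ''
}

# Round-trip: the signature is produced by the provider (inside the HSM), the check
# uses only the public key from the certificate. A CSP without SHA-256 support
# would throw in SignData; that is a finding in itself.
$data = [System.Text.Encoding]::UTF8.GetBytes('hsm key binding check')   # constructed test input
$hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$sig  = $rsa.SignData($data, $hash, $pad)
$pub  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$verified = $pub.VerifyData($data, $sig, $hash, $pad)

[pscustomobject]@{
    Subject        = $cert.Subject
    Thumbprint     = $cert.Thumbprint
    KeyKind        = $kind
    Provider       = $provider
    ProviderOk     = ($provider -eq $ExpectedProvider)
    Container      = $container
    SignatureBytes = $sig.Length
    SignVerifyOk   = $verified
}

if (-not $verified -or $provider -ne $ExpectedProvider) { exit 1 }
```

    Run it from the same cmd as the hsmutil commands, for example `powershell -ExecutionPolicy Bypass -File Test-HsmKeyBinding.ps1 -Thumbprint 9A714AEFD314BE74C7953002A6FDC83248C7868A`. The Provider and Container fields should match what `certutil -user -store "My"` reports for that certificate in the same account; a ProviderOk of False means the certificate is bound to a software key rather than the HSM, and a missing private key means the association was made in a different account's store.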