Microsoft AD CS and OCSP Integration Guide for Microsoft Windows Server 2012 and 2012 R2


Page 1: Microsoft AD CS and OCSP Integration Guide for Microsoft … · 2020-04-14 · 2 Introduction 2Introduction MicrosoftActiveDirectoryCertificateServices(ADCS)providesthefunctionalityforcreatingand

Microsoft AD CS and OCSP Integration Guide for Microsoft Windows Server 2012 and 2012 R2


Version: 1.4.6

Date: Friday, December 20, 2019

Copyright 2019 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of nCipher Security Limited neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document English is the canonical language.

Page 2 of 4 Microsoft AD CS and OCSP - Integration Guide for Microsoft Windows Server 2012 and 2012 R2


Contents

2 Introduction 1

2.1 Product configurations 1

2.2 Supported nCipher nShield functionality 1

2.3 Requirements 2

2.4 This guide 2

2.5 More information 3

3 Procedures 4

3.1 Installing the HSM 4

3.2 Installing the software and creating or sharing the Security World 4

3.3 Installing and configuring AD CS 6

3.4 Configuring auto-enrollment group policy for a domain 7

3.5 Configuring the nCipher nShield HSM with Certificate Services 8

3.5.1 Configuring Certificate Services with a new key 8

3.5.2 Configuring Certificate Services using an existing private key 8

3.6 Configuring Certificate Enrollment to use CA templates on the AD CS Server 9

3.7 Setting up key use counting 10

3.7.1 Key use counter overview 10

3.7.2 Installing Certificate Services with key use counting 11

3.8 CA Backup, migrate and restore 12

3.8.1 Backing up, migrating and restoring CA using an existing certificate and its associated private key 13

3.8.2 Backing up, migrating and restoring the CA using an existing private key 16

3.9 Installing the OCSP 17

3.10 Configuring the CA to issue an OCSP Response Signing Certificate 18

3.10.1 Configuring certificate templates for your environment 18

3.10.2 Configuring the CA to support the Online Responder service 19

3.10.3 Requesting a certificate from OCSP Response Signing template 20

3.10.4 Verifying that the signing certificate is properly configured 21

3.10.5 Modifying the Online Responder service to use a nCipher HSM 21

3.11 Setting up a revocation configuration 21

3.12 Verifying that OCSP works correctly 22


3.12.1 Generating a certificate request 22

3.12.2 Removing information about the certificate's CRL 23

3.12.3 Retrieving information about the certificate's AIA, CRLs, and OCSP 24

3.12.4 Verifying the OCSP Server is Active 24

3.13 Uninstalling AD CS and OCSP 25

4 Troubleshooting 26

Contact Us 27

Europe, Middle East, and Africa 27

Americas 27

Asia Pacific 27


2 Introduction

Microsoft Active Directory Certificate Services (AD CS) provides the functionality for creating and installing a Certificate Authority (CA). The CA acts as a trusted third party that certifies the identity of clients to anyone who receives a digitally signed message. The CA may issue, revoke, and manage digital certificates.

The Online Responder is a Microsoft Windows Service that implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates. The service provides up-to-date validation of certificates, and sends back a signed response containing the requested certificate status information. OCSP is used to provide real-time information about a certificate's status.

The CA and OCSP use the nCipher nShield Hardware Security Module (HSM) to protect their private keys.

Throughout this guide, the term HSM refers to nShield® Solo™ modules (nShield PCIe and Solo XC), nShield Connect™, and nShield Edge™ products.

They also use the HSM for important operations such as key generation, certificate signing, and CRL signing. The nCipher HSM can be configured to protect the private keys and meet Federal Information Processing Standards (FIPS) 140-2 level 2 or level 3.

2.1 Product configurations

We have successfully tested nCipher HSM integration with Microsoft Windows Server 2019 and Microsoft Windows Server 2016 (Standard, Datacenter and Server Core editions) and Microsoft AD CS in the following configurations:

nShield Security World   Windows      Windows      nShield Solo   nShield Solo+/XC   nShield Connect+/XC   nShield Edge
Software version         Server 2016  Server 2019  support        support            support               support
12.60.3                  Yes          Yes          No             Yes                Yes                   No
12.40.2                  Yes          No           No             Yes                Yes                   No

2.2 Supported nCipher nShield functionality

Soft cards            Yes (12.60.3 only)
Key management        Yes
FIPS 140-2 level 3    Yes
Key recovery          Yes
Module-only key       Yes
K-of-N card set       Yes
Load balancing        Yes
Key import            Yes
Fail over             Yes

CA failover clustering is only supported with network attached HSMs (nShield Connect).

2.3 Requirements

Before installing the software, we recommend that you familiarize yourself with the Microsoft AD CS and OCSP documentation and setup processes, and that you have the nCipher nShield documentation available. We also recommend that you have an agreed organizational Certificate Practices Statement and a Security Policy/Procedure in place covering administration of the PKI and HSM.

In particular, these documents should specify the following aspects of HSM administration:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards

• Whether the application keys are protected by the module, softcard, or an OCS

• The number and quorum of Operator Cards in the OCS, and the policy for managing these cards

• Whether the Security World should be compliant with FIPS 140-2 level 3

• Key attributes such as the key size and time-out

• Whether there is any need for auditing key usage

• Whether to use the nCipher Cryptographic Service Providers for Microsoft Cryptographic API: Next Generation (CNG) or CryptoAPI (CAPI)

• Whether to initialize the nShield Security World as Recoverable; this is highly recommended.

We recommend that you use CNG for full access to available features and better integration with Microsoft Windows Server editions.

2.4 This guide

This guide describes how to configure AD CS and OCSP with the nCipher nShield Hardware Security Module (HSM), and set up a root CA. We have tested the instructions, which provide a straightforward integration process. There may be other untested ways to achieve interoperability. This guide might not cover every step of the hardware and software setup process.

This guide assumes that you are familiar with the nCipher HSM documentation and the setup process for AD CS and OCSP. For more information about installing the AD CS and OCSP, refer to the Microsoft documentation.


2.5 More information

• For more information about OS support, contact your Microsoft sales representative or nCipher Support.

• For more information about contacting nCipher, see Addresses at the end of this guide.

• Additional documentation produced to support your nCipher product is in the document directory of the CD-ROM or DVD-ROM for that product.

• For more information about HSM administration, refer to the User Guide for the HSM.


3 Procedures

3.1 Installing the HSM

Install the HSM using the instructions in the Hardware Installation Guide for the HSM. We recommend that you install the HSM before configuring the Security World Software, and before installing and configuring AD CS and OCSP.

If you already have an HSM installed and a Security World configured, proceed to "Installing and configuring AD CS" on page 6.

3.2 Installing the software and creating or sharing the Security World

To install the Security World Software and create the Security World:

1. Install the latest version of the Security World Software as described in the User Guide for the HSM.

We recommend that you always uninstall any existing Security World Software before installing the new Security World Software.

2. Initialize a Security World as described in the User Guide for the HSM.

You must create the Security World using the new-world utility supplied with the Security World software. You must then select Use existing Security World when installing and registering either CSP or CNG providers.

3. Register the Cryptographic Service Providers that you intend to use.

For CAPI on 64-bit Windows, both 32-bit and 64-bit CSP Install Wizards are available. If you intend to use the CAPI CSPs from both 32-bit and 64-bit applications, or if you are unsure, run both wizards. The CNG Configuration Wizard registers the CNG Providers for use by both 32-bit and 64-bit applications where relevant. For detailed information on registering the CAPI CSPs or CNG Providers, refer to the User Guide for the HSM.

4. If you are installing OCSP on a different server to the CA, install the Security World Software on both servers (as described in the User Guide for the HSMs) and share the Security World by copying the %NFAST_KMDATA%\local directory from the CA server to the OCSP server. See the User Guide for more information.

You can also have the Security World files in a shared network location which can be accessed by both the CA and OCSP server.


5. If you are going to use Key Counting using the nCipher CNG/KSP with the CA, you need to create a CAPolicy.inf file in the %Windows% directory before installing the CA role, and set a registry value. The Registry container is HKLM\Software\nCipher\CryptoNG\ and the Registry Key is UseCountEnabled, which must be set to 1.

6. If you are intending to use Module protection, Pool mode can be configured using the relevant CNG or CAPI wizards.

You should already have a Security World configured on the AD CS server, created using the new-world utility; select Use existing Security World when prompted.

To enable pool mode using the CNG wizard:

1. Launch the CNG configuration wizard and go to the Enable HSM Pool Mode screen.

2. Select the checkbox Enable HSM Pool Mode for CNG Providers.

To enable pool mode using the CSP wizards:

1. Select 32bit CSP install wizard or 64bit CSP install wizard (depending on the platform in use).

2. Launch the 32bit CSP install wizard or the 64bit CSP install wizard and go to the Enable HSM Pool Mode screen. Select the checkbox Enable HSM Pool Mode for CAPI Providers.


3.3 Installing and configuring AD CS

To install and configure Microsoft AD CS:

1. Click Start > Server Manager to open Server Manager.

2. Click Manage, then click Add Roles & Features. The Before you begin window opens. Click Next.

3. On the Select installation type window, make sure the default selection of Role or Feature Based Installation is selected and click Next.

4. On Server selection, select a server from the server pool and click Next.

5. On the Select server roles window, select the Active Directory Certificate Services role.

6. When prompted to install Remote Server Administration Tools click Add Features, then click Next.

7. On the Select features window, click Next.

8. On the Active Directory Certificate Services window, click Next.

9. On the Select role services window, the Certification Authority role is selected by default. Click Next.

10. On the Confirm installation selections window, verify the information and click Install.

11. When the installation is complete, click the Configure Active Directory Certificate Services on the destination server link.

12. On the Credentials window, make sure that Administrator's credentials is displayed in the Credentials box. If not, click Change and specify the appropriate credentials. Click Next.

13. On the Role Services window, select Certification Authority. This is the only available selection when the certification authority role is installed on the server. Click Next.

14. On the Setup Type window, select the appropriate CA setup type for your requirements. Click Next.

15. On the CA Type window, Root CA is selected by default. Click Next.

16. On the Private Key window, leave the default selection to Create a new private key selected. Click Next.

17. On the Cryptography for CA window, select the appropriate nCipher cryptographic provider along with the key type, key length and suitable hash algorithm:

• RSA #nCipher Security World Key Storage Provider

• ECDSA_P256 #nCipher Security World Key Storage Provider

• ECDSA_P384 #nCipher Security World Key Storage Provider

• ECDSA_P521 #nCipher Security World Key Storage Provider

Make sure the Allow administrator interaction when the private key is accessed by the CA check box is ticked.

18. Click Next.

19. On the CA Name window, give the appropriate CA name and click Next.

20. On the Validity Period window, enter the number of years for the certificate to be valid and click Next.

21. On the CA Database window, leave the default locations for the database and database log files. Click Next.

22. On the Confirmation window, click Configure.


23. If you selected an nCipher cryptographic service provider on the Cryptography for CA window, the nCipher key storage provider create a key wizard prompts you to create a new key. Click Next. Select a way to protect the new key. Click Next.

If either Softcard or OCS (token) protection was chosen when the CSP/CNG providers were installed using the wizards, you will be prompted to either enter the Softcard passphrase/PIN or present the OCS and credential. There will be no prompt if Module protection was chosen. If using a FIPS 140-2 level 3 Security World you will need to present either a card from the ACS or OCS for FIPS authorization before the AD CS key can be generated, irrespective of your chosen protection method.

24. Once the passphrase(s) has been presented successfully, close the wizard.

The Progress window opens during the configuration processing, then the Results window opens. Click Close. If the Installation progress window is still open, click Close on that window also.

25. Register nFast Server as a dependency of AD CS with the ncsvcdep tool in the nfast/bin directory; this is needed because the nCipher service must have started before the CA, otherwise the nCipher CNG providers will fail. Run the command:

>ncsvcdep -a certsvc

26. Verify that the CA service has started successfully by running the following command on the command line. Use Windows key + R to open the Run dialog, and type cmd to open the command prompt. Run the command:

>sc query certsvc

Output:

SERVICE_NAME: certsvc

TYPE : 110 WIN32_OWN_PROCESS (interactive)

STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

3.4 Configuring auto-enrollment group policy for a domain

To complete the integration procedures, you must configure auto-enrollment as a group policy:


1. On the domain controller, click Start > Administrative Tools > Group Policy Management.

2. Go to Forest, select your Domain and expand it.

3. Double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

4. Right-click the Default Domain Policy GPO, and then click Edit.

5. In the Group Policy Management Editor, click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

6. Double-click Certificate Services Client - Auto-Enrollment.

7. In Configuration Model, click Enabled to enable auto-enrollment. Select the following check boxes:

- Renew expired certificates, update pending certificates, remove and revoke certificates.

- Update certificates that use certificate template.

8. Click Apply and OK to accept your changes and close the Editor.

3.5 Configuring the nCipher nShield HSM with Certificate Services

3.5.1 Configuring Certificate Services with a new key

To install the Certificate Server using the nCipher HSM Key Storage Provider (KSP):

1. Install and configure the nCipher HSM hardware and software as described in the section "Installing the software and creating or sharing the Security World" on page 4.

2. Install Microsoft Active Directory Certificate Services as described in the section "Installing and configuring AD CS" on page 6, with the following settings:

- In the Private Key window, click Create a new private key and click Next.

- Continue the CA setup as described in the section "Installing and configuring AD CS" on page 6.

3.5.2 Configuring Certificate Services using an existing private key

To install the Certificate Server using the nCipher HSM KSP with an existing HSM private key:

1. Install and configure the nCipher HSM hardware and software as described in the section "Installing the software and creating or sharing the Security World" on page 4.

2. Install Microsoft Active Directory Certificate Services as described in the section "Installing and configuring AD CS" on page 6.

3. In the Private Key window, select Use existing private key and then Select an existing private key on this computer. Click Next.

4. In the Select Existing Key window, click Change.

5. In the Change Cryptographic Provider window, select the CSP that contains the created key. Delete the contents of the field CA common name, and click Search. The search finds the existing private key. Select the key, then select Allow administrator interaction when the private key is accessed by the CA. Click Next.

6. In the Cryptography for CA window, select the appropriate hash algorithm and click Next.

7. In the CA Name window, click Next.

8. In the Validity Period window, specify the validity period and click Next.

9. In the CA Database window, specify the certificate database locations and certificate database log locations and click Next.

10. In the Confirmation window, click Configure.

11. Wait for the configuration to complete. After successful completion, close the AD CS configurationwindow.

12. Verify that the CA service has successfully started by running the command:

>sc query certsvc

13. Verify the CA key by running the command:

>certutil -verifykeys

3.6 Configuring Certificate Enrollment to use CA templates on the AD CS Server

To integrate the CA certificate enrollment functionality with a nCipher HSM generated CA private key:

1. Create a CA template that uses the nCipher HSM KSP:

a. Run certtmpl.msc.

b. Right-click the Administrator template, and select Duplicate Template. The Properties window opens, showing the Compatibility tab.

c. Select Windows Server 2016 under the Certificate Authority and Certificate Recipient drop-down boxes.

d. Click the General tab. In Template display name, type a name for the template.

e. Click the Request Handling tab, and in Purpose select Signature and deselect Allow private key to be exported.

f. Click the Cryptography tab and in the Provider category select Key storage provider.

g. In Algorithm Name, select the desired algorithm from the drop-down list.

h. Click Requests must use one of the following providers and in Providers, select nCipher Security World Key Storage Provider only.

i. In Request Hash, select a hash type.

j. Click the Subject Name tab and deselect Include e-mail name in subject name and deselect E-mail name.

k. Click Apply and OK to save the template settings and close the Certificate Templates console.


2. Run certsrv.msc.

3. In the left-hand pane, double-click the CA name.

4. Make sure the RpcLocator service is running and then run certsrv.msc.

5. Right-click the Certificate Template node and select New > Certificate Template to Issue.

6. Select the template you just created, and click OK.

7. Request a certificate based on the template:

a. Run certmgr.msc.

b. In the left-hand pane, right-click the Personal node, and select All Tasks > Request New Certificate.

c. Click Next and Next to pass through the first two windows.

d. Select the template that you created, and click Enroll.

e. The Key Storage Provider window appears. Click Next.

f. Insert the Administrator card(s), and enter the passphrase or pin when prompted.

g. Proceed to create the new key to be associated with the certificate.

h. Select the type of protection you want to use, and click Next.

i. Depending on the key protection method, enter the required credentials. The Certificate Installation Results window should show STATUS: Succeeded. Click Finish.

If passphrase authentication is enabled, a prompt for the passphrase appears.

8. Verify that the certificate is enrolled successfully. If the certificate fails to enroll, the following error is displayed:

Error: the RPC server is unavailable. 0x800706ba (win32: 1722 RPC_S_SERVER_UNAVAILABLE)

The enrollment wizard shows if the certificate enrollment was successful or failed. Use the Details button to check the main information.

3.7 Setting up key use counting

3.7.1 Key use counter overview

Setting up key use counting is optional. If you require key use counting, follow the procedures described in this section. The procedures described in this section do not apply to most setups.

If you do not follow the procedures described in this section, key use counting is not installed. You cannot add key use counting to a key retrospectively.

The key use counter audits usage of the CA signing key. It maintains a count of how many times the key has been used. The key use counter should only be used with a root CA that has a low volume of signings where the count can be logged immediately before servicing a signature request and after the signature request has been serviced. This ensures that any illicit use of the CA is revealed through discrepancies in the counter log.

Note the following information about the key use counter:

• The counter is in the NVRAM of the HSM. To access the key count value in NVRAM, users must present the ACS to the HSM.

• The counter is a 64-bit integer counter associated with a single private key.

• The counter is started at zero.

• If the maximum count is reached, the counter restarts at zero.

• The counter can exist only on one HSM. If more than one HSM is attached to the server, you must choose which HSM stores the counter.

• If the module firmware is upgraded, the counter value is lost.

• The key counter can only be set at HSM initialization; it cannot be activated after deployment.

3.7.2 Installing Certificate Services with key use counting

To install Certificate Services with key use counting:

1. If it is not already on your system installation, create the file %SystemRoot%\capolicy.inf (where %SystemRoot% is the system environment variable for the Windows installation folder, so by default the file is C:\WINDOWS\capolicy.inf) with the following content:

[Version]

Signature="$Windows NT$"

[certsrv_server]

EnableKeyCounting=True

You must create the capolicy.inf file before Certificate Services is installed.

2. Install the CA using the HSM KSP.

3. Enable auditing for the CA service by running the command:

>certutil -setreg ca\auditfilter 1

4. Stop the certsvc service. Run:

>net stop certsvc

5. Right-click the CA and click Properties.

6. Click the Auditing tab and check the box for Start and Stop Active Directory Certificate Services.


7. Select Start > Administrative Tools > Local Security Policy.

8. Go to Local Policy, expand it and select Audit Policy.

9. In the right pane, double-click Audit Object Access and select Success and Failure.

10. Click Apply and then OK, then close the window.

11. Update the local security policies by opening a command prompt and running the command:

>gpupdate.exe /force

12. Restart the CA service to pick up the changes, by running the command:

>net start certsvc

You will be prompted to enter the CA certificate credentials upon CA restart.

13. Run Eventvwr.exe.

14. Select Windows Logs > Security.

15. Filter for event ID 4881 (CA startup event) or event ID 4880.

16. Verify the CA startup event shows the PrivateKeyUsageCount property with a corresponding value.
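The same setup and check in PowerShell, as an added example that is not part of the nCipher guide: it writes the CAPolicy.inf from step 1 and the UseCountEnabled value from section 3.2 step 5, turns on the auditing from steps 3 and 7 to 11 from the command line, then reads PrivateKeyUsageCount out of the 4880/4881 events and flags a count that changed while the CA service was stopped, which is the discrepancy the counter log is meant to reveal. It assumes the CA role is not yet installed when the first function runs, that UseCountEnabled is a DWORD, and that the event text contains "PrivateKeyUsageCount: <n>" together with the word "started" or "stopped".

```powershell
# Added example, not from the nCipher guide. Assumptions: the CA role is not yet
# installed when Enable-KeyUseCountingPrereqs runs; UseCountEnabled is a DWORD;
# the 4880/4881 event text contains "PrivateKeyUsageCount: <n>" and the word
# "started" or "stopped".

# Section 3.2 step 5 and section 3.7.2 step 1: both the CAPolicy.inf entry and the
# nCipher CNG registry value must exist before the CA role is configured, because
# key use counting cannot be added to a key retrospectively.
function Enable-KeyUseCountingPrereqs {
    $policyPath = Join-Path $env:SystemRoot 'CAPolicy.inf'
    if (-not (Test-Path $policyPath)) {
        @(
            '[Version]'
            'Signature="$Windows NT$"'      # single quotes keep the $ signs literal
            '[certsrv_server]'
            'EnableKeyCounting=True'
        ) | Set-Content -Path $policyPath -Encoding ASCII
    }
    $regPath = 'HKLM:\SOFTWARE\nCipher\CryptoNG'
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name 'UseCountEnabled' -Value 1 -Type DWord
}

# Section 3.7.2 steps 3 and 7 to 11 from the command line: the CA audit filter,
# success and failure auditing for Object Access, and a policy refresh.
function Enable-CAKeyUsageAuditing {
    & certutil.exe -setreg ca\auditfilter 1 | Out-Null
    & auditpol.exe /set /category:"Object Access" /success:enable /failure:enable | Out-Null
    & gpupdate.exe /force | Out-Null
}

# Steps 13 to 16: pull the PrivateKeyUsageCount from the CA start/stop events
# (IDs 4880 and 4881) in the Security log.
function Get-CAKeyUsageCounts {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Security'; Id = 4880, 4881 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        if ($e.Message -match 'PrivateKeyUsageCount:\s*(\d+)') {
            $count = [int64]$Matches[1]
            # The message wording, not the ID, decides the state, so the check does
            # not depend on remembering which ID is the start event.
            $state = if ($e.Message -match 'stopped') { 'stopped' } else { 'started' }
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; State = $state; Count = $count }
        }
    }
}

# Reconciliation check on the counter log. While the CA service is stopped it holds
# no key, so a count that rises between a stop event and the next start event means
# something other than the CA used the signing key. A count that falls means the
# counter was reset (firmware upgrade or wrap-around), so the log has a gap.
# Deltas within a running interval must be reconciled against the certificates and
# CRLs the CA actually signed; that part is left to the operator.
function Find-KeyUsageAnomalies {
    param([Parameter(Mandatory)][object[]]$Counts)   # output of Get-CAKeyUsageCounts
    $ordered = @($Counts | Sort-Object Time)
    $anomalies = @()
    for ($i = 1; $i -lt $ordered.Count; $i++) {
        $prev = $ordered[$i - 1]
        $cur = $ordered[$i]
        $delta = $cur.Count - $prev.Count
        if ($delta -lt 0) {
            $anomalies += "$($cur.Time): counter fell from $($prev.Count) to $($cur.Count) (reset?)"
        } elseif ($prev.State -eq 'stopped' -and $cur.State -eq 'started' -and $delta -gt 0) {
            $anomalies += "$($cur.Time): $delta signing(s) while the CA service was stopped"
        }
    }
    return ,$anomalies
}

# Order of use: Enable-KeyUseCountingPrereqs, install the CA (step 2), then
# Enable-CAKeyUsageAuditing; afterwards review with:
#   Find-KeyUsageAnomalies -Counts (Get-CAKeyUsageCounts)
```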

3.8 CA Backup, migrate and restore

The most common procedure related to backup, migrate and restore for the CA and HSM is to use the options:

• Select a certificate and use its associated private key.

• Select an existing private key.

This procedure describes backing up the CA/HSM data on an existing server and then restoring the CA/HSM data onto a new server. nCipher have successfully tested this procedure in the following configurations:

• Windows Server 2012 (CNG) to Windows Server 2012 R2 (CNG)

• Windows Server 2016 (CNG) to Windows Server 2019 (CNG)

If your existing CA is using a custom CAPolicy.inf file, you should copy the file to the new planned CA server. The CAPolicy.inf file is located in the %SystemRoot% directory, which is usually C:\Windows.


3.8.1 Backing up, migrating and restoring CA using an existing certificate and its associated private key

For this procedure your CA must be protected with module-only protection or 1/N OCS without passphrase as key protection method.

To back up the CA and HSM data on the existing server (machine #1), and then migrate the CA and HSM onto a new server (machine #2):

On machine #1:

1. Back up the CA database by running the command:

>certutil -config <CA_config_string> -backupdb <BackupDirectory>

Default location of the CA .edb file: C:\Windows\System32\CertLog

It is advisable to stop the CA database prior to Backup.

Ideally, in Microsoft Windows Server 2016 and later, you should use PowerShell. For example:

>Backup-CARoleService -Path <path_to_backup_file> -DatabaseOnly

If using CMD (where CA_config_string = Computername\CA-Name), then run, for example:

>certutil -config WINserver1\CA-example -backupdb "C:\Users\Administrator\Documents\dbexample backup"

2. Export the certificate on machine #1:

2. Export the certificate on machine #1:

a. Run mmc.

b. In the console, go to File > Add/Remove Snap-in.

c. Select the Certificates tab and click Add.

d. The certificate snap-in window opens. Select Computer Account and click Next.

e. Keep the default selection and click Finish, then click OK.

f. Go to the directory Trusted Root Certificates > Certificates.

g. Right-click the CA certificate, and click All Tasks > Export, then click Next.

h. Select Base-64 encoded X.509 (.CER), and click Next.

i. Specify the path and file name to save the certificate, and click Next.

j. Click Finish.

k. Click OK to close the export success message.


3. Back up the contents of the Security World data from the following location: C:\ProgramData\nCipher\Key Management Data\local.

4. Uninstall the CA from machine #1.

On machine #2:

1. Copy the backed-up Security World data to the following path on machine #2: C:\ProgramData\nCipher\Key Management Data\local.

2. Load the Security World onto the HSM on machine #2, by running the command:

>new-world -l

For more information about loading a Security World, refer to the User Guide for the HSM.

3. Run the CNG Configuration Wizard.

If selecting operator card set protection, do not check Always use the wizard when creating or importing keys.

4. Copy and install the X.509 certificate into the local user Trusted Root CA Store on machine #2:

a. Right-click the certificate, and click Install.

b. Click Next.

c. Select Local Machine.

d. Select Place all certificates in the following store, and click Browse.

e. Select Trusted Root Certification Authorities, and click OK.

f. Click Next.

g. Click Finish.

h. Click OK to close the import success message.

5. Install the certificate into the Cert:\LocalMachine\My\ store. Using PowerShell, navigate to the LocalMachine store:

>Set-Location -Path Cert:\LocalMachine\My\

Run the following command:

> Import-Certificate -FilePath C:\Users\Adminstrator.ADCSDC\Desktop\Certificate_Name.cer

6. Repair the certificate store by running the following command from the console:

>certutil -f -repairstore -csp "nCipher Security World Key Storage Provider" my "<cert serial number>"


You should receive confirmation similar to:

my "Personal"

================ Certificate 0 ================

Serial Number: 13fa1422bfba4f9a4303e2aa162c25b2

Issuer: CN=ADCS-IO-CA, DC=ADCSDC, DC=internal

NotBefore: 11/10/2019 09:44

NotAfter: 11/10/2024 09:51

Subject: CN=ADCS-IO-CA, DC=ADCSDC, DC=internal

Certificate Template Name (Certificate Type):CA

CA Version: V0.0

Signature matches Public Key

Root Certificate: Subject matches Issuer

Template: CA, Root Certification Authority

Cert Hash(sha1): 486232dc0583012d47c75c74eb0d1b65da9f9484

Key Container = ADCS-IO-CA

Provider = nCipher Security World Key Storage Provider

Private key is NOT exportable

Signature test passed

CertUtil: -repairstore command completed successfully.

7. Click Start > Server Manager to open Server Manager.

8. Install and configure the CA as described in the section "Installing and configuring AD CS" on page 6.

9. Install and configure AD CS with the following settings:

a. In the Set Up Private Key window, select Use existing private key and then Select a certificate and use its associated private key.

b. In the Existing Certificate window, the imported certificate is shown. Select the certificate and select Allow administrator interaction when the private key is accessed by the CA. Click Next.

c. If your CA is protected with OCS protection with passphrase, then the certificate is not displayed in the certificate section. You must remove the passphrase of the operator card set in order to view the CA certificate in the certificate section.

d. In the Certificate Database window click Next.

e. In the Confirmation window click Configure.

10. When the CA installation is complete, click Close in the installation results window.

11. Stop the CA service and then copy the backed-up CA database data onto machine #2.

12. Run the command:

>certutil -shutdown


13. On machine #2, restore the CA database by running the command:

>certutil.exe -f -restoredb <BackupDirectory>

14. Restart the CA by running the command:

>net start certsvc

15. Verify that the CA service has started successfully by running the command:

>sc query certsvc

3.8.2 Backing up, migrating and restoring the CA using an existing private key

To back up the CA and HSM data on the original server (machine #1), and then migrate the CA/HSM onto a new server (machine #2):

On machine #1:

1. Back up the CA database by running the command:

>certutil -config <CA_config_string> -backupdb <BackupDirectory>

2. Back up the Security World data and the private key, which are found in C:\ProgramData\nCipher\Key Management Data\local. For more information about backing up a Security World, refer to the User Guide for the HSM.

3. Uninstall the CA from machine #1.

On machine #2:

1. Copy the backed-up Security World data and the private key to C:\ProgramData\nCipher\Key Management Data\local on machine #2.

2. Load the Security World onto the HSM on machine #2, by running the command:

>new-world -l

For more information about loading a Security World, refer to the User Guide for the HSM.

3. Run the CNG Configuration Wizard and select Use existing Security World.

4. Install Microsoft Active Directory Certificate Services with the following settings:

a. In the Private Key window, select Use existing private key and Use existing private key on this computer. Click Next.


b. In the Select Existing Key window, click Change. The Change Cryptographic Provider window opens.

c. Select the CSP that contains the created key. Delete the contents of the field CA common name, and click Search. The search results should find the existing private key.

d. Select the key that you generated on machine #1, click Allow administrator interaction when the private key is accessed by the CA, and click Next.

e. On the Cryptography for CA window, click Next.

f. In the CA name window, click Next.

g. In the Validity Period window, specify the validity period and click Next.

h. In the Certificate Database window, specify the certificate database location and click Next.

i. On the Confirmation window, click Configure.

j. In the Installation Results window, click Close.

5. Copy the backed-up CA database data onto machine #2.

6. Run the command:

>certutil -shutdown

7. On machine #2, restore the CA database by running the command:

>certutil.exe -f -restoredb <BackupDirectory>

8. Restart the CA by running the command:

>net start certsvc

9. Verify that the CA service has started successfully by running the command:

>sc query certsvc
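The following PowerShell is an added example, not nCipher's code, that scripts the backup on machine #1 and the key re-association and database restore on machine #2 from sections 3.8.1 and 3.8.2. The CA config string, backup root and exported .cer path are placeholders; the AD CS role is still configured through the wizard between the two machine #2 functions.

```powershell
# Added example (not nCipher's code): scripts the backup on machine #1 and the
# key re-association and database restore on machine #2 from sections 3.8.1/3.8.2.
# Assumptions: CA config string, backup root and exported .cer path are placeholders;
# the AD CS role is configured through the wizard between the two machine #2 steps.

$SecurityWorldDir = 'C:\ProgramData\nCipher\Key Management Data\local'

# --- Machine #1: CA database + Security World data, with a hash manifest -----------
function Backup-CaAndSecurityWorld {
    param(
        [Parameter(Mandatory)] [string] $CaConfig,   # e.g. 'WINserver1\CA-example'
        [Parameter(Mandatory)] [string] $BackupRoot  # e.g. 'D:\CA-migration' (assumed)
    )
    $dbDir = Join-Path $BackupRoot 'CA'              # certutil writes <dir>\DataBase here
    $swDir = Join-Path $BackupRoot 'SecurityWorld'
    New-Item -ItemType Directory -Path $dbDir, $swDir -Force | Out-Null

    # Stop the CA so the .edb and its logs are quiescent during the backup.
    Stop-Service -Name certsvc -ErrorAction Stop
    try {
        & certutil.exe -config $CaConfig -backupdb $dbDir
        if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed ($LASTEXITCODE)" }
        Copy-Item -Path (Join-Path $SecurityWorldDir '*') -Destination $swDir -Recurse -Force
    }
    finally { Start-Service -Name certsvc }

    # SHA-256 manifest (relative paths) so the copy can be verified on machine #2.
    $root = (Resolve-Path $BackupRoot).Path
    $rows = foreach ($f in Get-ChildItem -Path $root -Recurse -File) {
        [pscustomobject]@{
            RelativePath = $f.FullName.Substring($root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
    $rows | Export-Csv -Path (Join-Path $root 'manifest.csv') -NoTypeInformation
}

# --- Machine #2, step 1: verify the copy, put the Security World in place, bind key ---
function Test-BackupManifest {
    param([Parameter(Mandatory)] [string] $BackupRoot)
    $root = (Resolve-Path $BackupRoot).Path
    $bad = foreach ($row in Import-Csv (Join-Path $root 'manifest.csv')) {
        $full = Join-Path $root $row.RelativePath
        if (-not (Test-Path $full) -or
            (Get-FileHash -Path $full -Algorithm SHA256).Hash -ne $row.Sha256) { $row.RelativePath }
    }
    return @($bad).Count -eq 0
}

function Initialize-CaKeyOnTarget {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [string] $CaCertPath,   # .cer exported in 3.8.1; omit for the 3.8.2 (key-only) path
        [string] $Ksp = 'nCipher Security World Key Storage Provider'
    )
    if (-not (Test-BackupManifest -BackupRoot $BackupRoot)) {
        throw 'Backup manifest check failed; do not continue with a corrupt copy.'
    }
    Copy-Item -Path (Join-Path $BackupRoot 'SecurityWorld\*') -Destination $SecurityWorldDir -Recurse -Force
    & new-world -l                     # load the Security World onto the HSM (nCipher utility)
    if ($CaCertPath) {
        # 3.8.1: trust the CA certificate, place it in LocalMachine\My and re-associate
        # it with the HSM-held private key through the nCipher KSP.
        Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        $cert = Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\My
        & certutil.exe -f -repairstore -csp $Ksp my $cert.SerialNumber
        if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed ($LASTEXITCODE)" }
    }
}

# --- Machine #2, step 2 (after the AD CS wizard has run): restore the database --------
function Restore-CaDatabase {
    param([Parameter(Mandatory)] [string] $BackupRoot)
    & certutil.exe -shutdown
    & certutil.exe -f -restoredb (Join-Path $BackupRoot 'CA')
    if ($LASTEXITCODE -ne 0) { throw "certutil -restoredb failed ($LASTEXITCODE)" }
    Start-Service -Name certsvc
    return (Get-Service -Name certsvc).Status -eq 'Running'
}
```

Run Backup-CaAndSecurityWorld on machine #1, then on machine #2 run Initialize-CaKeyOnTarget, complete the CNG Configuration Wizard and AD CS configuration as described above, and finish with Restore-CaDatabase.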

3.9 Installing the OCSP

If you are installing OCSP on a different server from the CA, see "Installing the software and creating or sharing the Security World" on page 4 for instructions on sharing the Security World.

To install Online Responder Services:

1. Open Server Manager. Select Start > Server Manager.

2. Click Manage and then click Add Roles & Features.


3. The Before you begin window appears. Click Next.

4. On the Select installation type window, make sure the default selection of Role or Feature Based Installation is selected. Click Next.

5. On Server selection, select a server from the server pool and click Next.

6. On the Select server roles window, select the Active Directory Certificate Services role.

7. Expand the Roles section (in the left-hand section) and click Online Responder.

8. Click Add Feature, then click Next.

9. On Select Feature window click Next.

10. On Web Server Role Screen click Next.

11. On Role Service Screen keep the default selection and click Next, then click Install.

12. When the installation completes, click the Configure Active Directory Certificate Services on the destination server link.

13. Tick the check box for Online Responder and then click Configure.

14. Click Next. The Progress window is displayed during the configuration processing. The Results window appears.

15. Click Close. If the Installation progress window is still open, click Close on that window also.

3.10 Configuring the CA to issue an OCSP Response Signing Certificate

This section describes how to update the OCSP certificate template for use with the key storage provider CNG. This procedure assumes you have an Enterprise CA installed.

3.10.1 Configuring certificate templates for your environment

1. Go to Start > Run.

2. In the Run dialog type mmc and click OK.

3. In the mmc console that appears go to File > Add/Remove Snap-in.

4. In the Add or Remove Snap-Ins dialog box that appears find and click the Certificate Templates snap-in.

5. Click Add and then click OK.

6. Under Console Root expand the Certificate Templates snap-in. All the available certificate templates that you can issue with your CA are listed in the middle section.

7. Scroll down the list until you locate the OCSP Response Signing template. Right-click the OCSP Response Signing template and click Properties.

8. In the popup dialog that appears click the Security tab and click Add.

9. In the Select User, Computers, Service Accounts or Groups dialog that appears, select object types and make sure Computers is checked.

10. Type the computer name if known, or search using the Advanced button in the lower left of the window, and then Find now to look for the OCSP host server name.


11. Select the object and click Check Names, then click OK.

12. Click on the Advanced button, then click Find Now.

13. In the Search Results panel, scroll down to locate the relevant server name hosting the OCSP responder.

14. Select the server name, and click OK. The machine hosting the Online Responder is added to the Group and user names area under the Security tab.

15. Click the machine name in the Group and user names area and under the Permissions area give all permissions to the machine.

Do not click Apply or OK until the certificate template has been fully configured.

16. Click the Request Handling tab and make sure that both Authorize additional service accounts to access the private key and Allow private key to be exported are disabled.

17. Click the Cryptography tab. Select the algorithm, hash and key size you want to use from the Algorithm Name drop-down combo box. We recommend that you choose the same algorithm as your CA is using, although you can use any.

18. Below the combo box are two radio buttons: select Requests must use one of the following providers.

19. Check the box that opens next to the nCipher Security World Key Storage Provider entry.

20. Select the Subject Name tab. The radio button Build this from Active Directory Information is selected. If the following options are displayed:

l E-mail

l DNS name

l User principal name (UPN)

l Service principal name (SPN)

Make sure that only Service Principal Name (SPN) is checked.

21. Uncheck any other checked boxes. Click Apply and then OK.

To use CAPI CSP, make a copy of an OCSP Response Signing template. From the Cryptography tab, under the provider category, select Legacy Cryptographic Service Provider. Then, select Requests must use one of the following providers and check nCipher Enhanced Cryptographic Provider.

3.10.2 Configuring the CA to support the Online Responder service

1. Run certsrv.msc.

2. Navigate to your CA.

3. Right click on the CA and click Properties.

4. Select Extensions tab. In the Select extension list, click Authority Information Access (AIA).

5. Click Add and in the Add Location dialog box type under Location http://machinename/ocsp. Click OK.


6. On the Extensions tab make sure the URL that was just added to the locations area is highlighted. Then make sure the check boxes next to Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension are ticked.

7. Click Apply, let the service restart, then click OK.

To restart the service, you will need to present the CA credentials (passphrase or OCS and associated passphrase(s)) to the HSM.

8. In certsrv.msc, expand all directories under your Certificate Authority. Right-click Certificate Templates, and select New > Certificate Template to Issue.

9. From the list, select the OCSP Response Signing template and click OK to add it to your list of usable templates.

You may need to refresh the window to see the newly-added template.
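As an added check for the AIA configuration in 3.10.2 (example code, not nCipher's): the two check boxes map to bits in the CA's CACertPublicationURLs registry entries (2 = include in AIA extension of issued certificates, 32 = include in OCSP extension, both documented certutil CSURL_* flags). The function below reads the active CA's entries from the standard AD CS configuration key and confirms that an http://<OCSP host>/ocsp entry carries both bits; the host name and sample entries are constructed.

```powershell
# Added example (not part of the nCipher guide): verifies the AIA/OCSP publication
# URL set up in section 3.10.2 by reading the CA's CACertPublicationURLs value.
# Flag bits follow the certutil CSURL_* definitions: 2 = AIA of issued certs,
# 32 = OCSP extension. Registry path is the standard AD CS configuration key.

# Parses entries of the form '<flags>:<url>' into objects; split out so it can be
# exercised on constructed input without a CA present.
function ConvertFrom-PublicationUrls {
    param([string[]] $Entries)
    foreach ($e in $Entries) {
        if ($e -match '^(\d+):(.+)$') {
            $flags = [int] $Matches[1]
            [pscustomobject]@{
                Flags     = $flags
                Url       = $Matches[2]
                InAia     = ($flags -band 2)  -ne 0
                InOcspExt = ($flags -band 32) -ne 0
            }
        }
    }
}

# Reads the entries for the active CA (or a named one) from the registry.
function Get-CaPublicationUrls {
    param([string] $CaName)
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not $CaName) { $CaName = (Get-ItemProperty -Path $cfg -Name Active).Active }
    $raw = (Get-ItemProperty -Path (Join-Path $cfg $CaName) -Name CACertPublicationURLs).CACertPublicationURLs
    ConvertFrom-PublicationUrls -Entries $raw
}

# True when an http://<OcspHost>/ocsp entry is included in both the AIA and the OCSP extension.
function Test-OcspAiaConfigured {
    param([Parameter(Mandatory)] [string[]] $Entries, [Parameter(Mandatory)] [string] $OcspHost)
    $ok = ConvertFrom-PublicationUrls -Entries $Entries |
        Where-Object { $_.InAia -and $_.InOcspExt -and $_.Url -like "http://$OcspHost/ocsp*" }
    return @($ok).Count -gt 0
}

# Constructed sample of what the value looks like after step 6 above (34 = 2 + 32).
$sample = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:http://ca1.example.internal/CertEnroll/%1_%3%4.crt',
    '34:http://ocsp1/ocsp'
)
Test-OcspAiaConfigured -Entries $sample -OcspHost 'ocsp1'

# On the CA itself, check the live configuration instead of the sample:
# Test-OcspAiaConfigured -Entries ((Get-CaPublicationUrls).ForEach({ "$($_.Flags):$($_.Url)" })) -OcspHost 'ocsp1'
```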

3.10.3 Requesting a certificate from OCSP Response Signing template

1. Go to Run, and type cmd to open the command prompt. Run the command:

> certutil -pulse

2. Go to Run, type mmc and click OK.

3. In the mmc console that appears, select File > Add/Remove Snap-in.

4. In the Add or Remove Snap-Ins pop-up dialog that appears, find the Certificates snap-in (under the Available snap-ins section).

5. Click the snap-in and click Add.

6. In the dialog that appears, check the Computer Account radio button, and then click Next.

7. In the Select Computer dialog, make sure that Local Computer is selected and click Finish. Then click OK.

8. Under the Console Root, expand the Certificates heading.

9. Select the Personal folder and expand it.

10. Right-click Certificates and select All Tasks > Request New Certificate.

11. On the Before You Begin page click Next.

12. On the Select Certificate Enrollment Policy page click Next.

13. On the Request Certificates page select OCSP Response Signing template and click Enroll.

14. When prompted, present the ACS quorum and then the OCS quorum and enter the applicable passphrases.

15. On the Certificate Installation Results page select Finish.


3.10.4 Verifying that the signing certificate is properly configured

1. Select the Personal folder and expand it.

2. Select the Certificates folder. In the right-hand pane, an OCSP certificate appears.

3. Right-click the certificate and click Properties.

4. A dialog box appears. On the General tab under Certificate Purposes select Enable Only for the following purposes, and make sure the check box for OCSP is ticked. Click Apply and then OK.

3.10.5 Modifying the Online Responder service to use a nCipher HSM

1. Run Services.

2. Locate the Online Responder Service in the list of services.

3. Right-click the Online Responder Service and select Properties.

4. In the dialog box that appears select the Log on tab.

5. Under the Log on as heading, click the radio button next to Local System account. The heading Allow service to interact with desktop becomes active with a check box next to it.

6. Select the check box. Click Apply, then OK.

7. From the Services window, right-click Online Responder Service and restart the service.

3.11 Setting up a revocation configuration

A revocation configuration is needed to respond to status requests about certificates that have been issued by a specific CA. Revocation configuration settings include:

l The CA certificate

l The signing certificate for the online responder

l The locations that clients can send their requests to

To set up a revocation configuration:

1. Open the Server Manager Dashboard and from the Tools menu select Online Responder Management.

2. Click Start and click Online Responder Management.

3. In the left-hand pane click Revocation Configuration.

4. In the right-hand pane under Actions click Add Revocation Configuration.

5. Click Next on the Getting started with adding a revocation configuration section.

6. In the Name the Revocation Configuration section, type a name for the configuration in the text box. (For this example we use Test.) Then click Next.

7. In the Select CA Certificate Location section make sure the Select a certificate for an Existing enterprise CA radio button is checked and click Next.

8. In the Choose CA Certificate section make sure the Browse CA certificates published in Active Directory radio button is selected and then click Browse.


9. In the Select Certification Authority dialog box select the CA and click OK then Next.

10. In the Select Signing Certificate section ignore the default settings and make sure the Manually select a signing certificate radio button is selected. Click Next.

11. If you are installing OCSP on a different server to the CA:

Follow the details provided below (a through e) to install the OCSP on a different server from the CA. If the OCSP is on the same server as the CA, just click Finish.

a. On the Revocation Provider section click the Provider tab. The Revocation Provider Properties dialog is displayed.

b. Under Base CRLs, click Add.

c. Enter http://<OCSP hostname>/ocsp/<CA-name>.crl in the Open URL dialog box and click OK.

d. Under Base CRLs, select the above URL, click Move Up and then click OK.

e. Copy the CRL files from the C:\Windows\System32\certsrv\CertEnroll folder of the CA server to the C:\Windows\SystemData\ocsp folder of the OCSP server.

12. In the next window click Finish. A dialog box opens stating Executing the specified action.... Let this finish.

13. When the wizard completes, the status of the Online Responder is shown in the Revocation Configuration Status box as Bad Signing Certificate on Array Controller.

14. To fix this, click Array Configuration in the left-hand pane and expand it.

15. In the directory tree, click the machine name that you are using.

16. The revocation configuration that you just created is listed in the middle section, in this case Test.

17. In the right-hand pane, click Assign a signing certificate.

18. Check the certificate that you set up earlier is listed in the dialog box that opens. Click OK.

19. Go back to the Revocation Configuration pane and right-click the revocation configuration you created (in this case Test) and then click Edit Properties.

20. A Properties for Revocation Configuration: Test pane opens. Three tabs are available. Click the Signing tab.

21. Uncheck the Do not prompt for credentials for cryptographic operations check box and click OK. If the key is protected by a token, present this when requested.

22. Go back to Online Responder Management, go to Actions and click Refresh.

23. In the left-hand pane click Online Responder: Computer Name and check that the Revocation Configuration Status shows as Working.

3.12 Verifying that OCSP works correctly

3.12.1 Generating a certificate request

The WebServer certificate template must be available. If required, install the WebServer certificate template via certsrv.msc. Right-click Certificate Templates, and select New > Certificate Template to Issue. Then, select the WebServer template.

1. Open Notepad and create a file called rsa.inf with contents similar to the following on your local C drive:

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "C=GB,CN=rsa.inf"
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty

In the rsa.inf file replace the subject with your CA common name.

2. Go to your local directory and find the file rsa.inf.

3. Check that rsa.inf contains the following messages:

Leaf certificate revocation check passed

CertUtil: -verify command completed successfully.

4. From the command prompt navigate to your local C drive and add:

>certreq -new rsa.inf rsa.req

5. Check that rsa.req is listed in the directory.

6. In the command line run the command:

>certreq -submit -attrib "CertificateTemplate:WebServer" rsa.req

7. Click OK to select the CA certificate and save it as rsa.cer in your local directory.

8. Navigate to the directory where you saved the certificate and look for rsa.cer.

3.12.2 Removing information about the certificate's CRL

1. Select Start > Run, and enter certsrv.msc. Click OK.

2. Click Certificate Authority. A list of folders below the CA appears.

3. Right-click the Revoked Certificates folder and click All Tasks, Publish. A Publish CRL dialog appears.


4. Click OK to select a New CRL.

5. Right-click the CA and select Properties.

6. Click the Extensions tab.

7. Check that the Select extension drop-down list box shows CRL Distribution Point (CDP).

8. Click any of the listed CRL distribution points, and click Remove, then Yes.

9. Click Apply. A pop-up box appears saying you need to restart the service.

10. Click Yes to restart the service, and then click OK to close the dialog.

3.12.3 Retrieving information about the certificate's AIA, CRLs, and OCSP

1. To check that clients can still obtain revocation data, in the command prompt navigate to the folder where the certificate is stored, then type:

>certutil -url rsa.cer

2. The URL Retrieval Tool appears.

3. Select Certs (from AIA) and click Retrieve.

4. The list contains the verified Certificate and its URL. Select CRLs (from CDP) and click Retrieve.

5. Compare the results to what you had earlier when you removed a CRL distribution point. CRLs show they have been verified.

6. Select OCSP (from AIA) and click Retrieve.

7. The list contains the Verified OCSP URL. Click Exit.

3.12.4 Verifying the OCSP Server is Active

1. To check details about the certificate and its CA configuration, in the command prompt navigate to the folder where the certificate is stored, then type:

>certutil -verify rsa.cer > rsa.txt

2. Open the text file rsa.txt. The last few lines should be as follows:

Verified Issuance Policies: None

Verified Application Policies:

1.3.6.1.5.5.7.3.1 Server Authentication

Leaf certificate revocation check passed

CertUtil: -verify command completed successfully

3. This shows that the OCSP Server is working correctly and there were no errors.
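The steps in 3.12.1 to 3.12.4, scripted as an added example (not nCipher's code). It writes the rsa.inf from 3.12.1, creates and submits the request, reads the OCSP URL from the issued certificate's AIA extension, and parses the certutil -verify output for the two lines above. The WebServer template is assumed to be published and the caller able to enroll; $CaConfig ('host\CA-name'), the work directory and the Test-OcspEndToEnd wrapper are this example's own.

```powershell
# Added example (not nCipher's code): scripted form of the request, submission and
# verification steps in sections 3.12.1 to 3.12.4. Assumptions: the WebServer template
# is published and the caller may enroll; $CaConfig is the 'host\CA-name' string; the
# work directory, subject and the Test-OcspEndToEnd wrapper are this example's own.

function New-OcspTestRequest {
    param(
        [Parameter(Mandatory)] [string] $WorkDir,
        [string] $Subject  = 'C=GB,CN=rsa.inf',   # replace with your CA common name
        [string] $Provider = 'nCipher Security World Key Storage Provider'
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    # Same request parameters as the guide's rsa.inf; the key is generated in the HSM via the KSP.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "$Provider"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
"@
    $infPath = Join-Path $WorkDir 'rsa.inf'
    $reqPath = Join-Path $WorkDir 'rsa.req'
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    & certreq.exe -new $infPath $reqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
    return $reqPath
}

function Submit-OcspTestRequest {
    param([Parameter(Mandatory)] [string] $ReqPath, [Parameter(Mandatory)] [string] $CaConfig)
    $cerPath = [IO.Path]::ChangeExtension($ReqPath, '.cer')
    & certreq.exe -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $ReqPath $cerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }
    return $cerPath
}

# Reads the OCSP responder URL out of the issued certificate's AIA extension (3.12.3).
function Get-OcspUrlFromAia {
    param([Parameter(Mandatory)] [string] $CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) { return $null }
    # Format() renders each access description; take the URL under the OCSP access method OID.
    if ($aia.Format($true) -match '(?s)1\.3\.6\.1\.5\.5\.7\.48\.1\).*?URL=(\S+)') { return $Matches[1] }
    return $null
}

# Parses certutil -verify output for the two lines the guide says must be present (3.12.4).
function ConvertFrom-VerifyOutput {
    param([Parameter(Mandatory)] [string] $Text)
    [pscustomobject]@{
        RevocationPassed = [bool]($Text -match 'Leaf certificate revocation check passed')
        Completed        = [bool]($Text -match '-verify command completed successfully')
    }
}

function Test-OcspEndToEnd {
    param([Parameter(Mandatory)] [string] $CaConfig, [string] $WorkDir = 'C:\ocsp-test')
    $req = New-OcspTestRequest -WorkDir $WorkDir
    $cer = Submit-OcspTestRequest -ReqPath $req -CaConfig $CaConfig
    # -urlfetch makes certutil fetch AIA/CDP/OCSP data instead of relying on the local cache.
    $text = (& certutil.exe -verify -urlfetch $cer 2>&1 | Out-String)
    Set-Content -Path (Join-Path $WorkDir 'rsa.txt') -Value $text   # same rsa.txt as step 1 above
    $result = ConvertFrom-VerifyOutput -Text $text
    [pscustomobject]@{
        OcspUrl          = Get-OcspUrlFromAia -CerPath $cer
        RevocationPassed = $result.RevocationPassed
        Completed        = $result.Completed
    }
}
```

If OcspUrl is empty the AIA extension was not populated (see 3.10.2); if RevocationPassed is false, inspect rsa.txt for the failing CDP or OCSP line.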


3.13 Uninstalling AD CS and OCSP

To uninstall AD CS and OCSP:

1. Open Server Manager and click Start > Server Manager.

2. Click Manage and then click Remove Roles & Features. The Before you begin window opens. Click Next.

3. On server selection, select a server from the server pool, and click Next.

4. Deselect Active Directory Certificate Services and Online Responder, and click Next.

5. When the Removal process is complete, click Close and restart the machine.


4 Troubleshooting

The following table provides troubleshooting guidelines.

Problem: Online Responder reports Bad Signing Certificate on Array Controller.
Cause: This error occurs when the CA certificate is stale or cannot be located by the Online Responder client.
Resolution: Ensure that the steps above have been correctly carried out. Also, ensure that the CA is correctly configured and that a valid CA certificate exists for OCSP Signing.

Problem: Using certutil -url <certnamehere.cer> and selecting Certs (from AIA) shows an entry in the list called AIA with Failed next to it.
Cause: This error occurs when Certificate Authority Web Enrollment is not installed on the CA.
Resolution: Install Certificate Authority Web Enrollment on the CA machine. Go to Server Manager. Expand the Roles section (in the left-hand section) and click Active Directory Certificate Services. In the bottom right-hand section, click Add Role Services and select Certificate Authority Web Enrollment.

Problem: Using the certreq -new <.req file here> command returns an Invalid Provider Specified error.
Cause: This error occurs when the CSPs are not installed and set up on the client machine or are not set up correctly.
Resolution: Ensure that the nCipher CAPI CSP and nCipher CNG CSP providers are correctly installed and set. (Do this by running the CSP Install Wizard and CNG Configuration Wizard under nCipher in the Start menu.)

Problem: When using the CAPI or CNG wizard to access a private key protected by an OCS with password, you are prompted multiple times to enter the password.
Cause: This error is due to a problem in Windows Server 2012.
Resolution: To prevent this from happening, download and install the hotfix available at the following location: http://support.microsoft.com/kb/2740017/EN-US

Problem: When presenting a Java card OCS (V12 onwards only), the AD CS Configuration Wizard does not detect the OCS. cardpp --examine shows TokenSecureChannelError.
Cause: TokenSecureChannelError can occasionally be seen when presenting a Java card OCS.
Resolution: Remove and re-insert the OCS until it is picked up by cardpp and the AD CS Configuration Wizard.


Contact Us

Web site: https://www.ncipher.com
Support: https://help.ncipher.com
Email Support: [email protected]
Online documentation: Available from the Support site listed above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa

United Kingdom: +44 1223 622444
One Station Square, Cambridge, CB1 2GA, UK

Americas

Toll Free: +1 833 425 1990
Fort Lauderdale: +1 954 953 5229
Sawgrass Commerce Center - A, Suite 130, 13800 NW 14 Street, Sunrise, FL 33323, USA

Asia Pacific

Australia: +61 8 9126 9070
World Trade Centre Northbank Wharf, Siddeley St, Melbourne VIC 3005, Australia

Japan: +81 50 3196 4994
Hong Kong: +852 3008 3188
10/F, V-Point, 18 Tang Lung Street, Causeway Bay, Hong Kong


About nCipher Security

nCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM) market, empowering world-leading organizations by delivering trust, integrity and control to their business critical information and applications. Today's fast-moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency; it also multiplies the security risks. Our cryptographic solutions secure emerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates. We do this using our same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensure the integrity of your data and put you in complete control; today, tomorrow, always.

www.ncipher.com