Integrate the nShield Hardware Security Module (HSM) with AD Certificate Services (AD CS) and the Online Certificate Status Protocol (OCSP)

Billybob Agent

Procedures

Install the HSM

Install the HSM using the instructions in the Installation Guide for the nShield HSM.

Entrust recommends that you install the HSM before you configure the Security World software and before you install and configure Active Directory (AD) CS and OCSP.

If you already have an HSM installed and a Security World configured, proceed to Install and configure AD CS with Windows Server Enterprise.

Install the software and create or share the Security World

To install the Security World software and create the Security World:

  1. Install the latest version of the Security World software as described in the User Guide for the HSM. Entrust recommends that you uninstall any existing Security World software before installing the new Security World software.
  2. Initialize a Security World as described in the User Guide for the HSM.

    You will be using this Security World when you are installing and registering either CSP or CNG providers.

  3. Register the CSPs that you intend to use:
    • Windows Server Enterprise:

      For CAPI on 64-bit Windows, both 32-bit and 64-bit CSP install wizards are available. If you intend to use the CAPI CSPs from both 32-bit and 64-bit applications, or if you are unsure, run both wizards. The CNG Configuration Wizard registers the CNG Providers for use by both 32-bit and 64-bit applications where relevant. For detailed information on registering the CAPI CSPs or CNG Providers, refer to the User Guide for the HSM.

    • Windows Server Core, run the following commands:
      > cnginstall --install
      > cngregister
      > capingwizard
  4. Install the Security World software both on the OCSP server and on the CA server. Share the Security World by copying the %NFAST_KMDATA%\local directory from the CA server to the OCSP server. See the User Guide for more information.
  5. If you are going to use Key Counting using the nShield CNG/KSP with the CA, you need to create a CAPolicy.inf file in the %Windows% directory before installing the CA role, and set a registry value. The Registry container is HKLM\Software\nCipher\CryptoNG\ and the Registry Key is UseCountEnabled which must be set to 1. See Install Certificate Services with key use counter.
  6. If you are intending to use Module protection, pool mode can be configured using the relevant CNG or CAPI wizards. To enable pool mode using the CNG wizard:
    1. Launch the CNG configuration wizard, and select the Enable HSM Pool Mode screen.
    2. Select the Enable HSM Pool Mode for CNG Providers option.

    To enable pool mode using the CSP wizards:

    1. Select 32bit CSP install wizard or 64bit CSP install wizard (depending on the platform in use).
    2. Launch the 32bit CSP install wizard or the 64bit CSP install wizard, and select the Enable HSM Pool Mode screen. Select the Enable HSM Pool Mode for CAPI Providers option.
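The two preparation steps that are easy to get subtly wrong are step 4 (sharing the Security World with the OCSP server) and step 5 (the key-counting registry value). The following PowerShell is an added example, not code from the Entrust article: it sets UseCountEnabled, reads it back, copies %NFAST_KMDATA%\local to the OCSP server and verifies the copy by file hash. The OCSP server name, the assumption that UseCountEnabled is a REG_DWORD, and the default Key Management Data path on the OCSP server are assumptions and should be adjusted for your environment.

```powershell
# Added example (not Entrust's code): prepare the CA server for key counting and share its
# Security World with the OCSP server. Run in an elevated PowerShell on the CA server after
# the Security World software is installed. Values marked "assumption" are placeholders.

$OcspServer = 'OCSP01'   # assumption: name of the OCSP server

# --- Step 5: key counting. Registry container and value name come from the article. ---
$RegPath = 'HKLM:\SOFTWARE\nCipher\CryptoNG'
if (-not (Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}
# Assumption: the value is a REG_DWORD; the article only says it must be set to 1.
Set-ItemProperty -Path $RegPath -Name 'UseCountEnabled' -Value 1 -Type DWord

# Read it back so a typo in the path or name fails here, not later as a CA silently
# running without key counting.
$Actual = (Get-ItemProperty -Path $RegPath -Name 'UseCountEnabled').UseCountEnabled
if ($Actual -ne 1) { throw "UseCountEnabled is '$Actual', expected 1" }

# --- Step 4: share the Security World by copying %NFAST_KMDATA%\local to the OCSP server. ---
if (-not $env:NFAST_KMDATA) { throw 'NFAST_KMDATA is not set; is the Security World software installed?' }
$Source = Join-Path $env:NFAST_KMDATA 'local'
# Assumption: the OCSP server uses the default Windows location for Key Management Data.
$Destination = "\\$OcspServer\C$\ProgramData\nCipher\Key Management Data\local"

# Create the target first and copy the *contents* of 'local'; copying the directory itself
# into an existing destination would nest it one level too deep.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force

# Do not trust a silent copy: compare hashes of every file on both sides. The key blobs are
# encrypted under the Security World and useless without the HSM, but an incomplete or
# stale copy leaves the OCSP server unable to load the shared world.
$Mismatch = Get-ChildItem -Path $Source -File -Recurse | ForEach-Object {
    $Relative = $_.FullName.Substring($Source.Length).TrimStart('\')
    $Remote   = Join-Path $Destination $Relative
    if (-not (Test-Path $Remote) -or
        (Get-FileHash $_.FullName).Hash -ne (Get-FileHash $Remote).Hash) { $Relative }
}
if ($Mismatch) { throw "Security World copy incomplete: $($Mismatch -join ', ')" }
"Security World shared with $OcspServer; run nfkminfo on both servers and confirm they report the same world."
```

Run it once per CA server; both halves are idempotent, so re-running after a change to the Security World simply refreshes the OCSP server's copy.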

Install and configure AD CS with Windows Server Enterprise

If you are using Windows Server Core, see Install and configure AD CS with Windows Server Core.

To create an AD-integrated CA, that is, an Enterprise CA, an account with Enterprise Administrator level privileges is required for the role configuration.

  1. Join the domain.
  2. Select Start > Server Manager to open Server Manager.
  3. Select Manage, then select Add Roles & Features. The Before you begin window opens. Select Next.
  4. On the Select installation type window, make sure the default Role or Feature Based Installation is selected. Select Next.
  5. On Server selection, select a server from the server pool. Select Next.
  6. On the Select server roles window, select the Active Directory Certificate Services role.
  7. When prompted to install Remote Server Administration Tools, select Add Features. Select Next.
  8. On the Select features window, select Next.
  9. On the Active Directory Certificate Services window, select Next.
  10. On the Select role services window, the Certification Authority role is selected by default. Select Next.
  11. On the Confirm installation selections window, verify the information, then select Install.
  12. When the installation is complete, select the Configure Active Directory Certificate Services on the destination server link.
  13. On the Credentials window, make sure that Administrator’s credentials is displayed in the Credentials box. If not, select Change and specify the appropriate credentials. Select Next.
  14. On the Role Services window, select Certification Authority. This is the only available selection when the certification authority role is installed on the server. Select Next.
  15. On the Setup Type window, select the appropriate CA setup type for your requirements. Select Next.
  16. On the CA Type window, Root CA is selected by default. Select Next.
  17. On the Private Key window, leave the default selection to Create a new private key selected. Select Next.
  18. On the Cryptography for CA window, select the appropriate nShield cryptographic provider along with the key type, key length and suitable hash algorithm:
    • RSA #nCipher Security World Key Storage Provider
    • ECDSA_P256 #nCipher Security World Key Storage Provider
    • ECDSA_P384 #nCipher Security World Key Storage Provider
    • ECDSA_P521 #nCipher Security World Key Storage Provider

    If OCS or Softcard protection is used, select the Allow administrator interaction when the private key is accessed by the CA option.

  19. Select Next.
  20. On the CA Name window, give the appropriate CA name. Select Next.
  21. On the Validity Period window, enter the number of years for the certificate to be valid. Select Next.
  22. On the CA Database window, leave the default locations for the database and database log files. Select Next.
  23. On the Confirmation window, select Configure.
  24. If you selected an nCipher cryptographic provider on the Cryptography for CA window, the nCipher Key Storage Provider - Create a key wizard prompts you to create a new key. Select Next and OK. Select a way to protect the new key. Select Next.
      If either Softcard or OCS (token) protection was chosen when the CSP/CNG providers were installed using the wizards, you will be prompted either to enter the Softcard passphrase / PIN or to present the OCS and its credential. There is no prompt if Module protection was chosen.
      If you are using a FIPS 140-2 Level 3 Security World, you will need to present a card from either the ACS or an OCS for FIPS authorization before the AD CS key can be generated, irrespective of your chosen protection method.
  25. When the passphrase(s) has been successfully presented, close the wizard.
      The Progress window opens during the configuration processing, then the Results window opens. Select Close. If the Installation progress window is still open, select Close on that window also.
  26. Register nFast Server as a dependency of AD CS with the ncsvcdep tool in the nfast/bin directory. This is needed because the nShield service must have started before the CA service starts; otherwise the nShield CNG providers fail to load.

    Run the command:

    > ncsvcdep -a certsvc
  27. Verify that the CA service has started successfully by running the following command on the command line. Use Windows key + R to open the Run dialog, and type cmd to open the command prompt.

    Run the command:

    > sc query certsvc

    Output:

    SERVICE_NAME        : certsvc
    TYPE                : 110 WIN32_OWN_PROCESS (interactive)
    STATE               : 4 RUNNING
    (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE     : 0 (0x0)
    SERVICE_EXIT_CODE   : 0 (0x0)
    CHECKPOINT          : 0x0
    WAIT_HINT           : 0x0

Install and configure AD CS with Windows Server Core

If you are using Windows Server Enterprise, see Install and configure AD CS with Windows Server Enterprise.

  1. Join the domain by running the command:
    > netdom join $(hostname) /domain:<full_DNS_domain_name> /userd:<user_name> /passwordd:<password>
  2. Restart the machine after joining the domain by running the command:
    > shutdown /r /t 0
  3. Enable WOW64 if you are working with 32-bit applications.
  4. Run PowerShell as an administrator.
  5. Install the CA binaries via PowerShell by running the command (PowerShell parameters take a single dash):
    > Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
  6. Configure the CA via PowerShell by running the command:
    > Install-AdcsCertificationAuthority -AllowAdministratorInteraction -CAType EnterpriseRootCA -CryptoProviderName "ECDSA_P256#HSM_KSP_NAME" -KeyLength 256 -HashAlgorithmName SHA256

    Example:

    > Install-AdcsCertificationAuthority -AllowAdministratorInteraction -CACommonName "Fips-128-Module-CA-1" -CAType EnterpriseRootCA -CryptoProviderName "RSA#nCipher Security World Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256
  7. When the confirmation message appears, type A and press Enter.
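The Server Core steps above, collected into one script that can be re-run safely. This is an added example and not code from the Entrust article: it uses the article's netdom and AD CS commands, one of the provider names the article lists, and the CA common name from the article's own example. The domain name, the join account, and the use of NFAST_HOME to locate ncsvcdep are assumptions for your environment.

```powershell
# Added example (not Entrust's code): the Server Core procedure as one idempotent script.
# Run from an elevated PowerShell on the future CA after the CNG providers have been
# registered (cnginstall / cngregister). Values marked "assumption" are placeholders.

$Domain   = 'corp.example'                                    # assumption: AD DNS domain
$JoinUser = 'CORP\ca-deployer'                                # assumption: account allowed to join
$CaName   = 'Fips-128-Module-CA-1'                            # CA common name from the article's example
$Provider = 'RSA#nCipher Security World Key Storage Provider' # one of the providers the article lists
$NfastBin = Join-Path $env:NFAST_HOME 'bin'                   # assumption: NFAST_HOME is set by the Security World install

# Steps 1-2: join the domain with the article's netdom command and reboot. '*' makes netdom
# prompt for the password, so it never lands in the command line or shell history.
# Re-run the script after the reboot; this block is skipped once the machine is domain-joined.
if ((Get-CimInstance Win32_ComputerSystem).Domain -ne $Domain) {
    & netdom join $env:COMPUTERNAME "/domain:$Domain" "/userd:$JoinUser" '/passwordd:*'
    if ($LASTEXITCODE -ne 0) { throw "netdom join failed with exit code $LASTEXITCODE" }
    shutdown /r /t 0
    return
}

# Step 5: install the CA binaries. Note the single dash on -IncludeManagementTools.
if ((Get-WindowsFeature ADCS-Cert-Authority).InstallState -ne 'Installed') {
    Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
}

# Step 6: configure an Enterprise Root CA whose key pair is generated inside the HSM by the
# nShield KSP. With OCS or softcard protection, -AllowAdministratorInteraction lets the
# provider prompt for the card or passphrase. -Force answers the step 7 confirmation.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName $CaName `
    -CryptoProviderName $Provider -KeyLength 2048 -HashAlgorithmName SHA256 `
    -AllowAdministratorInteraction -Force

# Same as step 26 of the Enterprise procedure: make CertSvc depend on the nShield service,
# so after a reboot the CA cannot start before the hardserver and fail to load the providers.
& (Join-Path $NfastBin 'ncsvcdep.exe') -a certsvc
if ($LASTEXITCODE -ne 0) { throw "ncsvcdep failed with exit code $LASTEXITCODE" }

# Quick check equivalent to 'sc query certsvc', plus the dependency list ncsvcdep just edited.
$Svc = Get-Service -Name certsvc
"certsvc is $($Svc.Status); depends on: $(($Svc.ServicesDependedOn | ForEach-Object Name) -join ', ')"
```

The script runs in two passes: the first joins the domain and reboots, the second (after logging back on) installs and configures the CA. Keep the provider string exactly as the article lists it; a typo there silently falls back to an error rather than to a software provider, but it is still worth confirming afterwards which provider the CA registered.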

Verify that the CA service has started successfully

To verify that the CA service has started, open a command prompt and run the command:

> sc query certsvc

The expected output is:

SERVICE_NAME        : certsvc
TYPE                : 110 WIN32_OWN_PROCESS (interactive)
STATE               : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE     : 0 (0x0)
SERVICE_EXIT_CODE   : 0 (0x0)
CHECKPOINT          : 0x0
WAIT_HINT           : 0x0
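Seeing certsvc in the RUNNING state, as in the output above, confirms that the service started but not that it started on the HSM. The PowerShell below is an added example, not part of the Entrust article, that performs the checks a practitioner wants after either the Enterprise or the Server Core procedure: service state, the nShield dependency registered by ncsvcdep, the provider recorded in the CA configuration, and a signing round-trip with the CA key. It assumes that the nShield hardserver's Windows service name contains "nfast" and that certutil's -getreg and -verifykeys verbs are available on the CA.

```powershell
# Added example (not Entrust's code): post-installation checks that the CA is really running
# on the nShield HSM. Run as Administrator on the CA server. Assumptions: the nShield
# service name contains "nfast"; certutil -getreg / -verifykeys are present (they ship
# with the CA role). With OCS or softcard protection -verifykeys may prompt for the token.

function Test-HsmBackedCa {
    $Problems = @()

    # 1. Same information as 'sc query certsvc': the service must be running.
    $Svc = Get-Service -Name certsvc -ErrorAction Stop
    if ($Svc.Status -ne 'Running') {
        $Problems += "certsvc state is $($Svc.Status), expected Running"
    }

    # 2. ncsvcdep -a certsvc must have made CertSvc depend on the nShield service; otherwise
    #    the next reboot can start the CA before the hardserver and the providers fail.
    $Deps = @($Svc.ServicesDependedOn | ForEach-Object Name)
    if (-not ($Deps -match 'nfast')) {
        $Problems += "certsvc has no dependency on the nShield service (found: $($Deps -join ', '))"
    }

    # 3. The CA's key must sit behind the nCipher KSP/CSP, not the Microsoft software provider.
    #    certutil prints a line like '  Provider REG_SZ = RSA#nCipher Security World Key Storage Provider'.
    $ProviderLine = certutil -getreg CA\CSP\Provider | Where-Object { $_ -match '^\s*Provider\s+REG_SZ\s*=' }
    if (-not $ProviderLine -or $ProviderLine -notmatch 'nCipher') {
        $Problems += "CA provider is not an nCipher provider: '$ProviderLine'"
    }

    # 4. The private key must be usable: certutil signs and verifies with the CA key pair.
    $null = certutil -verifykeys 2>&1
    if ($LASTEXITCODE -ne 0) {
        $Problems += 'certutil -verifykeys failed: HSM key not reachable (check hardserver, OCS/softcard presence, pool mode)'
    }

    return $Problems
}

$Result = @(Test-HsmBackedCa)
if ($Result.Count -eq 0) {
    'CA is running with its key on the nShield HSM'
} else {
    $Result | ForEach-Object { Write-Warning $_ }
}
```

Check 3 is the one that catches the most common misconfiguration: a CA that was configured with the default Microsoft Software Key Storage Provider because the nShield provider name was mistyped or the providers were not registered before the role was configured. Check 2 catches the missing ncsvcdep step, which only shows up after the next reboot.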

Configure auto-enrollment group policy for a domain

To complete the integration procedures, you must configure auto-enrollment as a group policy:

  1. On the domain controller, select Start > Administrative Tools > Group Policy Management.
  2. Select Forest, then select your Domain and expand it.
  3. Double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
  4. Right-click the Default Domain Policy GPO, then select Edit.
  5. In the Group Policy Management Editor, select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  6. Double-click Certificate Services Client - Auto-Enrollment.
  7. In Configuration Model, select Enabled to enable auto-enrollment. Select the following options:
    • Renew expired certificates, update pending certificates, and remove revoked certificates.
    • Update certificates that use certificate templates.
  8. Select Apply and OK to accept your changes and close the Editor.
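After the Default Domain Policy has been edited, the policy still has to replicate and be applied before clients enroll. The PowerShell below is an added example, not part of the Entrust article, that refreshes computer policy on a domain member, reads back the auto-enrollment setting, and triggers an enrollment pass. It assumes that the GPO setting lands in the AEPolicy value under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment, that 7 is the value written for Enabled with both options ticked, and that 0x8000 marks Disabled; confirm these against your own GPO before relying on the check.

```powershell
# Added example (not Entrust's code): confirm the auto-enrollment GPO reached this machine and
# start the first enrollment pass. Run as Administrator on a domain-joined member.
# Assumptions: AEPolicy is the registry value the GPO writes; 7 = Enabled with both options,
# 0x8000 = Disabled. Adjust if your environment shows different values.

function Get-AutoEnrollmentState {
    # Pull the latest computer policy rather than waiting for the background refresh.
    gpupdate /target:computer /force | Out-Null

    $Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $Value = (Get-ItemProperty -Path $Path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy

    # A switch statement is deliberately avoided: switch on a $null input runs no branch.
    if ($null -eq $Value)    { return 'not applied: check the GPO link, security filtering and replication' }
    if ($Value -band 0x8000) { return 'disabled by policy' }
    if ($Value -eq 7)        { return 'enabled with renew/update/remove and template-update options' }
    return ('enabled with a partial option set (AEPolicy = 0x{0:X})' -f $Value)
}

$State = Get-AutoEnrollmentState
"Auto-enrollment: $State"
if ($State -like 'enabled*') {
    # Trigger auto-enrollment now instead of waiting for the scheduled task.
    certutil -pulse | Out-Null
}
```

Run it on a test member first; if it reports "not applied", the GPO is linked or filtered wrongly and no amount of waiting on the CA side will produce certificates.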
