
nCipher modules

Integration Guide for

Microsoft Windows Server 2008 Active Directory

Certificate Services

Date: 05 March 2010

Copyright 2010 nCipher Corporation Ltd. All rights reserved.

These installation instructions are intended to provide step-by-step instructions for installing nCipher software with third-party software. These instructions do not cover all situations and are intended as a supplement to the nCipher documentation provided with nCipher products.

Disclaimer: nCipher Corporation Ltd disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale. nCipher is a registered trademark of nCipher Corporation Limited. Any other trademarks referenced in this document are the property of the respective trademark owners.


Contents

1. Introduction
2. Supported nCipher functionality
3. Requirements
4. Procedures
5. Installing the HSM
6. Installing the nCipher support software and creating the security world
7. Installing Microsoft Active Directory Certificate Services
   7.1. Installation procedure
   7.2. Display of windows by services
8. Migrating a certificate between certificate authorities
   8.1. Migrating from a Windows Server 2003 CA to a Windows Server 2008 CA
9. Setting up key use counting
   9.1. Key use counter overview
   9.2. Key use counter increments
   9.3. Installing Certificate Services with key use counting
   9.4. Keeping a record of the key count using Windows 2008 audit facilities
10. Interoperation notes
11. Addresses


1. Introduction

The nCipher HSM integrates with Microsoft Active Directory Certificate Services (AD CS) on Windows Server 2008 to provide full key life-cycle management on FIPS-certified hardware and to reduce the cryptographic load on the host server CPU.

The benefits of using an HSM with AD CS include:

• Secure storage of the CA private key and of certificates' private keys: the key is generated in, and never leaves, the HSM.
• FIPS 140-2 level 3 validated hardware.
• Improved server performance through offloading of cryptographic processing.
• Full life cycle management of the keys.
• Failover support.

This document explains how to set up and configure AD CS with an HSM. The instructions in this document have been thoroughly tested and provide a straightforward integration process. There may be other untested ways to achieve interoperability.

This document may not cover every step in the process of setting up all the software. This document assumes that you have read your HSM documentation and that you are familiar with the documentation and setup process for AD CS. For more information about installing the AD CS, refer to the Microsoft documentation.

The integration between the HSM and AD CS has been tested for the following combinations:

Operating system                        nCipher version   PCI support   netHSM support   nShield Connect support
Windows Server 2008 32-bit and 64-bit   11.11             Yes           Yes              --
Windows Server 2008 32-bit and 64-bit   11.30             Yes           Yes              Yes

For more information about OS support, contact your Microsoft sales representative or Thales Support. For more information about contacting Thales, see “Addresses” at the end of this guide.

Additional documentation produced to support your nCipher product can be found in the document directory of the CD-ROM or DVD-ROM for that product.

Note Throughout this guide, the term HSM refers to nShield Solo modules, netHSM, and nShield Connect products. (nShield Solo products were formerly known as nShield).


2. Supported nCipher functionality

• Soft Cards
• Key Management
• Strict FIPS Support
• Key Recovery
• Module Only Key
• K-of-N Card Set
• Key Generation
• Key Import
• Fail Over
• Fall Back
• Load Balancing
• Preload support

3. Requirements

Before attempting to install the software, we recommend that you familiarize yourself with the AD CS documentation and setup process and that you have the nCipher documentation available.

We also recommend that there be an agreed organizational Certificate Practices Statement and Security Policy/Procedure in place covering administration of the HSM. In particular, these documents should specify the following aspects of HSM administration:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

• Whether the application keys are protected by the module or an Operator Card Set (OCS).
• The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
• Whether the security world should be compliant with FIPS 140-2 level 3.
• Key attributes such as the key size, persistence, and time-out.
• Whether there is any need for auditing key usage.

• Whether to use nCipher’s Cryptographic Service Providers for Cryptographic API: Next Generation (CNG) or CryptoAPI (CAPI).

Note We recommend that you use CNG for full access to available features and better integration with Windows Server 2008.


4. Procedures

To set up and configure the AD CS with an HSM:

1. Install the HSM.
2. Install the nCipher Support Software, and configure the Security World.
3. Install Microsoft Active Directory Certificate Services.

In addition, this guide describes the following procedures:

• Migrating a certificate between certificate authorities.
• Setting up key use counting.

All these procedures are described in the following sections.

5. Installing the HSM

Install the HSM using the instructions in the Hardware Installation Guide for the HSM. We recommend that you install the HSM before configuring the nCipher software and before installing and configuring AD CS.


6. Installing the nCipher support software and creating the security world

To install the nCipher Software and create the security world:

1. Install the latest version of the nCipher support software as described in the User Guide for the HSM.

2. Initialize a security world as described in the User Guide for the HSM.

Note You can also use the CSP Install Wizard or the CNG Configuration Wizard to create a Security World for nShield PCI HSMs. For nShield Connect modules and netHSMs, we recommend that you use the front panel user interface to create the Security World.

3. Register the Cryptographic Service Providers that you intend to use.

Note For CAPI on 64-bit Windows, both 32-bit and 64-bit CSP Install Wizards are available. If you intend to use nCipher's CAPI CSPs from both 32-bit and 64-bit applications, or if you are unsure, run both wizards. The CNG Configuration Wizard registers the nCipher CNG Providers for use by both 32-bit and 64-bit applications where relevant. For detailed information on registering the nCipher CAPI CSPs or CNG Providers, see the User Guide for the HSM.


7. Installing Microsoft Active Directory Certificate Services

7.1. Installation procedure

Note If you intend to enable key use counting, read "Setting up key use counting" before proceeding.

To install and configure Microsoft Active Directory Certificate Services:

1. From the Windows Start menu, select Start > Administrative Tools > Server Manager. The Server Manager window appears.

2. Right-click Roles (on the left), and select Add Roles. The Select Server Roles window appears.

3. Ensure that Certification Authority is selected.

4. Optionally, if you want to submit certificate requests by means of a Web interface, ensure that Certification Authority Web Enrollment is selected.

5. Click Next.

The Specify Setup Type window appears.

6. Select the appropriate Certification Authority (CA) setup type for your requirements:

• Enterprise.
• Standalone.

Note If your machine is not a member of an Active Directory domain, only Standalone is available.

7. Click Next.

The Specify CA Type window appears.

8. Select the type of Certification Authority (CA) for your requirements:

• Root.
• Subordinate.

Note If your CA is to be the only CA, select Root. If you want to use multiple CAs, select Root or Subordinate according to where in the hierarchy this CA is to appear.

9. Click Next.

The Set Up Private Key window appears.

10. Select the private key setup appropriate for your requirements:

• For a typical installation, select Create a new private key.
• If you have special requirements, such as key use counting, or if you are migrating from a previous CA, select Use existing private key.

11. Click Next.

The Configure Cryptography for CA window appears.

12. If you have chosen to create a new private key, select a key algorithm and provider from the drop-down list:

• We recommend that you select either RSA or one of the ECDSA curves (ECDSA_P256, ECDSA_P384 or ECDSA_P521) with the nCipher Security World Key Storage Provider.
• If you select ECDSA, also select a hash algorithm of comparable strength: SHA256 with ECDSA_P256, SHA384 with ECDSA_P384 and SHA512 with ECDSA_P521.

If you are using the nCipher CAPI CSP, select the nCipher Enhanced Cryptographic Provider. Ensure that you select Use strong private key protection features.

Note If you are using the nCipher CAPI or CNG providers and you do not select Use strong private key protection features, the AD CS installation can fail.

Note AD CS does not support the use of standard DSA root keys. If you select a DSA key in the Configure Cryptography for CA window, the AD CS installation fails. For further information, see http://support.microsoft.com/kb/946387.

13. As prompted, enter a name for the CA.

14. As prompted, enter a certificate validity period.

After installing AD CS, you must register nFast Server as a dependency of the CA service (certsvc) to ensure that the nCipher CNG or CAPI providers are available before the CA starts. Run the command:

   ncsvcdep -a certsvc
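The following script is an added example, not part of the nCipher guide, that checks the result of the installation above from an elevated PowerShell prompt on the CA: that the CA's configured provider is one of the two nCipher providers named in step 12, that certsvc now depends on the nFast Server service (which is what ncsvcdep registers), and that the hardserver can see a module. The registry paths are the standard CertSvc configuration locations; the assumption that the nCipher service is named "nFast Server" and that %NFAST_HOME%\bin\enquiry.exe lists modules under "Module #n:" reflects the nCipher tools as shipped but should be confirmed against your installation.

```powershell
# Added example (not from the nCipher guide): post-install checks for an
# HSM-backed CA. Run elevated on the CA after 'ncsvcdep -a certsvc'.

$config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $config).Active            # name of the active CA
$csp    = Get-ItemProperty -Path (Join-Path $config "$caName\CSP")

# Providers quoted in the guide; anything else (e.g. the Microsoft Software
# Key Storage Provider) means the CA key was generated in software, not in the HSM.
$hsmProviders = @(
    'nCipher Security World Key Storage Provider',   # CNG KSP (recommended)
    'nCipher Enhanced Cryptographic Provider'        # CAPI CSP
)

$ok = $true

# 1. Provider check
if ($hsmProviders -contains $csp.Provider) {
    Write-Host "CA '$caName': provider '$($csp.Provider)'"
} else {
    Write-Warning "CA '$caName': provider is '$($csp.Provider)' - key is NOT HSM-protected"
    $ok = $false
}

# 2. Service dependency check. Without it certsvc can start before the
#    hardserver at boot and fail to load its key.
$deps = (Get-Service -Name certsvc).ServicesDependedOn
$hasDep = $deps | Where-Object { $_.Name -eq 'nFast Server' -or $_.DisplayName -eq 'nFast Server' }
if ($hasDep) {
    Write-Host 'certsvc depends on nFast Server'
} else {
    Write-Warning 'certsvc has no dependency on nFast Server - run: ncsvcdep -a certsvc'
    $ok = $false
}

# 3. Module visibility. 'enquiry' (nCipher support software) reports the
#    hardserver and every module it can reach; no "Module #n:" section means
#    the CA key cannot be loaded even if the provider is registered.
$enquiry = Join-Path $env:NFAST_HOME 'bin\enquiry.exe'
$report  = & $enquiry 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "enquiry failed (exit $LASTEXITCODE); check the hardserver service"
    $ok = $false
} elseif (-not ($report -match '^\s*Module #\d+')) {
    Write-Warning "enquiry lists no module:`n$($report -join "`n")"
    $ok = $false
}

if ($ok) { Write-Host 'HSM-backed CA checks passed' } else { exit 1 }
```

Run the script once after installation and again after any reboot or support-software upgrade; the dependency check is the one most often lost when the nFast Server service is reinstalled.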


7.2. Display of windows by services

In order to improve security, Windows Server 2008 does not allow services to display a window on the desktop that can be generally seen by users. Instead, any windows created by services are presented on what is termed the Session 0 desktop. Users are alerted to the fact that a service is trying to display a window by a dialog box.

If your CA private key is protected by an OCS, Certificate Services may need to display dialogs prompting the user to insert Operator Cards or enter pass phrases. In such cases, the Interactive services dialog detection window appears and the user must select Show me the message. Because the prompt must be answered at the console, a CA whose key is OCS-protected cannot start unattended (for example after a reboot); weigh this against module protection when deciding the key protection in "Requirements".


8. Migrating a certificate between certificate authorities

You can choose to move a certificate from one CA server to another. Such certificate migration may be appropriate in cases such as:

• Upgrading from a Windows Server 2003 CA to a Windows Server 2008 CA.
• Reinstalling Windows Server 2008 on a new computer.

This section describes the procedures to use when an HSM is involved in such a certificate migration.

8.1. Migrating from a Windows Server 2003 CA to a Windows Server 2008 CA

To migrate a certificate and private key protected by an HSM from a Windows Server 2003 CA to a Windows Server 2008 CA:

1. On Windows Server 2003:

a. Back up the key management data, located in:

   nCipher Support Software versions earlier than 11.03: %NFAST_HOME%\kmdata\local (by default, C:\nfast\kmdata\local).

   nCipher Support Software versions 11.03 or later: %NFAST_KMDATA%\local (by default, C:\ProgramData\nCipher\Key Management Data\local).

b. Ensure that you keep any of the Security World’s Administrator Cards and Operator Cards because you will need them to restore the Security World and access the keys.

2. On Windows Server 2008:

a. Install the nCipher Support Software.

b. Stop the "nFast Server" service by running the command:

   net stop "nFast Server"

c. Replace the Key Management Data folder %NFAST_KMDATA%\local (by default, C:\ProgramData\nCipher\Key Management Data\local) with the key management files you backed up from the Windows 2003 installation.

e. If one or more of the HSMs you intend to use must be added to the Security World, follow the instructions in the User Guide for the HSM. You must have a quorum of Administrator Cards from the Security World.

f. Either continue using the nCipher CAPI private key from the original CA with CAPI, or import your existing CAPI key into the nCipher CNG key storage provider:

• If you plan to use CAPI, run the CSP Install Wizard(s), and select the existing CAPI key when running the AD CS role installation wizard.

• If you wish to import your existing CAPI key into CNG, first run the CNG Configuration Wizard, then identify the nCipher key file name that corresponds to the signing key in the named CAPI container, by running the command:

   csputils -m -d -n SAMPLE-CAPI-CONTAINER-CA

This command produces output of the form:

   Detailed report for container ID #00c1deb83de30a7015e15e8e9e763742fc3e1d48
   Filename: key_mscapi_container-00c1deb83de30a7015e15e8e9e763742fc3e1d48
   Container name: SAMPLE-CAPI-CONTAINER-CA
   Container is a machine container.
   CSP DLL name: ncsp.dll
   Filename for signature key is key_mscapi_eea3d453a94b8890f5fc4c2e920c93813ee6d5ee
   Key was generated by the CSP
   Key hash: eea3d453a94b8890f5fc4c2e920c93813ee6d5ee
   Key is recoverable.
   Key is cardset protected.
   Cardset name: SampleCardset
   Sharing parameters: 1 of 1 shares required.
   Cardset hash: 22f94c0d459594b230da3255af46d7446af81d42
   Cardset is non-persistent.
   No key exchange key.
   Detailed report for container ID #736289b47d43712053edb23bfe0cae4085d2a2e7

You require the Key hash from this output to identify the signing key to the cngimport tool:

   cngimport import --machine-key --key=eea3d453a94b8890f5fc4c2e920c93813ee6d5ee --appname=mscapi NEW-CNG-KEY-NAME-CA

Confirm that the key has been imported successfully by running the command:

   cnglist --list-keys

g. Follow the procedure for installing Microsoft Active Directory Certificate Services in "Installation procedure" until the Set up Private Key window appears.

h. In the Set up Private Key window, select Existing Private Key.

j. Select the existing CA key in Select the key that you want to use for this CA (on the right-hand side of the window).

k. Complete the remainder of the procedure for installing Microsoft Active Directory Certificate Services as described in “Installation procedure”.

After you complete the remainder of the AD CS installation procedure, the Windows Server 2008 CA is successfully configured with the private key that was generated when the original Windows Server 2003 CA was installed.
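As an added example (not part of the nCipher guide), the script below automates the check a practitioner wants before running cngimport in step f: it parses the csputils report for the container, extracts the signature key hash and the cardset hash, and confirms that the key file (and, for an OCS-protected key, the cardset file) was actually restored into %NFAST_KMDATA%\local on the new server, since cngimport cannot import a key whose file is missing. The report text is the guide's own sample, embedded as constructed input; the file name pattern cards_<cardset hash> for the OCS is an assumption about the security world file layout and should be checked against your own kmdata directory.

```powershell
# Added example (not from the nCipher guide): pre-import check for a CAPI key
# being migrated into the CNG key storage provider. Assumes support software
# 11.03 or later (so %NFAST_KMDATA% is set) and the kmdata file naming noted above.

# Constructed input: the csputils report quoted in the guide. In practice:
#   $report = & csputils -m -d -n SAMPLE-CAPI-CONTAINER-CA | Out-String
$report = @'
Detailed report for container ID #00c1deb83de30a7015e15e8e9e763742fc3e1d48
Filename: key_mscapi_container-00c1deb83de30a7015e15e8e9e763742fc3e1d48
Container name: SAMPLE-CAPI-CONTAINER-CA
Container is a machine container.
CSP DLL name: ncsp.dll
Filename for signature key is key_mscapi_eea3d453a94b8890f5fc4c2e920c93813ee6d5ee
Key was generated by the CSP
Key hash: eea3d453a94b8890f5fc4c2e920c93813ee6d5ee
Key is recoverable.
Key is cardset protected.
Cardset name: SampleCardset
Sharing parameters: 1 of 1 shares required.
Cardset hash: 22f94c0d459594b230da3255af46d7446af81d42
Cardset is non-persistent.
No key exchange key.
'@

function Get-CapiKeyInfo([string]$text) {
    # Pull the fields the import depends on out of the report text.
    $info = @{ KeyFile = $null; KeyHash = $null; CardsetHash = $null }
    if ($text -match 'Filename for signature key is\s+(\S+)') { $info.KeyFile = $Matches[1] }
    if ($text -match 'Key hash:\s+([0-9a-f]{40})')            { $info.KeyHash = $Matches[1] }
    if ($text -match 'Cardset hash:\s+([0-9a-f]{40})')        { $info.CardsetHash = $Matches[1] }
    $info.CardsetProtected = ($text -match 'Key is cardset protected')
    return $info
}

$kmLocal = Join-Path $env:NFAST_KMDATA 'local'
$key = Get-CapiKeyInfo $report
if (-not $key.KeyHash) { throw 'report contains no signature key; check the container name' }

$missing = @()
if (-not (Test-Path (Join-Path $kmLocal $key.KeyFile))) { $missing += $key.KeyFile }
if ($key.CardsetProtected) {
    $cardsFile = "cards_$($key.CardsetHash)"      # assumed OCS file name in kmdata\local
    if (-not (Test-Path (Join-Path $kmLocal $cardsFile))) { $missing += $cardsFile }
}

if ($missing) {
    Write-Warning ('restore these files from the Windows 2003 backup before importing: ' + ($missing -join ', '))
    exit 1
}

# Files are in place: emit the import command from the guide with the hash filled in.
"cngimport import --machine-key --key=$($key.KeyHash) --appname=mscapi NEW-CNG-KEY-NAME-CA"
```

The cardset check matters because a key that is OCS-protected still needs the Operator Cards and their cardset file on the new server; the key file alone will import but the CA will not be able to load the key.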

9. Setting up key use counting

Setting up key use counting is optional; the procedure described in this section does not apply to most setups. If you do not follow the procedure described in the section, key use counting is not installed. You cannot add key use counting to a key retrospectively. If you require key use counting, follow the instructions for the procedure described in this section.

9.1. Key use counter overview

The key use counter is used to audit usage of the Certification Authority (CA) signing key; it maintains a count of how many times the key has been used. We recommend the key use counter for use principally with a root CA that undergoes a low volume of signings in which the count can be logged immediately before servicing a signature request and after the signature request has been serviced. This ensures that any illicit use of the CA is revealed through discrepancies in the counter log.

You also need to consider the following information about the key use counter:

• The counter resides in the NVRAM of the HSM.
• The counter is a 64-bit integer counter associated with a single private key.
• The counter is started at zero.
• If the maximum count is reached, the counter restarts at zero.
• The counter can exist only on one HSM. If more than one HSM is attached to the server, you must choose which HSM stores the counter.
• If the module firmware is upgraded, the counter value is lost. Record the count before upgrading (stopping the CA logs it when auditing is configured as in "Keeping a record of the key count using Windows 2008 audit facilities").
• If the certification authority start-up event in the Security log wrongly reports a usage count of zero for the signing key, see http://support.microsoft.com/kb/951721.

9.2. Key use counter increments

The key use counter increments are dependent on the type of CA (such as offline or online issuing) and the cryptographic operations that are executed by the CA to service a certificate signature request (CSR). The key


9.3. Installing Certificate Services with key use counting

To install Certificate Services with key use counting:

3. If it is not already present on your system, create the file %SystemRoot%\capolicy.inf (where %SystemRoot% is the system environment variable for the Windows installation folder; by default the file is C:\WINDOWS\capolicy.inf) with the following content:

   [Version]
   Signature="$Windows_NT$"

   [certsrv_server]
   EnableKeyCounting=1

Note You must create the capolicy.inf file before Certificate Services is installed.

4. To generate a CAPI key with use counting enabled in the specified container, run the command:

   keytst.exe -m -s -c <SAMPLE-CA-NAME>

In this command, <SAMPLE-CA-NAME> can be your choice of key name.

5. To generate a CNG key with use counting enabled, ensure %NFAST_HOME%\bin is in your PATH, and run the command:

   cngsoak -s -l <RSA_KEY_SIZE> -C -k --machine --nc -o 1 -t 1 -n <SAMPLE-CA-NAME>

In this command, <RSA_KEY_SIZE> is the size of the RSA key and <SAMPLE-CA-NAME> can be your choice of key name.

Note For CNG keys created with the cngsoak utility, the initial count is 1 instead of 0.

Note You cannot use ECDSA with key use counting because the CA only supports the use of existing nCipher RSA private keys.

6. After you have generated a suitable key, follow the procedure for installing Microsoft Active Directory Certificate Services in "Installation procedure" until the Set up Private Key window appears.

7. In the Set up Private Key window, select Existing Private Key, and select the key that you generated with key use counting enabled.

9.4. Keeping a record of the key count using Windows 2008 audit facilities

Windows 2008 provides the facility to keep an audit record of the key count every time the CA is stopped or started. To enable this facility:

2. Select Start and stop Active Directory Certificate Services (under Events to audit on the Auditing tab of the CA's properties).

3. From the Windows Start menu, run secpol.msc. The Local Security Policy window appears.

4. Select Audit Policy (on the left-hand side of the window), and enable Object access auditing for success and failure (on the right-hand side of the window).

5. Update the local security policies by opening a command prompt and running the command:

   gpupdate.exe /force

Windows 2008 now keeps an audit record of the key count every time the CA is stopped or started. The audit records contain a record of the key use count.

To view audit records, open the Event Viewer and navigate to Windows Logs > Security. The audit records have an Event ID of 4880 (Certificate Services started) or 4881 (Certificate Services stopped).
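The script below is an added example, not part of the nCipher guide. Its first part is the command-line equivalent of the GUI steps above; its second part reads the 4880/4881 events back and applies the check that the overview in "Key use counter overview" describes: the count logged when the CA stops must equal the count logged when it next starts, because a counter that moved while certsvc was down can only have been driven by something other than this CA. Two things are assumptions rather than statements from the guide and are marked as such in the code: that bit 1 of the CA's AuditFilter registry value is the "Start and stop Active Directory Certificate Services" filter, and that the count is carried in the event's XML data field named PrivateKeyUsageCount. Confirm the latter against a real event on your CA, for example with (Get-WinEvent -FilterHashtable @{LogName='Security';Id=4880} -MaxEvents 1).ToXml(), before relying on the parser.

```powershell
# Added example (not from the nCipher guide). Run elevated on the CA.

# --- 1. Enable the audit trail (equivalent to steps 2 to 5 above) ---
certutil -setreg CA\AuditFilter 1 | Out-Null                 # bit 1 = start/stop events (assumed mapping)
# secpol.msc's "Object access" enables every Object Access subcategory;
# Certification Services is the only one the key count needs.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
gpupdate /force | Out-Null
# The audit filter is read at start-up, so restart the CA to log the first stop/start pair.
net stop certsvc | Out-Null
net start certsvc | Out-Null

# --- 2. Read the key use count from the start/stop events ---
function Get-CaKeyCountEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4880, 4881 } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            # Field name assumed; verify with ToXml() on a real event.
            $d = $x.Event.EventData.Data | Where-Object { $_.Name -eq 'PrivateKeyUsageCount' }
            $count = if ($d) { [uint64]$d.'#text' } else { $null }
            New-Object PSObject -Property @{
                Time  = $_.TimeCreated
                State = if ($_.Id -eq 4880) { 'started' } else { 'stopped' }
                Count = $count
            }
        }
}

# --- 3. Compare consecutive stop/start pairs ---
function Find-CountDiscrepancies([object[]]$events) {
    $last = $null
    foreach ($e in $events) {
        if ($e.Count -eq $null) { $last = $e; continue }      # field missing on this event: skip it
        if ($last -and $last.Count -ne $null) {
            if ($last.State -eq 'stopped' -and $e.State -eq 'started') {
                if ($e.Count -eq 0 -and $last.Count -gt 0) {
                    # Known reporting issue: start-up event shows zero (KB 951721, see 9.1).
                    Write-Warning "$($e.Time): start-up count reported as 0 (see KB 951721); count at last stop was $($last.Count)"
                } elseif ($e.Count -ne $last.Count) {
                    # The CA was not running, so it cannot have moved the counter.
                    Write-Warning "$($e.Time): count moved from $($last.Count) to $($e.Count) while certsvc was stopped - investigate other use of the CA key"
                }
            } elseif ($last.State -eq 'started' -and $e.State -eq 'stopped') {
                # Signing operations performed during one run of the CA.
                '{0}: {1} key uses between start and stop' -f $e.Time, ($e.Count - $last.Count)
            }
        }
        $last = $e
    }
}

Find-CountDiscrepancies @(Get-CaKeyCountEvents)
```

For an offline root CA, run section 3 of the script each time the CA is brought up and shut down again; the per-run figure should match the number of subordinate CA certificates and CRLs you expect to have signed, and any non-zero difference across a stopped interval is the discrepancy the counter exists to reveal.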

10. Interoperation notes

To ensure successful integration of an nCipher HSM with Certificate Services on Windows Server 2008, take note of the following:

• In Strict-FIPS security worlds, you cannot use ECDSA as either the CA certificate signing algorithm or for any certificate requests submitted to the CA. For information about a fix for this issue consult Microsoft support, reference 952722.

• The CA in Windows Server 2008 no longer supports the use of DSA with any Cryptographic Service Provider.

• You cannot currently configure the CA to use an existing ECDSA private key during Certificate Services installation.

• You cannot use the Create New Private Key option during the Certificate Services installation to generate keys with a use count. If you want to use key use counting, you must use an existing private key. For more information, see "Setting up key use counting".

• The use of a particular Cryptographic Service Provider for the CA private key does not prevent other CSPs being used for the private keys of certificate requests submitted to the CA.

After installing Certificate Services, you must run the command ncsvcdep -a certsvc to ensure that the CA service waits for the nCipher software to become available before starting. Failure to run this command can result in the CA not starting after a server reboot.


11. Addresses

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or +1 954 888 6200
sales@thalesesec.com

Asia Pacific
Units 2205-06, 22/F Vicwood Plaza, 199 Des Voeux Road Central, Hong Kong, PRC
Tel: +852 2815 8633
asia.sales@thales-esecurity.com

Australia
103-105 Northbourne Avenue, Turner, ACT 2601, Australia
Tel: +61 2 6120 5148
sales.australasia@thales-esecurity.com

Europe, Middle East, Africa
Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
Tel: +44 (0)1844 201800
emea.sales@thales-esecurity.com

Internet addresses
Web site: www.thalesgroup.com/iss
Support: http://iss.thalesgroup.com/en/Support.aspx
Online documentation: http://iss.thalesgroup.com/Resources.aspx
