

Question about how HSMs in an Active Directory CA environment work

Question

Thursday, October 27, 2016 2:24 AM

Looking into getting an nShield Edge HSM for our small network to help protect our 802.11x wireless network. I know this is not best practice, but I want to set up a single-tier root CA and then use module protection with the Edge for the server private key using the nShield KSPs. Once this is done, the certificate templates that I use for servers, laptops, or users will be using the standard Microsoft KSPs, and the certificate requests received by the CA are digitally signed with the cert created on the Edge. Is this correct?

Thanks in advance for any help in clarifying this.

Jose

All replies (4)

Friday, October 28, 2016 9:22 AM ✅Answered

Hi Krakatao,

>> So does this mean that HSMs are not meant to be used to protect the private keys for servers, workstations, or users who auto-enroll for certificates?

As far as I know, it won’t.

You could check article below to understand it:

Set Up a Certification Authority by Using a Hardware Security Module

https://technet.microsoft.com/en-us/library/cc732052(v=ws.11).aspx

When a user sends a certificate request with a CSP to the CA, the CSP will create the public key and private key.

You could reference the article below for further understanding:

Cryptographic Service Providers

https://technet.microsoft.com/en-us/library/cc731248(v=ws.11).aspx

An HSM could enhance the security of a certification authority (CA) and public key infrastructure (PKI).

Best Regards

John



Friday, October 28, 2016 3:31 PM ✅Answered

Connecting an HSM to a CA will protect only the CA's private keys. Clients, Servers, Workstations all generate their own keypair and would not have access to, or the ability to use the HSM.

Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com
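As an added example (not code from the thread or from any vendor), the PowerShell check below, run elevated on the CA host, shows the split the reply describes: it reads which key storage provider holds the CA's signing key and then lists the provider backing each private key in the local machine store, so end-entity keys that live in the Microsoft software KSP stand out from the HSM-held CA key. The expected HSM provider name and the CertSvc registry layout are assumptions; confirm the name against `certutil -csplist` on your CA.

```powershell
# Added example, not from the original thread. Run as Administrator on the CA host.
# ASSUMPTION: the nShield KSP registers under this name; confirm with `certutil -csplist`.
$ExpectedHsmKsp = 'nCipher Security World Key Storage Provider'

# ASSUMPTION: ADCS keeps the active CA name and its CSP/KSP settings under this key.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaSigningKeyProvider {
    $caName = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
    $csp    = Get-ItemProperty -Path (Join-Path $cfgRoot "$caName\CSP")
    [pscustomobject]@{ CAName = $caName; Provider = $csp.Provider; HsmBacked = ($csp.Provider -eq $ExpectedHsmKsp) }
}

# For each certificate with a private key, ask the key itself which provider holds it.
function Get-LocalKeyProviders {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $provider = 'non-RSA key (not inspected)'
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider = $rsa.Key.Provider.Provider          # CNG key: the KSP name
            } else {
                $provider = $rsa.CspKeyContainerInfo.ProviderName  # legacy CAPI CSP name
            }
        } catch {
            $provider = "unreadable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            HsmBacked  = ($provider -eq $ExpectedHsmKsp)
        }
    }
}

$ca = Get-CaSigningKeyProvider
Write-Host "CA '$($ca.CAName)' signing key provider: $($ca.Provider) (HSM-backed: $($ca.HsmBacked))"
if (-not $ca.HsmBacked) {
    Write-Warning 'The CA signing key is not held by the expected HSM provider.'
}

# Expect: only the CA certificate (if present in this store) reports HsmBacked = True;
# auto-enrolled server/workstation certificates report the Microsoft software KSP or CSP.
Get-LocalKeyProviders | Format-Table -AutoSize
```

The CA's own certificate may or may not sit in the machine store on the same host; the registry reading is the authoritative answer for the CA key, while the store listing covers every other key that was generated locally by the requesting machine.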


Thursday, October 27, 2016 12:47 PM

You’re right! This is not best practice.

The single-tier CA you describe would have the Root CA online and exposed to the network. While the use of the Edge device is appropriate for protection of the Root CA private key, having the Root CA machine on the network is definitely not. It should always be offline and that means offline.

The nShield Edge device and the Root CA itself need to be highly secured with very limited access. Ideally you would only have the Root up twice a year and only to publish a new CRL.

To issue certificates you would setup a Subordinate CA and to protect its keys and those for the certs it issues you should seriously consider the nShield Connect if you’re considering an HSM solution from Thales.

The cost, of course, needs to be weighed against the level of protection you design, whatever vendor or solution you consider.

But the basic remains for your PKI design and that means placing the Root CA offline.

-bill


Thursday, October 27, 2016 6:35 PM

Hello Bill, I appreciate your response, but your answer does not address my question. My question was not about best practices, but about the mechanics of using Microsoft Certificate Services with an HSM.

Using an nShield Edge requires installing the nShield CSPs on the CA so that the private key is stored in the module. So does this mean that HSMs are not meant to be used to protect the private keys for servers, workstations, or users who auto-enroll for certificates? My understanding is that the certificates they generate use the Microsoft-provided CSPs, which will not be stored in the HSM. Is this correct?