How to move the MS Certification Authority key to an HSM

Question

Tuesday, July 13, 2010 7:34 PM

Hi.

Is there any procedure to move the private key of a CA to HSM?

The scenario is the following: having the CA installed as an enterprise root CA with the private key locally stored using "MS Strong Cryptographic Provider" from the "Custom settings to generate the key pair and CA certificate" window that appears when installing a CA in an AD environment (Enterprise Root CA).

After a while, the company decides to harden the PKI infrastructure and an HSM is acquired (being nCipher, Safenet or AEP HSM).

Question: how can the ent rootCA private key be exported in order to be moved to an HSM?

Thank You, Victor

All replies (7)

Monday, July 19, 2010 7:07 AM ✅Answered

Hi,

You can export private key and CA certificate to a p12 file by using the Certification Authority Backup Wizard.

http://support.microsoft.com/kb/298138

Hope it helps.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


Monday, July 19, 2010 7:10 PM ✅Answered

Once you have the P12 file, you can then contact the vendor, as Paul stated, to import the P12 into the HSM.

If you plan to do a FIPS 140-2 level 3 security world, you would need to navigate through a level 2 security world to import the file.

Also, you need to review what your CP states for care and control of the CA keys. If anything like "the key must be generated in a FIPS 140-2 level 3 protected HSM" or "the key must reside in an HSM", then you must tear down and redeploy, as you are breaking your CP if you import a software-protected key.

Brian


Tuesday, July 13, 2010 7:42 PM

On Tue, 13 Jul 2010 19:34:53 +0000, VMitu wrote:

Question: how can the ent rootCA private key be exported in order to be moved to an HSM?

Whether or not this can be done, and if it can be done, how it can be done,
is entirely dependent on the specific HSM. You'd need to work this out with
your HSM provider.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca


Tuesday, July 13, 2010 8:23 PM

Thank you for your answer.


Independent of HSM, is it possible to export CA key to a p12 file?


Thank you,

V


Tuesday, July 13, 2010 8:43 PM

You can query the key's export policy with the following command and look for "Export Policy" in the output. The possible flags are defined here: http://msdn.microsoft.com/en-us/library/aa379412(VS.85).aspx

"certutil -v -store <ROOT | CA> <CA Cert Serial #>"

For example, certutil -v -store ROOT "70 77 5a b5 90 dd 71 8d 4a b3 e4 36 ef 93 a4 c2" returns:
  ...
  Export Policy = 3
    NCRYPT_ALLOW_EXPORT_FLAG -- 1
    NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG -- 2
  ...
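As an added example (not part of the thread, and not Microsoft's tooling), the following script parses the "Export Policy" line from certutil output, decodes the NCRYPT flag bits quoted above, and reports whether the CA key can leave the machine unencrypted, which is the unrecorded event the later replies warn about. The certutil excerpt is constructed from the lines quoted in the answer; the two archiving bits (4 and 8) are the remaining documented values from ncrypt.h, and query_store wraps the command from the answer for use on a Windows host.

```python
import re
import subprocess

# NCRYPT key export/archiving policy bits from ncrypt.h; bits 1 and 2 are the
# ones quoted in the answer above, 4 and 8 are the remaining documented values.
NCRYPT_EXPORT_FLAGS = {
    0x1: "NCRYPT_ALLOW_EXPORT_FLAG",
    0x2: "NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG",
    0x4: "NCRYPT_ALLOW_ARCHIVING_FLAG",
    0x8: "NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG",
}

# Constructed excerpt modelled on the `certutil -v -store ROOT <serial>` output
# quoted above; a real run prints many more fields around these lines.
SAMPLE_OUTPUT = """\
  Provider = Microsoft Strong Cryptographic Provider
  Export Policy = 3
    NCRYPT_ALLOW_EXPORT_FLAG -- 1
    NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG -- 2
CertUtil: -store command completed successfully.
"""

def parse_export_policy(text):
    """Return the numeric Export Policy from certutil output, or None when the
    field is absent (e.g. a provider that does not report one)."""
    m = re.search(r"^\s*Export Policy\s*=\s*(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None

def decode_export_policy(value):
    """Map the policy bit-mask to the NCRYPT flag names it contains."""
    return [name for bit, name in NCRYPT_EXPORT_FLAGS.items() if value & bit]

def plaintext_export_possible(text):
    """True when the key may be exported unencrypted (bit 2 set)."""
    policy = parse_export_policy(text)
    return policy is not None and bool(policy & 0x2)

def query_store(store, serial):
    """Run the certutil command from the answer above (Windows only) and
    return its raw output for the parsers; not exercised offline."""
    cmd = ["certutil", "-v", "-store", store, serial]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    policy = parse_export_policy(SAMPLE_OUTPUT)
    print(policy, decode_export_policy(policy), plaintext_export_possible(SAMPLE_OUTPUT))
```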


Monday, April 10, 2017 8:32 AM

Hello,

I have a similar requirement now. I wanted to move my root keys from the Microsoft Software Key Storage Provider to an HSM (Thales nShield) without the help of the vendor, as the vendor offers only professional services.


Monday, April 10, 2017 2:36 PM

I would recommend using professional services. Personally, I would only provide guidance through an engagement, as the policy and processes are very complicated.

As stated earlier, even though it is technically possible, moving a software key to an HSM is never recommended as you have no record of whether the key was ever exported improperly/erroneously.

If you are interested in professional assistance, contact me.

Brian